Best Practices in DNS Service-Provision Architecture Version 1.2 - - PowerPoint PPT Presentation

best practices in dns service provision architecture
SMART_READER_LITE
LIVE PREVIEW

Best Practices in DNS Service-Provision Architecture Version 1.2 - - PowerPoint PPT Presentation

Jun 10, 2023 577 likes •1.24k views

Best Practices in DNS Service-Provision Architecture Version 1.2 Bill Woodcock Packet Clearing House Nearly all DNS is Anycast Large ISPs have been anycasting recursive DNS servers for more than twenty years. Which is a very long time, in

slide-1
SLIDE 1

Best Practices in DNS Service-Provision Architecture

Version 1.2 Bill Woodcock Packet Clearing House

slide-2
SLIDE 2

Nearly all DNS is Anycast

Large ISPs have been anycasting recursive DNS servers for more than twenty years. Which is a very long time, in Internet years. All but one of the root nameservers are anycast. All the large gTLDs are anycast.

slide-3
SLIDE 3

Reasons for Anycast

Transparent fail-over redundancy Latency reduction Load balancing Attack mitigation Configuration simplicity (for end users)

  • r lack of IP addresses (for the root)
slide-4
SLIDE 4

No Free Lunch The two largest benefits, fail-over redundancy and latency reduction, both require a bit of work to operate as you’d wish.

slide-5
SLIDE 5

Fail-Over Redundancy

DNS resolvers have their own fail-over mechanism, which works... um... okay. Anycast is a very large hammer. Good deployments allow these two mechanisms to reinforce each other, rather than allowing anycast to foil the resolvers’ fail-over mechanism.

slide-6
SLIDE 6

Resolvers’ Fail-Over Mechanism

DNS resolvers like those in your computers, and in referring authoritative servers, can and often do maintain a list of nameservers to which they’ll send queries. Resolver implementations differ in how they use that list, but basically, when a server doesn’t reply in a timely fashion, resolvers will try another server from the list.

slide-7
SLIDE 7

Anycast Fail-Over Mechanism

Anycast is simply layer-3 routing. A resolver’s query will be routed to the topologically nearest instance of the anycast server visible in the routing table. Anycast servers govern their own visibility. Latency depends upon the delays imposed by that topologically short path.

slide-8
SLIDE 8

Conflict Between These Mechanisms

Resolvers measure by latency. Anycast measures by hop-count. They don’t necessarily yield the same answer. Anycast always trumps resolvers, if it’s allowed to. Neither the DNS service provider nor the user are likely to care about hop-count. Both care a great deal about latency.

slide-9
SLIDE 9

How The Conflict Plays Out

Client Anycast Servers

slide-10
SLIDE 10

How The Conflict Plays Out

Low-latency, high hop-count desirable path High-latency, low hop-count undesirable path Client Anycast Servers ns1.foo ns2.foo Two servers with the same routing policy

slide-11
SLIDE 11

How The Conflict Plays Out

Anycast chooses this one Low-latency, high hop-count desirable path High-latency, low hop-count undesirable path Client Anycast Servers ns1.foo ns2.foo Two servers with the same routing policy

slide-12
SLIDE 12

How The Conflict Plays Out

Resolver chooses this one Anycast chooses this one Low-latency, high hop-count desirable path High-latency, low hop-count undesirable path Client Anycast Servers ns1.foo ns2.foo Two servers with the same routing policy

slide-13
SLIDE 13

How The Conflict Plays Out

Anycast trumps resolver Low-latency, high hop-count desirable path High-latency, low hop-count undesirable path Client Anycast Servers ns1.foo ns2.foo Two servers with the same routing policy

slide-14
SLIDE 14

Resolve the Conflict

The resolver uses different IP addresses for its fail-over mechanism, while anycast uses the same IP addresses.

Low-latency, high hop-count desirable path High-latency, low hop-count undesirable path Client Anycast Servers ns1.foo ns2.foo

slide-15
SLIDE 15

Resolve the Conflict

Client Anycast Cloud A Anycast Cloud B Low-latency, high hop-count desirable path High-latency, low hop-count undesirable path ns2.foo ns1.foo

Split the anycast deployment into “clouds” of locations, each cloud using a different IP address and different routing policies.

slide-16
SLIDE 16

Resolve the Conflict

Low-latency, high hop-count desirable path High-latency, low hop-count undesirable path

This allows anycast to present the nearest servers, and allows the resolver to choose the one which performs best.

Client ns2.foo ns1.foo Anycast Cloud A Anycast Cloud B

slide-17
SLIDE 17

Resolve the Conflict

Low-latency, high hop-count desirable path High-latency, low hop-count undesirable path

These clouds are usually referred to as “A Cloud” and “B Cloud.” The number of clouds depends on stability and scale trade-offs.

Client ns2.foo ns1.foo Anycast Cloud A Anycast Cloud B

slide-18
SLIDE 18

Latency Reduction

Latency reduction depends upon the native layer-3 routing of the Internet. The theory is that the Internet will deliver packets using the shortest path. The reality is that the Internet will deliver packets according to ISPs’ policies.

slide-19
SLIDE 19

Latency Reduction

ISPs’ routing policies differ from shortest- path where there’s an economic incentive to deliver by a longer path.

slide-20
SLIDE 20

ISPs’ Economic Incentives (Grossly Simplified)

ISPs have high cost to deliver traffic through transit. ISPs have a low cost to deliver traffic through their peering. ISPs receive money when they deliver traffic to their customers.

slide-21
SLIDE 21

ISPs’ Economic Incentives (Grossly Simplified)

Therefore, ISPs will deliver traffic to a customer across a longer path, before by peering or transit across a shorter path. If you are both a customer, and a customer of a peer or transit provider, this has important implications.

slide-22
SLIDE 22

Normal Hot-Potato Routing

Anycast Instance West Anycast Instance East Exchange Point West Exchange Point East Transit Provider Green If the anycast network is not a customer of large Transit Provider Red... ...but is a customer of large Transit Provider Green... Transit Provider Red

slide-23
SLIDE 23

Normal Hot-Potato Routing

Anycast Instance West Anycast Instance East Exchange Point West Exchange Point East Transit Provider Green Traffic from Red’s customer... Transit Provider Red Red Customer East

slide-24
SLIDE 24

Transit Provider Red

Normal Hot-Potato Routing

Anycast Instance West Anycast Instance East Exchange Point West Exchange Point East Transit Provider Green Red Customer East ...then traffic from Red’s customer... ...is delivered from Red to Green via local peering, and reaches the local anycast instance.

slide-25
SLIDE 25

How the Conflict Plays Out

Anycast Instance West Anycast Instance East Transit Provider Red Exchange Point West Exchange Point East Transit Provider Green But if the anycast network is a customer of both large Transit Provider Red... ...and of large Transit Provider Green, but not at all locations...

slide-26
SLIDE 26

How the Conflict Plays Out

Anycast Instance West Anycast Instance East Exchange Point West Exchange Point East Transit Provider Green ...then traffic from Red’s customer... ...will be misdelivered to the remote anycast instance... Red Customer East

slide-27
SLIDE 27

How the Conflict Plays Out

Anycast Instance West Anycast Instance East Exchange Point West Exchange Point East Transit Provider Green ...then traffic from Red’s customer... ...will be misdelivered to the remote anycast instance, because a customer connection... Red Customer East

slide-28
SLIDE 28

How the Conflict Plays Out

Anycast Instance West Anycast Instance East Exchange Point West Exchange Point East Transit Provider Green ...then traffic from Red’s customer... ...will be misdelivered to the remote anycast instance, because a customer connection is preferred for economic reasons over a peering connection. Red Customer East

slide-29
SLIDE 29

Resolve the Conflict

Anycast Instance West Anycast Instance East Exchange Point West Exchange Point East

Any two instances of an anycast service IP address must have the same set of large transit providers at all locations.

This caution is not necessary with small transit providers who don’t have the capability of backhauling traffic to the wrong region on the basis of policy.

Transit Provider Red Transit Provider Green

slide-30
SLIDE 30

Putting the Pieces Together

  • We need an A Cloud and a B Cloud.
  • We need a redundant pair of the same transit

providers at most or all instances of each cloud.

  • We need a redundant pair of hidden masters for

the DNS servers.

  • We need a network topology to carry control and

synchronization traffic between the nodes.

slide-31
SLIDE 31

Redundant Hidden Masters

slide-32
SLIDE 32

An A Cloud and a B Cloud

slide-33
SLIDE 33

A Network Topology

“Dual Wagon-Wheel”

A Ring B Ring

slide-34
SLIDE 34

Redundant Transit

Two ISPs

ISP Red ISP Green

slide-35
SLIDE 35

Redundant Transit

ISP Blue ISP Yellow

Or four ISPs

ISP Red ISP Green

slide-36
SLIDE 36

Local Peering

IXP IXP IXP IXP IXP IXP IXP IXP IXP IXP

slide-37
SLIDE 37

Resolver-Based Fail-Over

Customer Resolver Server Selection Customer Resolver Server Selection

slide-38
SLIDE 38

Resolver-Based Fail-Over

Customer Resolver Server Selection Customer Resolver Server Selection

slide-39
SLIDE 39

Internal Anycast Fail-Over

Customer Resolver Customer Resolver

slide-40
SLIDE 40

Global Anycast Fail-Over

Customer Resolver Customer Resolver

slide-41
SLIDE 41

Unicast Attack Effects

Distributed Denial-of- Service Attackers

Traditional unicast server deployment...

slide-42
SLIDE 42

Unicast Attack Effects

Distributed Denial-of- Service Attackers

Traditional unicast server deployment... ...exposes all servers to all attackers.

slide-43
SLIDE 43

Unicast Attack Effects

Distributed Denial-of- Service Attackers Blocked Legitimate Users

Traditional unicast server deployment... ...exposes all servers to all attackers, leaving no resources for legitimate users.

slide-44
SLIDE 44

Anycast Attack Mitigation

Distributed Denial-of- Service Attackers

slide-45
SLIDE 45

Anycast Attack Mitigation

Distributed Denial-of- Service Attackers Impacted Legitimate Users

slide-46
SLIDE 46

Anycast Attack Mitigation

Distributed Denial-of- Service Attackers Unaffected Legitimate Users Impacted Legitimate Users

slide-47
SLIDE 47

Copies of this presentation can be found in PDF and QuickTime formats at: https:// pch.net / resources / papers / dns-service-architecture Bill Woodcock Research Director Packet Clearing House woody@pch.net

Thanks, and Questions?

slide-48
SLIDE 48

Packet Clearing House

Overview of PCH DNS Anycast Service and Infrastructure

Bill Woodcock March, 2016

slide-49
SLIDE 49

Packet Clearing House

Overall Topology

slide-50
SLIDE 50

Packet Clearing House

Registry

Overall Topology

Hidden Master Hidden Master

slide-51
SLIDE 51

Packet Clearing House

Registry

Overall Topology

Hidden Master Hidden Master Intake Slave Intake Slave Intake Slave Outbound Master Outbound Master Outbound Master PCH

slide-52
SLIDE 52

Packet Clearing House

Registry

Overall Topology

Hidden Master Hidden Master Intake Slave Intake Slave Intake Slave Anycast Node Anycast Node Anycast Node Anycast Node

...

Outbound Master Outbound Master Outbound Master PCH

slide-53
SLIDE 53

Packet Clearing House

Registry

Overall Topology

Hidden Master Hidden Master Intake Slave Intake Slave Intake Slave DNSSEC Signing Infrastructure Anycast Node Anycast Node Anycast Node Anycast Node

...

Outbound Master Outbound Master Outbound Master PCH

slide-54
SLIDE 54

Packet Clearing House

Registry

Overall Topology

Hidden Master Hidden Master Intake Slave Intake Slave Intake Slave Measurement Slave Measurement Slave Measurement Probe Measurement Probe DNSSEC Signing Infrastructure Anycast Node Anycast Node Anycast Node Anycast Node

...

Outbound Master Outbound Master Outbound Master PCH

slide-55
SLIDE 55

Packet Clearing House

130 Locations

slide-56
SLIDE 56

Packet Clearing House

Anycast Node Construction

135 locations at the moment, adding a new

  • ne about every ten days.

70% are “small” 250Mbps 20% are “medium” 20-60Gbps 10% are “large” 60-120Gbps All installations are preconfigured. Small are self-installed by the local host, while medium and large are installed by PCH staff.

slide-57
SLIDE 57

Packet Clearing House

Small (70%)

Cisco 2921 Router 250Mbps throughput Internally-integrated Cisco UCS-E160D-M2 x86 server 64GB RAM, 2x 1TB SATA drives 2Gbps peering 1Gbps transit

All-in-one enclosure, ships preconfigured in a single shipping crate, requires only three patch cords and one power cord to bring up.

slide-58
SLIDE 58

Packet Clearing House

Medium (20%)

Cisco ASR9001 Router Two Cisco UCSC-C220-M4S x86 servers 768GB RAM, 8x 1TB SAS drives 10-40Gbps peering 10-20Gbps transit Cisco Nexus 3548 10Gbps Switch

slide-59
SLIDE 59

Packet Clearing House

Large (10%)

Cisco ASR9006 Router 3x-8x Cisco UCSC-C220-M4S x86 servers 768GB RAM 8x 1TB SAS drives 40-80Gbps peering 20-40Gbps transit Cisco Nexus 9396 10/40Gbps Switch

slide-60
SLIDE 60

Packet Clearing House

Making Our Own Bandwidth

Essentially all Internet bandwidth (more than 98%) is produced by “peering” in Internet Exchange Points. Bandwidth is transported from IXPs to the point of consumption, increasing in cost, and suffering loss and latency along the way. This is called “transit.” Unlike other DNS service providers, we are not dependent upon transit. We serve data exclusively from within IXPs, producing essentially all of our own bandwidth at higher quality and lower cost.

slide-61
SLIDE 61

Packet Clearing House

Nondiscriminatory Access

Other DNS service providers dependency upon transit makes registries’ zone data a pawn in local transit politics. By contrast, through our open peering, PCH makes the zones of the registries we serve equally available to all networks and users at no cost. We already have nearly 8,000 direct connections with other networks in 130 locations on six continents, and add more every day.

slide-62
SLIDE 62

Packet Clearing House

New Zone Autoconfiguration

From trusted registries, over authenticated transport, we autoconfigure new zones. If we see an update pertaining to a zone that we’re not configured for, we automatically configure that zone across our infrastructure. If the zone goes stale, we check whether it’s delegated to our servers from the root. If not, we deconfigure it and stop serving it.

slide-63
SLIDE 63

Packet Clearing House

AXFR to IXFR

When registries serve us zone data via AXFR

  • r we perform a DNSSEC full-zone signing,

we convert to IXFR within our infrastructure,

  • ptimizing performance, particularly to our

remotest anycast nodes.

slide-64
SLIDE 64

Bill Woodcock Executive Director Packet Clearing House woody@pch.net

Thanks, and Questions?