Tier-1s break Anycast DNS Zhihao Li, Neil Spring D-Root: - - PowerPoint PPT Presentation

Tier-1’s break Anycast DNS

Zhihao Li, Neil Spring

D-Root: 199.7.91.13

• 111 Anycast replicas:
• 19 global (red): advertised without restriction
• 92 local (black): advertised one hop in BGP

Anycast

• Mental model:
• Packets sent to an anycast address travel to the nearest*

replica, subject to global/local constraints.

• More replicas should mean lower latency, better

distribution, reliability against denial-of-service attacks.

Anycast

• Mental model:
• Packets sent to an anycast address travel to the nearest*

replica, subject to global/local constraints.

• More replicas should mean lower latency, better

distribution, reliability against denial-of-service attacks.

Reality

Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec

2015 - 2016

500 1000 1500 2000

Average miles per query traveled

Actual average distance Distance to nearest global replica Distance to nearest replica

• 4-5x optimal delay (to a local), 2x expected (nearest global)

Reality

• Despite doubling the number of (local) replicas

Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec 500 1000 1500 2000

Average miles per query traveled

Actual average distance Distance to nearest global replica Distance to nearest replica Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec

2015 - 2016

20 40 60 80 100

# Replicas

All Global

Reality

• 80% of queries should take under 1000 miles (16ms RTT)
• 50% are traveling farther.

2000 4000 6000 8000 10000

Miles per query traveled, Oct 1 2016

20 40 60 80 100

CDF

Distance to nearest replica Distance to nearest global replica Actual average distance

Reality

• Same data, first week in Oct 2016, log scale x-axis.
• Even when there’s a global replica in your city…

1 10 100 1000 10000

Miles per query traveled, Oct 1 2016

20 40 60 80 100

CDF

Distance to nearest replica Distance to nearest global replica Actual average distance

How do we fix it?

• More sites?
• More peerings?
• Better policies?
• Make local replicas global?
• What if ISPs chose cleverly from their providers?
• Pathological behavior must be atypical, right?
• Is it even broken?

Similar observations

• Anycast Latency: How Many Sites Are Enough?

Schmidt, Heidemann, Kuipers

• Used Atlas probes (not traces) to look at C, F,

K, L root.

• More sites doesn’t correlate with lower latency
• Making local sites global didn’t help K

It’s the tier-1’s

(I think)

Source (resolver) location

• For addresses originated by Tier 1’s, what is their nearest
• replica. Intensity by query volume.

UUNET QWEST TELIANET COGENT OPENTRANSIT DTAG LEVEL3 SEABONE KPN TELEFONICA ATT XO GTT ZAYO SPRINTLINK TATA NTT

sewa paca bbca laca chil atga mifl abva mcva cpmd nyny louk zuch ffde viat sgsg hkcn tojp sewa paca bbca laca chil atga mifl abva mcva cpmd nyny louk zuch ffde viat sgsg hkcn tojp Global replicas 0.5 1 Client portion

Request destination

• For addresses originated by Tier 1’s, what is their chosen
• replica. Intensity by query volume.

UUNET QWEST TELIANET COGENT OPENTRANSIT DTAG LEVEL3 SEABONE KPN TELEFONICA ATT XO GTT ZAYO SPRINTLINK TATA NTT

sewa paca bbca laca chil atga mifl abva mcva cpmd nyny louk zuch ffde viat sgsg hkcn tojp sewa paca bbca laca chil atga mifl abva mcva cpmd nyny louk zuch ffde viat sgsg hkcn tojp Global replicas 0.5 1 Query portion

Would you like to see them again?

Often McLean, VA.

• Traffic from tier-1 address space can arrive on other replicas,

but generally does not.

UUNET QWEST TELIANET COGENT OPENTRANSIT DTAG LEVEL3 SEABONE KPN TELEFONICA ATT XO GTT ZAYO SPRINTLINK TATA NTT

sewa paca bbca laca chil atga mifl abva mcva cpmd nyny louk zuch ffde viat sgsg hkcn tojp sewa paca bbca laca chil atga mifl abva mcva cpmd nyny louk zuch ffde viat sgsg hkcn tojp Global replicas

UUNET QWEST TELIANET COGENT OPENTRANSIT LEVEL3 SEABONE TELEFONICA ATT GTT SPRINTLINK TATA NTT

sewa paca bbca laca chil atga mifl abva mcva cpmd nyny louk zuch ffde viat sgsg hkcn tojp sewa paca bbca laca chil atga mifl abva mcva cpmd nyny louk zuch ffde viat sgsg hkcn tojp Global replicas 0.5 1 Query portion

Could just be us.

Could just be us.

No.

Could just be us.

No. This time using RIPE Atlas data, same Oct 1, 2016. Now counting vantage points whose queries transit a tier-1 (since we have traceroutes) instead of queries received.

A-Root

• Better. Notably, DTAG sends to London, not Frankfurt.

SPRINTLINK QWEST KPN DTAG UUNET ATT LGI XO ZAYO GTT LEVEL3 TELEFONICA SEABONE OPENTRANSIT TATA TELIANET COGENT NTT

lax nyc lon fra hkg lax nyc lon fra hkg

Global replicas

LGI

lax nyc lon fra hkg lax nyc lon fra hkg

Global replicas 0.5 1 Query portion

C-Root

• The best at matching tier-1-carried queries to a nearby site.

KPN DTAG TELEFONICA SEABONE LGI ZAYO OPENTRANSIT QWEST GTT ATT TATA SPRINTLINK UUNET LEVEL3 XO NTT TELIANET COGENT

lax

• rd

iad jfk mad par fra bts lax

• rd

iad jfk mad par fra bts

Global replicas

KPN TELEFONICA SEABONE LGI OPENTRANSIT QWEST GTT ATT TATA SPRINTLINK UUNET LEVEL3 NTT TELIANET COGENT

lax

• rd

iad jfk mad par fra bts lax

• rd

iad jfk mad par fra bts

Global replicas 0.5 1 Query portion

E-Root

• Similar to D in that northern Virginia is preferred, despite

Paris, Frankfurt, London query sources.

KPN DTAG UUNET TELIANET SEABONE LEVEL3 TELEFONICA OPENTRANSIT SPRINTLINK LGI ZAYO GTT COGENT ATT XO TATA NTT

pao sfo bur

• rd

atl mia iad lga lhr cdg fra qpg syd pao sfo bur

• rd

atl mia iad lga lhr cdg fra qpg syd

Global replicas

LEVEL3 LGI

pao sfo bur

• rd

atl mia iad lga lhr cdg fra qpg syd pao sfo bur

• rd

atl mia iad lga lhr cdg fra qpg syd

Global replicas 0.5 1 Query portion

F-Root

• Mostly European RIPE probes served by Chicago despite an

Amsterdam replica.

QWEST OPENTRANSIT KPN COGENT DTAG GTT ATT SPRINTLINK TATA UUNET XO ZAYO TELEFONICA TELIANET NTT LEVEL3 LGI SEABONE

pao

• rd

atl lga ams pao

• rd

atl lga ams

Global replicas

QWEST OPENTRANSIT KPN COGENT GTT ATT SPRINTLINK TATA UUNET TELEFONICA TELIANET NTT LEVEL3 LGI SEABONE

pao

• rd

atl lga ams pao

• rd

atl lga ams

Global replicas 0.5 1 Query portion

i-Root

• Still picking just one server, not typically the server with the

most clients.

XO KPN QWEST GTT TELEFONICA LEVEL3 SEABONE ZAYO UUNET OPENTRANSIT DTAG TELIANET TATA NTT COGENT ATT LGI

sox chi mia ash was mtv poa lon par amx lnx gva dex mln

• sl

gur wie sth lul rig tll fix rox jnb rwx spb ukx ank yan bah qtr dbi khi mum kat thi bkx ula sin hkx prt bnx mix tai tok vux wel sox chi mia ash was mtv poa lon par amx lnx gva dex mln

• sl

gur wie sth lul rig tll fix rox jnb rwx spb ukx ank yan bah qtr dbi khi mum kat thi bkx ula sin hkx prt bnx mix tai tok vux wel

Global replicas

LEVEL3 LGI

sox chi mia ash was mtv poa lon par amx lnx gva dex mln

• sl

gur wie sth lul rig tll fix rox jnb rwx spb ukx ank yan bah qtr dbi khi mum kat thi bkx ula sin hkx prt bnx mix tai tok vux wel sox chi mia ash was mtv poa lon par amx lnx gva dex mln

• sl

gur wie sth lul rig tll fix rox jnb rwx spb ukx ank yan bah qtr dbi khi mum kat thi bkx ula sin hkx prt bnx mix tai tok vux wel

Global replicas 0.5 1

J-Root

• Fairly good, although preference for “tpe” despite no clients.

DTAG LGI KPN TELIANET COGENT TATA SPRINTLINK TELEFONICA UUNET ATT SEABONE QWEST GTT ZAYO XO OPENTRANSIT LEVEL3 NTT

yvr sfo sea dfw eau

• rd

btl atl sjo ilg mia iad cbb sju rao aju cpv jpa rkv mad lgw par ams lju arn cpt waw sof kun rix tll led wil evn kwi bom mle del dac dmk iph sin pek tpe tbh sel hnd gum mel wlg yvr sfo sea dfw eau

• rd

btl atl sjo ilg mia iad cbb sju rao aju cpv jpa rkv mad lgw par ams lju arn cpt waw sof kun rix tll led wil evn kwi bom mle del dac dmk iph sin pek tpe tbh sel hnd gum mel wlg

Global replicas

LGI TELIANET COGENT TATA SPRINTLINK TELEFONICA UUNET ATT SEABONE QWEST GTT OPENTRANSIT LEVEL3 NTT

yvr sfo sea dfw eau

• rd

btl atl sjo ilg mia iad cbb sju rao aju cpv jpa rkv mad lgw par ams lju arn cpt waw sof kun rix tll led wil evn kwi bom mle del dac dmk iph sin pek tpe tbh sel hnd gum mel wlg yvr sfo sea dfw eau

• rd

btl atl sjo ilg mia iad cbb sju rao aju cpv jpa rkv mad lgw par ams lju arn cpt waw sof kun rix tll led wil evn kwi bom mle del dac dmk iph sin pek tpe tbh sel hnd gum mel wlg

Global replicas 0.5 1

K-Root

• Looks a bit like D.

SPRINTLINK KPN OPENTRANSIT TELEFONICA DTAG ZAYO LGI GTT UUNET XO QWEST TELIANET ATT COGENT SEABONE TATA NTT LEVEL3 us-rno us-sgu us-mkc cr-sjo us-mia us-ric uy-mvd is-rey gb-lon fr-par nl-ams ch-gva de-kae ch-zrh de-fra it-mil cz-prg at-vie pl-poz pl-gdy hu-bud rs-beg bg-sof gr-ath lv-rix fi-hel za-jnb ru-led lb-bey ru-mow am-evn am-abo ir-thr in-bom kz-plx jp-tyo au-bne us-rno us-sgu us-mkc cr-sjo us-mia us-ric uy-mvd is-rey gb-lon fr-par nl-ams ch-gva de-kae ch-zrh de-fra it-mil cz-prg at-vie pl-poz pl-gdy hu-bud rs-beg bg-sof gr-ath lv-rix fi-hel za-jnb ru-led lb-bey ru-mow am-evn am-abo ir-thr in-bom kz-plx jp-tyo au-bne

Global replicas

SPRINTLINK KPN OPENTRANSIT TELEFONICA DTAG ZAYO LGI GTT UUNET XO QWEST TELIANET ATT COGENT SEABONE TATA NTT LEVEL3 us-rno us-sgu us-mkc cr-sjo us-mia us-ric uy-mvd is-rey gb-lon fr-par nl-ams ch-gva de-kae ch-zrh de-fra it-mil cz-prg at-vie pl-poz pl-gdy hu-bud rs-beg bg-sof gr-ath lv-rix fi-hel za-jnb ru-led lb-bey ru-mow am-evn am-abo ir-thr in-bom kz-plx jp-tyo au-bne us-rno us-sgu us-mkc cr-sjo us-mia us-ric uy-mvd is-rey gb-lon fr-par nl-ams ch-gva de-kae ch-zrh de-fra it-mil cz-prg at-vie pl-poz pl-gdy hu-bud rs-beg bg-sof gr-ath lv-rix fi-hel za-jnb ru-led lb-bey ru-mow am-evn am-abo ir-thr in-bom kz-plx jp-tyo au-bne

Global replicas 0.5 1 Query portion

L-Root

• Many global replicas (like i), not often choosing nearby

replicas

Global replicas

apw hnl anc ppt yvr pdx sea sjc rno lax phx den mty ywg lwc sal

• rd

azo atl sjo mia yyz ytz uio ilg iad lim yow bog scl sdq ccs cbb sju eze asu mvd poa ldb bfh fln bel udi bsb vcp gru sjk cnf sdu for ssa nat dkr

• po

cmn byk abj dnd lba lcy rcs bcn cdg

• ry

bru ams lys mrs gva dus dtm ham tun

• sl

flr cph mmx prg bts arn cpt beg sof her msq jnb ist kbp

• ds

esb blz bey amm hrk svo jed dar rov sah evn ruh kwi gyd dmm bah dxb run sez mru mct svx bom isb lhe plx ccu mdl rgn bkk jkt jog per pek mnl icn hnd gum meb pom syd bne pni hir nou maj chc akl nan suv apw hnl anc ppt yvr pdx sea sjc rno lax phx den mty ywg lwc sal

• rd

azo atl sjo mia yyz ytz uio ilg iad lim yow bog scl sdq ccs cbb sju eze asu mvd poa ldb bfh fln bel udi bsb vcp gru sjk cnf sdu for ssa nat dkr

• po

cmn byk abj dnd lba lcy rcs bcn cdg

• ry

bru ams lys mrs gva dus dtm ham tun

• sl

flr cph mmx prg bts arn cpt beg sof her msq jnb ist kbp

• ds

esb blz bey amm hrk svo jed dar rov sah evn ruh kwi gyd dmm bah dxb run sez mru mct svx bom isb lhe plx ccu mdl rgn bkk jkt jog per pek mnl icn hnd gum meb pom syd bne pni hir nou maj chc akl nan suv

Global replicas

apw hnl anc ppt yvr pdx sea sjc rno lax phx den mty ywg lwc sal

• rd

azo atl sjo mia yyz ytz uio ilg iad lim yow bog scl sdq ccs cbb sju eze asu mvd poa ldb bfh fln bel udi bsb vcp gru sjk cnf sdu for ssa nat dkr

• po

cmn byk abj dnd lba lcy rcs bcn cdg

• ry

bru ams lys mrs gva dus dtm ham tun

• sl

flr cph mmx prg bts arn cpt beg sof her msq jnb ist kbp

• ds

esb blz bey amm hrk svo jed dar rov sah evn ruh kwi gyd dmm bah dxb run sez mru mct svx bom isb lhe plx ccu mdl rgn bkk jkt jog per pek mnl icn hnd gum meb pom syd bne pni hir nou maj chc akl nan suv

Why is D-Root not distributed?

• ‘mcva’ and ‘cpmd’ are announced through

UMD / MAX-Gigapop, which peers with Quest, Telia, Level3. Other replicas are announced by Packet Clearing House (PCH).

• Some Tier-1 ISPs peer only with UMD, thus

route queries only to ‘mcva’ and ‘cpmd’.

Why is C-Root so good?

• C is operated by Cogent, another Tier-1
• Expect other tier-1’s peer with Cogent widely
• Expect their early-exit-ed queries to go

immediately to Cogent, and reach the nearest replica

• rd

• rd

• rd

• rd

So how can anycast improve?

• Do we bug tier-1 operators?
• Do we assume it’s no big deal since PowerDNS

will pick among the 13?

• Do we spend resources elsewhere?

(Pretending that my affiliation with Maryland makes me vaguely responsible for administering this resource)