
DNS Anycast Addressing

Timothy Rooney

Nov 04, 2024

The term “anycast” refers to an IP address assigned to a set of interfaces (usually belonging to different nodes), any one of which can be the intended recipient. Anycast addresses are assigned from the same address space from which unicast addresses have been allocated. Thus, unlike private or multicast address space, one cannot visually differentiate a unicast address from an anycast address.

Anycast Routing

An IP packet destined for an anycast address is routed to the nearest network interface (according to routing table metrics) configured with the anycast address. The idea is that the sender need not be concerned with which particular DNS server receives the packet, just as long as one of those servers using the anycast address receives it and responds.

From the perspective of the DNS client, the operating system resolver service that performs DNS lookups for the client can issue a query addressed to the anycast address, and the network will route the request to the nearest available DNS server configured with the anycast address. This enables the routing infrastructure to route the query to the DNS server closest to the resolver client (according to routing metrics) wherever the resolver happens to be.

Static routing enables configurable routing of DNS queries across the routing infrastructure according to the router administrator’s choice. However, if the DNS server homed on a given router fails, static routing provides no automated alternate routing. Implementation of dynamic routing on the DNS server enables advertisement of reachability to the anycast address using standard routing protocols such as Open Shortest Path First (OSPF) or Border Gateway Protocol (BGP). With dynamic routing, if the DNS server homed on one or more routers fails and stops transmitting routing updates, the routers will update their routing tables accordingly to route around the unavailability of the DNS service.

Anycast Advantages

Deploying anycast addressing for DNS provides several benefits:

• Simplified resolver configuration

• Improved resolution performance

• High availability DNS services

• Resilience from DNS denial-of-service attacks

Resolvers configured with the DNS servers’ anycast address would have their queries routed to the nearest DNS server configured with that anycast address. Regardless of where the resolver host connects to the network, the same anycast IP address may be used by the resolver to locate a DNS server. This homogenized resolver configuration also helps provide improved performance of the resolution process. A query to a DNS anycast address should be routed to the closest DNS server, thereby reducing the latency of the overall query process.

The outage of a DNS server can be communicated (by the absence of communication) to the routing infrastructure, which updates its routing tables accordingly. This requires the DNS server to run a routing daemon using the protocol of choice to communicate reachability to the local router. Participation in routing protocol updates enables the local router to update its routing table with appropriate metrics and to pass this on to other routers via the routing protocol. The DNS server simply needs to communicate that its anycast address is reachable. An even better approach ties this routing update to the status of the DNS daemon or service on the server, as our DNS appliances do, so that a host whose routing daemon is alive but whose DNS service has failed stops attracting queries. Thus, DNS queries are routed in accordance with routing protocol metrics for optimal performance and load balancing, while routing only to those servers advertising reachability.

Deploying anycast also provides mitigation against denial-of-service attacks as evidenced by the distributed-denial-of-service (DDoS) attack on multiple root servers on February 6, 2007. Of the six root servers targeted, the two most severely affected did not use anycast addressing. The other four root servers, having deployed anycast, spread the attack across more physical servers. For example, the attack on the F-root server, whose anycast IP address was deployed over forty DNS servers, was minimized by distributing the impact of the attack across these forty servers. This form of load sharing enabled the F-root server(s) to continue processing legitimate queries despite the attack.

Anycast Implementation

Anycast addressing offers several benefits, but every technology choice brings trade-offs, and no single technology offers a comprehensive solution to a given challenge. For example, configuring DNS servers with routing daemons requires additional effort, and identifying which anycast-addressed server responded to a given query for troubleshooting or cyberthreat investigations may prove challenging given the IP address ambiguity. These issues can be mitigated by deploying Cygna DDI appliances, which include routing daemons for both OSPF and BGP with simple menu-based configuration, together with our DDI Guard software, which provides DDI traffic collection and reporting, including DNS queries and responses. I invite you to contact us to learn more. For more information about anycast addressing, please read our DNS Anycast white paper and attend our upcoming webinar on November 19, 2024.