Bit of an off-topic request. Does anyone have any stats on Recursive DNS appliances (infoblox etc) vs Bind on a server? Has anyone actually seen real life improvements?

From: nznog-bounces(a)list.waikato.ac.nz [mailto:nznog-bounces(a)list.waikato.ac.nz] On Behalf Of Perry Lorier
Sent: Sunday, 13 June 2010 2:22 p.m.
To: NZNOG List
Subject: [nznog] New Zealand DNS Performance

After the discussion a few weeks back about DNS performance, I asked one of my colleagues, Brendon Jones, to add DNS performance to the gTLD/Root servers to our Active Measurement Platform (AMP), which is already monitoring the .nz nameservers. These have now had a while to collect some data and show a fairly interesting (and IMHO pretty) visualisation of New Zealand's DNS performance.

* http://erg.cs.waikato.ac.nz/amp/matrix.php/latency/NZ/NZ+DNS

For starters, we've in the past measured performance to the .nz ccTLD name servers to track their performance within New Zealand. This shows a pretty healthy coverage for .nz. Full marks to all the people who have done the hard work to make this happen.

* http://erg.cs.waikato.ac.nz/amp/matrix.php/hops/NZ/NZ+DNS

This in comparison shows how many hops we see in a traceroute to the .nz ccTLD servers. All the New Zealand name servers are firewalled in such a way we can't get an accurate count, but this at least provides a lower bound. You can see people who don't peer at WIX don't see the near instance of ns7..

* http://erg.cs.waikato.ac.nz/amp/matrix.php/latency/NZ/root+DNS
* http://erg.cs.waikato.ac.nz/amp/matrix.php/hops/NZ/root+DNS

Second up, we added a test to all of our measurement points to the Root Servers. This shows quite distinctively that there are several places in New Zealand whose peering policy means that they don't see some, or in the case of Otago Uni's CS Dept, any, New Zealand based instances. vuw interestingly doesn't appear to be able to contact any f.root instance at all.
New Zealand seems to be fairly well covered with F, I, J and even a fairly close K root.

* http://erg.cs.waikato.ac.nz/amp/matrix.php/latency/NZ/gtld+DNS
* http://erg.cs.waikato.ac.nz/amp/matrix.php/hops/NZ/gtld+DNS

This shows the same visualisation to all of the gTLD servers. This shows a much more unhappy view of New Zealand. Our monitoring points are quite biased towards universities which generally prefer KAREN, which has poor coverage (which appears to be due to KAREN's policies) and thus show very poor numbers. However it doesn't paint a particularly rosy picture for much of the rest of New Zealand either, with Maxnet and TheLoop also failing to find any instances anywhere near New Zealand at all.

* http://erg.cs.waikato.ac.nz/amp/matrix.php/latency/NZ/afilias+DNS
* http://erg.cs.waikato.ac.nz/amp/matrix.php/hops/NZ/afilias+DNS

Afilias provide nameserving for several zones including .org/.mobi and so on. Right this instant TelstraClear doesn't appear to be able to get to b0.org.afilias-nst.org (http://erg.cs.waikato.ac.nz/amp/graph.php?src=NZ&dst=b0.org.afilias-nst.org) at all, so again many of the universities show failures, although this time it doesn't appear to be routing issues with KAREN.

Also, just as we were setting up collecting some test data (but unfortunately not traceroute data), KAREN coincidentally had a major outage in Hamilton which impacted the University of Waikato. This let us see what happens when KAREN's routes aren't available: (See? Unscheduled outages /can/ have an upside!)
http://erg.cs.waikato.ac.nz/amp/graph.php?src=ampz-waikato&dst=b.root-servers.net&rge=1-day&date=2010-05-25
http://erg.cs.waikato.ac.nz/amp/graph.php?src=ampz-waikato&dst=e.root-servers.net&rge=1-day&date=2010-05-25
http://erg.cs.waikato.ac.nz/amp/graph.php?src=ampz-waikato&dst=j.root-servers.net&rge=1-day&date=2010-05-25
http://erg.cs.waikato.ac.nz/amp/graph.php?src=ampz-waikato&dst=k.root-servers.net&rge=1-day&date=2010-05-25

This shows that if we don't have KAREN routes available, then our performance to b, e, j and k root *improves*. Sigh. Also our performance to F root degrades as our commodity internet connection suddenly has to handle the additional load:

http://erg.cs.waikato.ac.nz/amp/graph.php?src=ampz-waikato&dst=f.root-servers.net&rge=1-day&date=2010-05-25

So, all in all, New Zealand's DNS Performance is better than I had seen (my two measurement points inside Waikato University and Rurallink were two of the worst to choose from; Rurallink doesn't yet host an AMP node so doesn't appear here).

Hopefully KAREN will in the future consider hosting/peering directly with at least a root server, and NZ ccTLD server, so if a university's commodity connection falls over then you can still resolve (and therefore create new connections to) other research institutions.

KAREN could either start not accepting "scenic" routes from other R&E networks for other anycast instances of Root/gTLD/ccTLD servers, or provide access to them via less amusing routes by increasing their peering.

People who don't peer at WIX miss out on the instances hosted there. If you're not peering, some of your customers are getting slower results for DNS lookups than necessary, making web pages take longer to load, and thus your service appear to be slower. Yet another reason to improve your peering.

Ideas and comments welcomed!