All,

With the recent announcement of Google's public DNS servers, I am worried about operators of CDNs who may rely on DNS queries for geo-location (Akamai comes to mind). Today it is reasonable to assume DNS queries from ISP1's name servers (or address block in general) are probably from a client within the ISP1 network. With public DNS servers it gets a whole pile harder.

An issue I saw first hand was when I had statically set my DNS resolvers to ISP1's servers and then changed to ISP2. For many months everything went okay, but then one day iTunes stopped working. It was not that ISP2 was blocking access to their DNS resolvers, but that the Akamai cluster that queries to the ISP2 resolvers resolved to was not advertised into the ISP1 network (rightly or wrongly). More importantly, ISP1 had Akamai servers of their own which I had been bypassing.

I think this is something for the community to carefully consider, especially given how CDNs like Akamai can dramatically reduce traffic across peering links for a number of NZ ISPs. I'm not trying to condone the idea of public DNS servers or comment on the motivation behind Google and others operating them, but just focus on the impacts.

Does anyone else see a cause for concern?

-David M
David

At 08:32 p.m. 12/12/2009, you wrote:

> All,
>
> With the recent announcement of Google's public DNS servers, I am worried about operators of CDNs who may rely on DNS queries for geo-location (Akamai comes to mind). Today it is reasonable to assume DNS queries from ISP1's name servers (or address block in general) are probably from a client within the ISP1 network. With public DNS servers it gets a whole pile harder.

Akamai does use DNS resolvers as a part of its CDN. Others tend to use anycast routing. It is more popular as it is more direct, rather than waiting on DNS responses and traffic hand-offs. I wouldn't say Akamai is alone, but most newer CDNs use anycast.

> I think this is something for the community to carefully consider, especially given how CDNs like Akamai can dramatically reduce traffic across peering links for a number of NZ ISPs. I'm not trying to condone the idea of public DNS servers or comment on the motivation behind Google and others operating them, but just focus on the impacts.
>
> Does anyone else see a cause for concern?

Most holders of large or valuable content use two geo-fencing techniques. After the initial connection, there's often one coded into the player, looking at giveaway clues on your PC. DRM systems also have their own methods of geo tracking. So on a typical site you may have 3 systems checking you out. And it's known that there is "leakage".

Richard
On Sat, 12 Dec 2009, Richard Naylor wrote:

> At 08:32 p.m. 12/12/2009, David wrote:
>
>> Today it is reasonable to assume DNS queries from ISP1's name servers (or address block in general) are probably from a client within the ISP1 network. With public DNS servers it gets a whole pile harder.

Well that's not always the case, especially with outsourced DSL etc. I seem to also remember that the routing policy for Xtra's DNS servers was different from that of some of the DSL networks (probably due to the Xtra vs Telecom split) at one point, though last time I looked they were fairly similar. I think the big advantage is that as long as the ISP's DNS is reliable and they don't start doing funny stuff like NXDOMAIN hijacking, then customers will get a better experience by just leaving things on default and getting their settings automatically. Both Google and OpenDNS have their nearest servers hundreds of milliseconds away, so people using them will get a worse experience, which should discourage people from using them.

> Akamai does use DNS resolvers as a part of its CDN. Others tend to use anycast routing. It is more popular as it is more direct, rather than waiting on DNS responses and traffic hand-offs. I wouldn't say Akamai is alone, but most newer CDNs use anycast.

To tell the truth I got the opposite impression last time I looked at the top 20 vendors. A couple of them are using anycast, but I got the impression that GSLB was preferred due to greater ability to fine-tune delivery and reduced build costs.

Actually when it comes to CDNs the lack of choice in NZ is pretty bad[1]. AFAIK Citylink and Akamai are the only ones with any NZ based servers (and Citylink has limited coverage), although I have heard some rumors.

Anyway I'll make the assumption that everyone here checks their traffic sources regularly, and if having (say) an EC2 node here would save you 6 figures per month you'd have already called Amazon and offered them a spare rack or two..

[1] - Not many in Australia either

--
Simon Lyall | Very Busy | Web: http://www.darkmere.gen.nz/
"To stay awake all night adds a day to your life" - Stilgar | eMT.
Should have put a disclaimer that my employer operates/owns a CDN (not that I'm directly involved).

>> Akamai does use DNS resolvers as a part of its CDN. Others tend to use anycast routing. It is more popular as it is more direct, rather than waiting on DNS responses and traffic hand-offs. I wouldn't say Akamai is alone, but most newer CDNs use anycast.
>
> To tell the truth I got the opposite impression last time I looked at the top 20 vendors. A couple of them are using anycast, but I got the impression that GSLB was preferred due to greater ability to fine-tune delivery and reduced build costs.

I agree with Simon, there are some very clear benefits to using DNS alongside anycast. Control is a huge problem with anycast: it's all or nothing, and you are not always sure what you're going to get before you start advertising. Load-balancing is not possible among the sites, only within them.

If we are discussing popularity, it's fair to say that Akamai are by far the most popular and will be impacted. NZ ISPs who host Akamai servers could also be negatively impacted. I wanted to ensure people are aware of the issues associated with using a third-party resolver, and may even take the opportunity to have a good look at their current resolvers to ensure they are performing.

The issue Google are highlighting as the "most dominant cause of DNS latency" is cache miss. How many of us have really looked at the hit/miss ratio in BIND, or considered how load-balancing/anycasting to DNS resolvers can reduce the hit rate? Is anyone implementing BIND forwarding to try and obtain a larger cache? For example, if you have anycast resolvers deployed around your network they will maintain their own local cache - by setting forward-only and then directing the query traffic to site-wide caches which do full recursion at the head of the network, you get the benefit of local caching and load balancing and (hopefully) an increase in the hit rate within your network.

In the case of the Google DNS service, the product manager says "We are continuing to work with other companies and individuals on possible solutions." to the problem of CDN GSLB (full text here: http://groups.google.com/group/public-dns-discuss/msg/1bb9feb0922ff585 ). I'm not holding my breath.

-d
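The two-tier layout described above (anycast edge resolvers set to forward-only, site-wide caches doing full recursion), as an added example in BIND 9 named.conf syntax; it is not configuration from the thread or from any ISP mentioned, and every address in it is constructed.

```conf
# File 1: named.conf on each anycast EDGE resolver.
# Constructed addresses: 10.0.0.53 is the anycast service address handed to
# customers by DHCP; 10.254.0.0/24 holds the edges' own unicast addresses;
# 10.255.0.1 and 10.255.0.2 are the site-wide recursive caches at the head end.
options {
    directory "/var/cache/bind";
    listen-on { 10.0.0.53; };                  # anycast address announced from every edge site
    recursion yes;
    allow-query { 10.0.0.0/8; };               # customer space only, so this is never an open resolver
    allow-query-cache { 10.0.0.0/8; };
    forward only;                              # misses go to the head-end caches, never to the roots
    forwarders { 10.255.0.1; 10.255.0.2; };
    max-cache-size 512M;                       # local cache keeps repeat hits at the edge
};

# File 2: named.conf on each HEAD-END cache (the only tier that talks to authoritative servers).
options {
    directory "/var/cache/bind";
    listen-on { 10.255.0.1; };
    recursion yes;
    allow-recursion { 10.254.0.0/24; };        # only the edge resolvers may recurse through here
    allow-query { 10.254.0.0/24; };
    max-cache-size 4G;                         # one large shared cache fed by all edges
};
```

With `forward only`, an edge that cannot reach either head-end cache returns SERVFAIL rather than recursing on its own, so monitor the forwarders; `forward first` would instead fall back to direct recursion, at the cost of sending that miss past the shared cache.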
Participants (3): David Miles, Richard Naylor, Simon Lyall