If you could make your customers’ experience with your website or ecommerce storefront faster, more reliable and more secure, wouldn’t you be all over it?
DNS is responsible for steering customers to the appropriate content as quickly as possible. DNS queries can account for 29% of initial page load time; since just 1 second can be the difference between a loyal customer and a lost one, the approach you take to DNS architecture, unicast or anycast, is critical.
Unicast: Simple but Risky
In a unicast network, there’s a one-to-one relationship between an IP address and its corresponding authoritative nameserver. DNS requests for a given IP address will always resolve to a single physical location. Because this design has been relatively easy to implement and maintain, most organizations that manage their DNS in-house utilize the unicast architecture.
But what’s easiest may not be fastest for the customer. When a user enters your URL, the resolving DNS server picks one of your DNS name servers more or less arbitrarily and uses its IP address. You have no control over which name server is selected. A user in China could be served by a name server in North America, and a user in the U.S. could be served by a name server in Asia.
In addition to performance issues, risk is a major consideration with unicast networks. In Distributed Denial of Service (DDoS) attacks, for example, attackers can direct massive amounts of traffic from anywhere in the world to each nameserver. Attacks can focus on overwhelming each location individually until all nameservers are unavailable and users are unable to access the content on your site.
As nameservers map to unique IP addresses in a unicast network, there is no redundancy in place if one of the nameservers goes offline due to either system failure or routine maintenance. This can mean dropped requests and timeouts, increased latency and degradation in customers’ experience with associated websites and services.
Anycast: Faster, More Reliable and Secure
In anycast networks, there’s a one-to-many relationship between IP addresses and their associated nameservers. Traffic to a single IP address can be distributed to different nameservers based on the origin of the requests.
By routing requests to the closest nameserver, the resolution time can be greatly reduced—visitors experience better overall performance. This effect is magnified for websites that include multiple DNS lookups for additional files and assets that need to be loaded before a page completes.
Anycast is faster, but what about security and reliability?
Anycast makes it much harder for attackers to succeed with DDoS attacks. Anycast networks direct the traffic of attacking machines to their closest nameserver (measured in network hops). If the attack comes from several areas of the globe, the traffic will become diluted among various nameservers. If the attack originates from a single location, this traffic will become effectively localized to a single nameserver, leaving the rest of the network unaffected.
In regards to reliability, anycast achieves high redundancy by distributing DNS service for each IP address across multiple nameservers. If a single nameserver goes down, that server will automatically be removed from the available routing options, and future traffic will continue to be routed to the remaining nameservers. Once service to the nameserver is restored, it can be reactivated on the network.
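The three anycast properties described above (nearest-nameserver routing, dilution of traffic that arrives from many regions, and automatic failover when a site goes down) can be seen in a small routing model. The following Python is an added example written for this page, not Dyn's code; the regions, site names and hop counts are constructed, and real networks derive these distances from BGP path selection rather than a static table.

```python
"""Toy model of anycast DNS routing.

Every nameserver site announces the same IP address; each client region is
routed to the healthy site with the fewest network hops. A unicast mapping is
included for contrast: one IP per site, so traffic to an IP always lands on
that one site regardless of where it comes from.
Added example, not Dyn's code. All regions, sites and hop counts are constructed.
"""
from collections import Counter

# Constructed hop-count table: client region -> {nameserver site: hops}.
HOPS = {
    "us-east":  {"nyc": 3,  "ams": 9,  "sin": 15},
    "eu-west":  {"nyc": 9,  "ams": 2,  "sin": 12},
    "ap-south": {"nyc": 14, "ams": 11, "sin": 4},
}
ALL_SITES = frozenset(HOPS["us-east"])


def nearest_site(region, healthy=ALL_SITES):
    """Anycast selection: the healthy site with the fewest hops from `region`.

    A site that has withdrawn its route (gone down or taken out for
    maintenance) is simply absent from `healthy` and is never chosen.
    """
    candidates = {site: hops for site, hops in HOPS[region].items() if site in healthy}
    if not candidates:
        raise RuntimeError(f"no healthy nameserver reachable from {region}")
    return min(candidates, key=candidates.get)


def anycast_load(queries, healthy=ALL_SITES):
    """Map a stream of (source_region, query_count) pairs onto anycast sites.

    Returns the number of queries each site absorbs. Traffic from several
    regions is spread across sites; traffic from one region stays on one site.
    """
    load = Counter()
    for region, count in queries:
        load[nearest_site(region, healthy)] += count
    return dict(load)


def unicast_load(queries, site_for_ip):
    """Unicast contrast: each nameserver has its own IP, so every query sent to
    that IP lands on that one site no matter where the query originates."""
    return {site_for_ip: sum(count for _, count in queries)}


if __name__ == "__main__":
    global_traffic = [("us-east", 100), ("eu-west", 100), ("ap-south", 100)]
    print("global traffic, all sites up:  ", anycast_load(global_traffic))
    print("single-region traffic:         ", anycast_load([("eu-west", 300)]))
    print("global traffic, ams withdrawn: ", anycast_load(global_traffic, ALL_SITES - {"ams"}))
    print("same traffic under unicast:    ", unicast_load(global_traffic, "nyc"))
```

Running the script shows the dilution effect (300 queries from three regions land 100 on each site), localisation (300 queries from one region all land on the nearest site, leaving the others untouched), and failover (withdraw `ams` and the European traffic re-routes to `nyc`, its next-nearest site, without any change on the client side).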
Most managed DNS providers run anycast networks due to the significant benefits in speed, reliability, maintainability, and security provided by its distributed nature—and businesses who want those benefits, without trying to build and maintain their own anycast networks, leverage the provider’s investment and expertise.
Unicast vs Anycast: How Do You Tell?
One step towards determining whether the network you are using is anycast is to run a traceroute. This manual tool, included with most operating systems, lists each device involved in carrying packets to their ultimate destination and the time it takes to travel (“hop”) from each of these devices to the next. By reviewing the results of a traceroute, line by line, you can determine whether a DNS host is being served from only one region or from multiple regions. If the same host is being served from multiple regions, comparing the latency observed from each region indicates whether it is an anycast or a unicast network. Typically, an anycast network will respond with low latency from every region, whereas latency will be much higher from the distant regions if the response is coming from a single unicast location.
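The comparison the paragraph describes, final-hop latency to the same nameserver IP measured from several regions, is easy to automate once the traceroute output is parsed. The Python below is an added example, not part of the original post or Dyn's tooling; the traceroute transcripts are constructed (Linux/macOS output format, RFC 5737 documentation address 192.0.2.53, made-up hostnames under example.net), and the 30 ms and 5x thresholds are assumptions chosen for illustration, not published guidance.

```python
"""Classify a nameserver IP as anycast- or unicast-like from traceroutes taken
at several vantage points. Added example, not Dyn's code. The transcripts,
addresses and thresholds below are constructed for illustration."""
import re

# One traceroute hop line: "<n>  <host> (<ip>)  <rtt> ms  <rtt> ms ..."
HOP_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\(([\d.]+)\)((?:\s+[\d.]+ ms)+)")
RTT_RE = re.compile(r"([\d.]+) ms")

# Constructed transcripts from three vantage points to the same IP.
ANYCAST_TRACES = {
    "us-east": """traceroute to 192.0.2.53 (192.0.2.53), 30 hops max
 1  gw.local (10.0.0.1)  0.412 ms  0.388 ms  0.371 ms
 2  * * *
 3  ns-nyc.example.net (192.0.2.53)  2.104 ms  2.011 ms  2.087 ms
""",
    "eu-west": """traceroute to 192.0.2.53 (192.0.2.53), 30 hops max
 1  gw.local (10.0.0.1)  0.501 ms  0.477 ms  0.490 ms
 2  ns-ams.example.net (192.0.2.53)  3.512 ms  3.401 ms  3.477 ms
""",
    "ap-south": """traceroute to 192.0.2.53 (192.0.2.53), 30 hops max
 1  gw.local (10.0.0.1)  0.610 ms  0.598 ms  0.603 ms
 2  ns-sin.example.net (192.0.2.53)  4.812 ms  4.701 ms  4.777 ms
""",
}
UNICAST_TRACES = {
    "us-east": """traceroute to 192.0.2.53 (192.0.2.53), 30 hops max
 1  gw.local (10.0.0.1)  0.412 ms  0.388 ms  0.371 ms
 2  ns1.example.net (192.0.2.53)  2.304 ms  2.198 ms  2.250 ms
""",
    "eu-west": """traceroute to 192.0.2.53 (192.0.2.53), 30 hops max
 1  gw.local (10.0.0.1)  0.501 ms  0.477 ms  0.490 ms
 2  * * *
 3  ns1.example.net (192.0.2.53)  88.412 ms  88.901 ms  88.377 ms
""",
    "ap-south": """traceroute to 192.0.2.53 (192.0.2.53), 30 hops max
 1  gw.local (10.0.0.1)  0.610 ms  0.598 ms  0.603 ms
 2  ns1.example.net (192.0.2.53)  210.312 ms  211.004 ms  210.877 ms
""",
}


def final_hop(trace_text):
    """Return (hostname, ip, min_rtt_ms) for the last hop that answered,
    skipping timed-out hops ('* * *') and the header line."""
    last = None
    for line in trace_text.splitlines():
        m = HOP_RE.match(line)
        if m:
            rtts = [float(x) for x in RTT_RE.findall(m.group(4))]
            last = (m.group(2), m.group(3), min(rtts))
    return last


def classify(traces, low_ms=30.0, spread_ratio=5.0):
    """Compare final-hop RTTs across vantage points.

    anycast:      low RTT from every region (each region hit a nearby site)
    unicast:      RTT spread across regions is large (one distant location)
    inconclusive: neither pattern is clear; examine the hops by hand
    """
    finals = {region: final_hop(text) for region, text in traces.items()}
    rtts = {region: hop[2] for region, hop in finals.items() if hop}
    if not rtts:
        return {"verdict": "unknown", "rtt_ms": {}, "sites": set()}
    sites = {hop[0] for hop in finals.values() if hop}  # distinct last-hop names hint at several PoPs
    lo, hi = min(rtts.values()), max(rtts.values())
    if hi <= low_ms:
        verdict = "anycast"
    elif hi / max(lo, 0.001) >= spread_ratio:
        verdict = "unicast"
    else:
        verdict = "inconclusive"
    return {"verdict": verdict, "rtt_ms": rtts, "sites": sites}


if __name__ == "__main__":
    for name, traces in (("anycast-like", ANYCAST_TRACES), ("unicast-like", UNICAST_TRACES)):
        print(name, classify(traces))
```

The verdict rests on the spread of final-hop latency, which is the signal the paragraph describes; the set of distinct last-hop hostnames is reported alongside it because several different reverse names behind one IP are a further hint that more than one site answers for it. A single run is still only a snapshot, so repeat the measurement over time before drawing conclusions.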
Traceroutes can help you track down Internet connection problems, including points of interruption, packet loss and high latency. But, as with many other manual diagnostic tools, it takes time to review and interpret the output, and each run provides only a limited snapshot in time within a limited context. You’ve got enough to do: monitoring application and service performance was difficult even when enterprises owned the entire IT stack. As you move business-critical workloads into public clouds, visibility and control over these services become exponentially more challenging.
There’s an Easier Way
As an alternative to doing your own diagnostics and analytics, you can offload the work to a managed service with the resources to continuously monitor the broader Internet ecosystem: data centers, private cloud, public cloud and CDN. Armed with the right intelligence, you can focus your time and expertise on determining the best action to take in making your customers’ experience more reliable and secure.
Dyn Internet Intelligence (Dii) service delivers unprecedented ability to monitor and analyze how the Internet’s performance affects your website and application users. With more than a billion data points collected daily for over 150 vantage points and 450 cities across the globe, you get a view of the Internet ecosystem that extends beyond your own network. Internet analysis is provided through diagnostic tools that reduce the time to identify connectivity and performance problems and give troubleshooting teams the power of “what if” testing to hasten resolution.