For network operators, recursive (caching) DNS is a critical service. Without good, fast DNS service, the Internet service appears slow and unresponsive. Caching DNS systems must also be capable of absorbing “spikes” in traffic which can occur for a multitude of reasons – peak loads, Internet events, DoS etc.
Over a few posts we’ll cover 13 simple techniques to ensure good service. They’re relevant for service provider networks and many are applicable to Enterprises as well.
Below is our first suggested technique, which is how Anycast can be used to make your caching DNS more robust.
Anycast is a simple way to advertise the same IP address for all DNS servers – this simplifies customer provisioning, and means that DNS queries will automatically be re-routed if a server fails. A DDoS attack from within the network will only affect the “nearest” server(s) to the attack source(s), so disruption is minimized.
Anycast can be implemented on a server with a simple script, which performs a DNS health check and then advertises a /32 route to the relevant routers. Routers propagate this route to the network edge using the relevant routing protocol. As /32 routes take precedence over larger subnets, this ensures that all DNS queries from the local network edge are routed to the “local” DNS server.
If the DNS software fails, the script’s health check will withdraw the route. If the server fails or becomes unreachable, the adjacent router will age the route out. Some tuning of route aging on the routers may be needed. In both cases, there is already a route to the “next nearest” DNS server and queries will flow to it.
The process of route withdrawal can be made shorter than the client’s “no DNS response” failover time, so clients need never fail over to a secondary DNS server address. Recovery is, of course, automatic. The Anycast address is configured as a VIP on each server. The real address of each server should not respond to UDP/TCP 53, or should be protected from this traffic by adjacent network elements. This ensures that attempts to DDoS the servers from off-net, or by using the real addresses, will fail.
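As an added example (not from the original post), here is the kind of health-check script described above, written as a process for the ExaBGP route injector, which reads one `announce`/`withdraw` line per route change from the script’s stdout. The anycast VIP `192.0.2.53`, the probe name `health.example.`, the one-second probe interval and the two-failure withdrawal threshold are all assumed placeholders; the point is that the withdrawal delay (threshold × interval) stays below a stub resolver’s own failover timeout.

```python
# Assumed ExaBGP process API: it reads one announce/withdraw line per route change from stdout.
import socket
import struct
import time

ANYCAST_VIP = "192.0.2.53"        # placeholder anycast VIP (RFC 5737 documentation range)
PROBE_NAME = "health.example."    # assumed name the local resolver must answer
INTERVAL, FAIL_THRESHOLD = 1.0, 2  # withdraw within ~2 s, under a stub resolver's failover time

def build_query(name, qid=0x1234):
    """Build a minimal DNS A/IN query (RD set) for `name`, wire format per RFC 1035."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = [bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")]
    return header + b"".join(labels) + b"\x00" + struct.pack("!HH", 1, 1)

def response_ok(resp, qid=0x1234):
    """True only for a matching, NOERROR response carrying at least one answer RR."""
    if len(resp) < 12: return False
    rid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    return rid == qid and bool(flags & 0x8000) and (flags & 0x000F) == 0 and an > 0

def probe(server=ANYCAST_VIP, timeout=1.0):
    """Send one query to the resolver on the VIP; any error or timeout counts as a failure."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_query(PROBE_NAME), (server, 53))
            resp, _ = s.recvfrom(512)
        except OSError:            # covers socket.timeout and ICMP port-unreachable
            return False
    return response_ok(resp)

def transition(announced, healthy, fails, threshold=FAIL_THRESHOLD):
    """Return (exabgp_command_or_None, announced, fails): withdraw the /32 after
    `threshold` consecutive failures, re-announce on the first healthy probe."""
    fails = 0 if healthy else fails + 1
    if announced and fails >= threshold:
        return f"withdraw route {ANYCAST_VIP}/32 next-hop self", False, fails
    if not announced and healthy:
        return f"announce route {ANYCAST_VIP}/32 next-hop self", True, fails
    return None, announced, fails

if __name__ == "__main__":
    announced, fails = False, 0
    while True:
        cmd, announced, fails = transition(announced, probe(), fails)
        if cmd:
            print(cmd, flush=True)  # ExaBGP acts on each line as it arrives
        time.sleep(INTERVAL)
```

The real server address never answers the probe, so a resolver that is only reachable on its real address (for example after a misconfigured VIP) is correctly treated as failed and withdrawn.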