Unicast & Anycast
Unicast: send the message to a specific machine
Anycast: send the message to any of the machines which implement a service (DNS, 6to4...)
In practice, used only when routing is used (not load balancers or VRRP). RFC 1546, 4786...
3 / 20
Why anycast?
Main reason: resilience against denial-of-service attacks. The big accelerator was the great attack against the root in 2002.
Other reasons: break the size limits of the NS record set.
First DNS deployments: AS 112 (RFC 6304), then the root. Today very common.
4 / 20
General theory of operation
Several machines listen to the service IP address
Routers announce the service IP address in several places
The routing algorithm chooses the “closest”
Works with OSPF, BGP or others. On the Internet, we use BGP.
5 / 20
More terminology
The machines behind the same service IP address are instances of the same anycast cloud.
6 / 20
Let’s see
L.root-servers.net is widely anycasted.
traceroute from several places to see the different instances of L
All the networks which go to the same instance are an attraction basin (watershed?)
Geographical note: the third largest river watershed in the world is in Africa (Congo basin)
7 / 20
Name server identity
NSID queries (RFC 5001) let you learn the identity of the name server:
dig +nsid @l.root-servers.net SOA .
Unformatted output: dig displays it as “(h) (e) (r) (0) (1) (.) (l) (.) (r) (o) (o) (t) (-) (s) (e) (r) (v) (e) (r) (s) (.) (o) (r) (g)”
And from Abidjan? (The old hostname.bind is not suitable for anycast. Do you see why? See also http://tools.ietf.org/id/draft-jabley-dnsop-anycast-mapping)
8 / 20
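Added example (not the slides' code): what `dig +nsid` does on the wire. It builds the SOA query with an empty NSID option inside the OPT record and then finds the NSID option in the reply; because the option rides inside the same query, the answer names the instance that served that very query, which a separate hostname.bind CHAOS query cannot guarantee. The reply below is constructed inline (not a capture); `query_nsid` is the live variant.

```python
"""NSID (RFC 5001) on the wire: added example for this deck, not the slides' own code."""
import socket
import struct
NSID_OPTION_CODE = 3   # EDNS option code assigned to NSID by RFC 5001
OPT_TYPE = 41          # the OPT pseudo-RR that carries EDNS options

def encode_name(name):
    """Domain name in wire format; "." becomes the single empty root label."""
    labels = name.strip(".").split(".") if name.strip(".") else []
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def build_opt_rr(options):
    """OPT RR: root name, type 41, UDP payload size 4096, ext-rcode/version/flags 0."""
    return b"\x00" + struct.pack("!HHIH", OPT_TYPE, 4096, 0, len(options)) + options

def build_nsid_query(qname=".", qtype=6, txid=0x1234):
    """Query for qname/qtype (6 = SOA) plus an empty NSID option, as `dig +nsid` sends."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD set, 1 question, 1 additional
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)  # class IN
    return header + question + build_opt_rr(struct.pack("!HH", NSID_OPTION_CODE, 0))

def skip_name(msg, off):
    """Offset just past a wire-format name; a compression pointer (2 bytes) ends the name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length

def extract_nsid(msg):
    """NSID text from a DNS message: "" for an empty option, None if no OPT/NSID present."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4                       # skip QTYPE and QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])  # type, class, ttl, rdlength
        rdata = off + 10
        if rtype == OPT_TYPE:
            o = rdata
            while o < rdata + rdlen:                        # walk the option list
                code, olen = struct.unpack("!HH", msg[o:o + 4])
                if code == NSID_OPTION_CODE:
                    return msg[o + 4:o + 4 + olen].decode("ascii", "replace")
                o += 4 + olen
        off = rdata + rdlen
    return None

def sample_reply(nsid=b"her01.l.root-servers.org", with_nsid=True):
    """Constructed reply, not a capture: QR|AA flags, question echoed, optional OPT with NSID."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8400, 1, 0, 0, 1 if with_nsid else 0)
    question = encode_name(".") + struct.pack("!HH", 6, 1)
    if not with_nsid:
        return header + question
    return header + question + build_opt_rr(struct.pack("!HH", NSID_OPTION_CODE, len(nsid)) + nsid)

def query_nsid(server, qname=".", timeout=3.0):
    """Live use: send the query over UDP/53 and return the NSID of the instance that answered."""
    query = build_nsid_query(qname)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        reply, _ = s.recvfrom(4096)
    if reply[:2] != query[:2]:                              # transaction id must match
        raise ValueError("transaction id mismatch")
    return extract_nsid(reply)
```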
Deploying anycast
General warning: anycast is much better when you monitor the service and shut down the routing announcement when the DNS server is down.

```sh
# ANYCASTSERVICE, MYDOMAIN and GOODANSWER are set elsewhere: the service address,
# the zone to probe and the expected SOA answer
DNSISUP=$(dig @"$ANYCASTSERVICE" "$MYDOMAIN" SOA +short)
if [ "$DNSISUP" != "$GOODANSWER" ]; then
    echo "Stopping Anycast...."
    /etc/init.d/bgpd stop    # withdrawing the announcement removes this instance from the cloud
fi
```
9 / 20
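The slide's script withdraws on the first failed probe and compares the whole SOA string. As an added example (not the slides' code), this Python check compares only the MNAME, so a serial bump is not mistaken for an outage, and adds hysteresis so a single lost UDP packet does not flap the route. The `withdraw` and `announce` callbacks are assumed hooks (for instance stopping or starting the BGP daemon), and `simulate` replays a constructed sequence of probe results.

```python
"""Anycast health check with hysteresis: added example for this deck, not the slides' script."""
import subprocess
import time

def check_soa(server, domain, timeout=2):
    """Same probe as the slide (`dig +short SOA`), live use; returns None on timeout or error."""
    cmd = ["dig", f"@{server}", domain, "SOA", "+short", f"+time={timeout}", "+tries=1"]
    try:
        out = subprocess.run(cmd, capture_output=True, text=True, timeout=timeout + 1)
    except (subprocess.TimeoutExpired, FileNotFoundError):
        return None
    return out.stdout.strip() or None

def soa_matches(answer, expected_mname):
    """`dig +short SOA` prints 'MNAME RNAME SERIAL REFRESH RETRY EXPIRE MINIMUM'.
    Compare MNAME only: comparing the whole string fails on every serial bump."""
    fields = (answer or "").split()
    return len(fields) == 7 and fields[0].lower() == expected_mname.lower()

class AnycastHealth:
    """Withdraw the route after down_after consecutive failures and
    re-announce only after up_after consecutive successes, to avoid flapping."""
    def __init__(self, withdraw, announce, down_after=3, up_after=5):
        self.withdraw, self.announce = withdraw, announce   # assumed hooks, e.g. stop/start bgpd
        self.down_after, self.up_after = down_after, up_after
        self.failures = self.successes = 0
        self.announced = True

    def observe(self, healthy):
        """Feed one check result; return whether the route is announced afterwards."""
        if healthy:
            self.failures, self.successes = 0, self.successes + 1
            if not self.announced and self.successes >= self.up_after:
                self.announced = True
                self.announce()
        else:
            self.successes, self.failures = 0, self.failures + 1
            if self.announced and self.failures >= self.down_after:
                self.announced = False
                self.withdraw()
        return self.announced

def simulate(results, down_after=3, up_after=5):
    """Replay a constructed sequence of check outcomes; return (states, actions taken)."""
    actions = []
    health = AnycastHealth(lambda: actions.append("withdraw"),
                           lambda: actions.append("announce"), down_after, up_after)
    return [health.observe(r) for r in results], actions

def monitor_loop(server, domain, expected_mname, withdraw, announce, interval=10):
    """Live use: poll forever, feeding each probe result into the hysteresis state machine."""
    health = AnycastHealth(withdraw, announce)
    while True:
        health.observe(soa_matches(check_soa(server, domain), expected_mname))
        time.sleep(interval)
```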
Deploying anycast, IGP
(IGP = Interior Gateway Protocol, like OSPF)
Useful for recursive name servers (client-based fallback is too slow for a serious service)
Also to implement load-sharing on authoritative servers
http://www.netlinxinc.com/netlinx-blog/45-dns/122-anycast-dns-part-4-using-ospf.html
Better to use VRRP? Depends on your topology.
10 / 20
Configuration on the name server
None! Just listen on the service IP address
And add the monitoring as seen above
11 / 20
Deploying anycast, EGP
(EGP = Exterior Gateway Protocol; today only BGP)
For authoritative name servers
Resiliency is paramount for DNS service (Microsoft’s failure two days ago...)
12 / 20
BGP with Quagga

```
! x.y.z.t, a.b.c.d and xxxx are placeholders: router ID, peer address, peer AS number
! the prefix-lists "all" and "as112-out" are defined elsewhere in the configuration
router bgp 112
 bgp router-id x.y.z.t
 network 192.175.48.0/24
 neighbor a.b.c.d remote-as xxxx
 neighbor a.b.c.d prefix-list all in
 neighbor a.b.c.d prefix-list as112-out out
```

Yes, that’s all!
https://www.as112.net/as112-centos.html
http://netlinxinc.com/netlinx-blog/45-dns/125-anycast-dns-part-5-using-bgp.html
13 / 20
Other routing software
For OpenBGPD, see https://www.as112.net/as112-freebsd.html
For BIRD, see http://vincent.bernat.im/en/blog/2011-dns-anycast.html
14 / 20
Origin AS?
Two schools of thought: one unique AS (to bind them all :-)
Or one AS per instance (RFC 6382)
Some use one unique origin but add an AS per site in the path (you need a lot of AS numbers, but Afrinic allows it)
15 / 20
Hesitant?
Yes, anycast is not obvious
Start with something less critical: host an instance of AS112! https://www.as112.net/
16 / 20
Monitoring anycast
RIPE Atlas probes: a friendly botnet of 4 500 small probes in the world
RIPE stat: a lot of information about routing: http://stat.ripe.net/
17 / 20
Buying anycast
There are also several providers who lease you anycast hosting services. You still have to monitor and to check (in one African country, the provider claimed they had an anycast instance in the country, which was false).
18 / 20
Catching fire
(Thanks to S. Collins)
Better resilience against DDoS
The attack is contained in one attraction basin (local attacks stay local)
19 / 20
Conclusion
A technology now mature
Which seriously improves DNS quality and resiliency
20 / 20