Download pptx - Velocity 2013: Resolution For A Faster Site

Resolution for a Faster Site

How DNS Affects Page Load Time

Ido [email protected] Performance Products, Akamai

©2013 AKAMAI | FASTER FORWARDTM

I will not talk about

• DNS pre-fetching (its great, use it!)• Optimizing for # of domains• Other FEO stuff• The pain of redirects on mobile, and HTTPS


I’ll also won’t be talking about

Daddy’s Nasty Sons


Why is DNS important?


http://www.flickr.com/photos/doe-oakridge/8773404536/

The phonebook of the Internet


http://www.flickr.com/photos/melissavenable/5422775934/

We just assume it always works







Location of DNS root servers, including anycast nodes, identified by their one-letter names. (2008)


Resource records

• TTLs• Common types:• A• AAAA• CNAME• NS

• A/AAAA can have multiple records• More on that later

• Results can be different in different locations/times

http://en.wikipedia.org/wiki/Domain_Name_System#DNS_resource_records


Let’s see some Data


Getaddrinfo() times, Chrome

Windows: upward blip of 1.45% of samples in around 1s (95.90 percentile), due to Windows DNS retransmission timer.Mac: 2 upward blips: 2.11% in around 300ms (91.51 percentile), and another of 1.07% at 1s (97.36 percentile), due to retransmission timers.Linux: upward blip of 1.81% in around 4250-4900ms (99.26 percentile).

OS Mean 10% 25% 50% 75% 90%

Windows 644 <=1 12 43 119 372

Mac 230 0 5 28 67 279

Linux 293 2 12 37 89 279

Source: Will Chan, http://goo.gl/ByZmX Mar 15, 2012

http://goo.gl/ByZmX

http://goo.gl/ByZmX


DNS failure - Mac

Device: Mac OSX 10.8.4 (mountain lion), Safari 6.0.5Connection: 3 name servers, all not responding

Time Activity---- --------- 0 -> DNS1 1 -> DNS1 (retransmit) 3 -> DNS2 1 -> DNS2 (retransmit) 3 -> DNS3 1 -> DNS3 (retransmit) 3 -> DNS1 9 -> DNS1 (retransmit)---- 21


DNS failure - WindowsDevice: Windows 7 (IE9)Connection: 3 name servers, all not responding

Time Activity---- --------- 0 -> DNS1 1 -> DNS2 1 -> DNS3 2 -> DNS1, DNS2, DNS3 4 -> DNS1, DNS2, DNS3 4 -> DNS1 1 -> DNS3 1 -> DNS2 2 -> DNS1, DNS2, DNS3 4 -> DNS1, DNS2, DNS3---- 24


Nav Timing data


DNS time vs page load time

Source: Akamai RUM data

0 - 10 msec

10 - 25 msec

25 - 50 msec

50 - 75 msec

75 - 100

msec

100 - 200

msec

200 - 300

msec

300 - 400

msec

400 - 500

msec

500 - 600

msec

600 - 700

msec

700 - 800

msec

800 - 900

msec

900 - 1000 msec

> 1000 msec

0.0%

5.0%

10.0%

15.0%

20.0%

25.0%

0

2000

4000

6000

8000

10000

12000

14000D

NS

Tim

e D

istr

ibu

tion P

ag

e L

oa

d T

ime


DNS time by browser type

Source: Akamai RUM data

Only hits with a base page download time <= 169ms

p25_dns median_dns p75_dns p90_dns0

100

200

300

400

500

600

700

ChromeFirefoxInternet ExplorerAndroid WebkitChrome MobileIEMobile


DNS by Continent

AS SA NA EU OC AF0

200

400

600

800

1000

1200

1400

1600

DNS by Continent, base page <= 169ms

p25_dnsmedian_dnsp75_dnsp90_dns

SA AS NA EU OC AF0

200

400

600

800

1000

1200

1400

1600

DNS by Continent, all

p25_dnsmedian_dnsp75_dnsp90_dns


Distance of users from resolvers – method 1

OC:6.5%

AF:6.9%

SA: 5.0%AS:6.25%

EU: 0.9%>2000 miles NA: 1.9%

July 2012, Akamai


Distance of users from resolvers – method 2

OC: 6.8%

AF: 7.3%

SA: 4.7%AS: 5.4%

EU: 1.4%>2000 miles NA: 1.7%

July 2012, Akamai


DNS usageAlexa Top 10,000 DNS Marketshare - May 6, 2013

Provider Rank

Websites (out of 10,000)

Marketshare

Marketshare Change

DynECT 1 440 4.40% +6 / +1.382%

AWS Route 53 2 381 3.81% 14 / 3.815%

UltraDNS 3 361 3.61% -2 / -0.551%

DNSPod 4 336 3.36% 5 / 1.511%

CloudFlare 5 314 3.14% 23 / 7.904%

GoDaddy DNS 6 287 2.87% -10 / -3.367%

DNS Made Easy 7 246 2.46% 0

Akamai 8 217 2.17% 10 / 4.831%

Rackspace Cloud DNS 9 156 1.56% -2 / -1.266%

Verisign DNS 10 106 1.06% 5 / 4.95%

Softlayer DNS 11 79 0.79% 0

Namecheap 12 76 0.76% 0

easyDNS 13 76 0.76% -1 / -1.299%

Enom DNS 14 66 0.66% -1 / -1.493%

Cotendo Advanced DNS 15 47 0.47% -11 / -18.966%

Savvis 16 42 0.42% 0

Nettica 17 30 0.30% 0

ZoneEdit 18 29 0.29% 0

Internap 19 27 0.27% 0

ClouDNS 20 21 0.21% 3 / 16.667%

DNS Park 21 17 0.17% 1 / 6.25%

No-IP 22 12 0.12% 0

Zerigo DNS 23 10 0.10% 0

EuroDNS 24 7 0.07% 0

Worldwide DNS 25 5 0.05% -1 / -16.667%

DTDNS 26 2 0.02% 0

CDNetworks DNS 27 2 0.02% 1 / 100%

Total 339233.92

%

Source: Cloud Harmony

9 of top 10 run their own DNS.

The only one that doesn’t?

Hint: they have a DNS service

Amazon.com


Fortune 500 DNS Marketshare - May 6, 2013

Provider Rank

Websites (out of 500)

Marketshare

Marketshare Change

UltraDNS 1 36 7.20% 1 / 2.857%Verisign DNS 2 24 4.80% 0Akamai 3 13 2.60% 0DynECT 4 8 1.60% 0DNS Made Easy 5 6 1.20% 0Savvis 6 4 0.80% 0GoDaddy DNS 7 4 0.80% 0Internap 8 4 0.80% 0Rackspace Cloud DNS 9 2 0.40% 0AWS Route 53 10 2 0.40% 0easyDNS 11 1 0.20% 0No-IP 12 1 0.20% 0Enom DNS 13 1 0.20% 0ZoneEdit 14 1 0.20% 0

Total 10721.40

%

Alexa Top 1,000 DNS Marketshare - May 6, 2013

Provider Rank

Websites (out of 1,000)

Marketshare

Marketshare Change

DynECT 1 79 7.90% 0

UltraDNS 2 63 6.30% 1 / 1.613%

Akamai 3 48 4.80% 0

AWS Route 53 4 34 3.40% -1 / -2.857%

DNSPod 5 32 3.20% 0

DNS Made Easy 6 21 2.10% 0

GoDaddy DNS 7 14 1.40% 0

Cotendo Advanced DNS 8 11 1.10% -1 / -8.333%

Verisign DNS 9 10 1% 0

easyDNS 10 10 1% 0

CloudFlare 11 8 0.80% 1 / 14.286%

Rackspace Cloud DNS 12 7 0.70% 0

Namecheap 13 6 0.60% 0

Softlayer DNS 14 5 0.50% 0

Enom DNS 15 5 0.50% 0

Internap 16 3 0.30% 0

Savvis 17 3 0.30% 0

Nettica 18 2 0.20% 0

ClouDNS 19 2 0.20% 0

ZoneEdit 20 2 0.20% 0

DTDNS 21 1 0.10% 0

EuroDNS 22 1 0.10% 0

No-IP 23 1 0.10% 0

Worldwide DNS 24 1 0.10% 0

Total 36936.90

%

Source: Cloud Harmony


Source: Catchpoint DNS direct agents, testing the [ab].ns.facebook.com name servers

Asia stats influenced by China



Avoid data theft and downtime by extending the security perimeter outside the data-center and protect from increasing frequency, scale and sophistication of web attacks.

IPv6

http://www.flickr.com/photos/yukop/7350636534/


Standard request flow

-> Request A record-> Request AAAA record<- Receive CNAME/A record<- Recursively resolve

Resolver (caching) will send full recursive in a single response.Host will cache each record with appropriate TTLApps/Browser – receives host/IP, but no TTL.



Dual stack DNS behavior - basics

OS: Windows XP 5.1.2600 Service Pack 3 Connection: tcpopen foo.rd.td.h.labs.apnic.net

Time (ms) Packet Activity

0 → DNS Query for AAAA record foo.rd.td.h.labs.apnic.net 581 ← AAAA response 2a01:4f8:140:50c5::69:72 4 → DNS Query for A record for foo.rd.td.h.labs.apnic.net 299 ← A response 88.198.69.81 3 → SYN to 2a01:4f8:140:50c5::69:72 280 ← SYN + ACK response from 2a01:4f8:140:50c5::69:72 1 → ACK to 2a01:4f8:140:50c5::69:72 ------ 1168

Source: Geoff Huston

http://www.potaroo.net/ispcol/2011-12/esotropia.html



Dual stack DNS behavior - basics

OS: Mac OSX 10.8.4 (mountain lion) Connection: tcpopen foo.rd.td.h.labs.apnic.net

Time (ms) Packet Activity

0 → DNS Query for A record for foo.rd.td.h.labs.apnic.net 0 → DNS Query for AAAA record foo.rd.td.h.labs.apnic.net 521 ← AAAA response 2a01:4f8:140:50c5::69:72 0 ← A response 88.198.69.81 1 → SYN to 2a01:4f8:140:50c5::69:72 166 ← SYN + ACK response from 2a01:4f8:140:50c5::69:72 1 → ACK to 2a01:4f8:140:50c5::69:72 ------ 689


DNS failure – Mac – IPv4 + IPv6 - ChromeDevice: Mac OSX 10.8.4 (mountain lion), Chrome 27Connection: 3 name servers, all not responding

Time Activity---- --------- 0 -> DNS1 A 0 -> DNS1 AAAA 1 -> DNS1 A (retransmit) 0 -> DNS1 AAAA (retransmit) 3 -> DNS2 A 0 -> DNS2 AAAA 1 -> DNS2 A (retransmit) 0 -> DNS2 AAAA (retransmit) 3 -> DNS3 A 0 -> DNS3 AAAA 1 -> DNS3 A (retransmit) 0 -> DNS3 AAAA (retransmit) 3 -> DNS1 A 0 -> DNS1 AAAA 9 -> DNS1 A (retransmit) 0 -> DNS1 AAAA (retransmit)---- 21 not available because DNS lookup failed


DNS failure – Mac – IPv4 + IPv6 - FirefoxDevice: Mac OSX 10.8.4 (mountain lion), Firefox 22Connection: 3 name servers, all not responding

Time Activity---- --------- 0 -> DNS1 A 0 -> DNS1 AAAA 1 -> DNS1 A (retransmit) 0 -> DNS1 AAAA (retransmit) 3 -> DNS2 A 0 -> DNS2 AAAA 1 -> DNS2 A (retransmit) 0 -> DNS2 AAAA (retransmit) 3 -> DNS3 A 0 -> DNS3 AAAA 1 -> DNS3 A (retransmit) 0 -> DNS3 AAAA (retransmit) 3 -> DNS1 A 0 -> DNS1 AAAA 9 -> DNS1 A (retransmit) 0 -> DNS1 AAAA (retransmit)---- 21 “Server not found”


DNS failure – Mac – IPv4 + IPv6 - Firefox (DNS on IPv6)

Device: Mac OSX 10.8.4 (mountain lion), Firefox 22Connection: 3 name servers, all not responding

Time Activity---- --------- 0 -> DNS1 A, AAAA 1 -> DNS1 (retransmit) 3 -> DNS2 1 -> DNS2 (retransmit) 3 -> DNS3 1 -> DNS3 (retransmit) 3 -> DNS1 9 -> DNS1 (retransmit) 9 -> DNS2 1 -> DNS2 (retransmit) 3 -> DNS3 1 -> DNS3 (retransmit) 3 -> DNS1 1 -> DNS1 (retransmit)---- 39 “Server not found”


DNS failure – Mac – IPv4 + IPv6 - Safari

Device: Mac OSX 10.8.4 (mountain lion), Safari 6.0.5Connection: 3 name servers, all not responding

Time Activity---- --------- 0 -> DNS1 A, AAAA 1 -> DNS1 A, AAAA (retransmit) 3 -> DNS2 A, AAAA 1 -> DNS2 A, AAAA (retransmit) 3 -> DNS3 1 -> DNS3 (retransmit) 3 -> DNS1 9 -> DNS1 (retransmit) 27 -> DNS2 81 -> DNS2 (retransmit) 243 -> DNS3...



Protocol failure – OS “native” behavior

OS: Windows XP 5.1.2600 Service Pack 3 Connection: tcpopen foo.rx.td.h.labs.apnic.net

Time Activity

0 → DNS AAAA? foo.rx.td.h.labs.apnic.net 581 ← AAAA 2a01:4f8:140:50c5::69:72 4 → DNS A? foo.rx.td.h.labs.apnic.net 299 ← A 88.198.69.81 3 → SYN 2a01:4f8:140:50c5::69:dead 3000 → SYN 2a01:4f8:140:50c5::69:dead 6000 → SYN 2a01:4f8:140:50c5::69:dead 12000 → SYN 88.198.69.81 298 ← SYN+ACK 88.198.69.81 0 → ACK 88.198.69.81 -------- 22185





Protocol failure – OS “native” behaviorOS: Mac OS X 10.7.2 Connection: tcpopen foo.rxxx.td.h.labs.apnic.net

Time Activity

0 → DNS AAAA? foo.rxxx.td.h.labs.apnic.net 4 → DNS A? foo.rxxx.td.h.labs.apnic.net 230 ← DNS AAAA 2a01:4f8:140:50c5::69:dead 2a01:4f8:140:50c5::69:deae 2a01:4f8:140:50c5::69:deaf 20 ← A response 88.198.69.81 3 → SYN 2a01:4f8:140:50c5::69:dead (1) 980 → SYN 2a01:4f8:140:50c5::69:dead (2) 1013 → SYN 2a01:4f8:140:50c5::69:dead (3) 1002 → SYN 2a01:4f8:140:50c5::69:dead (4) 1008 → SYN 2a01:4f8:140:50c5::69:dead (5) 1103 → SYN 2a01:4f8:140:50c5::69:dead (6) 2013 → SYN 2a01:4f8:140:50c5::69:dead (7) 4038 → SYN 2a01:4f8:140:50c5::69:dead (8) 8062 → SYN 2a01:4f8:140:50c5::69:dead (9) 16091 → SYN 2a01:4f8:140:50c5::69:dead (10) 32203 → SYN 2a01:4f8:140:50c5::69:dead (11) 8031 → SYN 2a01:4f8:140:50c5::69:deae (repeat sequence of 11 SYNs) 75124 → SYN 2a01:4f8:140:50c5::69:deaf (repeat sequence of 11 SYNs) 75213 → SYN 88.198.69.81 297 ← SYN+ACK 88.198.69.81 0 → ACK 88.198.69.81 --------

226435





Dual stack on Mac + Safari

OS: Mac OS X 10.7.2 Browser: Safari: 5.1.1

URL: www.rd.td.h.labs.apnic.net

Time Activity IPv4 IPv6 0 → DNS A? www.rd.td.h.labs.apnic.net 1 → DNS AAAA? www.rd.td.h.labs.apnic.net 333 ← AAAA 2a01:4f8:140:50c5::69:72 5 ← A 88.198.69.81 1 → SYN 88.198.69.81 270 → SYN 2a01:4f8:140:50c5::69:72 28 ← SYN+ACK 88.198.69.81 0 → ACK 88.198.69.81 1 → [start HTTP session] 251 ← SYN+ACK 2a01:4f8:140:50c5::69:72 0 → RST 2a01:4f8:140:50c5::69:72 ----- 639ms (time to connect)





Dual stack on Mac + Safari, broken IPv6

URL: www.rxxx.td.h.labs.apnic.net

Time Activity IPv4 IPv6 0 → DNS A? www.rxxx.td.h.labs.apnic.net 0 → DNS AAAA? www.rxxx.td.h.labs.apnic.net 299 ← AAAA 2a01:4f8:140:50c5::69:dead 2a01:4f8:140:50c5::69:deae 2a01:4f8:140:50c5::69:deaf 2 → SYN 2a01:4f8:140:50c5::69:dead 0 ← A 88.198.69.81 270 → SYN 2a01:4f8:140:50c5::69:deae 120 → SYN 2a01:4f8:140:50c5::69:deaf 305 → SYN 88.198.69.81 300 ← SYN+ACK 88.198.69.81 0 → ACK 88.198.69.81 1 → [start HTTP session] ----- 1297





Dual stack on Mac + Chrome

OS: Mac OS X 10.7.2 Browser: Chrome 16.0.912.36

URL: www.rd.td.h.labs.apnic.net

Time Activity IPv4 IPv6 0 → DNS A? www.rd.td.h.labs.apnic.net 0 → DNS AAAA? www.rd.td.h.labs.apnic.net 299 ← A 88.198.69.81 1 ← AAAA 2a01:4f8:140:50c5::69:72 1 → SYN 88.198.69.81 (port a) 1 → SYN 88.198.69.81 (port b) 250 → SYN 88.198.69.81 (port c) 48 ← SYN+ACK 88.198.69.81 (port a) 0 → ACK 88.198.69.81 (port a) 0 → [start HTTP session (port a)] ----- 600





Dual stack on Mac + Chrome, broken IPv6

URL: xxx.rx.td.h.labs.apnic.net

Time Activity IPv4 IPv6 0 → DNS A? xxx.rx.td.h.labs.apnic.net 0 → DNS AAAA? xxx.rx.td.h.labs.apnic.net 298 ← AAAA 2a01:4f8:140:50c5::69:dead 0 ← A 88.198.69.81 11 → SYN 2a01:4f8:140:50c5::69:dead (a) 0 → SYN 2a01:4f8:140:50c5::69:dead (b) 250 → SYN 2a01:4f8:140:50c5::69:dead (c) 51 → SYN 88.198.69.81 (d) 1 → SYN 88.198.69.81 (e) 250 → SYN 88.198.69.81 (f) 48 ← SYN+ACK 88.198.69.81 (d) 0 → ACK 88.198.69.81 (d) 0 → [start HTTP session (d)] ----- 909





Dual stack on Mac + Chrome, broken IPv6

OS: Mac OS X 10.8.4 Browser: Chrome 27

Time Activity IPv4 IPv6 0 → DNS A? www.rd.td.h.labs.apnic.net 0 → DNS AAAA? www.rd.td.h.labs.apnic.net 299 ← A 88.198.69.81 1 ← AAAA 2a01:4f8:140:50c5::69:72 1 → SYN 88.198.69.81 (port a) 1 → SYN 88.198.69.81 (port b) 250 → SYN 88.198.69.81 (port c) 48 ← SYN+ACK 88.198.69.81 (port a) 0 → ACK 88.198.69.81 (port a) 0 → [start HTTP session (port a)] ----- 600




Dual Stack: OS behavior

DNS DNS Timeout TCP Timeout Preference

Windows Serial 21 IPv6

Mac OS (as of Lion)

parallel 21* 75 Fastest*

iOS parallel 45-60 sec Fastest

Native OS behavior – based on “connect()”.Important for native applications.

Lion and IPv6 http://goo.gl/7qxHC: Results from getaddrinfo are now sorted using routing statistics (destination with the lowest min round trip time wins)

http://goo.gl/7qxHC

http://goo.gl/7qxHC

http://goo.gl/7qxHC


Dual Stack: Browser

IE 9 Chrome Firefox Safari

# of Connections

2 in parallel 2 in parallel + 1 slightly after

2 in parallel Single connection

Preference IPv6 IPv6 IPv6 Fastest (Mac)

Dual stack – happy eyeballs

NoSerial: wait for timeout

start with IPv6, +300ms IPv4

In parallel Start with first, +calc time add second, etc.

Remember failed IPs

yes yes yes yes


http://www.flickr.com/photos/natwilson/4260384198/


Multiple records – DNS round robin

$ dig www.akamai.com

; <<>> DiG 9.8.3-P1 <<>> www.akamai.com;; global options: +cmd;; Got answer:;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29543;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:;www.akamai.com. IN A

;; ANSWER SECTION:www.akamai.com. 900 IN CNAME www-main.akamai.com.edgesuite.net.www-main.akamai.com.edgesuite.net. 900 IN CNAME a152.dscb.akamai.net.a152.dscb.akamai.net. 20 IN A 173.223.232.168a152.dscb.akamai.net. 20 IN A 173.223.232.163

;; Query time: 94 msec;; SERVER: 192.168.1.1#53(192.168.1.1);; WHEN: Wed Jun 19 01:24:27 2013;; MSG SIZE rcvd: 142


Round Robin DNS

• Resolvers will shuffle results order – for LB effect• Browsers respect the order of records• Good for load-balancing• Good for high availability!


Round Robin DNS

• Resolvers will shuffle results order – for LB effect• Browsers respect the order of records• Good for load-balancing• Good for high availability!• Good for high availability?


http://www.flickr.com/photos/coast_guard/3220493384/

What happens when things break?


IE on Windows (XP – Windows 7)

• 2 parallel connections for each record• Retransmit SYN until TCP time-out: 21 seconds• Only on time-out – try next host.


http://tinyurl.com/disap-cat


IE on Windows (XP – Windows 7)

• 2 parallel connections for each record• Retransmit SYN until TCP time-out: 21 seconds• Only on time-out – try next host.

• Now, consider dual stack with 3 IPv6 records, and 3 IPv4.• IPv6 is prioritized.• If IPv6 is not working – 63 seconds until fallback to IPv4.

• Yes… 21 seconds isn’t that much fun either.


Chrome

• 3 parallel connections for each record (1 starting after ~100ms)• Retransmit SYN until TCP time-out: • 75 seconds on Mac• 21 on Windows• ?? On iOS

• With dual stack - happy eyeballs. • 300ms: try alternate protocol

• Why not do the same for alternate host?


Firefox

• 2 parallel connections for each record (starting ~800ms apart) • Retransmit SYN, adding 2 connections at a time – prior to time out, • Total of 6-7 connections per host (SYN only)

• Connect to second host not before time-out time • 90 seconds observed on Mac• 21 on Windows

• With dual stack - happy eyeballs. • ?? ms: try alternate protocol

• Why not do the same for alternate host?


Safari

• 1 connections for each host• On Mac:• Add connections to next hosts after derived time-out/rtt time (<< TCP timeout)

• On Windows:• Serialized – try new host only when connection timed out (21 sec)

• Retransmit SYN periodically on each connection• Give up after timeout expires on all hosts• Mac = 1 TCP timeout overall!• Windows = # hosts X TCP timeout• ?? On iOS


Native OS support

• 1 connections for each record• Retransmit SYN periodically (based on OS schedule)• Continue to next record after time-out• Once all expired – give-up.


Recommendations for round robin DNS

• Helpful for load-balancing• Gives some level of high-availability – if you know how to use it• Don’t put a record if you know the IP is down!• Manage your TTLs

• Don’t put multiple records on IPv6!!!

• Seriously – DON’T put multiple records on IPv6.


DNS Cache

http://www.flickr.com/photos/fairfaxcounty/7456122122/


Local OS

• Local host caches DNS according to instructions• Network change – SHOULD triggers DNS cache cleaning• Moving to airplane mode will


Browser cache

Browsers cache DNS records for performance reasons.How?• An application doesn’t get the TTL record from the resolver.

• IE: 30 min• Chrome: 1 min• Firefox: 1 min• Safari: 15-60 seconds

• Chrome DNS client: read Will Chan’s post: http://goo.gl/ByZmX

http://goo.gl/ByZmX

http://goo.gl/ByZmX

http://goo.gl/ByZmX


Negative caching

When there is no response for a record, resolvers will cache the “no response” for the TTL defined in the SOA, typically – 1 hour.

From RFC 2308: “its TTL is taken from the minimum of the SOA.MINIMUM field and SOA's TTL.”

• Don’t refer to a host before you defined it!• Don’t delete a record if you plan to use it!• Change TTL to 1 sec, and set to some bogus value until ready.


Setting TTLS

http://www.flickr.com/photos/shortleafiscute/5831167984/


Setting TTLs

Alexa top 1000, TTLs of A records:

80% < 1 hour

They actually change quite frequently!

<1m <2.5m <5m <10m <1h <5h <1d <2d <5d >5d

193 152 34 229 169 154 39 13 4 1


Setting TTLs

• Short enough to accommodate failover• Depends on your DNS performance – too short means more DNS activity• Mobile


Facebook

www.facebook.com. 3600 IN CNAME star.c10r.facebook.com.star.c10r.facebook.com. 60 IN A 173.252.112.23

www.google.com. 300 IN A 74.125.239.51www.google.com. 300 IN A 74.125.239.50www.google.com. 300 IN A 74.125.239.49www.google.com. 300 IN A 74.125.239.52www.google.com. 300 IN A 74.125.239.48

Google


Anycast

Hong-Kong

London

NYC

ISP

IX

ISP

T1N

ISP


Anycast

Hong-Kong

London

NYC

ISP

IX

ISP

T1N

ISP

10.0.1.X

10.0.3.X

10.0.2.X example.com IN NS10.0.1.110.0.2.110.0.3.1

67% chance of getting a far resolver!


Anycast

Hong-Kong

London

NYC

ISP

IX

ISP

T1N

ISP

10.0.1.X

10.0.3.X

10.0.2.X

10.0.10.X

10.0.10.X

10.0.10.X example.com IN NS10.0.10.110.0.10.2


CDNs and Distributed Service

Hong-Kong

London

NYC

ISP

IX

ISP

T1N

ISP

10.0.1.X

10.0.3.X

10.0.2.X


CDNs and Distributed Services

• Geo and network based mapping of users• Mapping is based on resolvers IP addresses – they issue the requests



• Geo and network based mapping of users• Mapping is based on resolvers IP address

• Challenges:• Corporate network/VPN – resolver at the corporate, not close to the user.• Centralized DNS resolvers at ISPs/carriers• Remote resolvers• Open resolvers – sparse, and remote from user!



• Geo and network based mapping of users• Mapping is based on resolvers IP address

• Challenges• Edns0 client subnet data.• Extension to DNS to deliver info about the requesting user.• Can make more informed decisions.


DNSSEC

• Validates the record• Does NOT encrypt it• Prevents DNS spoofing/poisoning

• Collapse to TCP if frame too large

• Common concerns:• Slow• Not supported


DNSSEC

Sample data from a day of DNS traffic of a US based customer:

• Records are cacheable• Need to validate only once• Some resolvers will not validate…• Consider DNSSEC today!

Total Percentage of DNS hits

Total hits 4,487,728 100.00%Total IPv6 hits 204,477 4.56%Total DNSSEC hits 3,552,809 79.17%Total DNSSEC TCP 5,344 0.12%Non DNSSEC TCP 2,406 0.05%


http://www.flickr.com/photos/keithburtis/2614418536/


Key Takeaways

• Use a distributed, “professional” DNS vendor, • unless you really know what you are doing.

• Don’t set multiple records (round-robin) for IPv6! Just Don’t!• Multiple records (round robin) is good for load-balancing• Be careful when using it for failover/high availability• Set low TTLs (minutes) when using multiple records

• If a server is down – take it out of the rotation! • Failover costs in performance – in some cases over 20 seconds delay.

• Don’t delete a record, even when taking a server down for maintenance• Better to set a low TTL, and even giving a bogus address, to avoid negative TTL• Control your SOA record – to determine the TTL for negative caching.


Takeaways for your org/home network

• Don’t enable IPv6 if it works only on your internal network• For corporate/VPN:• Configure the local DNS to be used ONLY for internal resources.• Prioritize using the carrier/default local resolver over the corp resolver.

Thank you!

Ido Safruti, [email protected]