OpenDNS, DNS, and Anycast

Posted byryan niemesPosted inUncategorized

I wanted to let everyone know about OpenDNS. They provide publicly-accessible DNS servers at the following addresses:

208.67.222.222
208.67.220.220

This is a fantastic service, and leads me to a discussion on the topic of Anycast and DNS.

Anycast is one of the types of traffic flows. Remember the other types:

  1. Unicast: used for peer to peer communication (1 to 1). Use IP classes A, B, and C here.
  2. Multicast: used for one to many communication (1 to n, where n indicates the multicast subscribers). Multicast addresses are class D, range 224.0.0.0 to 239.255.255.255, or 224.0.0.0/4 in CIDR notation.
  3. Broadcast: used for one to ALL communication (1 to N, where N indicates all systems within a broadcast domain). This is also known as the all-ones IP address, i.e: 255.255.255.255

Anycast is similar but doesn’t have a specific IPv4 address like Multicast and Broadcast. I would opine that it’s 1 to x, where x is the closest (from a routing perspective) Unicast address.

This will work as long as your application supports it. The DNS is one of those applications because it’s UDP-based, and you simply fire off a query to the nearest DNS server and accept any reply that comes back. In fact, the top-level domain (TLD) servers are anchored in Anycast IP addresses. I suspect that OpenDNS servers are also using Anycast, with a back-end replication and zone transfers being performed using the ‘real’ IP addresses of the servers. RFC3258 outlines how the TLD Anycast service is set up, but basically it works like this:

The IP addresses you want to use for Anycast are advertised in several places within your network. If you have a global network, you might use 10.0.0.0/8 in Europe as well as China and Canada. If you are in China trying to reach this address, the network will route you to the closest 10.0.0.0/8 advertisement point. The nice thing is, if that route is no longer advertised in a particular location, the network will route you to the next closest one. Keep in mind that the service is not necessarily tied to advertisement of this prefix within your network, so some additional mechanism will need to be in place to avoid blackholing traffic.

One thought on “OpenDNS, DNS, and Anycast

  1. To avoid blackholing traffic, have your load balancers bgp peer with your network core. They are doing the health checks of the physical servers and can stop advertising the host or network route when there are no physical servers available. the same result occurs if the load balancers fail. This is the best way to tie the service’s availability to the route’s existence.

    Like

Comments are closed.

%d bloggers like this: