Much has been written about anycast and its effectiveness in enhancing the resilience of the Domain Name System (DNS) against attacks and failures, and its scaling of DNS nameserver capacity, both in the authoritative and recursive resolver infrastructure.
However, little research has been conducted into its adoption in top-level and second-level domains (TLDs and SLDs). To address this gap in knowledge, we at the University of Twente — in collaboration with CAIDA, UC San Diego and SIDN Labs — recently quantified this adoption. In doing so, we showed that a few large operators have been behind a significant increase in the adoption of anycast in top-level and second-level domains since 2017. Below are some highlights from our paper, which won Best Paper Award at TMA 2021.
Anycast as DNS resilience mechanisms
The original design of the DNS distributes both load and responsibility by delegating authority over distinct sub-trees of the DNS namespace. This design avoids a single point of failure disrupting the entire global system. However, if the delegating authority of one of the sub-trees fails, all domains under that path will be unreachable. For example, if the Verisign nameservers were to fail, all the .com domains would be unreachable.
To avoid the aforementioned catastrophic situation, the DNS protocol allows specifying multiple authoritative nameservers as responsible for a sub-tree of the DNS namespace. These multiple nameservers, usually placed in different geographical and topological locations (different Autonomous Systems (ASes), or networks), enhanced the resilience of the DNS ecosystem. If one of the nameservers fails, even silently, resolver software reissues their request to a different replica.
Over time, another mechanism has emerged for providing resilience at the network layer: IP anycast. In the IP anycast model, geographically diverse server replicas use the same IP address by arranging for different networks to announce the same network prefix.
When a client sends a packet to the server’s anycast IP address, this is automatically rerouted to the (topologically) closest replica. If the network connecting this replica fails, normal Internet routing processes will reroute packets to the next closest replica.
With anycast, the replica selection shifts from an explicit choice made by the requesting party (typically a client or recursive resolver) to an implicit choice implemented by BGP and the ISP’s routing policy.
Anycast adoption by TLDs
Our findings showed that the number of TLDs that used anycast has grown from 93% in 2017 to 97% in 2021, leaving only 50 TLDs relying on unicast authoritative nameservers. This result is encouraging for DNS resilience, given the fundamental role played by TLDs in the DNS infrastructure.
gTLD | ccTLD | new gTLD | Total | |||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|
2017 | 2021 | 2017 | 2021 | 2017 | 2021 | 2017 | 2021 | |||||
Unicast | 1 | 1 | 79 | 34 | 25 | 15 | 105 (7.1%) | 50 (3.4%) | ||||
Mixed | 2 | 1 | 137 | 160 | 117 | 139 | 256 (17.4%) | 300 (20.4%) | ||||
Anycast | 3 | 5 | 31 | 53 | 1,077 | 1,065 | 1,112 (75.5%) | 1,123 (76.2%) | ||||
Total | 7 | 7 | 247 | 247 | 1,219 | 1,219 | 1,473 | 1,473 |
Table 1 — Breakdown of TLDs with unicast, anycast, or mix of both anycast and unicast (mixed) authoritative nameservers in 2017 and 2021. Anycast adoption (including mixed) in 2021 reached ∼ 97%.
Interestingly we also found that three ccTLDs (.ve, .pa, and .cd) had switched from mixed anycast to unicast in this time. For .pa and .ve this was related to the sunset of the Internet System Consortium’s (ISC) secondary authoritative anycast service on 31 January 2020.
Anycast adoption by SLD
Using DNS data provided by the OpenINTEL project, we mapped the anycast adoption of ~65% of the global DNS SLDs infrastructure. From this, we found that more than half of responsive SLDs use an anycast deployment for their nameservers in 2021. Compared to 2017, this was an increase of 11.7% of domains relying upon anycast.
However, the fact that only 2.3% of the nameservers are using anycast suggests a concentration towards few anycast providers. This hypothesis was confirmed by looking at the Top 10 anycast organizations, which are responsible for ~92% of domains adopting it; GoDaddy alone accounted for half of the market share.
Cost and registrars play an important role in adoption
Some readers may wonder if anycast is a choice of customers (domain owners) or DNS operators (registrars usually). An interesting case to analyse is that of OVH, a popular European hosting provider that offers optional anycast service for DNS nameservers for €1.21/year.
In our study, we found that nearly all the SLDs of OVH use unicast. Therefore, if customers need to pay or choose the anycast service, they will be less likely to adopt it.
Another interesting case worth noting is the role of registrars in small-economy markets such as ccTLDs. Comparing Netherlands (.nl) and Sweden (.se), we found that .se has high anycast adoption, due to its larger registrar, Loopia AB, whereas .nl has a lower anycast adoption, due to the use of unicast by TransIP B.V.
Avoid anycast as a single solution for resilience
In anycast, resilience is not explicit in the DNS but manifests in the routing system because anycast hides (some of) the replica choice decision from the client. If all NS entries point to the same anycast IP, resolution relies entirely on anycast. If these servers or subnet fail silently, then everyone routed to that advertiser is effectively black-holed.
Our suggestion to operators is to avoid anycast as a single solution for resilience. Instead use it in combination with other resilience mechanisms embedded in the DNS, such as multiple network systems, IPs, and ASes for redundancy.
Raffaele Sommese is a PhD candidate at the University of Twente.
The views expressed by the authors of this blog are their own and do not necessarily reflect the views of APNIC. Please note a Code of Conduct applies to this blog.