There are three reasons why you want a root server near you:
In the early days of the Internet, most international traffic passed through the USA. Traffic between two nodes in Japan that didn’t use the same ISP was often routed through San Francisco. Traffic between two European countries was often routed either through New York or Amsterdam.
The creation and growth of local Internet exchanges — variously called IXs, IXPs, NAPs, or MAEs — allowed local traffic to remain local. If ISPs for both of those Japanese nodes were connected to an Internet exchange in Japan, then traffic could be routed there rather than through North America. It was a tremendous improvement. Yes, the Internet is global, and yes, it is good that any Internet node can communicate with any other Internet node, but if the traffic between them is routed through a local IX rather than a distant hub, the communication is faster, more reliable, and less vulnerable to outages caused by events far away.
Most Internet transactions or connections begin by looking up something in the DNS, and many DNS lookups begin with a query to a root server (if there is no local cached copy). DNS data is cached by all of the lookup software (“resolvers”) but there are limits (both from common sense and from technology) to the length of time that data can or should be cached.
So unless there is a root server close to you, there is a good chance (how great a chance is impossible to quantify) that an Internet transaction will begin with a long-distance query to a faraway root server. This takes time. The protocols are very robust: if the first faraway root server queried does not return a result, the lookup software will try another root server, probably somewhere else, and keep doing so until it finds one that answers. That search-if-it-fails algorithm is very reliable, but it is not very fast. Under some circumstances the search might take several seconds.
When all is well on the global Internet, having a nearby root server provides a moderate improvement in response time and reliability. It is during one of the inevitable denial-of-service attacks that the advantage becomes vital.
From time to time, there are hostile Denial of Service (DoS) attacks on parts of the Internet. Some dark force that has captured or bought access to a “botnet” of compromised computers will unleash all of the computers at its disposal to send forged traffic to the victim systems. These attacks are usually magnified by exploiting the weaknesses of un-upgraded, un-patched personal computers or personal devices. The net result is that Internet traffic in the vicinity of the victims becomes hundreds or thousands or millions of times heavier than normal. The usually-adequate long-distance circuits become bogged down with attack traffic and are not useful for much else.
If there is no root server close to you, so that your root queries must travel over long-distance circuits to reach a server, and those long-distance circuits are so overloaded that your queries are lost, then your Internet will become useless. You might only need to communicate with a business that is within easy walking distance, but if your root DNS service requires sending queries to faraway places, then your resolver’s cached root data will eventually time out, and your communication will fail.
For the best protection against being collateral damage in a global attack, your community should have its own IX. Every IX should have at least one root server. That combination will permit Internet service to continue in your community regardless of what data storms are happening in the rest of the world. The various content distribution services are installing content servers in most locations, so if you have your own IX and your own root server and your own copy of most major content, you can continue most operations even when there is a major cable cut.
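The two mechanisms described above, the timeout-and-retry search across root servers and the expiry of a resolver's cached root data, can be put side by side in a small model. The following is an added example, not code from the original post and not ISC's or BIND's server-selection logic; the round-trip times, the 800 ms per-attempt timeout, the one-hour TTL and the server names are constructed values. It shows that a nearby instance answers in a few milliseconds, that falling back past an unreachable server costs a whole timeout per attempt, and that once long-distance circuits are flooded the cache only postpones failure until its TTL runs out.

```python
"""Toy model of a resolver's root-query path (constructed example, not BIND code):
an ordered list of root-server instances with round-trip time and reachability,
a per-attempt timeout with fallback to the next server, and a TTL-bounded cache."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class RootInstance:
    name: str
    rtt_ms: float           # round-trip time from this resolver to the instance
    reachable: bool = True  # False models circuits so flooded that queries are lost


@dataclass
class RootLookupResult:
    answered_by: Optional[str]  # None when every server timed out
    elapsed_ms: float           # wall-clock cost of the whole search
    attempts: int


QUERY_TIMEOUT_MS = 800.0  # assumed time a resolver waits before trying the next server


def query_roots(servers: List[RootInstance], timeout_ms: float = QUERY_TIMEOUT_MS) -> RootLookupResult:
    """Try servers in order; each unreachable one costs a full timeout before fallback."""
    elapsed = 0.0
    for attempt, srv in enumerate(servers, start=1):
        if srv.reachable and srv.rtt_ms <= timeout_ms:
            return RootLookupResult(srv.name, elapsed + srv.rtt_ms, attempt)
        elapsed += timeout_ms
    return RootLookupResult(None, elapsed, len(servers))


class RootCache:
    """Cached root data with a TTL; it expires on schedule whether or not the root is reachable."""

    def __init__(self, ttl_s: float) -> None:
        self.ttl_s = ttl_s
        self.fetched_at: Optional[float] = None

    def valid(self, now_s: float) -> bool:
        return self.fetched_at is not None and now_s - self.fetched_at < self.ttl_s

    def refresh(self, now_s: float) -> None:
        self.fetched_at = now_s


def simulate(ttl_s: float, events: List[Tuple[float, List[RootInstance]]]) -> List[Tuple[Optional[str], float]]:
    """Run lookups at the given clock times (seconds) against the root servers visible at
    that moment. Returns (source, elapsed_ms) per lookup: "cache" for a hit, a server
    name for a fresh answer, None when the search failed."""
    cache = RootCache(ttl_s)
    out: List[Tuple[Optional[str], float]] = []
    for now_s, servers in events:
        if cache.valid(now_s):
            out.append(("cache", 0.0))
            continue
        result = query_roots(servers)
        if result.answered_by is not None:
            cache.refresh(now_s)
        out.append((result.answered_by, result.elapsed_ms))
    return out


# Constructed scenarios (names and timings are illustrative, not real root-server data).
NEARBY = [RootInstance("local-ix", 2.0), RootInstance("far-1", 180.0), RootInstance("far-2", 250.0)]
DISTANT_NORMAL = [RootInstance("far-1", 180.0), RootInstance("far-2", 250.0), RootInstance("far-3", 300.0)]
PARTIAL_OUTAGE = [RootInstance("far-1", 180.0, reachable=False), RootInstance("far-2", 250.0)]
ATTACK = [RootInstance(s.name, s.rtt_ms, reachable=False) for s in DISTANT_NORMAL]
ONE_HOUR = 3600.0

if __name__ == "__main__":
    print("nearby:", query_roots(NEARBY))
    print("first server lost:", query_roots(PARTIAL_OUTAGE))
    print("all circuits flooded:", query_roots(ATTACK))
    # Cache filled while circuits were fine, then an attack starts; the hit at 30 min
    # still succeeds, the lookup after the TTL expires does not.
    print("attack timeline:", simulate(ONE_HOUR, [(0, DISTANT_NORMAL), (1800, ATTACK), (3600, ATTACK)]))
```

Swapping `NEARBY` for `DISTANT_NORMAL` in the timeline shows the first point of the post: the answer is the same, only slower. Swapping in `ATTACK` shows the second: the cache hides the outage for at most one TTL, after which every lookup burns the full search budget and still fails.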
Queries made to root servers convey information about the names being looked up. Sometimes that information is best kept private. The farther a query has to travel, the greater the likelihood that someone is snooping. If the root server is local, then root DNS queries can only be snooped by people with local access. When a query travels a long way, you don’t really know who owns the stops along the way, and who might be listening.