How CDNs and Alternative DNS Services Combine For Higher Latency

The_PHP_Jedi writes "Alternative DNS services, such as OpenDNS and Google Public DNS, are used to bypass the sluggishness often associated with local ISP DNS servers. However, as more websites, particularly smaller ones, use content distribution networks via embedded ads, widgets, and other assets, the effectiveness of non-ISP DNS servers may be undermined. Why? Because CDNs rely on the location of a user's DNS server to determine the closest server with the hosted content. Sajal Kayan published a series of test results which demonstrates the difference, and also provided the Python script used so you can test which is the most effective DNS service for your own Internet connection."

Leave Canada Alone

[ironicsky]

Why drag us lovely CDN's in to this.

Re:Leave Canada Alone

[PNutts]

Why wouldn't I use OpenDNS? They may be working for profit but it is free to individuals. Also, I disagree that they are the "exact same ads" when they consist of a few text links and I trust them more than Comcast. But more importantly, assuming you were correct that they are the same ads, the other benefits far outweigh this nit. The ability to whitelist/blacklist domains and block them by category is more than worth the price of admission, which again is free. Then throw in useage reports... To ignore all that because of the "exact same ads" is shortsighted. The company I work for started using this and the incidents of crapware have gone way down. I've set it up on all my family's computers and recommend it to others.

Re:Leave Canada Alone

For one, because they're deliberately abusing the Open moniker. They also do not provide an ad-free DNS service, unlike for example Google's DNS server. Furthermore, they redirect www.google.com through OpenDNS servers. Last but not least, to change the configuration (e.g. the Google redirection or the NXDOMAIN highjacking), you have to get an account and always log in. For DNS. Are you kidding me?

Re:Leave Canada Alone

[Sillygates]

This still violates the DNS specification, and there is no way to effectively turn it off. Why is this a problem? Please see: http://en.wikipedia.org/wiki/DNS_hijacking#Use_by_ISPs .

For this reason I use Internet2, Level 3's (4.2.2.2 - 4.2.2.4), and now google's dns servers.

Re:Leave Canada Alone

[Sir_Lewk]

I don't give a shit if you use OpenDNS or not. If you like their censorship features then that is great, use what works for you.

What I do give a shit about is people recommending OpenDNS as a good alternative for ISP DNS servers in discussions about NXDOMAIN fuckery. They are about the absolute last alternative DNS provider you should choose if NXDOMAIN is important to you. Just about any of the dozens of other free DNS servers doesn't require you to do retarded shit like use DynamDNS just to get standards compliant DNS results, recommending OpenDNS is irresponsible at best.

Seriously, just because they have "Open" in their name, doesn't mean they are good.

Re:Leave Canada Alone

[Sir_Lewk]

OR just use a REAL DNS server and don't worry about that shit. Why is this such a hard concept?

Re:Leave Canada Alone

[lonecrow]

But I use OpenDNS to keep the kids away from Chat Routlette, Goatse.cx and other emotionally scarring sites. If Google DNS offered that I would switch.

Poor application design

[Mondo1287]

Maybe I'm missing something here, but shouldn't be the application's responsibility to provide a geographically correct host name to the client, not the responsibility of DNS? It seems like poor application design to rely on DNS for this. Your app should determine the host based on the IP of the client, not give the client an arbitrary host name and then rely on DNS to provide your geologically correct server.

Re:Poor application design

[jcinnamond]

I think you're missing the point. Geographically aware DNS is used to send you to your nearest deployment of an application. Deciding after you've arrived is too late.

Re:Poor application design

[Zerth]

Like you couldn't redirect on GET instead of serving up the app?

Re:Poor application design

[Trepidity]

There's various tricks you can do to decide later, if you have significant content other than the raw HTML page itself, though they do require some server processing. The initial HTML request will be based on DNS, but once the user's hit your servers, you have their IP, so you can rewrite the URLs of embedded content / AJAX requests / whatever, so that they hit a geographically nearby server.

Google Public DNS

[The+MAZZTer]

Automatically routes your DNS request to a Google server close to you. So there's no problem here.

Re:Google Public DNS

[arkhan_jg]

But if you look at TFA, that doesn't actually work in practise - looking at, for example, the swedish EC2 host pinging -
internap:
using local DNS gives a ping of 36.3, opendns is 40 and googledns is 189!
akamai:
local dns resolved IP pings at 13.2, opendms at 51.7 and googledns at 36.

In both cases, using local DNS gives a substantially faster responding server with both CDN networks tested, presumably one that is physically closer to the testing machine. Using google DNS and open DNS both result in getting less optimal servers for the actual content; so any saving in DNS resolution itself is lost due to the CDN giving you the actual website content from a sub-optimal location; especially if you're pulling down lots of different bits of content.

It's an interesting enough result that I'm going to reinvestigate using my ISP DNS for my dnsmasq local cache server (or at least one hosted in my own country), and compare total page rendering time for the sites I visit often, rather than just DNS resolution times, given how many large sites use akamai and the like these days.

Do you even know what a CDN is?

Yeah, go ahead and block them. Try it. Do you know what happens? Most of the web sites you use just won't fucking work. This is especially true with so many web sites these days serving up their images, JavaScript scripts and stylesheets via a CDN.

Re:Do you even know what a CDN is?

[betterunixthanunix]

1. The Web is not the be-all and end-all of the Internet
2. Browsing without autoloading images is not nearly as bad as you make it out to be
3. Most of what I go on the web for is news (where the text is usually more important) and journal articles (which are distributed as PDFs)

As a case in point, Slashdot is perfectly fine without images or Javascript (as long as you request Javascript-free pages, which are readily delivered).

Slashdot uses Akamai

[sajalkayan]

Slashdot.org is serving static assets from the hostname a.fsdn.com which is served via Akamai CDN. I count 19 requests to http://a.fsdn.com/* on a single pageload of the homepage. These static files are currently served by a server within my ISPs network rather than some server on the other side of the globe... Alamai uses DNS routing.

Re:Is this a problem?

[Burdell]

It isn't just ads. For example, Microsoft, Apple, Symantec, and Red Hat use CDNs for distributing software updates (that's just a few companies I know of off the top of my head). Basically, CDNs keep the Internet working, saving server load at the source and bandwidth across the Internet and at the providers.

Most CDNs don't do this..

[poptix_work]

While some shoddy CDN companies may reroute you at the DNS level, many are actually smarter about it. Smart systems will redirect you to a 'closer' system via a different URL for media files, or utilize anycast BGP routing so that you always take the shortest path to one of their nodes.

As for 'who serves stuff on CDNs that I want to see anyway' -- everyone. From porn sites to Google to Youtube, they're all one type or another of CDN.

Re:Most CDNs don't do this..

[mother_reincarnated]

Ok so by "shoddy CDN companies" you mean every CDN anyone here has ever heard of? And the vast majority of enterprises that have hot/hot (public) datacenters?

Using anycast for serving content is a guarantee of fail. Great for DNS, less than ideal for HTTP. How serious a failure depends on important reliable and consistent end user experience is. Using geolocation based on the actual source address for content within the pages is a very intelligent thing to do in addition to doing it at the LDNS level initially.

On the innertubes anycast is good for things for which UDP is appropriate (even if they use other transports), and it can be acceptable for HA between a hot and a warm datacenter, but it's just not robust enough for a "CDN".

Re:no big deal, really

[bjourne]

CDN:s (Content Delivery Networks for those who don't know. I can't believe these things have to be spelled out on /. Quality really has gone downhill) are not only used for advertising. They are used to serve all kinds of resource-intensive content. Such as porn. And streaming video. Let's say you're an Aussie with your website hosted on the Australian mainland. Then you'll pay premium for international bandwidth because Australia has crappy connections to the rest of the world. So you want international visitors to get their images and other static content you don't change regularily from a CDN to reduce your bandwidth costs.

Re:Is this a problem?

[michael_cain]

Seven or so years ago, before I retired from one of the large cable companies, CDNs were hosting the relatively static parts for a surprisingly large number of broadly popular sites. I had an opportunity to see the list when we were approached by the then-largest CDN, who wanted to place servers in many of our head-end locations for the obvious performance benefit. I was the one who pointed out that all of our internal DNS requests were routed to one of two data centers, one on the East Coast and one on the West, creating exactly the situation described in the OP: the CDN would have no idea where the original request came from, so would be unable to direct the end user to the appropriate server.

I was one of the few engineers who argued for less centralization in our network. I wanted broader distribution for reliability purposes: at that time, the massive centralized mail servers had a tendency to fail at the drop of a hat. But it would also have given us the ability to work with companies like the CDNs in order to provide better service.

Re:Is this a problem?

[Professor_UNIX]

This is exactly the problem. Most people have probably not heard about a little company called Akamai, but chances are if you're downloading content from a large site, you're using Akamai's content delivery network. Go view a trailer on Apple's site for instance and you'll see the host is actually served off edgesuite.net (which is Akamai). They use a distributed system of caching mirror servers to serve up content to a server closest to you geographically.

The one reason I use an open DNS server instead of my cable provider's (Cox Cable) servers is because they have an Akamai server for Cox and it was horribly overloaded. I was getting 512 Kbps anytime I was trying to download something from Apple. I switched my DNS to a combination of Level3's and Cisco's open DNS servers and I started hitting another Akamai server outside Cox and started getting 15 Mbps. It was night and day going from barely being able to watch a standard definition movie trailer on Apple's site while it buffered buffered, played, buffered, play buffered, etc. to being able to watch a 1080p HDTV stream with the buffer way ahead of my realtime viewing.

Uptime

[h4rr4r]

Considering TWC can't keep their DNS servers up reliably using them is not even an option.

Re:Is this a problem?

[betterunixthanunix]

As opposed to using the client IP address?

Re:Is this a problem?

[b4k3d+b34nz]

The whole point of a CDN (the middle initial) is distribution, theoretically to a broad area.

For example, without a CDN, you have 3 servers, all located in San Francisco. The guy who lives in Florida (or Russia, or South America) who requests content from your server will receive it much more slowly than the guy who lives in Vegas.

With a CDN, there will be servers all over the nation (and preferably around the world, if you serve internationally) which will be physically closer to the requestor that can serve with a lower latency. The servers within the CDN farm utilize reverse DNS lookup to balance and serve traffic from the correct place.

This is not accurate

[davidu]

I'm the founder of OpenDNS (and long-time slashdot reader).

This article is not very accurate for a number of reasons. First, both my service (OpenDNS) and Google's are co-located in similar POPs to all of the major CDNs which causes this problem to be largely avoided. The author of the blog post used a tiny sample size and tested mainly from EC2 instances, neither of which helps his cause.

1) EC2 instances are BY DESIGN not co-located in the same place as major peering infrastructure because that real estate costs more. They are one or two hops away. People use EC2 for compute power, not for routing performance. So he needs to use something like Keynote or Gomez to test from home connections. If he had, he'd see it doesn't impact anything, and often improves performance, especially in the US. We don't have POPs in Asia yet, though they are coming this year, and when we do, we'll improve things for him.

2) Akamai is the only CDN where this will ever be perceptible because their deployments are so dense. They have 3000+ pops which means they will also be able to target more precisely. But this is being worked on RIGHT NOW in the IETF -- http://tools.ietf.org/html/draft-vandergaast-edns-client-ip-01

Anyways, this is really not the issue the author makes it out to be, and for the edge cases, they are being worked on.

Thanks,
David

Re:This is not accurate

[funfail]

Hi David. Isn't it possible for you to just cooperate with Akamai and resolve according to the client location based on IP address?

Re:This is not accurate

[davidu]

yep! This is the exact goal of the IETF draft I linked. Unfortunately the old guard of DNS (Vixie, et al) are not supporting it because they fear it raises insurmountable privacy concerns. Most disagree since the ultimate authority will see the clients IP eventually, but that's the current hold up. Not sure if it can be resolved to everyone's satisfaction. :-(

Re:This is not accurate

awesome! thank you for your reply. BUT wouldn't giving client ip away in the dns request reduce privacy?

Re:This is not accurate

[davidu]

That's the argument opponents make. I don't buy it for a variety of reasons. Hard to write it on my iPhone but will blog about it soon.

Re:This is not accurate

[arkhan_jg]

You know, I'd thought I'd actually try it out for myself with a rough and ready test. I have an ISP that gives me multiple real IP addresses, so I stuck my PC on the DMZ with a real IP, and tested each of the DNS servers as the sole DNS server in windows, without using either my local dnsmasq local cache or the one on my router. Obviously, I flushed windows own DNS cache between each ping test. The results are below, make of them what you will.

I also tested all DNS providers with both primary and secondary servers; since the 2ndary servers always gave me the same IP address as the primary, they're not included. Ping times are a simple 0DP average of two sets of 10 pings (and there were no odd spikes, with my connection otherwise idle)

First though, the response times of the DNS servers themselves, average uncached - tested using GRC's DNSBench.
aaisp is my own ISP, BT is a large ISP in my country, 4.2.2.3 is one which I'm using at the moment, having previously tested it as fastest.

google (8.8.8.8): 156ms
opendns (208.67.222.222): 176 ms
aaisp (217.169.20.20): 115 ms
BT (194.72.9.34): 71ms
level 3 (4.2.2.3): 95ms

Then, testing which CDN server each DNS server sends me to, and the ping times of those servers - I used the same CDN DNS names as the article;

First, cdn.thaindia.com (internap):

google resolves as 64.7.222.130, ping 167ms
opendns resolves as 77.242.194.130, ping 15ms (!)
aaisp resolves as 64.20.60.99, ping 82 ms
BT resolves as 64.20.60.106, ping 81ms
level 3 resolves as 64.20.60.106, ping 81ms

Then profile.ak.fbcdn.net (akamai):

google resolves it as 92,122,217,75, ping 22ms
opendns resolves as 195.59.150.152, ping 15ms
aaisp resolves as 92.122,208.106, ping 13ms
BT resolves as 88.221.94.242, ping 14ms
level 3 resolves as 195.59.150.144, ping 15 ms

However you slice it, google's public DNS is a bad choice for me. Longer to resolve addresses, and it sends me to non-optimal CDN servers. OpenDNS is a mixed bag; slower resolution than the rest, but sends me to easily the most optimal cdn.thaindia.com server (shame about the redirected NXDOMAIN problem). Yet BT are the fastest DNS resolver of all, and still return decent results. Go figure; I thought they'd be overloaded and well, crap.

I'm definitely going to have to further testing for my own personal use, using whole page rendering on my favourite sites to see what is actually the best option for me personally, as DNS resolver speed clearly isn't the whole story in this CDN world.

Re:This is not accurate

[BitZtream]

If anyone would like to see this for themselves on any servers they use, check out namebench

http://code.google.com/p/namebench/

Tests to figure out which DNS servers you should use from a speed perspective mostly, but does all sorts of neat checks for DNS hijacking like OpenDNS does.

Its bad enough to do NXDOMAIN hijacking, but flat out stealing google traffic and running it threw their own servers is just bullshit.

Re:This is not accurate

[davidu]

You have summarized the privacy concern well. That's exactly the issue. The fear that is held is that implementations won't respect someone who includes 0.0.0.0/0 and instead will replace it with the actual client's source_addr when forwarding a request along. Think hotel, cafe, wifi hotspot vendors, etc... Those folks tend to implement for ease, not privacy. And sometimes they opt against privacy.

The critics of the proposal think that there is no assurance of privacy, and they feel that's a reason to not move forward. In my world, there are much better ways to violate real privacy than to see a client IP address in a DNS request, but maybe I'm less sensitive about it. I think it's certainly worthy of discussion and attempting to find a solution.

Re:This is not accurate

[davidu]

Well the critics argue that the Internet != The WWW. Which is true. If you are sending email, the destination SMTP server, and it's corresponding authoritative DNS server would never normally see the client's original IP. The fact that TONS of benefits exist from routing and performance to anti-spam measures would benefit from this, we're creating a vector of privacy leakage that possibly didn't previously exist in all scenarios.

None of this considers the fact that very few DNS operators would actually even implement this standard. Just big 3rd party resolvers like us and Google and big CDNs and eye-ball sites.

Re:This is not accurate

[sajalkayan]

I'm the author of the blogpost and am inclined to reply. David, I don't mean any disrespect to OpenDNS. It is an awesome service and I too myself use it when nothing else works. I don't have anything against OpenDNS. If you for some strange reason want to discredit data from EC2 instances, please see the data from Thai and the Swedish ISP. Both are personal internet connections of people residing in the respective countries from their homes. Now that you have really discredited me, I have to work harder to get data from someone's home connection is US and UK (apparently you dont recognize data from other locations). Thanks, Sajal

Re:This is not accurate

[gad_zuki!]

>. Unfortunately the old guard of DNS (Vixie, et al) are not supporting it because they fear it raises insurmountable privacy concerns.

Old guard? You'll find end users are also very much concerned with privacy. Rewriting the DNS spec solely for CDNs is ridiculous. Want location services in web broswer? Add it to http. Let the browser makers figure out the implemention.

Not to mention, there's nothing open about your service. Its simply free. There's nothing open source about it and you openly violate the DNS spec with your typo domain crap. Sorry, the internet doesnt need "open" dns to ruin dns. You've done enough already. Thankfully, google offers free dns at 8.8.8.8.

Re:Is this a problem?

[pjt33]

Ok, saving network capacity I can buy as a benefit. I'm not sure that latency - the focus of TFS - is a real issue when downloading software updates, though.

OpenNIC published server locations...

[pongo000]

...so those in the know can select the nameserver(s) closest to them without having to depend upon a 3rd party to determine (sometimes erroneously) what servers are closest.

Re:You're a man after my own heart! apk

[LordLimecat]

Neither infected PDFs nor Java rely on javascript. An ad in a DIV will infect you just fine.

Re:What?

[Ash-Fox]

That would be a violation of my state's wiretapping laws.

Most wiretapping laws that I am aware of do not protect you from 'eaves dropping' from private companies when you're using their services.