Beware of Using Google Or OpenDNS For iTunes

Relayman writes "Joe Mailer wanted to download an iTunes movie recently and his Apple TV told him it would take two hours. When he switched his DNS resolver settings, the download time dropped to less than 20 seconds. Apparently, iTunes content is served by Akamai which uses geolocation based on the IP address of the DNS request to determine which server should provide his content. When you use Google or OpenDNS to resolve the Apple domain name, all the requests to Akamai appear to be coming from the same location and they're all directed to the same server pool, overloading that pool and causing the slow downloads. The solution: be wary of using Google or OpenDNS when downloading iTunes files or similar large files. Use your own ISP's DNS servers instead or run your own resolving DNS server."

Opposite Experience with Adobe Download

[eldavojohn]

First, I was able to verify this with the iTunes download. My Cox DNS was 20 seconds while my Google DNS was 2 minutes 10 seconds.

But I just tested this on my own by using a different source that uses Akamai: Adobe.

So I picked a file at this URL: http://ardownload.adobe.com/pub/adobe/reader/unix/9.x/9.4.0/enu/AdbeRdr9.4-1_i486linux_enu.bin

Sure enough, the initial server directed me to 72.215.224.16 with this partial tracert:

4 12 ms 10 ms 10 ms mrfddsrj02gex070002.rd.dc.cox.net [68.100.0.145]
5 17 ms 14 ms 12 ms ashbbprj01-ae0.0.rd.as.cox.net [68.1.0.220]
6 12 ms 15 ms 12 ms 72.215.224.16

Firefox told me this would take 3 Minutes and 35 Seconds.

Then, I set my DNS to the 8.8.8.8 and 8.8.4.4 addresses and tried it again. This time I was sent to 72.246.30.19 with this partial tracert:

4 11 ms 12 ms 14 ms mrfddsrj02gex070002.rd.dc.cox.net [68.100.0.145]
5 13 ms 11 ms 13 ms ashbbprj01-ae0.0.rd.as.cox.net [68.1.0.220]
6 17 ms 17 ms 13 ms ge13-1.br01.ash01.pccwbtn.net [63.218.44.125]
7 21 ms 18 ms 12 ms akamai.ge13-4.br02.ash01.pccwbtn.net [63.218.94.142]
8 17 ms 18 ms 13 ms a72-246-30-19.deploy.akamaitechnologies.com [72.246.30.19]

Surprisingly, this second server that I was directed to using Google DNS only took 10 seconds to download the same file. I did it a second time and it took 30 seconds.

Now after restoring my default DNS resolution that URL continually directs me to 72.215.224.40 and the download is as speedy as the Google DNS. If I switch back to Google DNS it now continually directs me to 72.246.30.32 so you can see that there's some load balancing going here that apparently can be divvied up by geographic location for some of their customers. Apparently Apple needs to investigate the same solution that Adobe is using from Akamai. Which doesn't consider everything from Google DNS being fulfilled from a west coast replication server?

Re:Opposite Experience with Adobe Download

[sumdumass]

I though Google used Anycast just like the rest of the large providers. Perhaps it's a routing issue where Google's servers are separated a bit geographically from certain people and the servers they are wanting to connect to?

Re:Opposite Experience with Adobe Download

[TooMuchToDo]

The problem is Akamai is using DNS to determine location, when it should be determining the geolocation of the client IP and throwing an HTTP redirect to the proper server. You can't rely on a client using the "proper" geographically-located DNS server.

Re:Opposite Experience with Adobe Download

[icebike]

Well the point of the GP's Anycast comment was that simply using 8.8.8.8 as your dns server is not sufficient to pinpoint WHERE your dns comes from.

8.8.8.8 will resolve to different physical machines depending on the load balancing that Google is doing.

Your dns request might be served out of California on one hit, and out of Ireland on the next hit.

Akamai, by paying attention to where the DNS request came from is doing it fundamentally WRONG, because they could actually deny service (for national licensing reasons) based on location of the DNS server when the actual user was in a totally different (and legal) location.

Re:Opposite Experience with Adobe Download

[TheRaven64]

Not really. An HTTP redirect means that you make an initial connection to one server, and are then told that what you really want is on another. This adds a small amount of latency, but typically well under half a second. The original server is then not used for the remainder of the download. Akamai is typically used to serve large files - at least a few megabytes - so this extra hop doesn't add much overhead, and does make the geographic distribution much more efficient.

Using the DNS server's IP to determine the address of the client is fundamentally broken. There are other cases where it can fail spectacularly, such as when you have a computer sitting on two networks - it always sends DNS requests on one and then picks the less-loaded network for other connections, so the DNS tells it to go to the right server for the DNS cache's network and the client uses the other network. You can also have serious problems with resolvers caching addresses in a laptop - if you move between two networks (e.g. 3G and WiFi) and the server's address is cached, you'll find that you're going to the wrong server.

Re:Opposite Experience with Adobe Download

[rjstanford]

The point here is that routing a request to a server near the DNS server is fundamentally the wrong thing to do. You route to the server closest to the end user.

And how do you do that? After all, they've already made their request and you have to have something answer it. Sure, you could tell them to talk to someone else, but that's a potentially very slow bounce (at internet speeds). Aha! When they connect and ask for the file, that's actually the 2nd time they communicate with you. The first time they provide a string, an "address" so to speak, and ask machines that you control what IP address they should talk to. Perfect! That even has to be a separate request so we're not adding latency. You can figure out where they are through that lookup request, get their IP (or the IP of their immediate upstream, same thing for this purpose), and give them the best IP address for their 'net location.

Oh, that's what they're doing already? Yeah... maybe, just maybe, they're smarter than random /. armchair quarterbacks are at this. If you start routing your internet requests through geo-random proxies, services that try to help you based on your geolocation are going to be confused. There's no way around that. The fact that you're just proxying some of your traffic only means that just some services are going to be confused. Still your (collective) fault.

Re:Opposite Experience with Adobe Download

[vrmlguy]

A HTTP redirect system requires extra http request to be made without even knowing where the client is. You could be making that request from South Africa to North America, adding big delay.

An HTTP redirect is typically resolved in less than a second. If your download is going to take over a minute, that's less that 1% of your total download time.

When 99.9% of internet users use their local ISP's DNS it just makes sense to build it like that. Sure it's not perfect for the odd geeks who have changed their DNS settings, but that is so small minority it doesn't make any sense to slow down their whole system.

When your power users don't use their local ISPs, it makes sense to at least filter out those requests for special handling. Right now, if I were asked to chose a CDN, I'd have to recommend someone other that Akamai, if only because I use OpenDNS at home. If I were Akamai, I'd want to route Google and OpenDNS requests to servers that provide HTTP redirects based on the client's IP.

Akamai has been in this business for a very long time and has their infrastructure on datacenters all over the planet. They know what they're doing.

If they knew what they were doing, they wouldn't have this problem. Level 3 was able to grab Netflix, which indicates at least some customer dissatisfaction, and Limewire is growing at twice Akamai's rate. Do you work for Akamai, or are you a free-lance apologist?

Re:Opposite Experience with Adobe Download

[CastrTroy]

Because MAC addresses are only used at layer 2, and don't travel the whole length of the packet. The MAC address changes between each router the packet passes between. The MAC address seen by the Apple servers are just the MAC Address that apple has on their own routers in the datacenter. Apple has no way of seeing the initial MAC address from the Apple TV unit initiating the request.

Re:Opposite Experience with Adobe Download

[MintyGreenMedia]

Akamai has been in this business for a very long time and has their infrastructure on datacenters all over the planet. They know what they're doing.

Based on the "IPv6 is hard!" whining I've heard from their camp, I'm not so convinced they still know what they're doing.

Good advice - Always use your ISP for DNS

[crusty_architect]

This is a very widespread practice now. Use your own ISP for DNS.

Re:Good advice - Always use your ISP for DNS

[shentino]

Only if I trust them not to fuck with it.

Re:Good advice - Always use your ISP for DNS

[MachDelta]

MIL - I realized after a few seconds that probably stands for "Mother-In-Law", but the mechanic in me instantly interpreted it as "Malfunction Indicator Lamp."

Shortly after that I had a chuckle upon realizing that they're both things no one likes to see.

Re:Good advice - Always use your ISP for DNS

[camperdave]

Um, I know it is early (6am here for me...) but which modern OS only supports one server?...

Grab your morning coffee and fire up the sarcasm detector.

Re:Good advice - Always use your ISP for DNS

[CheerfulMacFanboy]

yeah, since you can't set secondary dns servers in any modern os...

Sure you can, Primary and secondary are setup to openDNS on my router...

Do they resolve wooosh.com?

Re:Good advice - Always use your ISP for DNS

[a_nonamiss]

I guess everyone's mileage varies. I've been using RoadRunner in Central Ohio since 1998. (I was a residential beta tester back when you had to install a RoadRunner client and "sign in" to a proxy server using a Kerberos token.) I've had both residential and business class service, and I can only recall one DNS outage which lasted about an hour. Now, I won't say there weren't other outages. We had one winter where the physical circuit went down 5 times in 2 months due to weather-related problems. But DNS has always been rock solid for me.

Re:Good advice - Always use your ISP for DNS

[Z00L00K]

I already do, and since my ISP censors the internet through their DNS there is no alternative to go back to them.

And a cleaned up version of my config. It doesn't involve the ISP at all but queries the root servers on the net instead.

And as long as the ISP:s doesn't filter the DNS requests to the root servers this is the way to go right now.

options {
                allow-query {
                                127.0.0.1;
                                192.168.0.0/16;
                };
                directory "/var/named";
                pid-file "/var/run/named/named.pid";
                recursion yes;
                dnssec-validation no;
};

key mykey. {
                algorithm HMAC-MD5;
                secret "** Secretas... ***";
};

zone "." {
                type hint;
                file "root.hints";
};

zone "int.anon.org" {
                type master;
                allow-update { key mykey.;};
                file "int.anon.org.db";
                notify yes;
};

zone "1.168.192.in-addr.arpa" {
                type master;
                allow-update { key mykey.;};
                file "1.168.192.db";
                notify yes;
};

zone "localdomain" {
                type master;
                file "localhost.db";
                notify no;
};

zone "0.0.127.in-addr.arpa" {
                type master;
                file "0.0.127.db";
};

zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
                type master;
                file "ip6.local.db";
                allow-update { none; };
};

Re:Good advice - Always use your ISP for DNS

[jaymz666]

They resolve it to some parked site.

Re:Good advice - Always use your ISP for DNS

[KibibyteBrain]

Why use your ISP for DNS? Chances are their servers suck, and they will insert spam links for failed resolutions to add insult to injury for their horrible service. Find a server that is 1) geographically close and 2) measurably performs well. I personally use this tool for locating a DNS server that measurably works well with my connection: http://www.grc.com/dns/benchmark.htm .

Re:Good advice - Always use your ISP for DNS

[hazem]

Use your own ISP for DNS.

Do you have any tips for keeping your ISP from directing a "server not found" to one of their crappy ad-ridden search pages? I think that's a major reason people choose DNS servers that aren't at their ISP.

Re:Good advice - Always use your ISP for DNS

[Khyber]

It's blacklisted in my router at the root domain level.

Slashdot runs so much faster, now.

WHY MUST YOU LOAD SOMETHING WHEN I'M CLOSING YOUR TAB, SLASHDOT?

Seriously, that's a bunch of bullshit.

Re:Good advice - Always use your ISP for DNS

[nabsltd]

Sure you can, Primary and secondary are setup to openDNS on my router...

I really don't understand why such a high percentage of /. readers use anything other than their own DNS server (i.e., a DNS server in or behind their router).

It's insanely trivial to install a caching DNS resolver on just about any OS and there is also custom router firmware that does this.

Re:Good advice - Always use your ISP for DNS

[crusty_architect]

So standard question. Why are you throwing unresolvable queries at your ISP's DNS??

Re:Good advice - Always use your ISP for DNS

[RobertM1968]

This is a very widespread practice now. Use your own ISP for DNS.

I prefer using a DNS provider who doesn't serve me a Yahoo powered by Bing search page if I try going to a bad URL - unlike my "own ISP".

Re:Good advice - Always use your ISP for DNS

[RobertM1968]

Anycast == Hard, DNS == Easy...

DNS also equals "stupid method of doing it". While most/many large ISPs have DNS servers geographically located, a number still do not. Heck, back in the 90's, UUNet ran three "public" (for their customers) DNS servers... if memory serves, they were Virginia, Chicago and Cali. Customers would use the closest two. Now... this was an ISP that was AlterDial, MSN's backbone and dial-in, AOL's backbone and dial-in, and, at the time, battling for the largest Internet backbone against IBM.

Don't know why they'd use a method known to be broken for various implementations/setups/ISPs and hope it works with larger ISPs' customers. Makes no sense at all.

Re:Good advice - Always use your ISP for DNS

[RobertM1968]

So standard question. Why are you throwing unresolvable queries at your ISP's DNS??

Hmmm... here's a few guesses:
(1) typo
(2) bad link from another site
(3) dead link on a search engine
(4) checking a domain that's been registered to see if it's active, parked or pointing nowhere

I'm sure there are other reasons...

Re:Good advice - Always use your ISP for DNS

[beelsebob]

But why would you? Even if it's easy, it's more effort than it's worth.

Re:Good advice - Always use your ISP for DNS

[Khyber]

By domain name, of course. You do know how to use a wildcard in your config script, yes?
*.akamai.net

You can also implement a blacklist by IP address. It's quite simple to find out which IP addresses are currently allocated to Akamai.

Adios Akamai with specialized whitelist exceptions for certain components to get some sites to work properly.

And I have to repeat the settings in NoScript as well but of course that's pretty trivial.

Re:Good advice - Always use your ISP for DNS

[Khyber]

How about you come over and watch it happen for yourself? That's a fully open invitation with full-paid plane ticket and couch space. And when you see me prove to you hands-down that it's DNS all the way (and I'm not switching to Google because their DNS propagation is slow as balls,) you get to swallow ten of my fresh bhut jolokia peppers as an "I told you so" and I get to record it and post it on youtube.

Deal? I just spent last week helping the Redlands Police Department track down the source of some random pair of video signals coming into my and other people's apartment (over-powered baby video monitor.)

I'm down for the next challenge. Please, come on by. Developing the tech for growing plants without light at all was much more complicated.

Re:Good advice - Always use your ISP for DNS

[faedle]

Believe it or not, sometimes you have no choice.

Where I presently live, there is no DSL-based service available, only cable modem. If you are fortunate to live on the right side of the building, you can get Clear's WiMAX service, but that has issues.

Re:Good advice - Always use your ISP for DNS

[Qzukk]

The MAC address is only visible on the local network. The first router you hit strips it and adds its own (assuming that the router's uplink is ethernet or some other link protocol that has a MAC).

The idea behind anycast is that I can install hundreds of DNS servers around the world, and give them all the same address but make them return different results, with the idea that the DNS server that is "closest" to the user would return a (non-anycast) address for "download.example.com" that is also "close".

Namebench DNS tool

[maggotbrain_777]

This afternoon, I found a tool from Google Code called namebench which tests response times against multiple DNS servers and give recommendations based upon a number of query types. The results returned when checking the 'censorship tests' were interesting. Seems a number of sites (wikileaks, isohunt, stormfront) returned 'incorrect' results across DNS servers. I'm going to try this over the next couple of days and see if any of my browsing speeds improves.

Re:You would think.

[Timothy+Brownawell]

They only find out your IP address after it's too late.

1. Your computer asks a DNS resolver where the server is.
2. The DNS resolver asks Apple's (well, Akami's) DNS server where the server is.
3. The DNS server guesses the closest server, but all it has available to work with is the address of the resolver.
4. Your computer uses that answer to contact the server and download whatever. If it was given the wrong server, it's too late now.

Re:Why

[omglolbah]

The beauty of the DNS "trick" is that a user requesting say "yadiyadi.com/media/cheez.mp4" in Norway would get one IP and a client in say Australia would get a completely different IP. This makes the whole CDN implementation a whole lot easier as you avoid the whole negotiation issue by having the domain resolve to different IPs based on the source of the request.

This is overly simplified of course.

It works for the vast majority of users too.

Re:Hrmmm

[socsoc]

Elegant? Misusing DNS to make a CDN faster isn't elegant.

Re:Alternate solution

[devilspgd]

You don't need to install iTunes to install QuickTime. Sadly, you do need QuickTime to install iTunes. Which is the lessor evil depends on your needs, but I'd be thrilled to have iTunes alone without QuickTime, Bonjour or the host of kernel mode crap it installs.

Re:sounds like an apple problem

[devilspgd]

Right... Without DRM, but with a watermark (in other words, if you download a Miley Cyrus song and share it, anyone else who gets access to it can track it back to you)

That being said, I have a lot of trouble getting upset over the fact that purchased content is watermarked. As long as I'm not distributing the content, who cares?

Multiple DNS feature?

Seems like it would be useful to use multiple DNS servers and then choose whichever one has the fastest download and abandon the other connections.

Do any browsers/OSs/whatever have this feature? As I understand it, the secondary DNS feature only uses the secondary server when the primary server is down.

Re:Multiple DNS feature?

[Jon+Stone]

That's sounds very much like the default behaviour of ISC's bind, up until version 9.6 https://www.isc.org/software/bind/new-features/9.6

Randomize server selection on queries As a security improvement to make forgery a little more difficult, BIND 9.6 now attempts to make the order of the server selection for queries less predictable. Previously, BIND would prefer to query the server with the lowest round trip time (RTT). Now servers that haven't been tried yet have their RTT set to a random value between 0 ms and 7 ms. And the RTT values of servers which have been tried are now randomly changed up to 128 ms.

This algorithm also applies to DNS servers specified with the "forwarders" clause. A local bind installation with the ISP's and Google's DNS servers configured as forwarders would do what you want. The OS and applications would then be configured to use the local DNS server.

Re:Hrmmm

[Gadget_Guy]

It must be Apple's "magic" that's causing the trouble.

No, it is not Apple's fault. Anyone using Akamai would have the same problem. I think Microsoft use them for Windows Updates too.

And how is this news?

[xnpu]

This applies to tons of GEO-optimized services and has been this way since day one. Really, how is this news?

Re:And how is this news?

[xnpu]

BTW - Remember when Google proposed to modify the DNS protocol to pass on the end-users IP? This is exactly why.

Re:Alternate solution

[dangitman]

Which is the lessor evil depends on your needs,

Well, since neither Quicktime or iTunes is leased to you, I guess that means neither is a lessor evil.

Re:Hrmmm

[Desert+Raven]

No, it's not particularly elegant. But on the other hand, split-horizon DNS is nothing new or magical either. Nor would I classify it as "abuse". The capability has been there since the early days of BIND.

In the DNS trade, we refer to it under the category of "stupid DNS tricks"

That said, it does have some significant advantages over other techniques.

#1, It's protocol-independent. Sure you can do intelligent redirects with HTTP, but not everything in the world is HTTP
#2, Even with HTTP, in order for it to work, you have to now change the name of the server, and often the links to internal content. Your initial request to www.domain.com will now have to be redirected to hostx.domain.com or www.location.domain.com etc., and links on the pages to content servers will also have to be altered. This can be confusing to end-users, and may require additional SSL certs. It's also a code maintenance issue.
#2a, While the renaming seems trivial on first glance, it has HUGE implications for search engines, etc, since those "local" servers will get indexed instead of a generic name
#2b, It also means that a calculation will have to be made by the web server deciding where to redirect you to, then the actual redirect, increasing load and latency. DNS solutions are "pre-computed" and thus do not have similar issues.
#2c, If you solve 2a by checking every request at every location, you make 2b much worse
#3, It's simple.

Downsides:

#1, Third-party DNS recursive services throw it off. (There is a proposed RFC that would allow for such recursives to pass the originating network in the request)
#2, It makes DNSSEC a right royal PITA (Much more than it already is)

Re:You would think.

[TooMuchToDo]

More info on my above point. If Akamai were to use HTTP instead of DNS for load balancing, complexity would increase in having to manage redirect clusters, as you couldn't anycast them over UDP like you can with DNS.

RFC 1546 - Host Anycasting Service

How UDP and TCP Use Anycasting

      It is important to remember that anycasting is a stateless service.
      An internetwork has no obligation to deliver two successive packets
      sent to the same anycast address to the same host.

      Because UDP is stateless and anycasting is a stateless service, UDP
      can treat anycast addresses like regular IP addresses. A UDP
      datagram sent to an anycast address is just like a unicast UDP
      datagram from the perspective of UDP and its application. A UDP
      datagram from an anycast address is like a datagram from a unicast
      address. Furthermore, a datagram from an anycast address to an
      anycast address can be treated by UDP as just like a unicast datagram
      (although the application semantics of such a datagram are a bit
      unclear).

      TCP's use of anycasting is less straightforward because TCP is
      stateful. It is hard to envision how one would maintain TCP state
      with an anycast peer when two successive TCP segments sent to the
      anycast peer might be delivered to completely different hosts.

      The solution to this problem is to only permit anycast addresses as
      the remote address of a TCP SYN segment (without the ACK bit set). A
      TCP can then initiate a connection to an anycast address. When the
      SYN-ACK is sent back by the host that received the anycast segment,
      the initiating TCP should replace the anycast address of its peer,
      with the address of the host returning the SYN-ACK. (The initiating
      TCP can recognize the connection for which the SYN-ACK is destined by
      treating the anycast address as a wildcard address, which matches any
      incoming SYN-ACK segment with the correct destination port and
      address and source port, provided the SYN-ACK's full address,
      including source address, does not match another connection and the
      sequence numbers in the SYN-ACK are correct.) This approach ensures
      that a TCP, after receiving the SYN-ACK is always communicating with
      only one host.

Emphasis mine.

Re:Why

[TooMuchToDo]

You can anycast DNS with UDP and the client never knows the difference since it's handled with BGP and IP. HTTP redirects would be much more difficult to do from a reliability and scalability standpoint. Also, when it fails, it would be much less graceful.

TreeWalk

[macraig]

Use your own ISP's DNS servers instead or run your own resolving DNS server.

The first suggestion is just no longer an option, for so many reasons, all of them based on lack of trustworthiness in this climate of corporate dominance and machination. I was using OpenDNS for several years, but recently I started using TreeWalk to host my own modest DNS server. Seems to work fine, and I don't even notice it's there.

Where are the torrents?

[louarnkoz]

Load balancing based on the DNS resolver is so 1999! Even when it works, it works by chance, and does not test the actual speed between your PC and the potential servers. Compare that to Bit Torrent, which actually tests the speed of the downloads. You really wonder why Apple, and Akamai, would not use some kind of torrent technology!

Re:Where are the torrents?

You really wonder why Apple, and Akamai, would not use some kind of torrent technology!

Because BitTorrent is a free open protocol which Akamai would not be able to charge money for.

Re:Where are the torrents?

[thegarbz]

Some of us have metered uploads and our net also slows to a crawl when we send a mere 75KB/s upstream even though we can download at 2MB/s. I like bittorrent as much as the next guy, but I actively disable it where possible for services which charge me money AND leech off my bandwidth which also costs me money.

Re:Where are the torrents?

[docblack]

You really wonder why Apple, and Akamai, would not use some kind of torrent technology!

I don't think you understand how this works, Akamai is just a web proxy: Akamai gets free rack space from an ISP, in return Akamai serves content (Itunes, MS, Farmville ;) to the ISP customers thus saving the provider from using their backbone for this cached content. It's a simple system. If you are using OpenDNS Akamai doesn't know which servers to use for your session. Since there is no client software beyond a web browser that is requesting files there isn't a whole lot you can do without adding complexity. Measuring speed is kind of pointless as I can guarantee the cached content at your ISP's datacenter is the best place to download from :) -DRB

Re:Hrmmm

[crusty_architect]

Elegant is over-rated. DNS is a great place to implement some good value trickery for 99.99% of customers.

Re:WTF

[dontmakemethink]

WTF is iTunes?

It's the virus that is installed when you update Quicktime.