[dns-operations] Everyone having their own resolver
gih at apnic.net
Thu Feb 4 03:08:13 UTC 2016
> On 4 Feb 2016, at 5:34 AM, Matthew Pounsett <matt at conundrum.com> wrote:
>> On Feb 3, 2016, at 12:20, Paul Hoffman <phoffman at proper.com> wrote:
>> On 3 Feb 2016, at 7:41, Matthew Pounsett wrote:
>>> The existing infrastructure can probably handle it initially, sure .. but expect your domain registrations and DNS hosting to be an order of magnitude more expensive. Much of the authoritative infrastructure has an overhead multiplier built into its capacity, where the multiplier is locally chosen based on the likelihood and impact of DDoS. Some infrastructures are built to handle over 100x the “normal” traffic load.
>>> When the normal query rate sees an order (or two) magnitude jump, it eats away that extra capacity built into the system, and everyone has to scale up to get back their DDoS-eating overhead.
>> These are interesting bold statements, and I've heard similar over the past few years.
>> Has anyone ever measured this? That is, there are a bunch of people on this very mailing list who have access to the caches and possibly even the query logs for Very Large Resolvers. It would be grand to see current research (or at least a list of good recent research) on what percentage of queries are for things in the long tail.
> The ad-based measurement system built by Geoff Huston and George Michaelson has provided some very good information on the number of individual systems behind the very large recursive servers such as Google and OpenDNS. From memory, because I can’t seem to put my hands on the presentation slides at the moment, I believe it’s in the neighbourhood of 25% of the Internet’s users behind a very small number (2-3?) of resolver farms, and 90% of all users behind less than 1% of the visible resolvers.
> I’m sure George or Geoff are on here to contradict my recollection.
Slide 19 http://www.potaroo.net/presentations/2015-05-08-resolvers.pdf
90% of the Internet’s users have their DNS queries forwarded into 0.7% of all the visible resolvers (around 2,000)
23% of users have their DNS queries passed into resolver farms operated by just 3 entities (one is Google’s Public DNS service, obviously)
I don’t get to see the query logs, so I have no idea of the profile of queries these large resolvers see. Our experiment was in seeding users with unique (never seen before) DNS names and then looking to see which resolvers asked for this name.
This conversation thread appears to be talking about the “robustness” of the DNS resolution infrastructure. There is perhaps a related measurement that points to a rather poor picture of DNS resolution infrastructure: one quarter of users appear to be unable to resolve an uncached DNS name with a single query to the zone’s authoritative server. (http://www.potaroo.net/presentations/2014-07-20-DNS-measure.pdf, slide 18) I strongly suspect that the DNS resolution infrastructure is relatively rough and ready and not necessarily all that good. What appears to save our collective bacon is the suspicion that most name queries are answered from a local cache so you are rarely exposed to overheads of querying all the way through the forwarder chain to one of the authoritative name servers.
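One way to derive the two kinds of figure cited above (user concentration behind resolvers, and users needing more than one query for an uncached name) from the seeded-name technique Geoff describes. This is an added example, not code from the post or from the APNIC measurement system; the log format, the `exp.example` zone and the resolver addresses are constructed.

```python
from collections import defaultdict
# Constructed sample log, not real measurement data: one line per query that
# reached the authoritative server for the experiment zone. Each unique label
# was served to one user, so label = user and source address = resolver.
SAMPLE_LOG = """\
u001.exp.example 203.0.113.10
u002.exp.example 203.0.113.10
u003.exp.example 203.0.113.10
u003.exp.example 203.0.113.11
u004.exp.example 203.0.113.10
u005.exp.example 198.51.100.5
u006.exp.example 198.51.100.5
u007.exp.example 192.0.2.77
u007.exp.example 192.0.2.78
u007.exp.example 192.0.2.79
u008.exp.example 203.0.113.10
u009.exp.example 198.51.100.5
u010.exp.example 192.0.2.200
"""

def parse_log(text):
    """Map each unique label to the resolvers that asked for it, in query order."""
    seen = defaultdict(list)
    for line in text.splitlines():
        if line.strip():
            label, resolver = line.split()
            seen[label].append(resolver)
    return seen

def resolver_concentration(seen, user_share=0.9):
    """Return (resolvers needed to cover `user_share` of users, resolvers visible).
    Resolvers are ranked by distinct users served; a user is attributed to the
    first resolver that asked for their label."""
    users_per_resolver = defaultdict(set)
    visible = set()
    for label, resolvers in seen.items():
        users_per_resolver[resolvers[0]].add(label)
        visible.update(resolvers)
    covered, needed = 0, 0
    for users in sorted(users_per_resolver.values(), key=len, reverse=True):
        covered += len(users)
        needed += 1
        if covered >= user_share * len(seen):
            break
    return needed, len(visible)

def multi_query_share(seen):
    """Share of users whose uncached name hit the authoritative more than once."""
    return sum(1 for r in seen.values() if len(r) > 1) / len(seen)
```

Attributing a user to the first asking resolver is a simplification: with forwarder chains the address seen at the authoritative is the last hop, not the resolver the user configured.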