• Save
Resolution for a Faster Site
Upcoming SlideShare
Loading in...5
×

Like this? Share it with your network

Share

Resolution for a Faster Site

  • 541 views
Uploaded on

Resolution for a Faster Site, How DNS Affects Page Load Time

Resolution for a Faster Site, How DNS Affects Page Load Time

More in: Technology , Business
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Be the first to comment
No Downloads

Views

Total Views
541
On Slideshare
541
From Embeds
0
Number of Embeds
0

Actions

Shares
Downloads
0
Comments
0
Likes
2

Embeds 0

No embeds

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
    No notes for slide
  • http://www.speedawarenessmonth.com/caffeinated-dns-monitoring-and-the-att-dns-outage/http://blog.netdna.com/maxcdn/dns-outage-post-mortem/http://blog.dnsimple.com/incident-report-dns-outage-due-to-ddos-attack/http://www.networkcomputing.com/security/godaddy-outage-a-harsh-reminder-that-ent/240007312
  • http://www.caida.org/funding/dns-itr/proposal/Image: http://www.caida.org/funding/dns-itr/proposal/Figures/dns_map_2.png
  • http://en.wikipedia.org/wiki/Domain_Name_System#DNS_resource_records
  • http://www.flickr.com/photos/dia-a-dia/7046151669/
  • https://plus.google.com/103382935642834907366/posts/FKot8mghkok
  • http://blog.cloudharmony.com/2013/05/dns-marketshare-alexa-10000-fortune-500.html
  • http://www.flickr.com/photos/yukop/7350636534/
  • http://www.potaroo.net/ispcol/2011-12/esotropia.html
  • http://www.potaroo.net/ispcol/2011-12/esotropia.html
  • http://www.potaroo.net/ispcol/2011-12/esotropia.html
  • http://www.potaroo.net/ispcol/2011-12/esotropia.html
  • http://www.potaroo.net/ispcol/2011-12/esotropia.html
  • http://www.potaroo.net/ispcol/2011-12/esotropia.html
  • http://www.potaroo.net/ispcol/2011-12/esotropia.html
  • http://www.potaroo.net/ispcol/2011-12/esotropia.html
  • http://www.potaroo.net/ispcol/2011-12/esotropia.html
  • Dual stack analysis: http://www.potaroo.net/ispcol/2011-12/esotropia.htmlApple note: http://lists.apple.com/archives/ipv6-dev/2011/Jul/msg00009.html
  • Chrome: https://plus.google.com/103382935642834907366/posts/FKot8mghkokDual stack analysis: http://www.potaroo.net/ispcol/2011-12/esotropia.html
  • The important part is with the resolvers, not
  • http://www.flickr.com/photos/keithburtis/2614418536/

Transcript

  • 1. Resolution for a Faster Site How DNS Affects Page Load Time Ido Safruti ido@akamai.com Web Performance Products, Akamai
  • 2. ©2013 AKAMAI | FASTER FORWARDTM I will not talk about • DNS pre-fetching (its great, use it!) • Optimizing for # of domains • Other FEO stuff • The pain of redirects on mobile, and HTTPS
  • 3. ©2013 AKAMAI | FASTER FORWARDTM I’ll also won’t be talking about Daddy’s Nasty Sons
  • 4. ©2013 AKAMAI | FASTER FORWARDTM Why is DNS important?
  • 5. ©2013 AKAMAI | FASTER FORWARDTM The phonebook of the Internet
  • 6. ©2013 AKAMAI | FASTER FORWARDTM We just assume it always works
  • 7. ©2013 AKAMAI | FASTER FORWARDTM
  • 8. ©2013 AKAMAI | FASTER FORWARDTM
  • 9. ©2013 AKAMAI | FASTER FORWARDTM
  • 10. ©2013 AKAMAI | FASTER FORWARDTM
  • 11. ©2013 AKAMAI | FASTER FORWARDTM
  • 12. ©2013 AKAMAI | FASTER FORWARDTM Location of DNS root servers, including anycast nodes, identified by their one-letter names. (2008)
  • 13. ©2013 AKAMAI | FASTER FORWARDTM Resource records • TTLs • Common types: • A • AAAA • CNAME • NS • A/AAAA can have multiple records • More on that later • Results can be different in different locations/times http://en.wikipedia.org/wiki/Domain_Name_System#DNS_resource_records
  • 14. ©2013 AKAMAI | FASTER FORWARDTM Let’s see some Data
  • 15. ©2013 AKAMAI | FASTER FORWARDTM Getaddrinfo() times, Chrome Windows: upward blip of 1.45% of samples in around 1s (95.90 percentile), due to Windows DNS retransmission timer. Mac: 2 upward blips: 2.11% in around 300ms (91.51 percentile), and another of 1.07% at 1s (97.36 percentile), due to retransmission timers. Linux: upward blip of 1.81% in around 4250-4900ms (99.26 percentile). OS Mean 10% 25% 50% 75% 90% Windows 644 <=1 12 43 119 372 Mac 230 0 5 28 67 279 Linux 293 2 12 37 89 279 Source: Will Chan, http://goo.gl/ByZmX Mar 15, 2012
  • 16. ©2013 AKAMAI | FASTER FORWARDTM DNS failure - Mac Device: Mac OSX 10.8.4 (mountain lion), Safari 6.0.5 Connection: 3 name servers, all not responding Time Activity ---- --------- 0 -> DNS1 1 -> DNS1 (retransmit) 3 -> DNS2 1 -> DNS2 (retransmit) 3 -> DNS3 1 -> DNS3 (retransmit) 3 -> DNS1 9 -> DNS1 (retransmit) ---- 21
  • 17. ©2013 AKAMAI | FASTER FORWARDTM DNS failure - Windows Device: Windows 7 (IE9) Connection: 3 name servers, all not responding Time Activity ---- --------- 0 -> DNS1 1 -> DNS2 1 -> DNS3 2 -> DNS1, DNS2, DNS3 4 -> DNS1, DNS2, DNS3 4 -> DNS1 1 -> DNS3 1 -> DNS2 2 -> DNS1, DNS2, DNS3 4 -> DNS1, DNS2, DNS3 ---- 24
  • 18. ©2013 AKAMAI | FASTER FORWARDTM Nav Timing data
  • 19. ©2013 AKAMAI | FASTER FORWARDTM DNS time vs page load time Source: Akamai RUM data 0 2000 4000 6000 8000 10000 12000 14000 0.0% 5.0% 10.0% 15.0% 20.0% 25.0% 0 - 10 msec 10 - 25 msec 25 - 50 msec 50 - 75 msec 75 - 100 msec 100 - 200 msec 200 - 300 msec 300 - 400 msec 400 - 500 msec 500 - 600 msec 600 - 700 msec 700 - 800 msec 800 - 900 msec 900 - 1000 msec > 1000 msec DNSTimeDistribution PageLoadTime
  • 20. ©2013 AKAMAI | FASTER FORWARDTM DNS time by browser type Source: Akamai RUM data Only hits with a base page download time <= 169ms 0 100 200 300 400 500 600 700 p25_dns median_dns p75_dns p90_dns Chrome Firefox Internet Explorer Android Webkit Chrome Mobile IEMobile
  • 21. ©2013 AKAMAI | FASTER FORWARDTM Distance of users from resolvers – method 1 OC:6.5% AF:6.9% SA: 5.0%AS:6.25% EU: 0.9% >2000 miles NA: 1.9% July 2012, Akamai
  • 22. ©2013 AKAMAI | FASTER FORWARDTM Distance of users from resolvers – method 2 OC: 6.8% AF: 7.3% SA: 4.7%AS: 5.4% EU: 1.4% >2000 miles NA: 1.7% July 2012, Akamai
  • 23. ©2013 AKAMAI | FASTER FORWARDTM DNS usage Alexa Top 10,000 DNS Marketshare - May 6, 2013 Provider Rank Websites (out of 10,000) Marketshar e Marketshare Change DynECT 1 440 4.40% +6 / +1.382% AWS Route 53 2 381 3.81% 14 / 3.815% UltraDNS 3 361 3.61% -2 / -0.551% DNSPod 4 336 3.36% 5 / 1.511% CloudFlare 5 314 3.14% 23 / 7.904% GoDaddy DNS 6 287 2.87% -10 / -3.367% DNS Made Easy 7 246 2.46% 0 Akamai 8 217 2.17% 10 / 4.831% Rackspace Cloud DNS 9 156 1.56% -2 / -1.266% Verisign DNS 10 106 1.06% 5 / 4.95% Softlayer DNS 11 79 0.79% 0 Namecheap 12 76 0.76% 0 easyDNS 13 76 0.76% -1 / -1.299% Enom DNS 14 66 0.66% -1 / -1.493% Cotendo Advanced DNS 15 47 0.47% -11 / -18.966% Savvis 16 42 0.42% 0 Nettica 17 30 0.30% 0 ZoneEdit 18 29 0.29% 0 Internap 19 27 0.27% 0 ClouDNS 20 21 0.21% 3 / 16.667% DNS Park 21 17 0.17% 1 / 6.25% No-IP 22 12 0.12% 0 Zerigo DNS 23 10 0.10% 0 EuroDNS 24 7 0.07% 0 Worldwide DNS 25 5 0.05% -1 / -16.667% DTDNS 26 2 0.02% 0 CDNetworks DNS 27 2 0.02% 1 / 100% Total 3392 33.92% Source: Cloud Harmony 9 of top 10 run their own DNS. The only one that doesn’t? Hint: they have a DNS service Amazon.com
  • 24. ©2013 AKAMAI | FASTER FORWARDTM Fortune 500 DNS Marketshare - May 6, 2013 Provider Rank Websites (out of 500) Marketsh are Marketshare Change UltraDNS 1 36 7.20% 1 / 2.857% Verisign DNS 2 24 4.80% 0 Akamai 3 13 2.60% 0 DynECT 4 8 1.60% 0 DNS Made Easy 5 6 1.20% 0 Savvis 6 4 0.80% 0 GoDaddy DNS 7 4 0.80% 0 Internap 8 4 0.80% 0 Rackspace Cloud DNS 9 2 0.40% 0 AWS Route 53 10 2 0.40% 0 easyDNS 11 1 0.20% 0 No-IP 12 1 0.20% 0 Enom DNS 13 1 0.20% 0 ZoneEdit 14 1 0.20% 0 Total 107 21.40% Alexa Top 1,000 DNS Marketshare - May 6, 2013 Provider Rank Websites (out of 1,000) Marketsha re Marketshare Change DynECT 1 79 7.90% 0 UltraDNS 2 63 6.30% 1 / 1.613% Akamai 3 48 4.80% 0 AWS Route 53 4 34 3.40% -1 / -2.857% DNSPod 5 32 3.20% 0 DNS Made Easy 6 21 2.10% 0 GoDaddy DNS 7 14 1.40% 0 Cotendo Advanced DNS 8 11 1.10% -1 / -8.333% Verisign DNS 9 10 1% 0 easyDNS 10 10 1% 0 CloudFlare 11 8 0.80% 1 / 14.286% Rackspace Cloud DNS 12 7 0.70% 0 Namecheap 13 6 0.60% 0 Softlayer DNS 14 5 0.50% 0 Enom DNS 15 5 0.50% 0 Internap 16 3 0.30% 0 Savvis 17 3 0.30% 0 Nettica 18 2 0.20% 0 ClouDNS 19 2 0.20% 0 ZoneEdit 20 2 0.20% 0 DTDNS 21 1 0.10% 0 EuroDNS 22 1 0.10% 0 No-IP 23 1 0.10% 0 Worldwide DNS 24 1 0.10% 0 Total 369 36.90% Source: Cloud Harmony
  • 25. ©2013 AKAMAI | FASTER FORWARDTM Source: Catchpoint DNS direct agents, testing the [ab].ns.facebook.com name servers Asia stats influenced by China
  • 26. ©2013 AKAMAI | FASTER FORWARDTM
  • 27. ©2013 AKAMAI | FASTER FORWARDTM Avoid data theft and downtime by extending the security perimeter outside the data-center and protect from increasing frequency, scale and sophistication of web attacks. IPv6 http://www.flickr.com/photos/yukop/7350636534/
  • 28. ©2013 AKAMAI | FASTER FORWARDTM Standard request flow -> Request A record -> Request AAAA record <- Receive CNAME/A record <- Recursively resolve Resolver (caching) will send full recursive in a single response. Host will cache each record with appropriate TTL Apps/Browser – receives host/IP, but no TTL.
  • 29. ©2013 AKAMAI | FASTER FORWARDTM Avoid data theft and downtime by extending the security perimeter outside the data-center and protect from increasing frequency, scale and sophistication of web attacks. Dual stack DNS behavior - basics OS: Windows XP 5.1.2600 Service Pack 3 Connection: tcpopen foo.rd.td.h.labs.apnic.net Time (ms) Packet Activity 0 → DNS Query for AAAA record foo.rd.td.h.labs.apnic.net 581 ← AAAA response 2a01:4f8:140:50c5::69:72 4 → DNS Query for A record for foo.rd.td.h.labs.apnic.net 299 ← A response 88.198.69.81 3 → SYN to 2a01:4f8:140:50c5::69:72 280 ← SYN + ACK response from 2a01:4f8:140:50c5::69:72 1 → ACK to 2a01:4f8:140:50c5::69:72 ------ 1168 Source: Geoff Huston
  • 30. ©2013 AKAMAI | FASTER FORWARDTM Avoid data theft and downtime by extending the security perimeter outside the data-center and protect from increasing frequency, scale and sophistication of web attacks. Dual stack DNS behavior - basics OS: Mac OSX 10.8.4 (mountain lion) Connection: tcpopen foo.rd.td.h.labs.apnic.net Time (ms) Packet Activity 0 → DNS Query for A record for foo.rd.td.h.labs.apnic.net 0 → DNS Query for AAAA record foo.rd.td.h.labs.apnic.net 521 ← AAAA response 2a01:4f8:140:50c5::69:72 0 ← A response 88.198.69.81 1 → SYN to 2a01:4f8:140:50c5::69:72 166 ← SYN + ACK response from 2a01:4f8:140:50c5::69:72 1 → ACK to 2a01:4f8:140:50c5::69:72 ------ 689
  • 31. ©2013 AKAMAI | FASTER FORWARDTM DNS failure – Mac – IPv4 + IPv6 - Chrome Device: Mac OSX 10.8.4 (mountain lion), Chrome 27 Connection: 3 name servers, all not responding Time Activity ---- --------- 0 -> DNS1 A 0 -> DNS1 AAAA 1 -> DNS1 A (retransmit) 0 -> DNS1 AAAA (retransmit) 3 -> DNS2 A 0 -> DNS2 AAAA 1 -> DNS2 A (retransmit) 0 -> DNS2 AAAA (retransmit) 3 -> DNS3 A 0 -> DNS3 AAAA 1 -> DNS3 A (retransmit) 0 -> DNS3 AAAA (retransmit) 3 -> DNS1 A 0 -> DNS1 AAAA 9 -> DNS1 A (retransmit) 0 -> DNS1 AAAA (retransmit) ---- 21 not available because DNS lookup failed
  • 32. ©2013 AKAMAI | FASTER FORWARDTM DNS failure – Mac – IPv4 + IPv6 - Firefox Device: Mac OSX 10.8.4 (mountain lion), Firefox 22 Connection: 3 name servers, all not responding Time Activity ---- --------- 0 -> DNS1 A 0 -> DNS1 AAAA 1 -> DNS1 A (retransmit) 0 -> DNS1 AAAA (retransmit) 3 -> DNS2 A 0 -> DNS2 AAAA 1 -> DNS2 A (retransmit) 0 -> DNS2 AAAA (retransmit) 3 -> DNS3 A 0 -> DNS3 AAAA 1 -> DNS3 A (retransmit) 0 -> DNS3 AAAA (retransmit) 3 -> DNS1 A 0 -> DNS1 AAAA 9 -> DNS1 A (retransmit) 0 -> DNS1 AAAA (retransmit) ---- 21 “Server not found”
  • 33. ©2013 AKAMAI | FASTER FORWARDTM DNS failure – Mac – IPv4 + IPv6 - Firefox (DNS on IPv6) Device: Mac OSX 10.8.4 (mountain lion), Firefox 22 Connection: 3 name servers, all not responding Time Activity ---- --------- 0 -> DNS1 A, AAAA 1 -> DNS1 (retransmit) 3 -> DNS2 1 -> DNS2 (retransmit) 3 -> DNS3 1 -> DNS3 (retransmit) 3 -> DNS1 9 -> DNS1 (retransmit) 9 -> DNS2 1 -> DNS2 (retransmit) 3 -> DNS3 1 -> DNS3 (retransmit) 3 -> DNS1 1 -> DNS1 (retransmit) ---- 39 “Server not found”
  • 34. ©2013 AKAMAI | FASTER FORWARDTM DNS failure – Mac – IPv4 + IPv6 - Safari Device: Mac OSX 10.8.4 (mountain lion), Safari 6.0.5 Connection: 3 name servers, all not responding Time Activity ---- --------- 0 -> DNS1 A, AAAA 1 -> DNS1 A, AAAA (retransmit) 3 -> DNS2 A, AAAA 1 -> DNS2 A, AAAA (retransmit) 3 -> DNS3 1 -> DNS3 (retransmit) 3 -> DNS1 9 -> DNS1 (retransmit) 27 -> DNS2 81 -> DNS2 (retransmit) 243 -> DNS3 ...
  • 35. ©2013 AKAMAI | FASTER FORWARDTM Avoid data theft and downtime by extending the security perimeter outside the data-center and protect from increasing frequency, scale and sophistication of web attacks. Protocol failure – OS “native” behavior OS: Windows XP 5.1.2600 Service Pack 3 Connection: tcpopen foo.rx.td.h.labs.apnic.net Time Activity 0 → DNS AAAA? foo.rx.td.h.labs.apnic.net 581 ← AAAA 2a01:4f8:140:50c5::69:72 4 → DNS A? foo.rx.td.h.labs.apnic.net 299 ← A 88.198.69.81 3 → SYN 2a01:4f8:140:50c5::69:dead 3000 → SYN 2a01:4f8:140:50c5::69:dead 6000 → SYN 2a01:4f8:140:50c5::69:dead 12000 → SYN 88.198.69.81 298 ← SYN+ACK 88.198.69.81 0 → ACK 88.198.69.81 -------- 22185 Source: Geoff Huston
  • 36. ©2013 AKAMAI | FASTER FORWARDTM Avoid data theft and downtime by extending the security perimeter outside the data-center and protect from increasing frequency, scale and sophistication of web attacks. Protocol failure – OS “native” behavior OS: Mac OS X 10.7.2 Connection: tcpopen foo.rxxx.td.h.labs.apnic.net Time Activity 0 → DNS AAAA? foo.rxxx.td.h.labs.apnic.net 4 → DNS A? foo.rxxx.td.h.labs.apnic.net 230 ← DNS AAAA 2a01:4f8:140:50c5::69:dead 2a01:4f8:140:50c5::69:deae 2a01:4f8:140:50c5::69:deaf 20 ← A response 88.198.69.81 3 → SYN 2a01:4f8:140:50c5::69:dead (1) 980 → SYN 2a01:4f8:140:50c5::69:dead (2) 1013 → SYN 2a01:4f8:140:50c5::69:dead (3) 1002 → SYN 2a01:4f8:140:50c5::69:dead (4) 1008 → SYN 2a01:4f8:140:50c5::69:dead (5) 1103 → SYN 2a01:4f8:140:50c5::69:dead (6) 2013 → SYN 2a01:4f8:140:50c5::69:dead (7) 4038 → SYN 2a01:4f8:140:50c5::69:dead (8) 8062 → SYN 2a01:4f8:140:50c5::69:dead (9) 16091 → SYN 2a01:4f8:140:50c5::69:dead (10) 32203 → SYN 2a01:4f8:140:50c5::69:dead (11) 8031 → SYN 2a01:4f8:140:50c5::69:deae (repeat sequence of 11 SYNs) 75124 → SYN 2a01:4f8:140:50c5::69:deaf (repeat sequence of 11 SYNs) 75213 → SYN 88.198.69.81 297 ← SYN+ACK 88.198.69.81 0 → ACK 88.198.69.81 -------- 226435 Source: Geoff Huston
  • 37. ©2013 AKAMAI | FASTER FORWARDTM Avoid data theft and downtime by extending the security perimeter outside the data-center and protect from increasing frequency, scale and sophistication of web attacks. Dual stack on Mac + Safari OS: Mac OS X 10.7.2 Browser: Safari: 5.1.1 URL: www.rd.td.h.labs.apnic.net Time Activity IPv4 IPv6 0 → DNS A? www.rd.td.h.labs.apnic.net 1 → DNS AAAA? www.rd.td.h.labs.apnic.net 333 ← AAAA 2a01:4f8:140:50c5::69:72 5 ← A 88.198.69.81 1 → SYN 88.198.69.81 270 → SYN 2a01:4f8:140:50c5::69:72 28 ← SYN+ACK 88.198.69.81 0 → ACK 88.198.69.81 1 → [start HTTP session] 251 ← SYN+ACK 2a01:4f8:140:50c5::69:72 0 → RST 2a01:4f8:140:50c5::69:72 ----- 639ms (time to connect) Source: Geoff Huston
  • 38. ©2013 AKAMAI | FASTER FORWARDTM Avoid data theft and downtime by extending the security perimeter outside the data-center and protect from increasing frequency, scale and sophistication of web attacks. Dual stack on Mac + Safari, broken IPv6 URL: www.rxxx.td.h.labs.apnic.net Time Activity IPv4 IPv6 0 → DNS A? www.rxxx.td.h.labs.apnic.net 0 → DNS AAAA? www.rxxx.td.h.labs.apnic.net 299 ← AAAA 2a01:4f8:140:50c5::69:dead 2a01:4f8:140:50c5::69:deae 2a01:4f8:140:50c5::69:deaf 2 → SYN 2a01:4f8:140:50c5::69:dead 0 ← A 88.198.69.81 270 → SYN 2a01:4f8:140:50c5::69:deae 120 → SYN 2a01:4f8:140:50c5::69:deaf 305 → SYN 88.198.69.81 300 ← SYN+ACK 88.198.69.81 0 → ACK 88.198.69.81 1 → [start HTTP session] ----- 1297 Source: Geoff Huston
  • 39. ©2013 AKAMAI | FASTER FORWARDTM Avoid data theft and downtime by extending the security perimeter outside the data-center and protect from increasing frequency, scale and sophistication of web attacks. Dual stack on Mac + Chrome OS: Mac OS X 10.7.2 Browser: Chrome 16.0.912.36 URL: www.rd.td.h.labs.apnic.net Time Activity IPv4 IPv6 0 → DNS A? www.rd.td.h.labs.apnic.net 0 → DNS AAAA? www.rd.td.h.labs.apnic.net 299 ← A 88.198.69.81 1 ← AAAA 2a01:4f8:140:50c5::69:72 1 → SYN 88.198.69.81 (port a) 1 → SYN 88.198.69.81 (port b) 250 → SYN 88.198.69.81 (port c) 48 ← SYN+ACK 88.198.69.81 (port a) 0 → ACK 88.198.69.81 (port a) 0 → [start HTTP session (port a)] ----- 600 Source: Geoff Huston
  • 40. ©2013 AKAMAI | FASTER FORWARDTM Avoid data theft and downtime by extending the security perimeter outside the data-center and protect from increasing frequency, scale and sophistication of web attacks. Dual stack on Mac + Chrome, broken IPv6 URL: xxx.rx.td.h.labs.apnic.net Time Activity IPv4 IPv6 0 → DNS A? xxx.rx.td.h.labs.apnic.net 0 → DNS AAAA? xxx.rx.td.h.labs.apnic.net 298 ← AAAA 2a01:4f8:140:50c5::69:dead 0 ← A 88.198.69.81 11 → SYN 2a01:4f8:140:50c5::69:dead (a) 0 → SYN 2a01:4f8:140:50c5::69:dead (b) 250 → SYN 2a01:4f8:140:50c5::69:dead (c) 51 → SYN 88.198.69.81 (d) 1 → SYN 88.198.69.81 (e) 250 → SYN 88.198.69.81 (f) 48 ← SYN+ACK 88.198.69.81 (d) 0 → ACK 88.198.69.81 (d) 0 → [start HTTP session (d)] ----- 909 Source: Geoff Huston
  • 41. ©2013 AKAMAI | FASTER FORWARDTM Avoid data theft and downtime by extending the security perimeter outside the data-center and protect from increasing frequency, scale and sophistication of web attacks. Dual stack on Mac + Chrome, broken IPv6 OS: Mac OS X 10.8.4 Browser: Chrome 27 Time Activity IPv4 IPv6 0 → DNS A? www.rd.td.h.labs.apnic.net 0 → DNS AAAA? www.rd.td.h.labs.apnic.net 299 ← A 88.198.69.81 1 ← AAAA 2a01:4f8:140:50c5::69:72 1 → SYN 88.198.69.81 (port a) 1 → SYN 88.198.69.81 (port b) 250 → SYN 88.198.69.81 (port c) 48 ← SYN+ACK 88.198.69.81 (port a) 0 → ACK 88.198.69.81 (port a) 0 → [start HTTP session (port a)] ----- 600 Source: Geoff Huston
  • 42. ©2013 AKAMAI | FASTER FORWARDTM Dual Stack: OS behavior DNS DNS Timeout TCP Timeout Preference Windows Serial 21 IPv6 Mac OS (as of Lion) parallel 21* 75 Fastest* iOS parallel 45-60 sec Fastest Native OS behavior – based on “connect()”. Important for native applications. Lion and IPv6 http://goo.gl/7qxHC: Results from getaddrinfo are now sorted using routing statistics (destination with the lowest min round trip time wins)
  • 43. ©2013 AKAMAI | FASTER FORWARDTM Dual Stack: Browser IE 9 Chrome Firefox Safari # of Connections 2 in parallel 2 in parallel + 1 slightly after 2 in parallel Single connection Preference IPv6 IPv6 IPv6 Fastest (Mac) Dual stack – happy eyeballs No Serial: wait for timeout start with IPv6, +300ms IPv4 In parallel Start with first, +calc time add second, etc. Remember failed IPs yes yes yes yes
  • 44. ©2013 AKAMAI | FASTER FORWARDTM http://www.flickr.com/photos/natwilson/4260384198/
  • 45. ©2013 AKAMAI | FASTER FORWARDTM Multiple records – DNS round robin $ dig www.akamai.com ; <<>> DiG 9.8.3-P1 <<>> www.akamai.com ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29543 ;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;www.akamai.com. IN A ;; ANSWER SECTION: www.akamai.com. 900 IN CNAME www- main.akamai.com.edgesuite.net. www-main.akamai.com.edgesuite.net. 900 IN CNAME a152.dscb.akamai.net. a152.dscb.akamai.net. 20 IN A 173.223.232.168 a152.dscb.akamai.net. 20 IN A 173.223.232.163 ;; Query time: 94 msec ;; SERVER: 192.168.1.1#53(192.168.1.1) ;; WHEN: Wed Jun 19 01:24:27 2013 ;; MSG SIZE rcvd: 142
  • 46. ©2013 AKAMAI | FASTER FORWARDTM Round Robin DNS • Resolvers will shuffle results order – for LB effect • Browsers respect the order of records • Good for load-balancing • Good for high availability!
  • 47. ©2013 AKAMAI | FASTER FORWARDTM Round Robin DNS • Resolvers will shuffle results order – for LB effect • Browsers respect the order of records • Good for load-balancing • Good for high availability! • Good for high availability?
  • 48. ©2013 AKAMAI | FASTER FORWARDTM http://www.flickr.com/photos/coast_guard/3220493384/ What happens when things break?
  • 49. ©2013 AKAMAI | FASTER FORWARDTM IE on Windows (XP – Windows 7) • 2 parallel connections for each record • Retransmit SYN until TCP time-out: 21 seconds • Only on time-out – try next host.
  • 50. ©2013 AKAMAI | FASTER FORWARDTM
  • 51. ©2013 AKAMAI | FASTER FORWARDTM IE on Windows (XP – Windows 7) • 2 parallel connections for each record • Retransmit SYN until TCP time-out: 21 seconds • Only on time-out – try next host. • Now, consider dual stack with 3 IPv6 records, and 3 IPv4. • IPv6 is prioritized. • If IPv6 is not working – 63 seconds until fallback to IPv4. • Yes… 21 seconds isn’t that much fun either.
  • 52. ©2013 AKAMAI | FASTER FORWARDTM Chrome • 3 parallel connections for each record (1 starting after ~100ms) • Retransmit SYN until TCP time-out: • 75 seconds on Mac • 21 on Windows • ?? On iOS • With dual stack - happy eyeballs. • 300ms: try alternate protocol • Why not do the same for alternate host?
  • 53. ©2013 AKAMAI | FASTER FORWARDTM Firefox • 2 parallel connections for each record (starting ~800ms apart) • Retransmit SYN, adding 2 connections at a time – prior to time out, • Total of 6-7 connections per host (SYN only) • Connect to second host not before time-out time • 90 seconds observed on Mac • 21 on Windows • With dual stack - happy eyeballs. • ?? ms: try alternate protocol • Why not do the same for alternate host?
  • 54. ©2013 AKAMAI | FASTER FORWARDTM Safari • 1 connections for each host • On Mac: • Add connections to next hosts after derived time-out/rtt time (<< TCP timeout)  • On Windows: • Serialized – try new host only when connection timed out (21 sec) • Retransmit SYN periodically on each connection • Give up after timeout expires on all hosts • Mac = 1 TCP timeout overall! • Windows = # hosts X TCP timeout • ?? On iOS
  • 55. ©2013 AKAMAI | FASTER FORWARDTM Native OS support • 1 connections for each record • Retransmit SYN periodically (based on OS schedule) • Continue to next record after time-out • Once all expired – give-up.
  • 56. ©2013 AKAMAI | FASTER FORWARDTM Recommendations for round robin DNS • Helpful for load-balancing • Gives some level of high-availability – if you know how to use it • Don’t put a record if you know the IP is down! • Manage your TTLs • Don’t put multiple records on IPv6!!! • Seriously – DON’T put multiple records on IPv6.
  • 57. ©2013 AKAMAI | FASTER FORWARDTM http://www.flickr.com/photos/fairfaxcounty/7456122122/
  • 58. ©2013 AKAMAI | FASTER FORWARDTM Local OS • Local host caches DNS according to instructions • Network change – SHOULD triggers DNS cache cleaning • Moving to airplane mode will 
  • 59. ©2013 AKAMAI | FASTER FORWARDTM Browser cache Browsers cache DNS records for performance reasons. How? • An application doesn’t get the TTL record from the resolver. • IE: 30 min • Chrome: 1 min • Firefox: 1 min • Safari: 15-60 seconds • Chrome DNS client: read Will Chan’s post: http://goo.gl/ByZmX
  • 60. ©2013 AKAMAI | FASTER FORWARDTM Negative caching When there is no response for a record, resolvers will cache the “no response” for the TTL defined in the SOA, typically – 1 hour. From RFC 2308: “its TTL is taken from the minimum of the SOA.MINIMUM field and SOA's TTL.” • Don’t refer to a host before you defined it! • Don’t delete a record if you plan to use it! • Change TTL to 1 sec, and set to some bogus value until ready.
  • 61. ©2013 AKAMAI | FASTER FORWARDTM Setting TTLS http://www.flickr.com/photos/shortleafiscute/5831167984/
  • 62. ©2013 AKAMAI | FASTER FORWARDTM Setting TTLs Alexa top 1000, TTLs of A records: 80% < 1 hour They actually change quite frequently! <1m <2.5m <5m <10m <1h <5h <1d <2d <5d >5d 193 152 34 229 169 154 39 13 4 1
  • 63. ©2013 AKAMAI | FASTER FORWARDTM Setting TTLs • Short enough to accommodate failover • Depends on your DNS performance – too short means more DNS activity • Mobile
  • 64. ©2013 AKAMAI | FASTER FORWARDTM Facebook www.facebook.com. 3600 IN CNAME star.c10r.facebook.com. star.c10r.facebook.com. 60 IN A 173.252.112.23 www.google.com. 300 IN A 74.125.239.51 www.google.com. 300 IN A 74.125.239.50 www.google.com. 300 IN A 74.125.239.49 www.google.com. 300 IN A 74.125.239.52 www.google.com. 300 IN A 74.125.239.48 Google
  • 65. ©2013 AKAMAI | FASTER FORWARDTM Anycast Hong-Kong London NYC ISP IX ISP T1N ISP
  • 66. ©2013 AKAMAI | FASTER FORWARDTM Anycast Hong-Kong London NYC ISP IX ISP T1N ISP 10.0.1.X 10.0.3.X 10.0.2.X example.com IN NS 10.0.1.1 10.0.2.1 10.0.3.1 67% chance of getting a far resolver!
  • 67. ©2013 AKAMAI | FASTER FORWARDTM Anycast Hong-Kong London NYC ISP IX ISP T1N ISP 10.0.1.X 10.0.3.X 10.0.2.X 10.0.10.X 10.0.10.X 10.0.10.X example.com IN NS 10.0.10.1 10.0.10.2
  • 68. ©2013 AKAMAI | FASTER FORWARDTM CDNs and Distributed Service Hong-Kong London NYC ISP IX ISP T1N ISP 10.0.1.X 10.0.3.X 10.0.2.X
  • 69. ©2013 AKAMAI | FASTER FORWARDTM CDNs and Distributed Services • Geo and network based mapping of users • Mapping is based on resolvers IP addresses – they issue the requests
  • 70. ©2013 AKAMAI | FASTER FORWARDTM CDNs and Distributed Services • Geo and network based mapping of users • Mapping is based on resolvers IP address • Challenges: • Corporate network/VPN – resolver at the corporate, not close to the user. • Centralized DNS resolvers at ISPs/carriers • Remote resolvers • Open resolvers – sparse, and remote from user!
  • 71. ©2013 AKAMAI | FASTER FORWARDTM CDNs and Distributed Services • Geo and network based mapping of users • Mapping is based on resolvers IP address • Challenges • Edns0 client subnet data. • Extension to DNS to deliver info about the requesting user. • Can make more informed decisions.
  • 72. ©2013 AKAMAI | FASTER FORWARDTM DNSSEC • Validates the record • Does NOT encrypt it • Prevents DNS spoofing/poisoning • Collapse to TCP if frame too large • Common concerns: • Slow • Not supported
  • 73. ©2013 AKAMAI | FASTER FORWARDTM DNSSEC Sample data from a day of DNS traffic of a US based customer: • Records are cacheable • Need to validate only once • Some resolvers will not validate… • Consider DNSSEC today! Total Percentage of DNS hits Total hits 4,487,728 100.00% Total IPv6 hits 204,477 4.56% Total DNSSEC hits 3,552,809 79.17% Total DNSSEC TCP 5,344 0.12% Non DNSSEC TCP 2,406 0.05%
  • 74. ©2013 AKAMAI | FASTER FORWARDTM http://www.flickr.com/photos/keithburtis/2614418536/
  • 75. ©2013 AKAMAI | FASTER FORWARDTM Key Takeaways • Use a distributed, “professional” DNS vendor, • unless you really know what you are doing. • Don’t set multiple records (round-robin) for IPv6! Just Don’t! • Multiple records (round robin) is good for load-balancing • Be careful when using it for failover/high availability • Set low TTLs (minutes) when using multiple records • If a server is down – take it out of the rotation! • Failover costs in performance – in some cases over 20 seconds delay. • Don’t delete a record, even when taking a server down for maintenance • Better to set a low TTL, and even giving a bogus address, to avoid negative TTL • Control your SOA record – to determine the TTL for negative caching.
  • 76. ©2013 AKAMAI | FASTER FORWARDTM Takeaways for your org/home network • Don’t enable IPv6 if it works only on your internal network • For corporate/VPN: • Configure the local DNS to be used ONLY for internal resources. • Prioritize using the carrier/default local resolver over the corp resolver.
  • 77. Thank you! Ido Safruti, ido@akamai.com