EDNS0 Client-Subnet for DNS based CDNs

Slides:



Advertisements
Similar presentations
Challenges of OTT video delivery in the dual-stacked world
Advertisements

1 Server Selection & Content Distribution Networks (slides by Srini Seshan, CS CMU)
Jan 17, 2001CSCI {4,6}900: Ubiquitous Computing1 Announcements.
2.1 Installing the DNS Server Role Overview of the Domain Name System Role Overview of the DNS Namespace DNS Improvements for Windows Server 2008 Considerations.
Implementing Domain Name System
June 2007APTLD Meeting/Dubai ANYCAST Alireza Saleh.ir ccTLD
1 Routing and Scheduling in Web Server Clusters. 2 Reference The State of the Art in Locally Distributed Web-server Systems Valeria Cardellini, Emiliano.
Computer Networks: Domain Name System. The domain name system (DNS) is an application-layer protocol for mapping domain names to IP addresses Vacation.
An Engineering Approach to Computer Networking
20101 The Application Layer Domain Name System Chapter 7.
CDNs & Replication Prof. Vern Paxson EE122 Fall 2007 TAs: Lisa Fowler, Daniel Killebrew, Jorge Ortiz.
Anycast Jennifer Rexford Advanced Computer Networks Tuesdays/Thursdays 1:30pm-2:50pm.
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 7: Planning a DNS Strategy.
1 Web Content Delivery Reading: Section and COS 461: Computer Networks Spring 2007 (MW 1:30-2:50 in Friend 004) Ioannis Avramopoulos Instructor:
1 DNS,NFS & RPC Rizwan Rehman, CCS, DU. Netprog: DNS and name lookups 2 Hostnames IP Addresses are great for computers –IP address includes information.
Caching and Content Distribution Networks. Web Caching r As an example, we use the web to illustrate caching and other related issues browser Web Proxy.
DNS. Outline r Domain Name System r DNS Hierarchy r Resolution.
NET0183 Networks and Communications Lecture 25 DNS Domain Name System 8/25/20091 NET0183 Networks and Communications by Dr Andy Brooks.
1 Content Distribution Networks. 2 Replication Issues Request distribution: how to transparently distribute requests for content among replication servers.
Traffic Engineering for CDNs Matt Jansen Akamai Technologies APRICOT 2015.
Content Distribution March 8, : Application Layer1.
CS 4396 Computer Networks Lab
1 Domain Name System (DNS). 2 DNS: Domain Name System Internet hosts: – IP address (32 bit) - used for addressing datagrams – “name”, e.g.,
Chapter 16 – DNS. DNS Domain Name Service This service allows client machines to resolve computer names (domain names) to IP addresses DNS works at the.
1. 1.Charting the CDNs(locating all their content and DNS servers). 2.Assessing their server availability. 3.Quantifying their world-wide delay performance.
{ Content Distribution Networks ECE544 Dhananjay Makwana Principal Software Engineer, Semandex Networks 5/2/14ECE544.
DNS: Domain Name System
1 DNS: Domain Name System People: many identifiers: m SSN, name, Passport # Internet hosts, routers: m IP address (32 bit) - used for addressing datagrams.
SAINT ‘01 Proactive DNS Caching: Addressing a Performance Bottleneck Edith Cohen AT&T Labs-Research Haim Kaplan Tel-Aviv University.
Architecture of DNS CS 718 Activity 4 Submitted by Parag Abhyankar Anup S. Kunte
October 15, 2002Serguei A. Mokhov, 1 Intro to DNS SOEN321 - Information Systems Security.
1 Application Layer Lecture 6 Imran Ahmed University of Management & Technology.
Application-Layer Anycasting By Samarat Bhattacharjee et al. Presented by Matt Miller September 30, 2002.
Paper Presentation – CAP Page 2 Outline Review - DNS Proposed Solution Simulation Results / Evaluation Discussion.
CDN Brokering* Presented By Nick Arnold Authors Alexandros Biliris, et. Al.
Chapter 29 Domain Name System (DNS) Allows users to reference computer names via symbolic names translates symbolic host names into associated IP addresses.
October 8, 2015 University of Tulsa - Center for Information Security Microsoft Windows 2000 DNS October 8, 2015.
2: Application Layer1 Chapter 2 outline r 2.1 Principles of app layer protocols r 2.2 Web and HTTP r 2.3 FTP r 2.4 Electronic Mail r 2.5 DNS r 2.6 Socket.
Domain Name System. CONTENTS Definitions. DNS Naming Structure. DNS Components. How DNS Servers work. DNS Organizations. Summary.
Netprog: DNS and name lookups1 Address Conversion Functions and The Domain Name System Refs: Chapter 9 RFC 1034 RFC 1035.
DNS based IP NetLocation Service China Telecom Guangzhou Institute
CDN: Content Distribution Networks  References:  CS613 textbook, “Computer Networking – A Top-Down Approach”, 6 th edition. Chapter  The text.
Domain Name System Refs: Chapter 9 RFC 1034 RFC 1035.
CPSC 441: DNS 1. DNS: Domain Name System Internet hosts: m IP address (32 bit) - used for addressing datagrams m “name”, e.g., - used by.
EE 122: Lecture 20 (Domain Name Server - DNS) Ion Stoica Nov 15, 2001 (* based on the some on-line slides of J. Kurose & K. Rose and of Raj Jain)
DNS DNS overview DNS operation DNS zones. DNS Overview Name to IP address lookup service based on Domain Names Some DNS servers hold name and address.
Information-Centric Networks Section # 3.2: DNS Issues Instructor: George Xylomenos Department: Informatics.
Content Delivery Networks: Status and Trends Speaker: Shao-Fen Chou Advisor: Dr. Ho-Ting Wu 5/8/
1 Brian Hartvigsen Manager, Site Reliability Engineering Real World Impacts of EDNS Client Subnet.
1. Internet hosts:  IP address (32 bit) - used for addressing datagrams  “name”, e.g., ww.yahoo.com - used by humans DNS: provides translation between.
ITU ccTLD Workshop March 3, 2003 A Survey of ccTLD DNS Vulnerabilities.
COMP2322 Lab 3 DNS Steven Lee Feb. 19, Content Understand the Domain Name System (DNS). Analyze the DNS protocol with Wireshark. 2.
COMP 431 Internet Services & Protocols
Domain Name System INTRODUCTION to Eng. Yasser Al-eimad
So DNS is A client-server application that maps domain names into their corresponding IP addresses with the help of name servers. Mapping domain names.
John S. Otto Mario A. Sánchez John P. Rula Fabián E. Bustamante Northwestern, EECS.
Akamai & ISPs Patrick W. Gilmore, Chief Network Architect UKNOF25 April 18, 2013.
MAN-IN-THE-MIDDLE ATTACK STEGANOGRAPHY Lab# MAC Addresses and ARP  32-bit IP address:  network-layer address  used to get datagram to destination.
EDNS Client Subnet (ECS) in CDN solution
Chapter 9: Domain Name Servers
Content Distribution Networks
IMPLEMENTING NAME RESOLUTION USING DNS
EE 122: Domain Name Server (DNS)
Content Distribution Networks
Domain Name System Refs: Chapter 9 RFC 1034 RFC 1035.
Engineering a Content Delivery Network
Content Delivery and Remote DNS services
Computer Networks Primary, Secondary and Root Servers
An Engineering Approach to Computer Networking
Engineering a Content Delivery Network
Presentation transcript:

EDNS0 Client-Subnet for DNS based CDNs Matt Jansen Akamai Technologies HKNOG 1, Hong Kong, September 1st 2014

The Akamai Intelligent Platform The world’s largest on-demand, distributed computing platform delivers all forms of web content and applications The Akamai Intelligent Platform: 150,000+ Servers 2,000+ Locations 1,200+ Networks 700+ Cities 92 Countries http://www.akamai.com/html/about/facts_figures.html Typical daily traffic: More than 2 trillion requests served Delivering over 21 Terabits/second 15-30% of all daily web traffic

How CDNs Work When content is requested from CDNs, the user is directed to the optimal server to serve this user There’s 2 common ways to do that: anycast: the content is served from the location the request is received (easy to build, requires symmetric routing to work well) DNS based: the CDN decides where to best serve the content from based on the resolver it receives the request from, and replies with the optimal server

How DNS based CDNs Work Users querying a DNS-based CDNs will be returned different A (and AAAA) records for the same hostname depending on the resolver the request comes from This is called “mapping” The better the mapping, the better the CDN

How Akamai’s CDN works Example of Akamai mapping Notice the different A records for different locations: [NYC]% host www.symantec.com www.symantec.com CNAME e5211.b.akamaiedge.net. e5211.b.akamaiedge.net. A 207.40.194.46 e5211.b.akamaiedge.net. A 207.40.194.49 [Boston]% host www.symantec.com e5211.b.akamaiedge.net. A 81.23.243.152 e5211.b.akamaiedge.net. A 81.23.243.145

Akamai uses multiple criteria to choose the optimal server How Akamai’s CDN works Akamai uses multiple criteria to choose the optimal server These include standard network metrics: Latency Throughput Packet loss as well as internal ones such as: CPU load on the server HD space network utilization

Mapping (simplified) end-user 2 root/tld/intermediate NS (recursive lookup until reaching authoritative NS) example.com? 1 end-user example.com? a212.g.akamai.net NS 1.2.3.4? best cluster = 5.6.7.8 5.6.7.8 ISP NS 1.2.3.4 3 a212.g.akamai.net 5 5.6.7.8 request content 6 Akamai NS deliver content 4 Local Akamai Cluster at ISP 5.6.7.8 end-user requests www.example.com from ISP NS ISP NS recursively (multiple iterations) looks up www.example.com being referred to authoritative Akamai NS (by cname) ISP NS asks authoritative Akamai NS Akamai NS looks up IP of requestor (ISP NS) and replies with IP of optimal cluster to serve content (local cluster in that ISP) ISP NS replies to end-user who requests content from local Cluster

The Problem: 3rd Party DNS servers All of this works very well if the end-user used their provider’s DNS servers. However if the end-user is making use of a 3rd party DNS service like Google DNS (28 locations worldwide) https://developers.google.com/speed/public-dns/faq#locations OpenDNS (20 locations worldwide) http://www.opendns.com/network-map/ a DNS-based CDN does not know which network the request originated from, and can therefore in the best case serve it in the rough geographic area

How 3rd party (open) resolvers typically work end-user request to 8.8.8.8 request from 74.125.190.1 NS 74.125.190.1? best cluster = ? Google DNS Frontend 8.8.8.8 Backend 74.125.190.1 Akamai NS global ‘frontend’ anycast address, local unique ‘backend’ address for recursive queries CDN can tell which NS location it came from (by backend-ip) but not which end-user location or network -> have to serve from a large infrastructure cluster (typically located at the big IXs) to ensure we can reach any end-user

Use of 3rd party DNS servers relatively small numbers in most countries with a mature internet ecosystem: USA, Germany, Netherlands, Singapore: less than 1% but very high percentage of users in developing countries and/or countries performing some form of DNS-based web-filtering: Turkey: 22%, Indonesia: 22%, Bangladesh: 25% Hong Kong: 2%

Use of 3rd party DNS servers in Hong Kong ISP DNS Google OpenDNS Others ISP F 96.1% 1.9% 0.2% 1.8% ISP A 95.9% 2.0% ISP C 94.8% 2.9% 2.1% ISP D 92.8% 3.1% 0.4% 3.8% ISP E 92.0% 5.8% ISP B 76.0% 15.7% 7.9%

Use end-user IP instead of NS IP for mapping End User Mapping Use end-user IP instead of NS IP for mapping Problem: at the time of authoritative DNS answer end-user IP is not known yet HTTP redirect Map based on DNS Measure RTT of initial request from end-user received (and therefore IP known), if over threshold: Redirect to better positioned server to reach end-user IP Problem: slow, not suitable for small objects

The Solution: EDNS0 client-subnet https://tools.ietf.org/html/draft-vandergaast-edns-client-subnet-02 The recursive resolver includes the end-user’s prefix in the request to the authoritative nameserver This allows the authoritative nameserver (the CDN) to process this information and optimize the reply not based on the requesting nameserver but the end-user’s prefix

The Solution: EDNS0 client-subnet Open standard (draft) Has to be supported by recursive resolver (3rd Party DNS) and by Authoritative NS (CDN) Privacy: only prefix, not full address transmitted

EDNS0 client-subnet implementation Option-Code = 8 Option-Length (in bytes) Family (1=v4, 2=v6) Source-Netmask Scope-Netmask Address request: e.g. 24 0 for privacy request = 0 to be echoed in reply reply can be <> request, 0 for not used

Mapping (EDNS0) end-user root/tld/intermediate NS (recursive lookup until reaching authoritative NS) 2 example.com? 1 end-user example.com? a212.g.akamai.net NS 8.8.8.8 (whitelisted for edns0) client subnet=1.1.1.0/24 best cluster = 5.6.7.8 a212.g.akamai.net client-subnet=1.1.1.0/24 5.6.7.8 Google NS 8.8.8.8 3 5 5.6.7.8 request content 6 deliver content 4 Akamai NS Local Akamai Cluster at ISP 5.6.7.8 end-user requests www.example.com from Google NS Google NS recursively looks up www.example.com being referred to authoritative Akamai NS (by cname) Google NS asks Akamai NS including client-subnet Akamai NS looks up client-subnet and replies with IP of optimal cluster to serve content (local cluster in that ISP) ISP NS replies to end-user who requests content from local Cluster

Privacy concerns Only prefix, not full IP transmitted CDN already gets your full IP anyways (in the subsequent HTTP request) Set source-netmask/address to 0.0.0.0/0 Google DNS honors forwards request with 0.0.0.0/0 OpenDNS ignores at time of writing Do not use client-subnet capable resolver if intention is to hide client origin

Security concerns Scanning/walking the mapping algorithm double whitelist (at recursive resolver & auth NS) enforced replacement of client-tagged edns0 option by Google & OpenDNS before being send to Akamai Amplification double whitelist echoing request in reply standard rate limiting methods work Cache pollution of recursive resolver can be a problem separate reply stored for each prefix

client-subnet more specific than Akamai Prefix-Length Google/OpenDNS currently always send client-subnet as /24 (for privacy/caching-efficiency reasons) Mapping system has view of internet from it’s partners with differing prefix-lenghts client-subnet more specific than Akamai e.g. Akamai has /20 from partner-> can be mapped scope-netmask send to resolver for caching purposes client-subnet less specific than Akamai e.g. Akamai has /26s from partner in different locations -> no clear choice to map -> will take first match also send scope-netmask to resolver for information

Improvements with edns0 client-subnet

Additional Use-Case can be used within a partner’s network instead of distributed DNS architecture A partner might have a widespread network (especially in countries spanning large geographical areas and/or different islands like Australia or Indonesia) Would like to deploy clusters around the network to localize traffic But central DNS infrastructure makes mapping traffic accurately difficult

Example for distributed architecture Batam Banjamarsin Makassar Jakarta (NS) Surabaya Denpasar Akamai Cluster Nameserver

Deploy additional NS in all locations Solutions Deploy additional NS in all locations Benefit: better DNS responses, can use anycast frontend IP to simplify administration/failover (announcing same frontend IP to all end-users) Drawback: some additional CAPEX & support-costs Virtual IPs on existing NS given to different geographic sets of end-users Benefit: no additional CAPEX, easy to implement Drawback: more difficult to administer, will require manual allocation of IPs to clusters on CDN side, no clear fallback EDNS0 client-subnet within the providers network Benefit: no additional CAPEX, only software change on the NS, can dynamically adapt by changing announcements, can scale for very small clusters in remote places Drawback: needs compatible NS software

Questions? Matt Jansen mj@akamai.com

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.