Anywhere, Anytime, Anycast
by Alex Applegate on Jun 12, 2023 10:34:13 AM
One of the most critical technologies that DNSFilter depends upon to provide exceptionally fast, exceptionally reliable service is a network configuration referred to as Anycast.
Anycast is a kind of network architecture that is uncommon at the levels that many of our customers may be familiar with. While it’s not particularly a secret ingredient in our secret sauce—many of our industry contemporaries depend on it as well—it is an elegant solution to a number of issues in large-scale networks.
One part mosaic, one part puzzle
You may already be familiar with some of the networking devices, configurations, and protocols used in common networks. Hubs, switches, routers, gateways. TCP, UDP, DNS, IP addresses, ARP, NetBIOS, SMB, CORBA. Mix in hosts files, routing tables, and caches, and you have just about all the ingredients you need for basic networking on a private Local Area Network. But the Internet is not a basic private LAN; it is an open, decentralized, interconnected network of networks.
That network of networks is where things change for the capital "I" Internet. Most of us are familiar with configuring a local Wi-Fi network or a wired LAN. But for normal everyday use we hand all of that traffic to an ISP, which connects us to the broader Internet.
To keep that connection fast and under some level of control, ISPs and large organizations are assigned blocks of IP addresses (prefixes) and an Autonomous System Number (ASN), and they operate those prefixes as an Autonomous System (AS). Each AS announces the prefixes it originates to its neighbouring ASes using Border Gateway Protocol, or BGP.
BGP is a path-vector routing protocol. Every announcement carries the list of ASes it has passed through (the AS path), and a router that learns several routes to the same prefix picks one by policy: first its operator's configured preference for the neighbour the route came from, then the shortest AS path, then a chain of further tie-breakers. BGP does not measure latency; a shorter AS path is usually, but not always, the faster one. Without BGP an ISP would have no way to learn which neighbour leads toward a prefix it does not own, and no way to route around a link or AS that has gone down, so time-to-delivery would be wildly variable and far more susceptible to outages.
Staying on the straight and narrow path
Most of the time when computers talk to each other, they do so using Unicast: one computer sending to one destination address, and that address identifies a single machine in a single place. That works for most traffic, but a global service whose every user has to reach one machine in one place scales poorly.
Downed lines, server outages, and plain distance-related latency would have doomed such a service before it ever got started. And as we all know, there are those on the Internet who like to cause chaos, and sometimes servers get overloaded even without any malicious intent.
Other delivery modes exist, namely Broadcast, Multicast, and Anycast, each addressing a different aspect of the delivery problem. As the name suggests, Broadcast sends a message to every device on the local network segment indiscriminately (still limited by protocol and port, and routers do not forward it beyond the local link). It is used for things like a device announcing itself, or looking for a DHCP server, when it joins a network.
A Multicast message is sent from one machine to every member of a group that has subscribed to it, and is delivered to all of them at once. It is used, for example, to stream one feed to many receivers, by routing protocols such as OSPF to find their neighbours, and to keep redundant systems synchronized with an authoritative source.
Anycast is the least obvious of the three. With Anycast, the same IP address (in practice the same prefix) is announced by BGP from several locations at once, each with its own servers behind it. A client sends an ordinary unicast packet to that one address, and BGP's route selection delivers it to whichever instance is topologically closest to the client, as measured by AS path and routing policy rather than by geography or latency. Every instance is fully capable of answering, and which instance a given client reaches can change, and regularly does, as routes change.
This configuration dilutes DDoS attacks, provides some degree of load balancing, and shortens the path to the nearest instance. Two caveats a practitioner should keep in mind. First, BGP has no view of application-level data such as server load; it picks routes from path attributes, so an operator who wants to shed load from an instance does so by adjusting or withdrawing that instance's announcement, which shifts its whole catchment to the neighbouring instances. Second, because a route change can send the next packet to a different instance, Anycast suits short request/response exchanges such as DNS over UDP far better than long-lived TCP connections. Anycast does not stop a DDoS so much as split it: each instance absorbs only the attack traffic from its own catchment, which is what keeps the service as a whole answering.
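To make the BGP route selection and the Anycast behaviour described above concrete, here is a small Python simulation. It is an added example, not DNSFilter code and not a BGP implementation: it models the simplified decision process (LOCAL_PREF, then AS path length, then a deterministic tie-break) and floods announcements across a constructed topology in which two sites, both in the hypothetical private-use ASN 64512, originate the same documentation prefix 198.51.100.0/24. The node names, ASNs, links and the policy table are all assumptions made up for the example.

```python
"""Toy path-vector (BGP-style) route propagation with an anycast prefix.

Constructed example: two anycast sites originate the same prefix from the same
ASN; transit and access networks pick a best route by simplified BGP rules.
Nothing here speaks real BGP; it only models the decision process.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ASPath = Tuple[int, ...]


@dataclass(frozen=True)
class Route:
    prefix: str
    as_path: ASPath          # ASes the announcement traversed, origin last; () if originated here
    local_pref: int = 100    # operator policy knob; higher wins before path length
    site: str = ""           # annotation only: which anycast site originated it


def best_path(routes: List[Route]) -> Optional[Route]:
    """Simplified BGP decision process.

    Order: highest LOCAL_PREF, then shortest AS_PATH, then lexicographically
    lowest AS_PATH as a deterministic stand-in for the remaining tie-breakers
    (origin code, MED, eBGP vs iBGP, IGP cost, router ID). Latency is never consulted.
    """
    if not routes:
        return None
    return min(routes, key=lambda r: (-r.local_pref, len(r.as_path), r.as_path))


def propagate(adj: Dict[str, List[str]], asn_of: Dict[str, int], sites: Dict[str, str],
              prefix: str, policy: Optional[Dict[Tuple[str, str], int]] = None
              ) -> Dict[str, Optional[Route]]:
    """Flood announcements until no node changes its best route.

    adj    : undirected adjacency between nodes (an AS, or one anycast site)
    asn_of : node -> ASN; all anycast sites share the operator's ASN
    sites  : anycast node -> human label for the site
    policy : (receiver, sender) -> LOCAL_PREF the receiver assigns to that sender's routes
    Withdrawals are modelled by re-running with fewer sites rather than by withdraw messages.
    """
    policy = policy or {}
    rib: Dict[str, List[Route]] = {n: [] for n in adj}
    best: Dict[str, Optional[Route]] = {n: None for n in adj}
    for node, label in sites.items():
        rib[node].append(Route(prefix, (), site=label))   # locally originated route
    changed = True
    while changed:
        changed = False
        for node in adj:
            chosen = best_path(rib[node])
            if chosen != best[node]:
                best[node] = chosen
                changed = True
            if chosen is None:
                continue
            # Advertise only the best route, prepending our own ASN (eBGP behaviour).
            adv_path = (asn_of[node],) + chosen.as_path
            for nb in adj[node]:
                if asn_of[nb] in adv_path:      # AS_PATH loop prevention
                    continue
                adv = Route(prefix, adv_path, policy.get((nb, node), 100), chosen.site)
                if adv not in rib[nb]:
                    rib[nb].append(adv)
                    changed = True
    return best


def catchments(adj, asn_of, sites, prefix="198.51.100.0/24", policy=None):
    """Which anycast site each client/transit node reaches, and how many AS hops away it is."""
    best = propagate(adj, asn_of, sites, prefix, policy)
    site_asns = {asn_of[s] for s in sites}
    return {n: ((best[n].site, len(best[n].as_path)) if best[n] else None)
            for n in adj if asn_of[n] not in site_asns}


# Constructed topology (hypothetical private-use ASNs 64512-65534; TEST-NET-2 prefix).
ASN_OF = {"site-nyc": 64512, "site-fra": 64512,
          "AS64600": 64600, "AS64601": 64601, "AS64602": 64602,
          "AS64700": 64700, "AS64701": 64701, "AS64702": 64702}
LINKS = [("site-nyc", "AS64600"), ("site-fra", "AS64601"),      # sites to their transits
         ("AS64600", "AS64602"), ("AS64601", "AS64602"),        # transits via a third carrier
         ("AS64700", "AS64600"), ("AS64701", "AS64601"), ("AS64702", "AS64602")]  # client ISPs
ADJ: Dict[str, List[str]] = {n: [] for n in ASN_OF}
for a, b in LINKS:
    ADJ[a].append(b)
    ADJ[b].append(a)
SITES = {"site-nyc": "nyc", "site-fra": "fra"}

if __name__ == "__main__":
    print("both sites up:      ", catchments(ADJ, ASN_OF, SITES))
    print("nyc withdrawn:      ", catchments(ADJ, ASN_OF, {"site-fra": "fra"}))
    print("AS64602 prefers fra:", catchments(ADJ, ASN_OF, SITES, policy={("AS64602", "AS64601"): 200}))
```

Running it shows each client network landing on the site with the shortest AS path, the client behind AS64600 falling back to Frankfurt four AS hops away once the New York announcement is withdrawn, and the third carrier's LOCAL_PREF overriding path length for the client behind it. None of these decisions looked at latency or server load; an operator steers Anycast traffic by changing what it announces, where, and how its neighbours are configured to prefer it.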
An Anycast configuration is critical to the effectiveness of DNSFilter's query resolution speed. We have Anycast servers strategically located around the globe, so that BGP carries each user's query to the nearest instance and that instance resolves it as fast as possible. Many Anycast DNS operators let you see which instance answered you with a CHAOS-class TXT query for id.server (RFC 4892), for example dig CH TXT id.server @<resolver> +short; whether a given resolver exposes this is up to its operator.
Hopefully, you’ve enjoyed this brief peek into the deeper corners of the Internet and maybe learned something as well.
And if you’d like to experience the magic of Anycast with DNSFilter, start a free trial here.