What is Anycast DNS and why it matters

Anycast DNS is a routing technique, used to speed up the delivery of website content, in which the same IP address is advertised from multiple nodes. Each user request is directed to one of those nodes based on factors such as the capacity and health of the server and the distance between the node and the website visitor.

There are several advantages to anycast routing, including:

  • Faster connections – Routing users to the nearest node reduces the number of hops, which shortens round-trip time (RTT) and lowers latency.
  • Simplified server configuration – Anycast lets a single DNS server configuration be distributed to all of your network nodes.
  • High availability – Advertising an IP address on multiple nodes creates redundancy, thereby providing backup in the event a node becomes overloaded or fails.
  • DDoS mitigation – Anycast provides intrinsic DDoS mitigation by offering failover alternatives if a node is attacked or goes down.

What is the Difference between Anycast and Unicast?

Most of the Internet works via a routing scheme called Unicast, under which every node on the network gets a unique IP address. Home and office networks use Unicast: when a computer joins a wireless network and gets a message saying the IP address is already in use, an IP address conflict has occurred because another computer on the same Unicast network is already using that IP. In most cases, that isn’t allowed.

Unicast vs Anycast routing

When an authoritative DNS server uses a unicast address, all traffic for it is routed to that one node. This creates a vulnerability when the network experiences extraordinary traffic, such as during a DDoS attack: because the traffic converges on a single data center, that location or its surrounding infrastructure may be overwhelmed, potentially resulting in denial of service to legitimate requests.

Using Anycast makes the network far more resilient. Because traffic follows the best available path, an entire data center can be taken offline and traffic will automatically flow to the next closest data center.

How does an Anycast network mitigate a DDoS attack?

Anycast distributes the DDoS attack traffic across multiple data centers, preventing any one location from becoming overwhelmed with requests. If the total capacity of the Anycast network exceeds the volume of attack traffic, the attack is effectively mitigated. In most DDoS attacks, many compromised “zombie” or bot computers are used to form what is known as a botnet. These machines can be scattered across the Internet and generate so much traffic that they overwhelm a typical Unicast-connected machine.

A properly anycasted DNS service increases the surface area of the receiving network, so that unfiltered denial-of-service traffic from a distributed botnet is spread across, and absorbed by, the individual DNS service nodes. As a result, as the network grows in size and capacity it becomes progressively harder to launch an effective DDoS attack against anyone using the service.
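The capacity argument above can be made concrete with a small model. This is an added example, not code from the original article: the node names, capacities, per-region traffic figures and the ring-shaped "hop count" between regions are all constructed stand-ins for real BGP path selection, chosen only to show how the same botnet load overwhelms one unicast node but is absorbed by an anycast set, and how a failed node shifts its share onto a neighbour.

```python
# Added example: toy model of unicast vs anycast load under a distributed botnet.
# Node names, capacities, regions and traffic numbers are constructed, not real.
from __future__ import annotations
from dataclasses import dataclass

@dataclass
class Node:
    name: str
    region: str          # where this DNS node is located
    capacity_rps: int    # queries/second it can answer before degrading
    healthy: bool = True
    load_rps: int = 0

# Constructed topology: regions on a ring, distance = shortest way round.
REGIONS = ["us-west", "us-east", "eu", "asia"]

def hops(a: str, b: str) -> int:
    """Stand-in for BGP path length between two regions."""
    i, j = REGIONS.index(a), REGIONS.index(b)
    d = abs(i - j)
    return min(d, len(REGIONS) - d)

def anycast_route(client_region: str, nodes: list[Node]) -> Node:
    """Anycast: every node advertises the same prefix; the nearest healthy one wins."""
    candidates = [n for n in nodes if n.healthy]
    if not candidates:
        raise RuntimeError("no healthy node is advertising the prefix")
    return min(candidates, key=lambda n: hops(client_region, n.region))

def apply_traffic(sources: dict[str, int], nodes: list[Node],
                  anycast: bool) -> dict[str, bool]:
    """Spread per-region traffic onto nodes; return {node name: overwhelmed?}.

    With anycast=False the first node is the one holding the unique unicast
    address, so every source region lands on it regardless of distance.
    """
    for n in nodes:
        n.load_rps = 0
    for region, rps in sources.items():
        target = anycast_route(region, nodes) if anycast else nodes[0]
        target.load_rps += rps
    return {n.name: n.load_rps > n.capacity_rps for n in nodes}

if __name__ == "__main__":
    fleet = [Node("lax", "us-west", 100_000), Node("nyc", "us-east", 100_000),
             Node("ams", "eu", 100_000), Node("sin", "asia", 100_000)]
    botnet = {r: 60_000 for r in REGIONS}   # 240k rps total, 400k rps capacity
    print("unicast:", apply_traffic(botnet, fleet, anycast=False))
    print("anycast:", apply_traffic(botnet, fleet, anycast=True))
    fleet[2].healthy = False                 # take the EU node offline
    print("anycast, ams down:", apply_traffic(botnet, fleet, anycast=True))
```

The last run shows the caveat in the text: total capacity still exceeds the attack, but the failed node's share lands on a single neighbour, so per-node headroom matters as much as the aggregate.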

Sample timings:

Los Angeles: 11.33 ms
Dallas: 1.85 ms
New York: 2.33 ms
Singapore: 0.96 ms
London: 2.01 ms
Amsterdam: 2.93 ms
San Francisco: 10.32 ms
Sydney: 1.09 ms
Tokyo: 1.57 ms

Average: 3.82 ms

Sample lookup times from each of the cities listed.