Resolution for a Faster Site, How DNS Affects Page Load Time

1. Resolution for a Faster Site
How DNS Affects Page Load Time
Ido Safruti
ido@akamai.com
Web Performance Products, Akamai

2. ©2013 AKAMAI | FASTER FORWARDTM
I will not talk about
• DNS pre-fetching (its great, use it!)
• Optimizing for # of domains
• Other FEO stuff
• The pain of redirects on mobile, and HTTPS

3. ©2013 AKAMAI | FASTER FORWARDTM
I’ll also won’t be talking about
Daddy’s Nasty Sons

4. ©2013 AKAMAI | FASTER FORWARDTM
Why is DNS important?

5. ©2013 AKAMAI | FASTER FORWARDTM
The phonebook of the Internet

6. ©2013 AKAMAI | FASTER FORWARDTM
We just assume it always works

7. ©2013 AKAMAI | FASTER FORWARDTM

8. ©2013 AKAMAI | FASTER FORWARDTM

9. ©2013 AKAMAI | FASTER FORWARDTM

10. ©2013 AKAMAI | FASTER FORWARDTM

11. ©2013 AKAMAI | FASTER FORWARDTM

12. ©2013 AKAMAI | FASTER FORWARDTM
Location of DNS root servers, including anycast nodes, identified by their one-letter names. (2008)

13. ©2013 AKAMAI | FASTER FORWARDTM
Resource records
• TTLs
• Common types:
• A
• AAAA
• CNAME
• NS
• A/AAAA can have multiple records
• More on that later
• Results can be different in different locations/times
http://en.wikipedia.org/wiki/Domain_Name_System#DNS_resource_records

14. ©2013 AKAMAI | FASTER FORWARDTM
Let’s see some Data

15. ©2013 AKAMAI | FASTER FORWARDTM
Getaddrinfo() times, Chrome
Windows: upward blip of 1.45% of samples in around 1s (95.90 percentile), due
to Windows DNS retransmission timer.
Mac: 2 upward blips: 2.11% in around 300ms (91.51 percentile), and another of
1.07% at 1s (97.36 percentile), due to retransmission timers.
Linux: upward blip of 1.81% in around 4250-4900ms (99.26 percentile).
OS Mean 10% 25% 50% 75% 90%
Windows 644 <=1 12 43 119 372
Mac 230 0 5 28 67 279
Linux 293 2 12 37 89 279
Source: Will Chan, http://goo.gl/ByZmX Mar 15, 2012

16. ©2013 AKAMAI | FASTER FORWARDTM
DNS failure - Mac
Device: Mac OSX 10.8.4 (mountain lion), Safari 6.0.5
Connection: 3 name servers, all not responding
Time Activity
---- ---------
0 -> DNS1
1 -> DNS1 (retransmit)
3 -> DNS2
1 -> DNS2 (retransmit)
3 -> DNS3
1 -> DNS3 (retransmit)
3 -> DNS1
9 -> DNS1 (retransmit)
----
21

17. ©2013 AKAMAI | FASTER FORWARDTM
DNS failure - Windows
Device: Windows 7 (IE9)
Connection: 3 name servers, all not responding
Time Activity
---- ---------
0 -> DNS1
1 -> DNS2
1 -> DNS3
2 -> DNS1, DNS2, DNS3
4 -> DNS1, DNS2, DNS3
4 -> DNS1
1 -> DNS3
1 -> DNS2
2 -> DNS1, DNS2, DNS3
4 -> DNS1, DNS2, DNS3
----
24

18. ©2013 AKAMAI | FASTER FORWARDTM
Nav Timing data

19. ©2013 AKAMAI | FASTER FORWARDTM
DNS time vs page load time
Source: Akamai RUM data
0
2000
4000
6000
8000
10000
12000
14000
0.0%
5.0%
10.0%
15.0%
20.0%
25.0%
0 - 10
msec
10 - 25
msec
25 - 50
msec
50 - 75
msec
75 -
100
msec
100 -
200
msec
200 -
300
msec
300 -
400
msec
400 -
500
msec
500 -
600
msec
600 -
700
msec
700 -
800
msec
800 -
900
msec
900 -
1000
msec
> 1000
msec
DNSTimeDistribution
PageLoadTime

20. ©2013 AKAMAI | FASTER FORWARDTM
DNS time by browser type
Source: Akamai RUM data
Only hits with a base page download time <= 169ms
0
100
200
300
400
500
600
700
p25_dns median_dns p75_dns p90_dns
Chrome
Firefox
Internet Explorer
Android Webkit
Chrome Mobile
IEMobile

22. ©2013 AKAMAI | FASTER FORWARDTM
Distance of users from resolvers – method 1
OC:6.5%
AF:6.9%
SA: 5.0%AS:6.25%
EU: 0.9%
>2000 miles NA: 1.9%
July 2012, Akamai

23. ©2013 AKAMAI | FASTER FORWARDTM
Distance of users from resolvers – method 2
OC: 6.8%
AF: 7.3%
SA: 4.7%AS: 5.4%
EU: 1.4%
>2000 miles NA: 1.7%
July 2012, Akamai

24. ©2013 AKAMAI | FASTER FORWARDTM
DNS usage
Alexa Top 10,000 DNS Marketshare - May 6, 2013
Provider Rank
Websites
(out of
10,000)
Marketshar
e
Marketshare
Change
DynECT 1 440 4.40% +6 / +1.382%
AWS Route 53 2 381 3.81% 14 / 3.815%
UltraDNS 3 361 3.61% -2 / -0.551%
DNSPod 4 336 3.36% 5 / 1.511%
CloudFlare 5 314 3.14% 23 / 7.904%
GoDaddy DNS 6 287 2.87% -10 / -3.367%
DNS Made Easy 7 246 2.46% 0
Akamai 8 217 2.17% 10 / 4.831%
Rackspace Cloud DNS 9 156 1.56% -2 / -1.266%
Verisign DNS 10 106 1.06% 5 / 4.95%
Softlayer DNS 11 79 0.79% 0
Namecheap 12 76 0.76% 0
easyDNS 13 76 0.76% -1 / -1.299%
Enom DNS 14 66 0.66% -1 / -1.493%
Cotendo Advanced DNS 15 47 0.47% -11 / -18.966%
Savvis 16 42 0.42% 0
Nettica 17 30 0.30% 0
ZoneEdit 18 29 0.29% 0
Internap 19 27 0.27% 0
ClouDNS 20 21 0.21% 3 / 16.667%
DNS Park 21 17 0.17% 1 / 6.25%
No-IP 22 12 0.12% 0
Zerigo DNS 23 10 0.10% 0
EuroDNS 24 7 0.07% 0
Worldwide DNS 25 5 0.05% -1 / -16.667%
DTDNS 26 2 0.02% 0
CDNetworks DNS 27 2 0.02% 1 / 100%
Total 3392 33.92%
Source: Cloud Harmony
9 of top 10 run their own DNS.
The only one that doesn’t?
Hint: they have a DNS service
Amazon.com

25. ©2013 AKAMAI | FASTER FORWARDTM
Fortune 500 DNS Marketshare - May 6, 2013
Provider Rank
Websites
(out of
500)
Marketsh
are
Marketshare
Change
UltraDNS 1 36 7.20% 1 / 2.857%
Verisign DNS 2 24 4.80% 0
Akamai 3 13 2.60% 0
DynECT 4 8 1.60% 0
DNS Made Easy 5 6 1.20% 0
Savvis 6 4 0.80% 0
GoDaddy DNS 7 4 0.80% 0
Internap 8 4 0.80% 0
Rackspace Cloud DNS 9 2 0.40% 0
AWS Route 53 10 2 0.40% 0
easyDNS 11 1 0.20% 0
No-IP 12 1 0.20% 0
Enom DNS 13 1 0.20% 0
ZoneEdit 14 1 0.20% 0
Total 107 21.40%
Alexa Top 1,000 DNS Marketshare - May 6, 2013
Provider Rank
Websites
(out of
1,000)
Marketsha
re
Marketshare
Change
DynECT 1 79 7.90% 0
UltraDNS 2 63 6.30% 1 / 1.613%
Akamai 3 48 4.80% 0
AWS Route 53 4 34 3.40% -1 / -2.857%
DNSPod 5 32 3.20% 0
DNS Made Easy 6 21 2.10% 0
GoDaddy DNS 7 14 1.40% 0
Cotendo Advanced DNS 8 11 1.10% -1 / -8.333%
Verisign DNS 9 10 1% 0
easyDNS 10 10 1% 0
CloudFlare 11 8 0.80% 1 / 14.286%
Rackspace Cloud DNS 12 7 0.70% 0
Namecheap 13 6 0.60% 0
Softlayer DNS 14 5 0.50% 0
Enom DNS 15 5 0.50% 0
Internap 16 3 0.30% 0
Savvis 17 3 0.30% 0
Nettica 18 2 0.20% 0
ClouDNS 19 2 0.20% 0
ZoneEdit 20 2 0.20% 0
DTDNS 21 1 0.10% 0
EuroDNS 22 1 0.10% 0
No-IP 23 1 0.10% 0
Worldwide DNS 24 1 0.10% 0
Total 369 36.90% Source: Cloud Harmony

26. ©2013 AKAMAI | FASTER FORWARDTM
Source: Catchpoint DNS direct agents, testing the [ab].ns.facebook.com name servers
Asia stats influenced
by China

27. ©2013 AKAMAI | FASTER FORWARDTM

28. ©2013 AKAMAI | FASTER FORWARDTM
Avoid data theft and downtime by extending the
security perimeter outside the data-center and
protect from increasing frequency, scale and
sophistication of web attacks.
IPv6
http://www.flickr.com/photos/yukop/7350636534/

29. ©2013 AKAMAI | FASTER FORWARDTM
Standard request flow
-> Request A record
-> Request AAAA record
<- Receive CNAME/A record
<- Recursively resolve
Resolver (caching) will send full recursive in a single response.
Host will cache each record with appropriate TTL
Apps/Browser – receives host/IP, but no TTL.

30. ©2013 AKAMAI | FASTER FORWARDTM
Avoid data theft and downtime by extending the
security perimeter outside the data-center and
protect from increasing frequency, scale and
sophistication of web attacks.
Dual stack DNS behavior - basics
OS: Windows XP 5.1.2600 Service Pack 3
Connection: tcpopen foo.rd.td.h.labs.apnic.net
Time (ms) Packet Activity
0 → DNS Query for AAAA record foo.rd.td.h.labs.apnic.net
581 ← AAAA response 2a01:4f8:140:50c5::69:72
4 → DNS Query for A record for foo.rd.td.h.labs.apnic.net
299 ← A response 88.198.69.81
3 → SYN to 2a01:4f8:140:50c5::69:72
280 ← SYN + ACK response from 2a01:4f8:140:50c5::69:72
1 → ACK to 2a01:4f8:140:50c5::69:72
------
1168
Source: Geoff Huston

31. ©2013 AKAMAI | FASTER FORWARDTM
Avoid data theft and downtime by extending the
security perimeter outside the data-center and
protect from increasing frequency, scale and
sophistication of web attacks.
Dual stack DNS behavior - basics
OS: Mac OSX 10.8.4 (mountain lion)
Connection: tcpopen foo.rd.td.h.labs.apnic.net
Time (ms) Packet Activity
0 → DNS Query for A record for foo.rd.td.h.labs.apnic.net
0 → DNS Query for AAAA record foo.rd.td.h.labs.apnic.net
521 ← AAAA response 2a01:4f8:140:50c5::69:72
0 ← A response 88.198.69.81
1 → SYN to 2a01:4f8:140:50c5::69:72
166 ← SYN + ACK response from 2a01:4f8:140:50c5::69:72
1 → ACK to 2a01:4f8:140:50c5::69:72
------
689

32. ©2013 AKAMAI | FASTER FORWARDTM
DNS failure – Mac – IPv4 + IPv6 - Chrome
Device: Mac OSX 10.8.4 (mountain lion), Chrome 27
Connection: 3 name servers, all not responding
Time Activity
---- ---------
0 -> DNS1 A
0 -> DNS1 AAAA
1 -> DNS1 A (retransmit)
0 -> DNS1 AAAA (retransmit)
3 -> DNS2 A
0 -> DNS2 AAAA
1 -> DNS2 A (retransmit)
0 -> DNS2 AAAA (retransmit)
3 -> DNS3 A
0 -> DNS3 AAAA
1 -> DNS3 A (retransmit)
0 -> DNS3 AAAA (retransmit)
3 -> DNS1 A
0 -> DNS1 AAAA
9 -> DNS1 A (retransmit)
0 -> DNS1 AAAA (retransmit)
----
21 not available because DNS lookup failed

33. ©2013 AKAMAI | FASTER FORWARDTM
DNS failure – Mac – IPv4 + IPv6 - Firefox
Device: Mac OSX 10.8.4 (mountain lion), Firefox 22
Connection: 3 name servers, all not responding
Time Activity
---- ---------
0 -> DNS1 A
0 -> DNS1 AAAA
1 -> DNS1 A (retransmit)
0 -> DNS1 AAAA (retransmit)
3 -> DNS2 A
0 -> DNS2 AAAA
1 -> DNS2 A (retransmit)
0 -> DNS2 AAAA (retransmit)
3 -> DNS3 A
0 -> DNS3 AAAA
1 -> DNS3 A (retransmit)
0 -> DNS3 AAAA (retransmit)
3 -> DNS1 A
0 -> DNS1 AAAA
9 -> DNS1 A (retransmit)
0 -> DNS1 AAAA (retransmit)
----
21 “Server not found”

34. ©2013 AKAMAI | FASTER FORWARDTM
DNS failure – Mac – IPv4 + IPv6 - Firefox (DNS on IPv6)
Device: Mac OSX 10.8.4 (mountain lion), Firefox 22
Connection: 3 name servers, all not responding
Time Activity
---- ---------
0 -> DNS1 A, AAAA
1 -> DNS1 (retransmit)
3 -> DNS2
1 -> DNS2 (retransmit)
3 -> DNS3
1 -> DNS3 (retransmit)
3 -> DNS1
9 -> DNS1 (retransmit)
9 -> DNS2
1 -> DNS2 (retransmit)
3 -> DNS3
1 -> DNS3 (retransmit)
3 -> DNS1
1 -> DNS1 (retransmit)
----
39 “Server not found”

35. ©2013 AKAMAI | FASTER FORWARDTM
DNS failure – Mac – IPv4 + IPv6 - Safari
Device: Mac OSX 10.8.4 (mountain lion), Safari 6.0.5
Connection: 3 name servers, all not responding
Time Activity
---- ---------
0 -> DNS1 A, AAAA
1 -> DNS1 A, AAAA (retransmit)
3 -> DNS2 A, AAAA
1 -> DNS2 A, AAAA (retransmit)
3 -> DNS3
1 -> DNS3 (retransmit)
3 -> DNS1
9 -> DNS1 (retransmit)
27 -> DNS2
81 -> DNS2 (retransmit)
243 -> DNS3
...

36. ©2013 AKAMAI | FASTER FORWARDTM
Avoid data theft and downtime by extending the
security perimeter outside the data-center and
protect from increasing frequency, scale and
sophistication of web attacks.
Protocol failure – OS “native” behavior
OS: Windows XP 5.1.2600 Service Pack 3
Connection: tcpopen foo.rx.td.h.labs.apnic.net
Time Activity
0 → DNS AAAA? foo.rx.td.h.labs.apnic.net
581 ← AAAA 2a01:4f8:140:50c5::69:72
4 → DNS A? foo.rx.td.h.labs.apnic.net
299 ← A 88.198.69.81
3 → SYN 2a01:4f8:140:50c5::69:dead
3000 → SYN 2a01:4f8:140:50c5::69:dead
6000 → SYN 2a01:4f8:140:50c5::69:dead
12000 → SYN 88.198.69.81
298 ← SYN+ACK 88.198.69.81
0 → ACK 88.198.69.81
--------
22185
Source: Geoff Huston

37. ©2013 AKAMAI | FASTER FORWARDTM
Avoid data theft and downtime by extending the
security perimeter outside the data-center and
protect from increasing frequency, scale and
sophistication of web attacks.
Protocol failure – OS “native” behavior
OS: Mac OS X 10.7.2
Connection: tcpopen foo.rxxx.td.h.labs.apnic.net
Time Activity
0 → DNS AAAA? foo.rxxx.td.h.labs.apnic.net
4 → DNS A? foo.rxxx.td.h.labs.apnic.net
230 ← DNS AAAA 2a01:4f8:140:50c5::69:dead
2a01:4f8:140:50c5::69:deae
2a01:4f8:140:50c5::69:deaf
20 ← A response 88.198.69.81
3 → SYN 2a01:4f8:140:50c5::69:dead (1)
980 → SYN 2a01:4f8:140:50c5::69:dead (2)
1013 → SYN 2a01:4f8:140:50c5::69:dead (3)
1002 → SYN 2a01:4f8:140:50c5::69:dead (4)
1008 → SYN 2a01:4f8:140:50c5::69:dead (5)
1103 → SYN 2a01:4f8:140:50c5::69:dead (6)
2013 → SYN 2a01:4f8:140:50c5::69:dead (7)
4038 → SYN 2a01:4f8:140:50c5::69:dead (8)
8062 → SYN 2a01:4f8:140:50c5::69:dead (9)
16091 → SYN 2a01:4f8:140:50c5::69:dead (10)
32203 → SYN 2a01:4f8:140:50c5::69:dead (11)
8031 → SYN 2a01:4f8:140:50c5::69:deae (repeat sequence of 11 SYNs)
75124 → SYN 2a01:4f8:140:50c5::69:deaf (repeat sequence of 11 SYNs)
75213 → SYN 88.198.69.81
297 ← SYN+ACK 88.198.69.81
0 → ACK 88.198.69.81
--------
226435
Source: Geoff Huston

38. ©2013 AKAMAI | FASTER FORWARDTM
Avoid data theft and downtime by extending the
security perimeter outside the data-center and
protect from increasing frequency, scale and
sophistication of web attacks.
Dual stack on Mac + Safari
OS: Mac OS X 10.7.2
Browser: Safari: 5.1.1
URL: www.rd.td.h.labs.apnic.net
Time Activity
IPv4 IPv6
0 → DNS A? www.rd.td.h.labs.apnic.net
1 → DNS AAAA? www.rd.td.h.labs.apnic.net
333 ← AAAA 2a01:4f8:140:50c5::69:72
5 ← A 88.198.69.81
1 → SYN 88.198.69.81
270 → SYN 2a01:4f8:140:50c5::69:72
28 ← SYN+ACK 88.198.69.81
0 → ACK 88.198.69.81
1 → [start HTTP session]
251 ← SYN+ACK 2a01:4f8:140:50c5::69:72
0 → RST 2a01:4f8:140:50c5::69:72
-----
639ms (time to connect)
Source: Geoff Huston

39. ©2013 AKAMAI | FASTER FORWARDTM
Avoid data theft and downtime by extending the
security perimeter outside the data-center and
protect from increasing frequency, scale and
sophistication of web attacks.
Dual stack on Mac + Safari, broken IPv6
URL: www.rxxx.td.h.labs.apnic.net
Time Activity
IPv4 IPv6
0 → DNS A? www.rxxx.td.h.labs.apnic.net
0 → DNS AAAA? www.rxxx.td.h.labs.apnic.net
299 ← AAAA 2a01:4f8:140:50c5::69:dead
2a01:4f8:140:50c5::69:deae
2a01:4f8:140:50c5::69:deaf
2 → SYN 2a01:4f8:140:50c5::69:dead
0 ← A 88.198.69.81
270 → SYN 2a01:4f8:140:50c5::69:deae
120 → SYN 2a01:4f8:140:50c5::69:deaf
305 → SYN 88.198.69.81
300 ← SYN+ACK 88.198.69.81
0 → ACK 88.198.69.81
1 → [start HTTP session]
-----
1297
Source: Geoff Huston

40. ©2013 AKAMAI | FASTER FORWARDTM
Avoid data theft and downtime by extending the
security perimeter outside the data-center and
protect from increasing frequency, scale and
sophistication of web attacks.
Dual stack on Mac + Chrome
OS: Mac OS X 10.7.2
Browser: Chrome 16.0.912.36
URL: www.rd.td.h.labs.apnic.net
Time Activity
IPv4 IPv6
0 → DNS A? www.rd.td.h.labs.apnic.net
0 → DNS AAAA? www.rd.td.h.labs.apnic.net
299 ← A 88.198.69.81
1 ← AAAA 2a01:4f8:140:50c5::69:72
1 → SYN 88.198.69.81 (port a)
1 → SYN 88.198.69.81 (port b)
250 → SYN 88.198.69.81 (port c)
48 ← SYN+ACK 88.198.69.81 (port a)
0 → ACK 88.198.69.81 (port a)
0 → [start HTTP session (port a)]
-----
600
Source: Geoff Huston

41. ©2013 AKAMAI | FASTER FORWARDTM
Avoid data theft and downtime by extending the
security perimeter outside the data-center and
protect from increasing frequency, scale and
sophistication of web attacks.
Dual stack on Mac + Chrome, broken IPv6
URL: xxx.rx.td.h.labs.apnic.net
Time Activity
IPv4 IPv6
0 → DNS A? xxx.rx.td.h.labs.apnic.net
0 → DNS AAAA? xxx.rx.td.h.labs.apnic.net
298 ← AAAA 2a01:4f8:140:50c5::69:dead
0 ← A 88.198.69.81
11 → SYN 2a01:4f8:140:50c5::69:dead (a)
0 → SYN 2a01:4f8:140:50c5::69:dead (b)
250 → SYN 2a01:4f8:140:50c5::69:dead (c)
51 → SYN 88.198.69.81 (d)
1 → SYN 88.198.69.81 (e)
250 → SYN 88.198.69.81 (f)
48 ← SYN+ACK 88.198.69.81 (d)
0 → ACK 88.198.69.81 (d)
0 → [start HTTP session (d)]
-----
909
Source: Geoff Huston

42. ©2013 AKAMAI | FASTER FORWARDTM
Avoid data theft and downtime by extending the
security perimeter outside the data-center and
protect from increasing frequency, scale and
sophistication of web attacks.
Dual stack on Mac + Chrome, broken IPv6
OS: Mac OS X 10.8.4
Browser: Chrome 27
Time Activity
IPv4 IPv6
0 → DNS A? www.rd.td.h.labs.apnic.net
0 → DNS AAAA? www.rd.td.h.labs.apnic.net
299 ← A 88.198.69.81
1 ← AAAA 2a01:4f8:140:50c5::69:72
1 → SYN 88.198.69.81 (port a)
1 → SYN 88.198.69.81 (port b)
250 → SYN 88.198.69.81 (port c)
48 ← SYN+ACK 88.198.69.81 (port a)
0 → ACK 88.198.69.81 (port a)
0 → [start HTTP session (port a)]
-----
600
Source: Geoff Huston

43. ©2013 AKAMAI | FASTER FORWARDTM
Dual Stack: OS behavior
DNS DNS Timeout TCP Timeout Preference
Windows Serial 21 IPv6
Mac OS
(as of Lion)
parallel 21* 75 Fastest*
iOS parallel 45-60 sec Fastest
Native OS behavior – based on “connect()”.
Important for native applications.
Lion and IPv6 http://goo.gl/7qxHC:
Results from getaddrinfo are now sorted using routing statistics (destination with the
lowest min round trip time wins)

44. ©2013 AKAMAI | FASTER FORWARDTM
Dual Stack: Browser
IE 9 Chrome Firefox Safari
# of
Connections
2 in parallel 2 in parallel + 1
slightly after
2 in parallel Single
connection
Preference IPv6 IPv6 IPv6 Fastest (Mac)
Dual stack –
happy eyeballs
No
Serial: wait for
timeout
start with IPv6,
+300ms IPv4
In parallel Start with first,
+calc time add
second, etc.
Remember
failed IPs
yes yes yes yes

45. ©2013 AKAMAI | FASTER FORWARDTM
http://www.flickr.com/photos/natwilson/4260384198/

46. ©2013 AKAMAI | FASTER FORWARDTM
Multiple records – DNS round robin
$ dig www.akamai.com
; <<>> DiG 9.8.3-P1 <<>> www.akamai.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29543
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;www.akamai.com. IN A
;; ANSWER SECTION:
www.akamai.com. 900 IN CNAME www-
main.akamai.com.edgesuite.net.
www-main.akamai.com.edgesuite.net. 900 IN CNAME a152.dscb.akamai.net.
a152.dscb.akamai.net. 20 IN A 173.223.232.168
a152.dscb.akamai.net. 20 IN A 173.223.232.163
;; Query time: 94 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Wed Jun 19 01:24:27 2013
;; MSG SIZE rcvd: 142

47. ©2013 AKAMAI | FASTER FORWARDTM
Round Robin DNS
• Resolvers will shuffle results order – for LB effect
• Browsers respect the order of records
• Good for load-balancing
• Good for high availability!

48. ©2013 AKAMAI | FASTER FORWARDTM
Round Robin DNS
• Resolvers will shuffle results order – for LB effect
• Browsers respect the order of records
• Good for load-balancing
• Good for high availability!
• Good for high availability?

49. ©2013 AKAMAI | FASTER FORWARDTM
http://www.flickr.com/photos/coast_guard/3220493384/
What happens when
things break?

50. ©2013 AKAMAI | FASTER FORWARDTM
IE on Windows (XP – Windows 7)
• 2 parallel connections for each record
• Retransmit SYN until TCP time-out: 21 seconds
• Only on time-out – try next host.

51. ©2013 AKAMAI | FASTER FORWARDTM

52. ©2013 AKAMAI | FASTER FORWARDTM
IE on Windows (XP – Windows 7)
• 2 parallel connections for each record
• Retransmit SYN until TCP time-out: 21 seconds
• Only on time-out – try next host.
• Now, consider dual stack with 3 IPv6 records, and 3 IPv4.
• IPv6 is prioritized.
• If IPv6 is not working – 63 seconds until fallback to IPv4.
• Yes… 21 seconds isn’t that much fun either.

53. ©2013 AKAMAI | FASTER FORWARDTM
Chrome
• 3 parallel connections for each record (1 starting after ~100ms)
• Retransmit SYN until TCP time-out:
• 75 seconds on Mac
• 21 on Windows
• ?? On iOS
• With dual stack - happy eyeballs.
• 300ms: try alternate protocol
• Why not do the same for alternate host?

54. ©2013 AKAMAI | FASTER FORWARDTM
Firefox
• 2 parallel connections for each record (starting ~800ms apart)
• Retransmit SYN, adding 2 connections at a time – prior to time out,
• Total of 6-7 connections per host (SYN only)
• Connect to second host not before time-out time
• 90 seconds observed on Mac
• 21 on Windows
• With dual stack - happy eyeballs.
• ?? ms: try alternate protocol
• Why not do the same for alternate host?

55. ©2013 AKAMAI | FASTER FORWARDTM
Safari
• 1 connections for each host
• On Mac:
• Add connections to next hosts after derived time-out/rtt time (<< TCP timeout) 
• On Windows:
• Serialized – try new host only when connection timed out (21 sec)
• Retransmit SYN periodically on each connection
• Give up after timeout expires on all hosts
• Mac = 1 TCP timeout overall!
• Windows = # hosts X TCP timeout
• ?? On iOS

56. ©2013 AKAMAI | FASTER FORWARDTM
Native OS support
• 1 connections for each record
• Retransmit SYN periodically (based on OS schedule)
• Continue to next record after time-out
• Once all expired – give-up.

57. ©2013 AKAMAI | FASTER FORWARDTM
Recommendations for round robin DNS
• Helpful for load-balancing
• Gives some level of high-availability – if you know how to use it
• Don’t put a record if you know the IP is down!
• Manage your TTLs
• Don’t put multiple records on IPv6!!!
• Seriously – DON’T put multiple records on IPv6.

58. ©2013 AKAMAI | FASTER FORWARDTM
http://www.flickr.com/photos/fairfaxcounty/7456122122/

59. ©2013 AKAMAI | FASTER FORWARDTM
Local OS
• Local host caches DNS according to instructions
• Network change – SHOULD triggers DNS cache cleaning
• Moving to airplane mode will 

60. ©2013 AKAMAI | FASTER FORWARDTM
Browser cache
Browsers cache DNS records for performance reasons.
How?
• An application doesn’t get the TTL record from the resolver.
• IE: 30 min
• Chrome: 1 min
• Firefox: 1 min
• Safari: 15-60 seconds
• Chrome DNS client: read Will Chan’s post: http://goo.gl/ByZmX

61. ©2013 AKAMAI | FASTER FORWARDTM
Negative caching
When there is no response for a record, resolvers will cache the “no response”
for the TTL defined in the SOA, typically – 1 hour.
From RFC 2308: “its TTL is taken from the minimum of the SOA.MINIMUM
field and SOA's TTL.”
• Don’t refer to a host before you defined it!
• Don’t delete a record if you plan to use it!
• Change TTL to 1 sec, and set to some bogus value until ready.

62. ©2013 AKAMAI | FASTER FORWARDTM
Setting TTLS
http://www.flickr.com/photos/shortleafiscute/5831167984/

63. ©2013 AKAMAI | FASTER FORWARDTM
Setting TTLs
Alexa top 1000, TTLs of A records:
80% < 1 hour
They actually change quite frequently!
<1m <2.5m <5m <10m <1h <5h <1d <2d <5d >5d
193 152 34 229 169 154 39 13 4 1

64. ©2013 AKAMAI | FASTER FORWARDTM
Setting TTLs
• Short enough to accommodate failover
• Depends on your DNS performance – too short means more DNS activity
• Mobile

65. ©2013 AKAMAI | FASTER FORWARDTM
Facebook
www.facebook.com. 3600 IN CNAME star.c10r.facebook.com.
star.c10r.facebook.com. 60 IN A 173.252.112.23
www.google.com. 300 IN A 74.125.239.51
www.google.com. 300 IN A 74.125.239.50
www.google.com. 300 IN A 74.125.239.49
www.google.com. 300 IN A 74.125.239.52
www.google.com. 300 IN A 74.125.239.48
Google

66. ©2013 AKAMAI | FASTER FORWARDTM
Anycast
Hong-Kong
London
NYC
ISP
IX
ISP
T1N
ISP

67. ©2013 AKAMAI | FASTER FORWARDTM
Anycast
Hong-Kong
London
NYC
ISP
IX
ISP
T1N
ISP
10.0.1.X
10.0.3.X
10.0.2.X example.com IN NS
10.0.1.1
10.0.2.1
10.0.3.1
67% chance of getting
a far resolver!

68. ©2013 AKAMAI | FASTER FORWARDTM
Anycast
Hong-Kong
London
NYC
ISP
IX
ISP
T1N
ISP
10.0.1.X
10.0.3.X
10.0.2.X
10.0.10.X
10.0.10.X
10.0.10.X example.com IN NS
10.0.10.1
10.0.10.2

69. ©2013 AKAMAI | FASTER FORWARDTM
CDNs and Distributed Service
Hong-Kong
London
NYC
ISP
IX
ISP
T1N
ISP
10.0.1.X
10.0.3.X
10.0.2.X

70. ©2013 AKAMAI | FASTER FORWARDTM
CDNs and Distributed Services
• Geo and network based mapping of users
• Mapping is based on resolvers IP addresses – they issue the requests

71. ©2013 AKAMAI | FASTER FORWARDTM
CDNs and Distributed Services
• Geo and network based mapping of users
• Mapping is based on resolvers IP address
• Challenges:
• Corporate network/VPN – resolver at the corporate, not close to the user.
• Centralized DNS resolvers at ISPs/carriers
• Remote resolvers
• Open resolvers – sparse, and remote from user!

72. ©2013 AKAMAI | FASTER FORWARDTM
CDNs and Distributed Services
• Geo and network based mapping of users
• Mapping is based on resolvers IP address
• Challenges
• Edns0 client subnet data.
• Extension to DNS to deliver info about the requesting user.
• Can make more informed decisions.

73. ©2013 AKAMAI | FASTER FORWARDTM
DNSSEC
• Validates the record
• Does NOT encrypt it
• Prevents DNS spoofing/poisoning
• Collapse to TCP if frame too large
• Common concerns:
• Slow
• Not supported

74. ©2013 AKAMAI | FASTER FORWARDTM
DNSSEC
Sample data from a day of DNS traffic of a US based customer:
• Records are cacheable
• Need to validate only once
• Some resolvers will not validate…
• Consider DNSSEC today!
Total Percentage of DNS hits
Total hits 4,487,728 100.00%
Total IPv6 hits 204,477 4.56%
Total DNSSEC hits 3,552,809 79.17%
Total DNSSEC TCP 5,344 0.12%
Non DNSSEC TCP 2,406 0.05%

75. ©2013 AKAMAI | FASTER FORWARDTM
http://www.flickr.com/photos/keithburtis/2614418536/

76. ©2013 AKAMAI | FASTER FORWARDTM
Key Takeaways
• Use a distributed, “professional” DNS vendor,
• unless you really know what you are doing.
• Don’t set multiple records (round-robin) for IPv6! Just Don’t!
• Multiple records (round robin) is good for load-balancing
• Be careful when using it for failover/high availability
• Set low TTLs (minutes) when using multiple records
• If a server is down – take it out of the rotation!
• Failover costs in performance – in some cases over 20 seconds delay.
• Don’t delete a record, even when taking a server down for maintenance
• Better to set a low TTL, and even giving a bogus address, to avoid negative TTL
• Control your SOA record – to determine the TTL for negative caching.

77. ©2013 AKAMAI | FASTER FORWARDTM
Takeaways for your org/home network
• Don’t enable IPv6 if it works only on your internal network
• For corporate/VPN:
• Configure the local DNS to be used ONLY for internal resources.
• Prioritize using the carrier/default local resolver over the corp resolver.

78. Thank you!
Ido Safruti,
ido@akamai.com