
Why You Shouldn’t Use Global Anycast DNS in China

Anycast is a standard, table-stakes feature of every authoritative DNS service, and for good reason: inbound queries should always be routed to the best available server, which is usually the one closest geographically. There is one notable exception, however, and that is China.

The Internet in mainland China is cut off from the rest of the world. All DNS queries entering or leaving mainland China must pass a series of filters and other controls before being passed on for resolution. These filters and controls result in a huge performance penalty if queries are allowed to be resolved at all.

Risks of Global Anycast DNS in China

Some authoritative DNS providers address this issue by extending their networks into mainland China so that traffic originating there can be served locally. These additional Points of Presence (PoPs) are connected to the global anycast network, but they primarily serve mainland Chinese users because the provider applies geographic traffic steering.

At first glance, this approach seems logical. Anycast DNS queries from mainland China will be answered by the closest server, so the more PoPs there are in China, the more likely it is that they will be answered by servers inside the filter and control system.

This approach isn’t perfect. Global brands also offer applications, services, and content in nearby countries. Even with many PoPs in mainland China, Border Gateway Protocol (BGP) often directs users in mainland China to authoritative servers in neighboring countries, based on general Internet conditions and the number and cost of “hops” required to reach an authoritative server. The performance penalty is significant, because that traffic then passes through the filters and control systems.

In this sense, anycasting authoritative DNS service into mainland China is a bit of a gamble. If you don’t intentionally steer Chinese users to domestic servers, there is always a risk of poor performance.

NS1 Connect Approach: Name Server Acceleration

IBM® NS1® takes a different approach to resolving DNS queries in China: determine the location of the query source up front, which eliminates the risk of performance problems caused by anycast routing. We call this nameserver acceleration.

NS1’s DNS infrastructure is essentially two separate but related networks: NS1’s Anycast Managed DNS service and Managed DNS for China. Instead of blindly relying on BGP to decide which authoritative server a query reaches, we use our own traffic steering techniques to decide which network should answer it.

If the request comes from China (as determined by geolocation of the source IP), the response will be from one of our DNS servers located in China. Otherwise, a server in the global anycast network responds to the request.

How name server acceleration works

When a user in mainland China initiates a DNS query, the first “hop” goes to the local recursive resolver. In the second “hop”, the resolver looks up the IP address of the authoritative name server for the domain.

This second hop is where BGP often routes the query to a server in a nearby country. NS1 adds a step to the resolution process to prevent that from happening.

Typically, the nameserver for a top-level domain (TLD) returns both the host name of the authoritative nameserver and its IP address, stored in a “glue record”, so that the resolver is spared an extra lookup. Nameserver acceleration is configured to remove these glue records.

If the recursive resolver does not receive the glue record it needs, it performs a separate lookup to find the missing IP address. When a resolver looks up the IP address of an authoritative name server hosted on NS1, NS1 answers with an IP address chosen according to the resolver’s location.

If that resolver is located in China, NS1 responds with the IP address of a China-based name server. If the resolver is outside China, the response contains the IP address of a server on NS1’s global anycast network.
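To make the flow above concrete, here is a small simulation of the resolution path with and without the glue record, written as an added example; it is not NS1 code and does not reflect NS1's implementation. The geolocation table, the nameserver host name (`dns1.p01.example-ns.invalid.`), and all IP addresses are constructed placeholders from documentation ranges. The point it shows is that once the TLD referral carries no glue, the resolver must ask for the nameserver's address separately, and that second answer is the one place where the resolver's own source IP can be used to pick a China-based or global-anycast server.

```python
"""Simulation of the name server acceleration resolution flow (added example).

Models: a TLD referral with or without glue, a recursive resolver that follows
the referral, and an authoritative side that answers the nameserver-address
lookup based on the geolocation of the resolver's source IP.
"""
import ipaddress
from dataclasses import dataclass, field

# Constructed geolocation table (documentation prefixes, not real allocations).
GEO_TABLE = {
    ipaddress.ip_network("203.0.113.0/24"): "CN",  # pretend mainland China resolvers
    ipaddress.ip_network("198.51.100.0/24"): "JP",  # pretend neighboring-country resolvers
    ipaddress.ip_network("192.0.2.0/24"): "US",  # pretend US resolvers
}

# Constructed addresses for the two networks described in the text.
CHINA_NETWORK_IP = "203.0.113.53"  # hypothetical China-based name server
GLOBAL_ANYCAST_IP = "192.0.2.53"  # hypothetical global anycast address

NS_HOSTNAME = "dns1.p01.example-ns.invalid."  # hypothetical nameserver host name


def geolocate(resolver_ip: str) -> str:
    """Longest-prefix match of the resolver's source IP against GEO_TABLE."""
    addr = ipaddress.ip_address(resolver_ip)
    matches = [net for net in GEO_TABLE if addr in net]
    if not matches:
        return "UNKNOWN"
    return GEO_TABLE[max(matches, key=lambda n: n.prefixlen)]


@dataclass
class Referral:
    """What a TLD nameserver hands back: NS host names, plus glue if present."""
    ns_names: list
    glue: dict = field(default_factory=dict)  # host name -> IP; empty when glue is removed


def tld_referral(accelerated: bool) -> Referral:
    """Build the TLD referral. With acceleration, the glue record is removed."""
    if accelerated:
        return Referral(ns_names=[NS_HOSTNAME])
    return Referral(ns_names=[NS_HOSTNAME], glue={NS_HOSTNAME: GLOBAL_ANYCAST_IP})


def authoritative_address_lookup(ns_name: str, resolver_ip: str) -> tuple:
    """Answer the A query for the nameserver host name using the resolver's location.

    Returns (ip, network) where network is "china" or "anycast".
    """
    assert ns_name == NS_HOSTNAME, "only the hypothetical nameserver is modelled"
    if geolocate(resolver_ip) == "CN":
        return CHINA_NETWORK_IP, "china"
    return GLOBAL_ANYCAST_IP, "anycast"


def resolve(resolver_ip: str, accelerated: bool = True) -> dict:
    """Walk the resolver side of the flow and report which server it ends up at.

    Returns a dict with the authoritative IP contacted, the network that IP
    belongs to, and the ordered list of lookups the resolver had to make.
    """
    steps = ["TLD referral for the domain"]
    ref = tld_referral(accelerated)
    ns = ref.ns_names[0]
    if ns in ref.glue:
        # Glue present: the resolver uses the static address as-is. Where that
        # anycast address actually lands is left to BGP, which is the risk the
        # article describes; the simulation just labels it "anycast".
        target, network = ref.glue[ns], "anycast"
    else:
        # No glue: an extra lookup, answered according to the resolver's location.
        steps.append("A lookup for the nameserver host name (geolocated answer)")
        target, network = authoritative_address_lookup(ns, resolver_ip)
    steps.append(f"authoritative query to {target}")
    return {"target": target, "network": network, "steps": steps}


if __name__ == "__main__":
    for ip in ("203.0.113.10", "198.51.100.10", "192.0.2.10"):
        for accel in (True, False):
            r = resolve(ip, accelerated=accel)
            print(f"resolver {ip:14} accelerated={accel!s:5} -> {r['network']:7} via {len(r['steps'])} lookups")
```

Running the block prints one line per resolver and mode; the constructed China-range resolver reaches the China-based server only in the accelerated case, at the cost of exactly one extra lookup, while resolvers elsewhere still land on the anycast address either way.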

Performance Impact

Now you might be asking, “Don’t extra lookups actually hurt performance?” It is true that inserting an additional step into the resolution process takes more time. However, we found the performance impact so small that it is hardly worth mentioning, and compared with the penalty imposed by the filters and control systems, it is clearly worth doing.

The numbers clearly support this. Below is some data pulled from IBM NS1 Connect® and its key competitors on DNS response times in Mainland China. As you can see, our approach offers significant benefits. On average, our service is more than 3 times faster than any other network.

DNS management angle

If you are a global enterprise with a significant user base in mainland China, Nameserver Acceleration makes NS1 the obvious choice for your DNS service. But this is not the only reason.

NS1’s Managed DNS for China does all of this through a single control plane. All the technical magic and fancy traffic maneuvering happens within our platform. From a management perspective, China’s queries sit alongside the rest of the network.

Not all DNS providers can say that. Because of Chinese regulations on content delivery, many of them require completely separate accounts and credentials to manage queries originating from China. Because NS1 is a pure DNS provider, it can offer a single control plane without an ICP license.

Learn more about the unique benefits of NS1 Managed DNS for China.

Explore NS1 Managed DNS for China here.
