Visualizing a Better Internet

SIDN uses ThousandEyes to understand
worldwide latency and Internet traffic routes
for the .nl top-level domain.

About the Company

Stichting Internet Domeinregistratie Nederland (SIDN) runs the .nl top-level domain, meaning that every time you navigate to a Dutch website or send an email to someone with a .nl address, SIDN is involved.
Industry: Technology
Headquarters: Arnhem, The Netherlands
Use Case: Web Server Monitoring, DNS, BGP

SIDN, or Stichting Internet Domeinregistratie Nederland, is one of those organizations you've probably never heard of but that is nonetheless fundamental to how you use the Internet. Every day their domain name system (DNS) servers process billions of queries, and every time you navigate to a Dutch website or send an email to someone with a .nl address, SIDN is involved, making sure you reach the right address.

In 1986 the Dutch Centre for Mathematics and Information (CWI) registered cwi.nl to become the first active website on the .nl zone which was, at that point, the only active country zone outside the US. Ten years later, as the number of Internet users and websites continued to grow, SIDN was established and took on the responsibilities of managing the .nl DNS zone from CWI.

Fast forward more than 20 years and things at SIDN have moved forward considerably, as they have on the Internet. SIDN now has more than 5.8 million domain names registered across multiple domains and is the fifth-largest country code top-level domain in the world. In addition, they established SIDN Labs (their research arm dedicated to applied research and technological development of the Internet), which works with the Internet measurement community and the Internet Engineering Task Force (IETF) and collaborates with various universities. SIDN also branched out in 2017 by acquiring Connectis, the Netherlands' leading secure login provider.

"ThousandEyes is the only party with enough DNS monitoring
coverage worldwide, commercially available with support,
to give us the service visibility we need."

Marc Groeneweg
Project Manager

Improving Domain Name Server Performance Through Research

But things rarely stand still in the world of technology and so SIDN Labs is continually looking for ways to improve its service, and ultimately provide value to the Netherlands society, economy and beyond.

It was with this in mind that two of their researchers, Giovane Moura and Moritz Müller, set out to investigate how they could better engineer the service provided by their authoritative name servers. These name servers work in partnership with DNS (Domain Name System) resolvers to translate the address you type into your browser into an IP address that can be used to route your traffic over the Internet. As Marc Groeneweg, Project Manager at SIDN, puts it, "DNS is part of a customer journey in visiting a website, so while domain resolution is just a fraction of the total time you spend getting to a website, any delay impacts the overall experience."

Performance is key, and so RTT, or Round-trip Time, is an important metric. Giovane's and Moritz's research was focused on how they could improve this. After studying the behavior of thousands of active resolvers on the Internet, they concluded that DNS operators should not rely on the selection strategies of recursive resolvers.

"You cannot have great global latency for everybody if you run your authoritative name server with IP unicast. You cannot avoid DNS queries going to sites that are geographically too far for some people, and that's when we realized we needed to do more anycast and have more sites closer to our biggest clients," says Giovane. "With anycast, you have one IP address and you have multiple servers distributed across the globe. BGP (Border Gateway Protocol) will match you to the closest site geographically. So let's say we have one unicast site here in Amsterdam, if you have queries from San Francisco you have to travel all across America, across the Atlantic Ocean, and eventually you get here in 120 milliseconds. With anycast you can have one site in Amsterdam and one in San Francisco and then BGP can match all the California queries to the San Francisco site to deliver much lower latency."

You can find a blog post on Moritz and Giovane's research, with a link to the paper, which was published at the prestigious ACM IMC 2017 conference, here: https://www.sidnlabs.nl/a/weblog/recursives-in-the-wild-engineering-authoritative-dns-servers.

ThousandEyes BGP Route Visualization
Figure 1: Border Gateway Protocol (BGP) is used to route information between different destination networks on the Internet.

Putting Research Into Action

In running such a large domain, SIDN gets queries from within the Netherlands and Europe, but also from all over the world, including North America, where many cloud providers are based. They therefore needed to ensure strong performance and presence there, and the decision was made to start their migration to anycast with their NS5 node, which serves North America.

To roll this out effectively SIDN decided they needed to be able to monitor RTT (Round-trip Time) from lots of different viewpoints around the world and be able to investigate how traffic was routing across the Internet easily so they could quickly isolate potential performance issues. To do this, they selected ThousandEyes as their network monitoring and intelligence partner. As Marc says, "ThousandEyes is, in my opinion, the only party with enough DNS monitoring coverage worldwide, commercially available with support, to give us the service visibility we need. It's brilliant to see with the visualization of BGP, how the traffic really flows, not to assume that because we have a node in Boston the whole region of Boston will have performance gain from the Boston node. That's not necessarily true, there is so much more involved with Internet routing."

DNS resolution time charts
Figure 2: Using ThousandEyes, SIDN was able to track response times of their IPv4 and IPv6 NS5 nodes and even break those response times down by region to see variation in performance.

"It's brilliant to see with BGP visualization how DNS traffic really flows,
and not assume that because we have a node in Boston
the whole Boston region will see improved performance."

Marc Groeneweg
Project Manager

A DNS Server test was configured to run from over forty Cloud Agents to the target name server (ns5.dns.nl). These agents were picked to give a mixture of IPv4 and IPv6 data and global visibility. Each of the ThousandEyes agents sends multiple DNS requests to ns5.dns.nl asking for the .nl SOA record. From this, they gather important information such as the .nl serial number, nameserver availability and DNS resolution time. At the same time network tests map the path from each agent to the NS5 nameserver and gather loss, latency and jitter metrics.
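
The SOA probe described above, as an added example that is not ThousandEyes or SIDN code: it builds the `.nl` SOA query and validates a reply (matching transaction ID, response bit, RCODE) before extracting the zone serial. The reply bytes, the names `ns1.example` and `hostmaster.example`, the timers and the serial are constructed for illustration.

```python
import struct

SOA, IN = 6, 1  # DNS TYPE and CLASS codes

def encode_name(name):
    """Encode 'nl.' as length-prefixed labels ending in the root label."""
    parts = [p for p in name.rstrip(".").split(".") if p]
    return b"".join(bytes([len(p)]) + p.encode("ascii") for p in parts) + b"\x00"

def build_soa_query(zone, txid):
    # Flags 0: standard query, no recursion desired (target is authoritative).
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    return header + encode_name(zone) + struct.pack("!HH", SOA, IN)

def skip_name(msg, off):
    """Offset just past the name at off; a compression pointer ends the name."""
    while msg[off] != 0:
        if (msg[off] & 0xC0) == 0xC0:
            return off + 2
        off += 1 + msg[off]
    return off + 1

def parse_soa_serial(msg, txid):
    """Validate the reply and return the SOA serial, else raise ValueError."""
    rid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid or not (flags & 0x8000):  # wrong ID or not a response
        raise ValueError("reply does not match query")
    if flags & 0x000F:                       # non-zero RCODE (e.g. SERVFAIL)
        raise ValueError("rcode %d" % (flags & 0x000F))
    off = 12
    for _ in range(qd):                      # skip the question section
        off = skip_name(msg, off) + 4
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == SOA:                     # RDATA: MNAME, RNAME, serial, ...
            p = skip_name(msg, skip_name(msg, off))
            return struct.unpack("!I", msg[p:p + 4])[0]
        off += rdlen
    raise ValueError("no SOA record in answer")

def sample_response(txid, serial, rcode=0):
    """Constructed reply for offline use (names and timers are made up)."""
    question = encode_name("nl.") + struct.pack("!HH", SOA, IN)
    rdata = (encode_name("ns1.example.") + encode_name("hostmaster.example.")
             + struct.pack("!IIIII", serial, 3600, 600, 2419200, 600))
    rr = b"\xc0\x0c" + struct.pack("!HHIH", SOA, IN, 3600, len(rdata)) + rdata
    return struct.pack("!HHHHHH", txid, 0x8400 | rcode, 1, 1, 0, 0) + question + rr
```

Against a live name server, the query bytes go out over UDP port 53 and the time until a reply that passes `parse_soa_serial` arrives is the resolution time. Comparing the serials seen from different vantage points shows whether every anycast site is serving the same zone version.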

The final piece of the puzzle is BGP data sourced from monitors located across the world to capture routing changes that can impact performance and availability. In order to operationalize the data, SIDN worked with ThousandEyes to configure proactive alerts and a high-level dashboard that displays global latency of their platform.

Path Visualization from Cloud Agents
Figure 3: Routes mapped across the Internet from 40+ Cloud Agents to the SIDN NS5 IPv4 and IPv6 nodes.

Sharing Network Insights to Improve Partner Performance

The collaboration capabilities within the ThousandEyes platform have also proved useful to the team at SIDN: sharelinks let them work with partners and suppliers on potential issues using easily shared network monitoring data. Marc adds, "It's great to have the visualization and correlation between the events you see and the BGP routing and path visualization. What I've done is taken snapshots and shared them with our partners to look into them, letting them know: 'I see something strange in the routing to your node, can you look into it?' That's very beneficial to our partners also."

Now, with the rollout of anycast on NS5 complete, SIDN is starting to look at the rest of their network and partners to see how anycast can deliver greater performance for inbound queries from all over the world.

Measurable DNS Performance Results

"Our goal when we started the project was to reduce RTT (Round-trip Time), which was then at 165 milliseconds worldwide, to less than 100 milliseconds. We managed to initially reduce our RTT to 95 milliseconds overall, and currently it stands at 77 milliseconds!" says Marc. The dashboard view from ThousandEyes below shows the change in performance, with the response times prior to rolling out anycast shown on the left and the improvement on the right.

With Internet adoption, domain registration, devices, integrations and queries only set to grow in the coming years, how the Internet functions will become even more important to the quality of our lives. SIDN is ensuring it is architecting for success in its crucial role for the people of the Netherlands and beyond, and is able to visualize this complex technological landscape with network monitoring and intelligence from ThousandEyes.

DNS server resolution time map
Figure 4: High level dashboard monitoring response times of NS5 from regions across the world
showing the improvement from 165 milliseconds worldwide to 77 milliseconds.

"As a research organization, we are mostly used to working on large
datasets with backend systems. However, the visualizations provided by
ThousandEyes are what our operations team needs to be efficient."

Marc Groeneweg
Project Manager
