Visualizing a Better Internet

Improving Domain Name Server Performance Through Research

But things rarely stand still in the world of technology and so SIDN Labs is continually looking for ways to improve its service, and ultimately provide value to the Netherlands society, economy and beyond.

It was with this in mind that two of their researchers, Giovane Moura and Moritz Müller set out to investigate how they could better engineer the service provided by their authoritative name servers. These name servers work in partnership with DNS (Domain Name Server) Resolvers to translate the address you type into your browser to an IP address that can be used to navigate your route over the Internet. As Marc Groeneweg, Project Manager at SIDN puts it "DNS is part of a customer journey in visiting a website, so while domain resolution is just a fraction of the total time you spend getting to a website, any delay impacts the overall experience."

Performance is key, and so RTT, or Round-trip Time, is an important metric. Giovane's and Moritz's research was focused on how they could improve this. After studying the behavior of thousands of active resolvers on the Internet, they concluded that DNS operators should not rely on the selection strategies of recursive resolvers.

"You cannot have great global latency for everybody if you run your authoritative name server with IP unicast. You cannot avoid DNS queries going to sites that are geographically too far for some people, and that's when we realized we needed to do more anycast and have more sites closer to our biggest clients," says Giovane. "With anycast, you have one IP address and you have multiple servers distributed across the globe. BGP (Border Gateway Protocol) will match you to the closest site geographically. So let's say we have one unicast site here in Amsterdam, if you have queries from San Francisco you have to travel all across America, across the Atlantic Ocean, and eventually you get here in 120 milliseconds. With anycast you can have one site in Amsterdam and one in San Francisco and then BGP can match all the California queries to the San Francisco site to deliver much lower latency."

You can find a blog post on Moritz and Giovane's research with a link to the paper, which was published at the prestigious ACM IMC 2017 conference, here https://www.sidnlabs.nl/a/weblog/recursives-in-the-wild-engineering-authoritative-dns-servers.

Putting Research Into Action

In running such a large domain, SIDN gets queries from within the Netherlands and Europe, but also all over the world including North America, where many cloud providers are based. As such, they needed to ensure there was strong performance and presence here and the decision was made to start their migration to anycast in their NS5 node which serves North America.

To roll this out effectively SIDN decided they needed to be able to monitor RTT (Round-trip Time) from lots of different viewpoints around the world and be able to investigate how traffic was routing across the Internet easily so they could quickly isolate potential performance issues. To do this, they selected ThousandEyes as their network monitoring and intelligence partner. As Marc says, "ThousandEyes is, in my opinion, the only party with enough DNS monitoring coverage worldwide, commercially available with support, to give us the service visibility we need. It's brilliant to see with the visualization of BGP, how the traffic really flows, not to assume that because we have a node in Boston the whole region of Boston will have performance gain from the Boston node. That's not necessarily true, there is so much more involved with Internet routing."

A DNS Server test was configured to run from over forty Cloud Agents to the target name server (ns5.dns.nl). These agents were picked to give a mixture of IPv4 and IPv6 data and global visibility. Each of the ThousandEyes agents sends multiple DNS requests to ns5.dns.nl asking for the .nl SOA record. From this, they gather important information such as the .nl serial number, nameserver availability and DNS resolution time. At the same time network tests map the path from each agent to the NS5 nameserver and gather loss, latency and jitter metrics.

The final piece of the puzzle is BGP data sourced from monitors located across the world to capture routing changes that can impact performance and availability. In order to operationalize the data, SIDN worked with ThousandEyes to configure proactive alerts and a high-level dashboard that displays global latency of their platform.

Sharing Network Insights to Improve Partner Performance

The collaboration capabilities within the ThousandEyes platform have also come in useful to the team at SIDN with sharelinks enabling them to team with partners and suppliers to solve potential issues with easily shared network monitoring data. Marc adds "It's great to have the visualization and correlation between the events you see and the BGP routing and path visualization. What I've done is taken snapshots and shared them with our partners to look into them, letting them know: 'I see something strange in the routing to your node, can you look into it?' That's very beneficial to our partners also."

Now, with the rollout of anycast on NS5 complete, SIDN is starting to look at the rest of their network and partners to see how anycast can deliver greater performance for inbound queries from all over the world.

Measurable DNS Performance Results

"Our goal when we started the project was to reduce RTT (Round-trip Time), which was then at 165 milliseconds worldwide, to less than 100 milliseconds. We managed to initially reduce our RTT to 95 milliseconds overall, and currently it stands at 77 milliseconds!" says Marc. The dashboard view from ThousandEyes below shows the change in performance, with the response times prior to rolling out anycast shown on the left and the improvement on the right.

With Internet adoption, domain registration, devices, integrations and queries only set to continually grow in the coming years, how the Internet functions will become even more important to the quality of our lives. SIDN is ensuring it is architecting for success in its crucial role for the people of the Netherlands and beyond, and is able to visualize this complex technological landscape with network monitoring and intelligence from ThousandEyes.