Re: [dns-operations] How DNS work

2020-11-09 Thread Stephane Bortzmeyer
On Mon, Nov 09, 2020 at 03:34:32PM +,
 Jim Reid  wrote 
 a message of 60 lines which said:

> A well behaved resolving server will only send a handful of queries
> (if that) to the root every day - ie whenever it needs to look up a
> TLD that hasn’t been cached.

And maybe not even so, if they implement RFC 8198 or RFC 8806.

___
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations


Re: [dns-operations] How DNS work

2020-11-09 Thread Jim Reid


> On 9 Nov 2020, at 04:15, Hoan Vu  wrote:
> 
> We really wanna know "what is round robin of DNS" and the nature of the rule 
> to choose the DNS Root of Resolver, what factor, algorithm,  that decide 
> the choice of DNS Root.

Why? Nobody needs to care about this - apart from the people who write DNS 
resolvers.

If you *really* want to know, consult the source code. There are quite a few 
open source DNS resolver implementations: BIND, unbound, Knot resolver, 
PowerDNS Recursor, etc.

For everyone else, all they need to know is their resolving servers generally 
query the authoritative server that answers quickest: ie the one that has the 
shortest round-trip time (RTT) for the query and response. This isn’t 
necessarily the authoritative server that’s physically closest. Factors beyond 
your control like network topology, hop count, bandwidth, routing/peering 
policies, server/router load, packet loss, etc. can sometimes mean an 
authoritative server 100km away is quicker to respond than one that’s only 100m 
away.

Resolving servers continuously monitor the RTT to all the authoritative servers 
for some domain and adjust where they send their queries based on what is 
happening in the network - for instance when a link fails or an unresponsive 
server comes back on-line.

“round robin in the DNS” is something very different from this. It’s mostly 
found in (stupid IMO) resolver configurations that use forwarding. In these, 
the server is given a list of servers and just forwards its queries to those 
servers. It mindlessly tries the first one in the list, then the next and so 
on. When it comes to the end of the list, the forwarder goes back to the start 
and cycles through the list again: hence round-robin. These forwarding 
configurations generally don’t care about RTTs and will usually forward queries 
to a server on this list even when they know that server is dead.

> Suppose that we have one Root Secondary Node of Anycast in our country 
> (example DNS Root K), and we want to direct query of the DNS Cache to 
> that DNS Root, how can we interfere the resolve process to do that (unless 
> otherwise configure only DNS Root K)

Don’t do that. Unless you’re forced to by law (ie “all DNS queries must remain 
inside our borders” or some stupid rule like that). Just let the resolving 
server decide for itself which servers are quickest to answer queries. It will 
do a far better job of that than you can. And also adapt in real time to 
outages, changes in network topology and so on. If you force a resolving server 
to always query a specific authoritative name server, that creates an avoidable 
and unnecessary single point of failure. It also complicates the management and 
configuration of the local server and day-to-day DNS operations.

If your DNS queries are not going to the nearest anycast node (for some 
definition of nearest) and that’s a concern, fix the underlying issue. Which is 
routing, not DNS. 

I also don’t understand why you seem to be so concerned about optimising 
queries to a root server. A well behaved resolving server will only send a 
handful of queries (if that) to the root every day - ie whenever it needs to 
look up a TLD that hasn’t been cached.

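The contrast drawn in the message above between RTT-based server selection and a round-robin forwarder, as an added example that is not part of the original thread and not the algorithm of BIND, Unbound, Knot or PowerDNS. It is a simplified model: the server names, RTT values, timeout cost, smoothing factor and decay rate are all assumptions chosen for illustration.

```python
import itertools

TIMEOUT_MS = 800.0  # assumed cost charged for an unanswered query

class SrttSelector:
    """Send each query to the server with the lowest smoothed RTT."""
    def __init__(self, names, alpha=0.3, decay=0.98):
        self.srtt = {n: 0.0 for n in names}  # 0.0: untried servers are probed first
        self.alpha, self.decay = alpha, decay

    def pick(self):
        return min(self.srtt, key=self.srtt.get)

    def update(self, name, rtt_ms):
        sample = TIMEOUT_MS if rtt_ms is None else rtt_ms
        self.srtt[name] = (1 - self.alpha) * self.srtt[name] + self.alpha * sample
        for other in self.srtt:  # age idle servers so they are re-probed later
            if other != name:
                self.srtt[other] *= self.decay

class RoundRobinForwarder:
    """Cycle through the list in order, ignoring RTT and failures."""
    def __init__(self, names):
        self._cycle = itertools.cycle(list(names))

    def pick(self):
        return next(self._cycle)

    def update(self, name, rtt_ms):
        pass

def simulate(selector, rtts, queries, events=None):
    """rtts: name -> RTT in ms, None = no answer. events: query index -> (name, rtt)."""
    rtts, events = dict(rtts), events or {}
    counts, timeouts = {n: 0 for n in rtts}, 0
    for i in range(queries):
        if i in events:
            name, new_rtt = events[i]
            rtts[name] = new_rtt
        name = selector.pick()
        counts[name] += 1
        timeouts += rtts[name] is None
        selector.update(name, rtts[name])
    return counts, timeouts

# Constructed sample: the server 100 m away is slower than the one 100 km away.
SERVERS = {"near-100m": 40.0, "far-100km": 12.0, "down": None}

if __name__ == "__main__":
    print("srtt       ", simulate(SrttSelector(SERVERS), SERVERS, 300))
    print("round robin", simulate(RoundRobinForwarder(SERVERS), SERVERS, 300))
    print("recovery   ", simulate(SrttSelector(SERVERS), SERVERS, 400, {100: ("down", 5.0)}))
```

The third run brings the "down" server back at query 100 with a 5 ms RTT; the selector only notices once the aged estimate triggers a re-probe, after which that server takes most of the traffic.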

Re: [dns-operations] How DNS work

2020-11-09 Thread Stephane Bortzmeyer
On Mon, Nov 09, 2020 at 11:15:12AM +0700,
 Hoan Vu  wrote 
 a message of 122 lines which said:

> And we have already done a lab, and then the DNS Cache works out of
> order, the DNS Root is chosen randomly.

As explained in the APNIC article, it depends on the resolver. BIND,
Knot, Unbound and the others do not use the same algorithm.

> the nature of the rule to choose the DNS Root of Resolver, what
> factor, algorithm, 

Sometimes, it is more or less documented, but you'll probably have to
read the source code and, as you did, experiment in the lab to find out.

> Our final target to want to know can we control the operation of the
> DNS Cache. Suppose that we have one Root Secondary Node of Anycast
> in our country (example DNS Root K), and we want to direct query of
> the DNS Cache to that DNS Root, how can we interfere the resolve
> process to do that

Well, if it is free software (like PowerDNS, Unbound, BIND, etc), you
have to modify the source code (not for the faint of heart).



[dns-operations] How DNS work

2020-11-09 Thread Hoan Vu
Dear!



We are learning the operation of the DNS, we have found the document of
APNIC *"The Root of the DNS"* (
https://labs.apnic.net/presentations/store/2017-03-12-root-servers-explained.pdf
, *slide:18 "Which Root!"*), the document said that " *Which letter they pick is
up to the resolver. Some do round robin, some latch on to the one they
think is faster. There are no particular rules that resolvers use here.
It’s not clear that resolvers use any particular heuristic to guide their
choice of root server letter, nor is it clear that it matters in any case."*
And we have already done a lab, and then the DNS Cache works out of order, the
DNS Root is chosen randomly.

We really wanna know "what is round robin of DNS" and the nature of the
rule to choose the DNS Root of Resolver, what factor, algorithm,  that
decide the choice of DNS Root. Our final target to want to know can we
control the operation of the DNS Cache. Suppose that we have one Root
Secondary Node of Anycast in our country (example DNS Root K), and we want
to direct query of the DNS Cache to that DNS Root, how can we interfere
the resolve process to do that (unless otherwise configure only DNS Root K).

What about round robin to choose with the top level domain, second level
domain, ... ?

 Does the rule round robin depend on the DNS Software of DNS Cache
(resolver) or DNS Root, DNS top level domain,?

Thanks!