What is anycast DNS?
In anycast, one IP address can apply to many servers. Anycast DNS means that any one of a number of DNS servers can respond to DNS queries, and typically the one that is geographically closest will provide the response. This reduces latency, improves uptime for the DNS resolving service, and provides protection against DNS flood DDoS attacks.
What is anycast?
Typically, any device or server that connects directly to the Internet will have a unique IP address. Communication between network-connected devices is 1-to-1; each communication goes from one specific device to the targeted device on the other end of the communication. Anycast networks, in contrast, allow multiple servers on the network to use the same IP address, or set of IP addresses. Communication with an anycast network is 1-to-many.
Ordinarily, an IP address functions like a street address: it specifies the one specific location where the message is going. But suppose a friend had multiple residences around the country. Imagine a letter addressed to one of her houses could go to any one of those other houses based on which one was closest to the sender, even though the letter was addressed to a house in another city. This is sort of how anycast routing works: one IP address can be associated with multiple locations.
For example, a request to an IP address within the Cloudflare CDN can be responded to by any of the 165 PoPs (points of presence) Cloudflare operates, instead of one specific server. For more on anycast and how a CDN can use it, see "What is anycast?"
How does anycast DNS work?
DNS stands for domain name system, and it's the system that translates domain names (the names of websites) into alphanumeric IP addresses that machines can read. This is known as "resolving" a domain name, and DNS resolvers are the servers that manage the resolving. When a user wants to load a website, the client device needs to query a DNS resolver for the IP address of that website.
Anycast makes DNS resolving much faster. With anycast DNS, a DNS query will go to a network of DNS resolvers rather than to one specific resolver, and will be routed to whichever resolver is closest and available. DNS queries and responses will follow optimized paths in order to answer queries as quickly as possible.
Anycast also helps keep DNS resolving services highly available. If one DNS resolver goes offline, queries can still be answered by other resolvers in the network.
Cloudflare offers DNS resolving on our distributed CDN with over 160 data centers. Because the CDN is anycast, DNS queries can be resolved from any data center in the network. Any DNS resolver in the network can respond to any DNS query.
How does DNS resolving work without anycast?
If a DNS resolving service does not use anycast, it likely uses unicast routing. In unicast routing, every DNS server has one IP address, and every DNS query goes to a specific server. If that resolver is down or unavailable, the client will have to query additional DNS resolvers, adding time to the DNS resolving process.
How does anycast DNS provide resilience against DDoS attacks?
DDoS attacks can target DNS resolvers via DNS flood attacks. These attacks usually use large botnets of IoT devices to overwhelm or "flood" DNS resolvers with DNS queries. (A DNS flood attack is different from a DNS amplification attack, which uses open DNS resolvers to amplify DDoS attacks. In such an attack, the resolvers themselves are not the target.)
Anycast networks provide DDoS protection because traffic can be spread across the whole network. To put it another way, a request to one IP address can be answered by many servers, so thousands of requests that would overwhelm one server are divided up among many servers. Anycast DNS is therefore not susceptible to most DNS flood attacks, and Cloudflare DNS services are resilient to DDoS attacks for this reason.