What is Anycast DNS? | How Anycast works with DNS

Using Anycast with DNS helps speed up the DNS resolution process for users and ensures DNS reliability.

学习目标

阅读本文后,您将能够:

  • Understand how Anycast works
  • Learn how Anycast makes DNS resolving faster and more efficient
  • Explain why Anycast helps mitigate DNS flood DDoS attacks

复制文章链接

What is Anycast DNS?

In Anycast, one IP address can apply to many servers. Anycast DNS means that any one of a number of DNS servers can respond to DNS queries, and typically the one that is geographically closest will provide the response. This reduces latency, improves uptime for the DNS resolving service, and provides protection against DNS flood DDoS attacks.

What is Anycast?

Typically, any device or server that connects directly to the Internet will have a unique IP address. Communication between network-connected devices is 1-to-1; each communication goes from one specific device to the targeted device on the other end of the communication. Anycast networks, in contrast, allow multiple servers on the network to use the same IP address, or set of IP addresses. Communication with an Anycast network is 1-to-many.

Anycast DNS

Ordinarily, an IP address functions like a street address: it specifies the one specific location where the message is going. But suppose a friend had multiple residences around the country. Imagine a letter addressed to one of her houses could go to any one of those other houses based on which one was closest to the sender, even though the letter was addressed to a house in another city. This is sort of how Anycast routing works: one IP address can be associated with multiple locations.

For example, a request to an IP address within the Cloudflare CDN can be responded to by any data center Cloudflare operates, instead of one specific server. For more on Anycast and how a CDN can use it, see "What is Anycast?"

How does Anycast DNS work?

DNS 代表域名系统,它是将域名(网站名称)转换为机器可读取的字母数字 IP 地址的系统。这称为“解析”域名,DNS 解析器则是管理解析的服务器。当用户想要加载某个网站时,客户端设备需要向 DNS 解析器查询该网站的 IP 地址。

Anycast 能提高 DNS 解析速度。使用 Anycast DNS 时,DNS 查询将转到 DNS 解析器网络,而不是一个特定的解析器,并将路由到最接近的可用解析器。DNS 查询和响应将沿着优化的路径传送,以便尽快答复查询。

Anycast 还有助于保持 DNS 解析服务的高度可用性。如果一个 DNS 解析器离线,网络中的其他解析器仍可以答复查询。

Cloudflare offers DNS resolving on our distributed CDN with data centers in 250 cities. Because the CDN is Anycast, DNS queries can be resolved from any data center in the network. Any DNS resolver in the network can respond to any DNS query.

How does DNS resolving work without Anycast?

如果 DNS 解析服务不使用 Anycast,则有可能使用单播路由。在单播路由中,每一 DNS 服务器都有一个 IP 地址,每个 DNS 查询都转到特定的服务器。如果该解析器关闭或不可用,则客户端将不得不查询其他 DNS 解析器,从而增加了 DNS 解析过程所需的时间。

How does Anycast DNS provide resilience against DDoS attacks?

DDoS 攻击可以通过 DNS 洪水攻击来针对 DNS 解析器。这些攻击通常利用由 IoT 设备组成的大型僵尸网络,通过大量 DNS 查询来压垮或“冲击”DNS 解析器。(DNS 洪水攻击不同于 DNS 放大攻击,后者使用开放的 DNS 解析器放大 DDoS 攻击。在那种攻击中,解析器本身不是目标。)

Anycast 与 Unicast

Anycast 网络可以提供 DDoS 防护,因为流量可以分散到整个网络。换而言之,对一个 IP 地址的请求可以由许多服务器答复,因此数千个可能会压垮一台服务器的请求会分散到许多服务器。所以,Anycast DNS 不受大多数 DNS 洪水攻击的影响, Cloudflare DNS 服务也因此而能抵御 DDoS 攻击。