What is Anycast DNS? | How Anycast works with DNS

Using Anycast with DNS helps speed up the DNS resolution process for users and ensures DNS reliability.

學習目標

閱讀本文後,您將能夠:

  • Understand how Anycast works
  • Learn how Anycast makes DNS resolving faster and more efficient
  • Explain why Anycast helps mitigate DNS flood DDoS attacks

複製文章連結

What is Anycast DNS?

In Anycast, one IP address can apply to many servers. Anycast DNS means that any one of a number of DNS servers can respond to DNS queries, and typically the one that is geographically closest will provide the response. This reduces latency, improves uptime for the DNS resolving service, and provides protection against DNS flood DDoS attacks.

What is Anycast?

Typically, any device or server that connects directly to the Internet will have a unique IP address. Communication between network-connected devices is 1-to-1; each communication goes from one specific device to the targeted device on the other end of the communication. Anycast networks, in contrast, allow multiple servers on the network to use the same IP address, or set of IP addresses. Communication with an Anycast network is 1-to-many.

Anycast DNS

Ordinarily, an IP address functions like a street address: it specifies the one specific location where the message is going. But suppose a friend had multiple residences around the country. Imagine a letter addressed to one of her houses could go to any one of those other houses based on which one was closest to the sender, even though the letter was addressed to a house in another city. This is sort of how Anycast routing works: one IP address can be associated with multiple locations.

For example, a request to an IP address within the Cloudflare CDN can be responded to by any data center Cloudflare operates, instead of one specific server. For more on Anycast and how a CDN can use it, see "What is Anycast?"

How does Anycast DNS work?

DNS 代表網域名稱系統,這是將網域名稱(網站名稱)轉譯為機器可讀之英數字元 IP 位址的系統。這稱為「解析」網域名稱,而 DNS 解析程式則是管理解析的伺服器。當使用者想要載入網站時,用戶端裝置就需要查詢 DNS 解析程式,以取得該網站的 IP 位址。

Anycast 可加快 DNS 的解析速度。透過 Anycast DNS,DNS 查詢將會前往 DNS 解析程式的網路,而非前往某個特定解析程式,然後會路由傳送至最靠近的可用解析程式。DNS 查詢和回應將會按照最佳化路徑,以便盡快回答查詢。

Anycast 也能協助 DNS 解析服務保持高度的可用性。若某個 DNS 解析程式離線,網路中的其他解析程式仍可回答查詢。

Cloudflare offers DNS resolving on our distributed CDN with data centers in 250 cities. Because the CDN is Anycast, DNS queries can be resolved from any data center in the network. Any DNS resolver in the network can respond to any DNS query.

How does DNS resolving work without Anycast?

若 DNS 解析服務沒有使用 Anycast,可能會使用 Unicast 路由傳送。在 Unicast 路由傳送中,每個 DNS 伺服器具有一個 IP 位址,而每個 DNS 查詢則前往特定的伺服器。若該解析程式故障或無法使用,用戶端將必須查詢其他 DNS 解析程式,增加 DNS 解析流程的時間。

How does Anycast DNS provide resilience against DDoS attacks?

DDoS 攻擊可透過 DNS 洪水攻擊,以 DNS 解析程式作為目標。這些攻擊通常使用 IoT 裝置的大規模殭屍網路,以透過 DNS 查詢癱瘓或「淹沒」DNS 解析程式。(DNS 洪水攻擊與 DNS 放大攻擊不同,DNS 放大攻擊使用開放 DNS 解析程式來放大 DDoS 攻擊。在這類攻擊中,解析程式本身不是目標。)

Anycast 與 Unicast

Anycast network 可提供 DDoS 保護,因為流量可散佈於整個網路。換言之,對於某個 IP 位址的請求可由許多伺服器來回答,因此原本會淹沒一個伺服器的上千個請求可分攤給許多伺服器。所以 Anycast DNS 並不容易受到大部分 DNS 洪水攻擊的影響,因此 Cloudflare DNS 服務可成功防禦 DDoS 攻擊。