cdn edge
01 Oct 2018

Understanding CDN DNS Routing – Unicast Versus Anycast

CDN DNS routing is what makes the performance optimization offered by Content Delivery Networks possible. It gives CDNs the ability to dynamically route traffic to their nodes across the world enabling them to improve the user experience of website visitors with faster site load times. DNS Unicast or Anycast are two possible routing solutions which CDNs utilize to accomplish this. However, what is the difference between the two and which one provides the better solution?

CDN DNS Unicast Routing

Sites using CDNs configured with DNS Unicast use recursive DNS queries which redirect visitors to their closest node. This process involves setting up an alternate DNS record for their domain utilizing the DNS CNAME record type. When a website visitor types in the URL or clicks on a link which references the primary web server, the user’s configured DNS provider then redirects them to the CDN service which hosts the site’s content. Once the user reaches the CDN, they are then routed to the closest node which is determined by ascertaining their location based on their IP address.

The primary advantages of using DNS Unicast are the transparency, simplicity, and flexibility it lets the CDN provider offer their customers. A DNS-based CDN service is entirely transparent, providing end users with a seamless experience: even though servers located all over the world host the web content, the site or service is accessible from a single domain name. Configuring a CDN via DNS Unicast is also simple to incorporate into the standard DNS resolution process. With DNS infrastructure universally available across the Internet, creating a CDN service which works via DNS is both cost-effective and efficient. Furthermore, deployment can take place rapidly, as the CDN provider does not need to invest in any specialized hardware or software.

DNS-configured CDNs do, however, have some limitations. The primary disadvantage facing these services is that the universal availability of DNS is a double-edged sword which can make it difficult to ascertain the site visitor’s true originating IP address. The issue arises from the recursive mechanism used in modern DNS architecture. As previously established, the CDN uses the originating IP address to determine the closest node to a site visitor. With DNS Unicast, however, the CDN’s authoritative DNS server sees only the IP address of the recursive resolver that queries it, not that of the actual client, so the use of global DNS service providers can mask the site visitor’s true geographic location. For example, a client based in Australia could be configured to use a DNS resolver based in Europe. In this instance, once the visitor’s request reaches the CDN platform, the service will incorrectly assume the originating IP to be in Europe rather than Australia and send the client to the wrong node.
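The resolver-location problem described above, as an added example that is not part of the original article: a constructed model of a DNS-Unicast CDN in which the authoritative server picks a node from the address of whoever asks it (the recursive resolver), so an Australian client behind a European resolver is sent to the European node. The node addresses, geo-IP prefixes and resolver addresses are all made up. The optional client-subnet hint goes beyond the article's scenario: it models the EDNS Client Subnet extension (RFC 7871), with which a resolver can pass a truncated client prefix upstream so the authoritative server can choose correctly.

```python
import ipaddress

# Constructed data: each CDN node has its own unicast address (RFC 5737
# documentation ranges), as in a DNS-Unicast deployment.
NODES = {"syd": "203.0.113.10", "fra": "198.51.100.10", "sjc": "192.0.2.10"}

# Constructed geo-IP table (prefix -> region) standing in for a real database.
GEOIP = [
    (ipaddress.ip_network("10.1.0.0/16"), "au"),
    (ipaddress.ip_network("10.2.0.0/16"), "eu"),
    (ipaddress.ip_network("10.3.0.0/16"), "us"),
]
REGION_TO_NODE = {"au": "syd", "eu": "fra", "us": "sjc"}


def region_of(ip):
    """Look the address up in the constructed geo-IP table; unknown -> 'us'."""
    addr = ipaddress.ip_address(ip)
    for net, region in GEOIP:
        if addr in net:
            return region
    return "us"


def authoritative_answer(query_source_ip, client_subnet=None):
    """The CDN's authoritative server answering a query for the site's CNAME target.

    The only address it sees on the wire is query_source_ip, which is the
    recursive resolver's address, so that is what drives the node choice.
    client_subnet models the optional EDNS Client Subnet hint (RFC 7871),
    an assumption added here and not part of the article's scenario.
    """
    basis = client_subnet if client_subnet is not None else query_source_ip
    return NODES[REGION_TO_NODE[region_of(basis)]]


def recursive_resolve(client_ip, resolver_ip, send_client_subnet=False):
    """The client's configured recursive resolver forwarding the query upstream."""
    subnet = None
    if send_client_subnet:
        # ECS-capable resolvers pass a truncated client prefix, not the full address.
        subnet = str(ipaddress.ip_network(client_ip + "/24", strict=False).network_address)
    return authoritative_answer(resolver_ip, subnet)


def node_name(ip):
    """Map a returned node address back to its label, for readable output."""
    return next(name for name, addr in NODES.items() if addr == ip)


if __name__ == "__main__":
    au_client, au_resolver, eu_resolver = "10.1.4.20", "10.1.0.53", "10.2.8.8"
    print("AU client, AU resolver      :", node_name(recursive_resolve(au_client, au_resolver)))
    print("AU client, EU resolver      :", node_name(recursive_resolve(au_client, eu_resolver)))
    print("AU client, EU resolver + ECS:", node_name(recursive_resolve(au_client, eu_resolver, True)))
```

The second call is the article's failure case: nothing in the query tells the CDN where the client really is, so the European node is chosen. The third call shows why a client-subnet hint fixes it, and also why the hint is a privacy trade-off to weigh (the CDN now learns part of the client's address).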

CDN DNS Anycast Routing

CDN service providers who configure their platform with Anycast set a single IP address for all their nodes. Unlike a DNS Unicast-based CDN, where every node has a unique IP address and recursive DNS routes the client to the closest node, Anycast uses the Border Gateway Protocol (BGP) to route clients using the natural network flow of the Internet. BGP is a network-level protocol used by Internet edge routers to exchange routing and reachability information, so that every node on the network, even though it is autonomous, knows the state of its closest network neighbors. Anycast uses this information to efficiently route traffic based on hop count, ensuring the shortest traveling distance between the client and its final destination.

A CDN configured with Anycast still uses DNS; the primary difference is that with Anycast the CDN provider advertises a single IP address, whereas with Unicast each node has a unique IP address. Because the client’s packets are carried to a node by BGP routing, this approach uses the originating client IP instead of the IP of the DNS resolver, which ensures the CDN directs the client to the closest possible node.

Due to its architecture, Anycast offers some advantages over Unicast-based routing. First and foremost, its efficient use of network hops allows for speedier connectivity. The complexity of setting up an Anycast solution is also significantly reduced, as every node in the network shares a single DNS configuration. It also offers DDoS protection and High-Availability, as the multiple-node, single-IP-address architecture provides network-level redundancy.
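The hop-count routing and flood-absorption behaviour described in this section, as an added example that is not part of the original article: a constructed AS-level topology in which the CDN originates the same prefix from three points of presence, with BGP propagation modelled as each AS keeping the announcement with the shortest AS path. The AS labels, links and PoP names are invented; the tie-break (lexically lower PoP name) stands in for the deterministic tie-breaks real routers apply.

```python
from collections import Counter, deque

# Constructed AS-level topology: undirected peering links between labelled ASes.
LINKS = [
    ("AS-AU-ISP", "AS-AU-IX"), ("AS-AU-IX", "AS-CDN-SYD"),
    ("AS-AU-IX", "AS-TRANSIT-APAC"), ("AS-TRANSIT-APAC", "AS-TRANSIT-US"),
    ("AS-TRANSIT-US", "AS-US-IX"), ("AS-US-IX", "AS-CDN-SJC"), ("AS-US-IX", "AS-US-ISP"),
    ("AS-TRANSIT-US", "AS-TRANSIT-EU"), ("AS-TRANSIT-EU", "AS-EU-IX"),
    ("AS-EU-IX", "AS-CDN-FRA"), ("AS-EU-IX", "AS-EU-ISP"),
]
# The CDN originates the same anycast prefix from each PoP's AS.
ANYCAST_ORIGINS = {"AS-CDN-SYD": "syd", "AS-CDN-FRA": "fra", "AS-CDN-SJC": "sjc"}


def build_graph(links):
    """Adjacency sets for the undirected peering graph."""
    graph = {}
    for a, b in links:
        graph.setdefault(a, set()).add(b)
        graph.setdefault(b, set()).add(a)
    return graph


def propagate(graph, origins):
    """Model BGP propagation of one anycast prefix.

    Every AS keeps the announcement with the shortest AS path (hop count),
    so the result is {asn: (pop, hops)}. Ties go to the lexically lower PoP
    name, an assumption standing in for real routers' tie-break rules.
    """
    best = {}
    for origin, pop in sorted(origins.items(), key=lambda kv: kv[1]):
        dist = {origin: 0}
        queue = deque([origin])
        while queue:  # BFS: hop count from this PoP to every AS
            cur = queue.popleft()
            for nxt in graph[cur]:
                if nxt not in dist:
                    dist[nxt] = dist[cur] + 1
                    queue.append(nxt)
        for asn, hops in dist.items():
            if asn not in best or hops < best[asn][1]:
                best[asn] = (pop, hops)
    return best


ROUTES = propagate(build_graph(LINKS), ANYCAST_ORIGINS)


def pop_for(client_as):
    """Which PoP a client's packets reach: decided by the client's own network
    position, independent of whichever DNS resolver it happens to use."""
    return ROUTES[client_as]


def spread(source_ases):
    """Where packets from many networks land: each source is drawn to its
    nearest PoP, so a flood is shared across nodes rather than hitting one."""
    return Counter(ROUTES[asn][0] for asn in source_ases)


if __name__ == "__main__":
    for asn in ("AS-AU-ISP", "AS-EU-ISP", "AS-US-ISP", "AS-TRANSIT-US"):
        print(asn, "->", pop_for(asn))
    print(spread(["AS-AU-ISP", "AS-EU-ISP", "AS-US-ISP", "AS-AU-ISP"]))
```

Contrast with the Unicast model: here the Australian ISP's customers reach the Sydney PoP whatever resolver they are configured with, because the choice is made by the routers carrying their packets, not by a DNS answer. The same property is what gives the redundancy the section mentions: if one PoP withdraws its announcement, `propagate` would simply converge on the next-nearest one.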

Multi-Purpose CDNs – Reverse Proxy Services with Anycast

Due to their architecture and their role in the Internet ecosystem, CDNs are essentially reverse proxies. If we consider the network topology of a CDN platform, CDNs are positioned in front of the primary service the user is accessing. This positioning gives Anycast-based CDNs the ability to offer several solutions over and above their standard role as a website speed optimization service.

Multi-purpose CDNs utilize their global network to provide a variety of reverse proxy type services to their customers. As stated, if Anycast is the routing technique deployed, these CDNs can offer DDoS mitigation and High-Availability services in addition to their site optimization offering by implementing rate limiting technologies. Their positioning on the Internet also gives Anycast-based CDNs the ability to offer their customers a web application firewall service. With this offering customers can create rules granting or denying access to their websites based on user, region or service, helping them prevent data breaches and malware infections.
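The rate limiting and region-based access rules this paragraph attributes to a reverse-proxy CDN, as an added example that is not part of the original article or of any CDN's product: a per-client sliding-window limiter combined with a rule that restricts a path prefix to certain regions, run over a constructed request stream. The client addresses, the geo-IP lookup and the request timings are invented.

```python
from collections import Counter, defaultdict, deque

# Constructed geo-IP lookup; a real edge consults its own database.
REGION = {"203.0.113.5": "au", "198.51.100.7": "eu", "192.0.2.9": "us"}


class EdgePolicy:
    """Per-client sliding-window rate limit plus path/region access rules,
    evaluated at the reverse proxy before anything reaches the origin."""

    def __init__(self, limit, window_seconds, path_rules):
        self.limit = limit
        self.window = window_seconds
        self.path_rules = path_rules            # [(path_prefix, allowed_regions)]
        self.hits = defaultdict(deque)          # ip -> timestamps of accepted requests

    def decide(self, timestamp, ip, path):
        region = REGION.get(ip, "unknown")
        # Access rules first: a request the rules reject never reaches the limiter.
        for prefix, allowed in self.path_rules:
            if path.startswith(prefix) and region not in allowed:
                return "deny:rule"
        window = self.hits[ip]
        while window and timestamp - window[0] >= self.window:
            window.popleft()                    # drop hits older than the window
        if len(window) >= self.limit:
            return "deny:rate"
        window.append(timestamp)
        return "allow"


# Constructed request stream: (seconds, client ip, path). The AU client sends
# a burst that exceeds 5 requests per second.
REQUESTS = [
    (0.00, "203.0.113.5", "/"), (0.10, "203.0.113.5", "/admin"),
    (0.20, "198.51.100.7", "/"), (0.30, "192.0.2.9", "/admin"),
    (0.40, "203.0.113.5", "/"), (0.50, "203.0.113.5", "/"),
    (0.60, "203.0.113.5", "/"), (0.70, "203.0.113.5", "/"),
    (0.80, "203.0.113.5", "/"), (0.90, "203.0.113.5", "/"),
    (1.05, "203.0.113.5", "/"),
]


def run(requests, limit=5, window_seconds=1.0):
    """Apply a policy allowing /admin only from 'us' and 5 requests/second per client."""
    policy = EdgePolicy(limit, window_seconds, [("/admin", {"us"})])
    return [policy.decide(*req) for req in requests]


def summarize(decisions):
    return Counter(decisions)


if __name__ == "__main__":
    decisions = run(REQUESTS)
    for req, verdict in zip(REQUESTS, decisions):
        print(req, verdict)
    print(summarize(decisions))
```

Two design points worth noting: rule-denied requests are not counted against the client's rate budget, so a single denial cannot starve an otherwise well-behaved client, and the window is keyed on the client address the edge actually sees, which is only meaningful because, as the previous section explains, an Anycast edge is dealing with the client's own packets rather than a resolver's.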

Some multi-purpose CDNs also offer ancillary security services such as the ability to set encryption technologies such as SSL on the CDN front end. As encryption is essential in today’s online world and sites configured with HTTPS rank higher on search engines like Google, this offering provides both a cost-effective and straightforward way for websites to encrypt their traffic. It is, however, important to note that this solution does not provide end-to-end encryption unless an SSL certificate is also configured on the originating web server. If no SSL certificate is present on the primary service, traffic between the origin server and the CDN is unencrypted, while users still receive encrypted traffic because they never access the primary service directly.

CDNs can provide a wide range of services due to their location within the Internet’s architecture. However, the services they offer are determined by which routing solution they implement. Anycast based CDNs can provide a wide variety of services due to their single IP address architecture, but these multi-purpose CDNs possess some limitations. As all content, both static and dynamic, needs to be routed through the CDN so that the security services they offer can protect the entire website, sites load slower than they do with a conventional CDN and there is a limitation on the caching mechanism available to their customers.

Selecting the Right CDN

When selecting a CDN service, it is essential for customers to understand which routing technology the CDN is utilizing. Multi-purpose CDNs have the ability to provide a range of offerings, but these can impact site load times. Anycast-based CDNs offer better performance than their Unicast counterparts, but the improved speed detrimentally affects your ability to manage the placement of users. If you need full control, then a Unicast-based CDN is your best option.