
Subject: Re: Recommended DNS server for a medium 20-30k users isp
Date: Fri, Aug 08, 2025 at 10:09:04AM -0700

Quoting William Herrin via NANOG (nanog@lists.nanog.org):
> On Fri, Aug 8, 2025 at 9:42 AM Josh Luthman <josh@imaginenetworksllc.com> wrote:
>> I do Anycast for much much smaller. It's great to reboot one server and have the other take all of the load. 0 customer interruption, not even a single DNS query lost.
>
> Hi Josh,
>
> You don't need anycast routing to do that, or more precisely you don't need the route to persist in an anycast state for more than a few seconds during the handoff. You can implement dynamic but still unicast routing to the DNS servers without incurring the wrath of the anycast gods.
The elephant in the room is cascading failures. Other than that, I'd not want to be without anycast for its service level record. I don't have to be up in the middle of the night to patch my resolvers. I can take the most loaded one out of service at any time by shutting down BGP, waiting a couple of seconds, and it will be completely drained of requests, and I can reboot. No customer or end user is going to notice.

Regarding TCP, yes, this is a potential issue. You can think about it and it will grow in your mind, or you can do some observations and conclude that unless you messed your routing up really badly (which is not DNS' fault but still on-topic here) the mean session length for a client-to-first-hop-resolver TCP session is going to be orders of magnitude shorter than the time between routing updates that make a certain router change its mind about which anycast node is the closest one.

Further, I'd make an educated guess and say that the recursion traffic going from resolver to auth server is much more likely to hit TCP. And that is unicast all the way.

Also, EDNS0. We usually have ~1200 bytes to play with. Not 512. YMMV.

-- 
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE SA0XLR +46 705 989668
YOW!! Everybody out of the GENETIC POOL!
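The EDNS0 point in the reply above (a client that advertises a ~1200-byte UDP buffer instead of the RFC 1035 default of 512 needs far fewer TC-bit retries over TCP, which is what makes the anycast/TCP worry small in practice) can be made concrete on the wire. The following is an added example, not code from the thread or from any poster: it builds a query with and without an RFC 6891 OPT pseudo-RR, parses the advertised payload size back out the way a server would, and applies the server's truncation decision to a constructed (not measured) set of response sizes. The 1232-byte buffer is an assumption standing in for the post's "~1200"; the sample sizes are invented to show the effect.

```python
import struct

# RFC 1035: a DNS-over-UDP message without EDNS0 is limited to 512 bytes.
DNS_DEFAULT_UDP_SIZE = 512
# Assumption: stands in for the "~1200 bytes" in the post; 1232 is a common choice.
EDNS0_BUFSIZE = 1232
OPT_TYPE = 41  # RFC 6891 OPT pseudo-RR type


def encode_name(name):
    """Wire-format a domain name as length-prefixed labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qname, qtype=1, txid=0x1234, edns_bufsize=None):
    """Build a recursive (RD=1) query; with edns_bufsize, append an EDNS0 OPT RR."""
    arcount = 1 if edns_bufsize else 0
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, arcount)
    msg = header + encode_name(qname) + struct.pack(">HH", qtype, 1)  # QCLASS=IN
    if edns_bufsize:
        # OPT: root name, TYPE=41, CLASS carries the UDP payload size,
        # TTL carries ext-RCODE/version/flags (all zero here), RDLEN=0.
        msg += b"\x00" + struct.pack(">HHIH", OPT_TYPE, edns_bufsize, 0, 0)
    return msg


def _skip_name(msg, off):
    """Return the offset just past a wire-format name (handles compression pointers)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def advertised_udp_size(msg):
    """Largest UDP reply the sender accepts: the OPT payload size if present, else 512."""
    _, _, qd, an, ns, ar = struct.unpack(">HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, rclass, _, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == OPT_TYPE:
            # RFC 6891 section 6.2.5: values below 512 are treated as 512.
            return max(rclass, DNS_DEFAULT_UDP_SIZE)
    return DNS_DEFAULT_UDP_SIZE


def must_truncate(query, response_len):
    """Server side: set TC (and push the client to TCP) when the reply exceeds the budget."""
    return response_len > advertised_udp_size(query)


def tcp_fallback_count(query, response_sizes):
    """How many of these reply sizes would be truncated, i.e. retried over TCP."""
    return sum(1 for n in response_sizes if must_truncate(query, n))


# Constructed sample of reply sizes (not measured data): small A/AAAA answers
# plus a few DNSSEC-signed or large TXT answers.
SAMPLE_RESPONSE_SIZES = [60, 90, 140, 300, 480, 620, 850, 1100, 1300, 1700]

if __name__ == "__main__":
    plain = build_query("example.com")
    edns = build_query("example.com", edns_bufsize=EDNS0_BUFSIZE)
    print("UDP budget without EDNS0:", advertised_udp_size(plain))
    print("UDP budget with EDNS0:   ", advertised_udp_size(edns))
    print("TCP fallbacks without EDNS0:", tcp_fallback_count(plain, SAMPLE_RESPONSE_SIZES))
    print("TCP fallbacks with EDNS0:   ", tcp_fallback_count(edns, SAMPLE_RESPONSE_SIZES))
```

On the constructed sample, five of the ten replies would force TCP at the 512-byte default but only two at 1232 bytes, which is the shape of the argument in the post: the stub-to-resolver leg rarely needs TCP at all, and when it does the session is over long before any route flap could move the client to another anycast node.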