Old but Gold: Prospecting TCP to Engineer and Real-time Monitor DNS Anycast (extended)
ISI Technical Report ISI-TR-739b, Update April 2021

semanticscholar(2021)

Abstract
DNS¹ latency is a concern for many service operators: CDNs exist to reduce service latency to end-users, but must rely on global DNS for reachability and load-balancing. Today, DNS latency is monitored by active probing from distributed platforms like RIPE Atlas or commercial services. While Atlas coverage is wide, its 10k sites see only a fraction of the Internet. In this paper we show that passive observation of TCP handshakes can measure live DNS latency, continuously, providing good coverage of current service clients. Estimating RTT from TCP is an old idea, but applying this approach to DNS has never been scrutinized like this before. We show that there is sufficient TCP DNS traffic today to provide good operational coverage (particularly of IPv6), and very good temporal coverage (better than existing approaches), enabling near-real-time evaluation of DNS latency. We also show that DNS servers can optionally solicit TCP to broaden coverage. We quantify coverage and show that estimates of DNS latency from TCP are consistent with UDP latency. Our approach finds previously unknown, real problems: DNS polarization is a new problem where a hypergiant sends global traffic to one anycast site rather than taking advantage of the global anycast deployment. Correcting polarization in Google DNS cut its latency from 100ms to 10ms; correcting polarization from Microsoft cut Azure latency from 90ms to 20ms. Finally, real-time use of our approach for a European country-level domain has helped detect and correct a BGP routing misconfiguration that detoured European traffic to Australia. We incorporated our approach into ENTRADA, our open source data warehouse for DNS. We release our monitoring tool (Anteater), which has been operational for the last 2 years on this country-level top-level domain.

¹ This report is an updated version of the June 2020 report. In this version, we extend §2.2 by using far larger datasets to compare DNS/UDP and DNS/TCP round-trip times. This new version also includes Appendix G, which includes screenshots of Anteater, our monitoring tool. Moreover, it updates Anteater and releases it freely. It also includes our changes to Knot DNS to solicit TCP queries from clients to increase coverage, and it adds TCP RTT support to dnsanon v1.12. Finally, it clarifies the relationship between our work and prior work at .cz [28, 29].
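The passive measurement the abstract describes, sketched as an added example (not code from the report, ENTRADA, or Anteater). It assumes a server-side capture and takes the RTT as the gap between the server's SYN-ACK and the client's handshake-completing ACK; the record layout, site labels, and addresses are constructed for illustration.

```python
from collections import defaultdict
from statistics import median

SYN, ACK = 0x02, 0x10

# Constructed capture at the DNS server side:
# (time_us, site, src, sport, dst, dport, tcp_flags, seq, ack)
SRV = "192.0.2.53"
PACKETS = [
    (0,       "ams", "198.51.100.7", 40001, SRV, 53, SYN,       1000, 0),
    (100,     "ams", SRV, 53, "198.51.100.7", 40001, SYN | ACK, 5000, 1001),
    (12100,   "ams", "198.51.100.7", 40001, SRV, 53, ACK,       1001, 5001),
    (1000000, "ams", SRV, 53, "198.51.100.9", 40002, SYN | ACK, 7000, 2001),
    (1020000, "ams", "198.51.100.9", 40002, SRV, 53, ACK,       2001, 7001),
    (2000000, "syd", SRV, 53, "203.0.113.5", 50000, SYN | ACK,  9000, 3001),
    (2280000, "syd", "203.0.113.5", 50000, SRV, 53, ACK,        3001, 9001),
    # Retransmitted SYN-ACK: which copy the ACK answers is unknown, so skip it.
    (3000000, "syd", SRV, 53, "203.0.113.6", 50001, SYN | ACK,  100, 4001),
    (4000000, "syd", SRV, 53, "203.0.113.6", 50001, SYN | ACK,  100, 4001),
    (4150000, "syd", "203.0.113.6", 50001, SRV, 53, ACK,        4001, 101),
]

def handshake_rtts(packets, server_port=53):
    """Return [(site, client_ip, rtt_ms)] for each unambiguous handshake."""
    pending = {}  # (client, client_port, server) -> (t_synack, expected_ack) or None
    out = []
    for t, site, src, sport, dst, dport, flags, seq, ack in sorted(packets):
        if sport == server_port and (flags & (SYN | ACK)) == (SYN | ACK):
            key = (dst, dport, src)
            # A second SYN-ACK for the same flow marks the sample ambiguous.
            pending[key] = None if key in pending else (t, (seq + 1) & 0xFFFFFFFF)
        elif dport == server_port and flags & ACK and not flags & SYN:
            key = (src, sport, dst)
            if key not in pending:
                continue  # later data/ACK segments of an already-measured flow
            entry = pending[key]
            if entry is None or ack == entry[1]:
                del pending[key]
                if entry:
                    out.append((site, src, (t - entry[0]) / 1000))
    return out

def median_rtt_by_site(packets):
    """Median handshake RTT in ms per anycast site label."""
    by_site = defaultdict(list)
    for site, _client, rtt in handshake_rtts(packets):
        by_site[site].append(rtt)
    return {site: median(v) for site, v in by_site.items()}
```

A site whose median sits far above its peers for the same client population is the kind of signal the abstract associates with polarization or a routing detour.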