BIND Per-Domain Forwarding (For iTunes / Akamai Speed Issues)

The use of public DNS servers, such as Google DNS or OpenDNS, can provide increased security and reliability.  They can also work around the DNS hijacking employed by many ISPs (often to serve ads).  OpenDNS does itself intercept some queries by default (for typo correction), but this can be disabled in its “Advanced Settings” pane.

One potential downside to these services is that CDNs (such as Akamai) often use the origin of the DNS query to pick the best site from which to serve content.  Using a public DNS service can therefore cause slower than expected content delivery, because the CDN sees the resolver’s location rather than yours and misidentifies the origin of your traffic.  Apple uses Akamai to distribute iTunes / App Store content, so this can easily slow iTunes downloads or the viewing of content via Apple TVs.

If you are running your own BIND DNS server you can continue to make use of the public DNS service while redirecting Akamai queries to your ISP’s DNS servers.  This allows you to continue to reap the benefits of the public DNS system while still allowing Akamai to properly direct your requests to the correct servers for your location / connection.

To do this you must first identify your ISP’s DNS server IP address(es) [a.b.c.d and a.b.c.f in this example]. Then, in /etc/bind/named.conf.local (on Debian systems; the location may vary on others) add a new forward zone entry for akamai.net:

zone "akamai.net" {
  type forward;
  forward first;
  forwarders {
    a.b.c.d;
    a.b.c.f;
  };
};

After that just restart BIND to make the changes take effect.  The use of “forward first;” tells BIND to try the listed forwarders for any name under akamai.net and, if they fail to answer, fall back to resolving the name itself.


Seeing the Difference

The effects of this can be easily seen using dig (and optionally traceroute).

Querying a1.phobos.apple.com using Google DNS (8.8.8.8)

host:~ user$ dig @8.8.8.8 a1.phobos.apple.com
; <<>> DiG 9.8.3-P1 <<>> @8.8.8.8 a1.phobos.apple.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19856
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;a1.phobos.apple.com. IN A
;; ANSWER SECTION:
a1.phobos.apple.com. 21596 IN CNAME a1.phobos-apple.com.akadns.net.
a1.phobos-apple.com.akadns.net. 117 IN CNAME a1.phobos.apple.com.edgesuite.net.
a1.phobos.apple.com.edgesuite.net. 21597 IN CNAME a1.da1.akamai.net.
a1.da1.akamai.net. 17 IN A 23.62.236.152
a1.da1.akamai.net. 17 IN A 23.62.236.179
;; Query time: 76 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Tue Mar 19 19:37:52 2013
;; MSG SIZE rcvd: 185

Querying a1.phobos.apple.com using OpenDNS (208.67.222.222)

host:~ user$ dig @208.67.222.222 a1.phobos.apple.com
; <<>> DiG 9.8.3-P1 <<>> @208.67.222.222 a1.phobos.apple.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5923
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;a1.phobos.apple.com. IN A
;; ANSWER SECTION:
a1.phobos.apple.com. 63240 IN CNAME a1.phobos-apple.com.akadns.net.
a1.phobos-apple.com.akadns.net. 115 IN CNAME a1.phobos.apple.com.edgesuite.net.
a1.phobos.apple.com.edgesuite.net. 4007 IN CNAME a1.da1.akamai.net.
a1.da1.akamai.net. 8 IN A 23.67.253.168
a1.da1.akamai.net. 8 IN A 23.67.253.171
;; Query time: 34 msec
;; SERVER: 208.67.222.222#53(208.67.222.222)
;; WHEN: Tue Mar 19 19:39:23 2013
;; MSG SIZE rcvd: 185

Traceroute

Use your ISP’s DNS IP in the dig command above, then run traceroute against each returned address (23.62.236.152, 23.67.253.168, and the address returned via your ISP’s DNS) to see the difference in hop count and ping time.

On my home connection a traceroute to a1.phobos.apple.com using the Google DNS result had 12 hops and a ping of 75ms; using OpenDNS gave 22 hops with a ping of 130ms.  Using the IP returned through my ISP’s DNS resulted in 6 hops with a ping of 32ms.
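The comparison above is done by eye across several dig transcripts. The script below is an added example (not from the original post) that automates it: it parses dig output, follows the CNAME chain from the queried name to the final owner name, collects that name's A records and the query time, and checks whether the final name falls under the zone the forward stanza covers. The two transcripts embedded as input are the Google DNS and OpenDNS answers shown above, trimmed to the lines the parser reads; the function names, the dict layout and the `answers_differ` helper are this example's own choices.

```python
"""Compare how different resolvers answer the same CDN-backed name.

Parses `dig` output, follows the CNAME chain to the final name, and reports
the A records and query time per resolver.  Added example; not from the post.
"""
import re
from typing import Dict, List

# Constructed sample input: the two dig transcripts from the post, trimmed to
# the question/answer sections and the trailer lines this parser reads.
DIG_GOOGLE = """\
;; QUESTION SECTION:
;a1.phobos.apple.com. IN A
;; ANSWER SECTION:
a1.phobos.apple.com. 21596 IN CNAME a1.phobos-apple.com.akadns.net.
a1.phobos-apple.com.akadns.net. 117 IN CNAME a1.phobos.apple.com.edgesuite.net.
a1.phobos.apple.com.edgesuite.net. 21597 IN CNAME a1.da1.akamai.net.
a1.da1.akamai.net. 17 IN A 23.62.236.152
a1.da1.akamai.net. 17 IN A 23.62.236.179
;; Query time: 76 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
"""

DIG_OPENDNS = """\
;; QUESTION SECTION:
;a1.phobos.apple.com. IN A
;; ANSWER SECTION:
a1.phobos.apple.com. 63240 IN CNAME a1.phobos-apple.com.akadns.net.
a1.phobos-apple.com.akadns.net. 115 IN CNAME a1.phobos.apple.com.edgesuite.net.
a1.phobos.apple.com.edgesuite.net. 4007 IN CNAME a1.da1.akamai.net.
a1.da1.akamai.net. 8 IN A 23.67.253.168
a1.da1.akamai.net. 8 IN A 23.67.253.171
;; Query time: 34 msec
;; SERVER: 208.67.222.222#53(208.67.222.222)
"""

# One resource record line: owner, TTL, class IN, type A or CNAME, rdata.
RR = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(A|CNAME)\s+(\S+)$")
QUESTION = re.compile(r"^;(\S+)\s+IN\s+A$")
QUERY_TIME = re.compile(r"^;; Query time: (\d+) msec")
SERVER = re.compile(r"^;; SERVER: (\S+)#")


def parse_dig(text: str) -> dict:
    """Extract the question name, CNAME map, A records, server and query time."""
    parsed = {"qname": None, "server": None, "query_ms": None,
              "cnames": {}, "a": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if m := QUESTION.match(line):
            parsed["qname"] = m.group(1)
        elif m := RR.match(line):
            owner, _ttl, rtype, rdata = m.groups()
            if rtype == "CNAME":
                parsed["cnames"][owner] = rdata
            else:
                parsed["a"].setdefault(owner, []).append(rdata)
        elif m := QUERY_TIME.match(line):
            parsed["query_ms"] = int(m.group(1))
        elif m := SERVER.match(line):
            parsed["server"] = m.group(1)
    return parsed


def final_name(parsed: dict) -> str:
    """Follow the CNAME chain from the question name; stop on a loop."""
    name, seen = parsed["qname"], set()
    while name in parsed["cnames"] and name not in seen:
        seen.add(name)
        name = parsed["cnames"][name]
    return name


def final_ips(parsed: dict) -> List[str]:
    """A records attached to the last name in the CNAME chain, sorted."""
    return sorted(parsed["a"].get(final_name(parsed), []))


def in_zone(name: str, zone: str) -> bool:
    """True if `name` is `zone` or lies beneath it (trailing dots ignored)."""
    n, z = name.rstrip(".").lower(), zone.rstrip(".").lower()
    return n == z or n.endswith("." + z)


def summarize(results: Dict[str, dict], forward_zone: str = "akamai.net") -> dict:
    """Per-resolver view: server, latency, final name, IPs, and whether a
    forward zone for `forward_zone` would capture the final lookup."""
    return {label: {"server": p["server"], "query_ms": p["query_ms"],
                    "final_name": final_name(p), "ips": final_ips(p),
                    "forwarded_by_zone": in_zone(final_name(p), forward_zone)}
            for label, p in results.items()}


def answers_differ(results: Dict[str, dict]) -> bool:
    """True when at least two resolvers return different final A record sets."""
    return len({tuple(final_ips(p)) for p in results.values()}) > 1


if __name__ == "__main__":
    inputs = {"google": parse_dig(DIG_GOOGLE), "opendns": parse_dig(DIG_OPENDNS)}
    for label, row in summarize(inputs).items():
        print(f"{label:8} {row['server']:16} {row['query_ms']:>4} ms "
              f"{row['final_name']} -> {', '.join(row['ips'])} "
              f"(under akamai.net: {row['forwarded_by_zone']})")
    print("answers differ:", answers_differ(inputs))
```

Feed it a third transcript captured with your ISP's resolver (or your BIND server after the forward zone is in place) to confirm the final A records change while the CNAME chain does not. The `in_zone` check is the reason a single forward zone for akamai.net is enough: the query is for an apple.com name, but the address lookup that the CDN steers is for a name under akamai.net.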
