• Welcome to Hurricane Electric's IPv6 Tunnel Broker Forums.

Anycasted DNS Resolver

Started by Tanner Ryan, November 17, 2014, 04:17:04 PM


Tanner Ryan

I use HE's DNS resolver to great performance, but I have a few questions.

1) Can people hijack domains on the resolvers and 2001:470:20::2 via dns.he.net?

2) If I use the DNS resolvers and 2001:470:20::2 it goes out of my ISP's network, through the Hurricane Electric port at Toronto Internet Exchange, goes to Chicago where my DNS requests are processed. If I type in Toronto in my DNS server section ( and 2001:470:0:c0::2) my DNS requests go out of my ISP's network, through the HE port at Toronto Internet Exchange and get processed from tor1.he.net. Even though the requests enter Hurricane Electric's network at the same place (TORIX), why do the anycasted addresses route through tor1 rather than chi1?

Also, do the addresses and 2001:470:0:c0::2 still cache like Chicago?


1) Resolvers operate independently of dns.he.net.  There's no special preference in queries for dns.he.net versus anyone else.  These are plain ol' "go to the roots first for unknowns not in cache" resolvers.

2) Could be your provider has some preference for the Chicago instance of that route, or load-balances that way.

3) Anycast addresses will have unicast instance IPs.  While you can also hit the unicast IP, it's not recommended as then you lose the utility of the anycast one.

Tanner Ryan

Thank you for the quick supply and support. I will switch to the anycasted servers instead of the direct tor1 servers.