Anycasted DNS Resolver

[Tanner Ryan]

I use HE'S DNS resolver to great performance but I have a few questions.

1) Can people hijack domains on the resolvers 74.82.42.42 and 2001:470:20::2 via dns.he.net?

2) If I use the DNS resolvers 74.82.42.42 and 2001:470:20::2 it goes out of my ISP's network, through the Hurricane Electric port at Toronto Internet Exchange, goes to Chicago where my DNS requests are processed. If I type in Toronto in my dns server section (216.66.38.58 and 2001:470:0:c0::2) my DNS requests goes out of my ISP'S network, through the HE port at Toronto Internet Exchange and gets processes from tor1.he.net.  Even though the requests enter Hurricane electrics network at the same place (TORIX) why does the anycasted addresses route through tor1 than chi1?

Also does the addresses 216.66.38.58 and 2001:470:0:c0::2 still cache like Chicago?

[kcochran]

1) Resolvers operate independently of dns.he.net.  There's no special preference in queries for dns.he.net versus anyone else.  These are plain 'ol "go to the roots first for unknowns not in cache" resolvers.

2) Could be your provider has some preference for the Chicago instance of that route, or load-balances that way.

3) Anycast addresses will have unicast instance IPs.  While you can also hit the unicast IP, it's not recommended as then you lose the utility of the anycast one.

[Tanner Ryan]

Thank you for the quick supply and support. I will switch to the anycasted servers instead of the direct tor1 servers.