Expanding AuthDNS - Impact of Adding a New Node in the Philippines

Introduction

Next to the K root-server, the RIPE NCC operates an authoritative name server for a number of important zones, including reverse DNS for IP address space managed by the RIPE NCC. Like K-root, this name server is anycasted. We have various nodes across the globe that all listen to and reply from the same address, and the route to this address is announced from all these locations. These route announcements propagate through the global Iinternet via the BGP routing protocol. Next, it is up to the route selection process of individual providers to choose which of the route(s) to AuthDNS available to them will be used to resolve DNS queries.

In a previous RIPE labs article, we discussed the architecture of the anycast service and what motivated us to apply the model of core nodes managed by the RIPE NCC supplemented with nodes hosted by providers or at exchange points. In summary, our decision comes down to the fact that this approach:

1. Distributes the load caused by the steadily increasing number of queries - this keeps growth of bandwidth and infrastructure needs at the core at a manageable level
2. Improves resiliency - in that disruptions in global connectivity have less impact on providers who have a route to a local instance
3. Reduces the impact of DDOS attacks

Over the past few years, the AuthDNS cluster has expanded to 36 nodes at 28 locations, four of which host core nodes (twelve in total). Last December we published results from a first analysis, where we used RIPE Atlas to learn which nodes were reached in some specific regions. Now we take a deeper dive and  look at what impact the latest addition of a node in the Philippines, hosted at Maharlika IX, receiving transit from DoubleSquare Networks, had on the AuthDNS ecosystem. Both to DNS clients in the country and on the cluster as a whole. For this analysis we used data captured at each respective AuthDNS node.

Who is using the new node?

Soon after activation our routine statistics showed the new node received an average of 6,000 queries per second. That put the node in the top three of most queried AuthDNS nodes hosted at IXPs, and the top 15 of all AuthDNS nodes. Of the first questions that came to mind, we started by asking which organisations found their way to this new instance, and from which countries were the queries originating.

To answer these questions, we turned to the usage data collected at each AuthDNS node and annotated the ‘per source IP address’ (v4 or v6) totals for 1 July 2025 with some additional parameters:

• The AS number seen announcing the address block containing the source IP, based on BGP tables collected by RIPE NCC’s RIS project
• The name or service that the AS is generally known by
• The country code where the organisation holding the AS number is incorporated
• The country code where, according to the IPinfo Lite dataset, the IP address is used

For organisations that primarily offer services in one country, the two country codes are usually identical. However, for companies that operate internationally, the country code of the (legal) home base only provides the correct location for a subset of the resources. This especially applies to organisations like Google, Amazon, Cloudflare, etc. who are present in many data centres spread all across the world.

Figure 2 shows the distribution of queries made to the new node aggregated by organisation. The vast majority, 96.5%, originate in networks announced by Google’s AS15169.  Although Google is incorporated in the USA, these queries all originate from the broader East/South East Asia region, as we will see later. They are therefore well in scope, not a sign of hosts in the USA sending AuthDNS queries across the Pacific Ocean to get answers from the Philippine node.

Following Google at a distance, we find Cloudflare (1.0%) and Taiwan’s Homeplus (0.7%) as second and third largest contributors. Given that we also have an AuthDNS node in Taipei, installed at STUIX, Homeplus’s usage of the instance in Manilla may seem odd at first glance. However, with anycast it all comes down to how routes propagate in BGP.  Homeplus may not have a route to the instance in Taipei or for some reason BGP path selection opted for a route to the Philippines instead. Then, at fourth place comes Converge - the first Philippines based operator  - with 0.3% of all queries.

Turning to the geolocaton based on source IP addresses, figure 3a shows how most queries to the new AuthDNS node originate, respectively, from Hong Kong, Singapore, and Taiwan. With the knowledge that 96.5% of queries originate in Google, we can conclude the corresponding sources are predominantly located in South East Asia.

For the 3.5% of queries made by other organisations (figure 3b), clients in the Philippines account for almost half (1.7% of total), followed by Taiwan, Japan, Singapore, and Thailand.  After these, we find Saudi Arabia as the first country well outside the region to have queries answered from AuthDNS in the Philippines. However, with just 0.06% of the total, this usage is marginal. By and large the new node serves clients in the East and South East Asia regions.

Changes for Philippine clients

The observation that 48% of the non-Google queries originate from the Philippines, from multiple organisations, gives us good reason to think that the BGP route to the new instance finds its way around. However, this statistic is only part of the story. Equally interesting is the question of how many queries from the Philippine based DNS clients continue to reach AuthDNS nodes in other countries. We therefore looked at data from the full set of 36 AuthDNS nodes and counted how many queries on each node had source IP addresses located in the Philippines, both before the node was activated (1 June) and after (1 July). Figure 4 and 5 shows the results.

The roughly 50% increase in total volume of queries from the Philippines makes exact comparisons difficult. But the general trend is clear: millions of queries that used to be answered by AuthDNS nodes in Tokyo, Japan and Manama, Bahrain are now answered by the node at Maharlika IX, in Makati City. 

Nevertheless, on 1 July, the nodes in Tokyo, Amsterdam, London, and Paris together still answered 47% of all Philippine queries. Analysing the data, we see three operators together account for the bulk of this. As they do not peer at Maharlika IX, and also do not seem to pick up the transit route announced by DoubleSquare Networks, they continue to reach out to other AuthDNS nodes. 

For a  complimentary view of changes to Philippine based hosts we looked at results of an active measurement set up with RIPE Atlas. It queried AuthDNS from probes in the country and returned the IDs of the nodes that answered. Although the number of vantage points is orders of magnitude smaller than the number of unique source IPs detected in each node’s query data, geolocation of probes is more precise; meaning we can be sure all are located in the Philippines. In addition, RIPE Atlas provides insights into response times, which helps assess efficiency of the choices. 

Figure 6 shows how the choice of AuthDNS location recorded by 50 RIPE Atlas probes changed during the months of May and June 2025. The picture is similar to what we found earlier. The new instance in the Philippines caused local clients to shift away from the node in Bahrain. We also see how some probes reverted to querying Paris towards the end of June, after using other AuthDNS instances in the weeks before.

The corresponding response times - which, it should be noted, are largely taken up by the time it takes packets to travel to and from the DNS server - are shown in figure 7. For each probe we plot the median value of all measurements made during the day and colour the points by the AuthDNS location reached. For reference, we also add trend lines (averages) for all measurements reaching the same location.

It’s clear to see how the instance at Maharlika IX in Makati City is fastest to answer the queries. With no detours abroad, packets travel over much shorter distances. This also shows how, from a latency perspective, the locations in Europe and Bahrain are suboptimal choices, with response times between 200 and 400ms.

Changes observed in AuthDNS system

The last question we were interested in was what impact the new node had on the distribution of queries across the AuthDNS cluster as a whole. As we found earlier, over 725 million queries were answered from the Philippines on 1 July 2025. Which AuthDNS location did the DNS clients go to before that node was activated? Answering this question is not as straightforward as it may seem. The number of queries is always subject to change; on an organisation basis as well as per client (IP address). Moreover, due to the dynamic nature of routing protocols, a single client may end up querying more than one AuthDNS on the same day. Both factors make it hard to quantify exactly how many queries moved between AuthDNS nodes after activation of the new node in the Philippines. We can, however, still get a general idea by applying following heuristics:

 For each AuthDNS instance:

• count the number of queries seen on 1 June 2025 and 1 July 2025 made from IP
  addresses which now use the instance in the Philippines;
• interpret the difference as  the number of queries that switched to the new node;
• interpret all queries still seen on 1 July as queries that continue to reach the old node.

Aggregating these, we get two data points for each AuthDNS instance: total queries that moved to the instance in the Philippines and total queries that continued to use the old instance.

The Sankey diagram in figure 8 visualises the overall results. We can see how most of the DNS clients that reached out to the Philippines on 1 July, queried the Tokyo instance a month earlier. However, these clients also made a substantial number of queries to Tokyo and other instances on the very same day. As said before, the reason for this lies in the dynamics of Internet routing. Whether it was fluctuations in BGP or factors internal to the clients' networks, packets were directed to different AuthDNS locations during the day. 

For the nodes in Manama, Taipei and Lisbon, the diagram shows clients whose IP addresses were seen at the new node in Makati City, predominantly continued to query the old node. In comparison to the total, only a small amount of queries moved. This isn't necessarily bad though. For several networks we checked, we actually found it to be a good choice. From the perspective of these networks the Philippines is more distant, thus a full switch to the new node would significantly increase latencies for all queries.

Conclusion

The new node at Maharlika IX is doing well in serving the larger South East Asia region (Hong Kong, Singapore, Taiwan, Philippines). It also took over part of the load of the core AuthDNS nodes in Tokyo.  And while Google  accounts for the vast majority of queries, the remaining traffic shows the new node plays a major role in answering queries which originate in the Philippines themselves; it thus helps to keep those queries local with low response times.