What is Virtual DNS and how does it work?

What is Virtual DNS?

Virtual DNS is a DNS proxy that increases performance, security and global distribution for DNS providers, registrars, and enterprises that maintain their own DNS infrastructure.

By proxying requests to the origin nameservers, Virtual DNS provides DDoS mitigation, high availability, reliability, global distribution and caching, while still giving an organization total control over their DNS.

How does Virtual DNS work?

Virtual DNS takes the same approach to proxying DNS requests and protecting DNS servers as CloudFlare takes for proxying web requests and protecting web servers. It is used by DNS hosting providers and registrars, as well as enterprises that choose to run their own DNS infrastructure but want to deploy an additional layer of security. Virtual DNS protects upstream nameservers from DDoS attack and reduces load on the upstream nameservers by caching DNS responses in all of CloudFlare’s 100+ global points of presence.

Virtual DNS leverages Cloudflare’s global DNS and proxying infrastructure to provide performance and security services for a DNS provider's nameservers. DNS queries destined for the provider's nameservers will first be sent to the nearest Cloudflare point-of-presence to the website visitor. If the proper DNS response is available in Cloudflare's cache, Cloudflare will return the response to the visitor. If the DNS response is not available in cache, Cloudflare will query the provider's nameservers in the background to fetch the DNS response and send it back to the visitor. Simultaneously, that response will be temporarily cached on Cloudflare to be automatically returned when the next query for that record comes along. Malicious requests to the nameservers can be identified and blocked at Cloudflare before those requests ever make it to the provider's nameservers.

How does Virtual DNS choose which backend nameserver to upstream queries to?

Virtual DNS round-robins between the customer's nameservers, but includes an algorithm that makes it most likely to choose the server that is fastest as measured from that metal (the Cloudflare server handling the query) and least likely to choose the slowest server as measured from that metal.

How long does Virtual DNS cache stale objects for?

It depends on the cache invalidation rate: how quickly new items are being added to the cache, pushing out old ones. We have a fixed amount of memory allocated for the DNS cache, and we do not forcibly evict anything from it, even when the TTL expires, so there is a good chance that we still hold some records in cache even if they are no longer fresh.

Virtual DNS will serve stale objects from cache if the origin nameservers are offline.

Does Virtual DNS cache SERVFAIL?

No. If the customer's nameserver responds with a SERVFAIL, Virtual DNS will try the origin again on the next request.

Does Virtual DNS support EDNS-Client-Subnet?

Yes. DNS providers often want to see a client's IP via EDNS-Client-Subnet because they serve geographically specific DNS answers based on the client's IP. With EDNS-Client-Subnet enabled, Virtual DNS will send the client's IP subnet along with the DNS query to the origin nameserver. Note that Virtual DNS does not set the EDNS header itself; it only forwards the EDNS data it receives.

When EDNS is enabled, Virtual DNS gives out the geographically correct answer from cache based on the client IP subnet. To do this, Virtual DNS segments its cache. For example, when a resolver says it is looking for an answer on behalf of a client in a given subnet, Virtual DNS will proxy the query to the origin and the origin returns the answer. Virtual DNS will cache that answer only for that /24, so when a resolver asks on behalf of a client in a different /24, it will go to the origin again. Note that this limits the effectiveness of the cache.

To enable EDNS, the customer needs to enable EDNS at their origin DNS servers. If Virtual DNS sees a query with EDNS-Client-Subnet set and knows the origin supports it, Virtual DNS will let it through.

How does Virtual DNS know if the origin supports it? Once an hour, Virtual DNS lets EDNS-Client-Subnet through to see if the origins support it.

To disable EDNS-Client-Subnet, you need to disable EDNS-Client-Subnet at your origin DNS servers. Virtual DNS will detect this.
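As an added illustration (not Cloudflare's code), the following Python model captures the caching rules described above in the stale-object, SERVFAIL and EDNS-Client-Subnet answers: the cache is segmented per client /24 when ECS is enabled, expired entries are kept and served stale if the origin is offline, and SERVFAIL responses are never cached. The class, the `geo_origin` sample and all addresses are constructed assumptions.

```python
import ipaddress
import time
from dataclasses import dataclass


@dataclass
class CacheEntry:
    answer: str
    expires_at: float  # TTL expiry; the entry is kept (stale) past this point


class VirtualDnsCacheModel:
    """Toy model of the caching rules described in the FAQ (not Cloudflare's code)."""

    def __init__(self, origin, ecs_enabled=False, clock=time.time):
        self.origin = origin            # callable(qname, client_subnet) -> (rcode, answer, ttl)
        self.ecs_enabled = ecs_enabled  # True once the origin is known to support ECS
        self.clock = clock
        self.cache = {}
        self.origin_queries = 0

    def _key(self, qname, client_ip):
        # With ECS, segment the cache per client /24 so geo-specific answers are not mixed
        if self.ecs_enabled and client_ip:
            return (qname, str(ipaddress.ip_network(f"{client_ip}/24", strict=False)))
        return (qname, None)

    def resolve(self, qname, client_ip=None):
        key = self._key(qname, client_ip)
        now = self.clock()
        entry = self.cache.get(key)
        if entry and entry.expires_at > now:
            return "HIT", entry.answer
        # Miss or expired: go upstream, forwarding the client /24 only when ECS is on
        self.origin_queries += 1
        try:
            rcode, answer, ttl = self.origin(qname, key[1])
        except ConnectionError:
            # Origin offline: serve the stale entry if one is still held
            return ("STALE", entry.answer) if entry else ("SERVFAIL", None)
        if rcode == "SERVFAIL":
            return "SERVFAIL", None  # never cached; the next query retries the origin
        self.cache[key] = CacheEntry(answer, now + ttl)
        return "MISS", answer


def geo_origin(qname, subnet):
    """Constructed sample origin: returns a different A record for one client /24."""
    if subnet == "203.0.113.0/24":
        return "NOERROR", "198.51.100.2", 60
    return "NOERROR", "198.51.100.1", 60
```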

Who can use Virtual DNS?

Virtual DNS is useful for DNS providers, hosts, registrars, TLDs and enterprises that run their own DNS infrastructure.

How do I sign up for Virtual DNS?

Virtual DNS is an Enterprise product that is available for both existing Cloudflare customers and new customers interested in Virtual DNS.

Contact our sales team: +1 888 99 FLARE or let us know you are interested here: cloudflare.com/enterprise-service-request.
