How does the Cloudflare China Network DNS work?

Overview

  • What is China DNS?

Cloudflare can deploy DNS service in Mainland China to improve TTFB (time to first byte) performance.

  • What are NS options in China?

Currently, we have three China DNS settings: Default, the China_Only flag (DNS China Only), and in-China NS.

  • Why China DNS?

The DNS query will be resolved in Mainland China instead of global DNS servers. We’re seeing over 70% improvement when using China DNS. Here is our public facing blog: Upgrading the Cloudflare China Network: better performance and security through product innovation and partnership

  • Is China DNS required for China Network?

No.

Nameservers in China Introduction

General (Default setting)

  • Full Setup
    • Example NS servers: global Cloudflare anycast DNS server, e.g. name1.ns.cloudflare.com
    • Global eyeball: global anycast IP
    • China eyeball: China unicast IP
    • Performance concern: for both Full and Partial setup, the DNS query crosses the border from China to the global network (most likely reaching the US SJC or LAX colos), so there is some extra latency.
  • Partial Setup
    • Example NS servers: the zone is CNAMEd to zone.cdn.cloudflare.net, whose NS in turn is ns1.cloudflare.net, etc.
    • Global eyeball: same as above
    • China eyeball: same as above
    • Performance concern: same as above
  • How do we verify that China eyeballs are indeed resolved to China IPs?

    • If you can read Chinese, test using free websites such as boce.com, 17ce.com or itdog.cn; or
    • Since our DNS server supports ECS (EDNS Client Subnet), you can use the dig command with an ECS-capable DNS server (such as 8.8.8.8) to verify:
      • Simulate a China eyeball DNS query: dig +short +subnet=42.81.54.0/24 DomainName @8.8.8.8
      • Simulate a US eyeball DNS query: dig +short +subnet=4.2.2.0/24 DomainName @8.8.8.8
      • You can check which country the resulting IP belongs to with: curl -s "ipinfo.io/IP" | jq ".country"

China ONLY Flag (DNS China Only)

  • What is this China ONLY Flag?

    • The China ONLY Flag forces DNS to resolve to China IPs for all eyeballs, whether they are inside China or in the rest of the world.
    • It is a zone setting and works for all DNS types (Full or Partial).

  • Full Setup (China ONLY Flag enabled)
    • Example NS servers: no change
    • Global eyeball: China unicast IP
    • China eyeball: China unicast IP
    • Performance concern: no change, as this only affects how DNS resolves.
  • Partial Setup (China ONLY Flag enabled)
    • Example NS servers: no change
    • Global eyeball: same as above
    • China eyeball: same as above
    • Performance concern: same as above

  • Should I request to enable this option?
    • If the zone is using partial setup and wants to make sure DNS only resolves to China IPs, this is currently the only option.
    • If the zone is using full setup, then you should weigh the China In-Country DNS server option against this China ONLY Flag.

China In-Country DNS (In-China NS)

  • What does the in-Country DNS option mean?

    • China in-country DNS eliminates the cross-border path for DNS, thus improving DNS latency. Please note that at this moment only FULL setup zones can enable this option.
    • This works best when you are using *.cn domains.
    • Once enabled, Cloudflare will assign you 2 NS servers inside China. Please note that you need to work with your DNS provider to modify these NS records.

  • Full Setup (China In-Country DNS enabled)
    • Example NS servers: inside-China DNS servers ns*.dns.cf-ns.com, ns*.dns.cf-ns.net, ns*.dns.cf-ns.tech
    • Global eyeball: China unicast IP (this is by design)
    • China eyeball: China unicast IP
    • Performance concern: the goal of this option is to keep the DNS query and response entirely inside China, thus improving latency.
  • Partial Setup: cannot be enabled; this scenario is NOT supported.

  • Should I request to enable this option?

    • If the zone is dedicated to China eyeballs, or 90% or more of its total traffic comes from China, this option is recommended.
  • What is needed to enable in-Country DNS?

    • Cloudflare needs to be your authoritative DNS provider, meaning the zone has to be on FULL setup. Also it has to be on the Enterprise plan.
    • The zone must be active before in-China NS are assigned; otherwise NP will throw an error.
    • Meanwhile, since our DNS service is built upon JD Cloud’s infrastructure, the zone is required to go through the content vetting process and enable China Network before using China DNS.
  • What if I only have a CNAME setup? Can I still use the China in-Country DNS setup?

    • Unfortunately no. Using cdn.cloudflare.net for partial zones in China also introduces DNS resolution issues, because cloudflare.net is not resolved in mainland China.
  • Do I need to do anything for in-Country DNS setup?

    • You need to update the NS records at your domain registrar once you have received the assigned in-Country DNS pair.
  • How could we verify that I have correctly setup these in-Country NS servers?

    • Test that the zone resolves correctly.
    • Anyone can use dig NS +trace zonename to verify the NS setup. The NS records should ONLY show the in-China ones and not any Cloudflare Global NS.
  • Why does my domain matter?

    • Because of the recursive nature of DNS lookups and the fact that most TLD NS servers for .cn domains (a.dns.cn etc.) reside inside China.
  • Why does it work best with *.cn domains?

    • A DNS query for a *.cn domain will most likely stay inside China.
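As an added example (not part of the original article), the following Python checker automates the dig NS +trace verification above: it keeps only the NS records whose owner name is the zone itself and reports whether the published set is in-China-only, still contains global Cloudflare NS (mixed), or has no in-China NS at all. The trace output, the zone example.cn and all IP addresses in it are constructed sample data; the NS name patterns come from the formats given in this article.

```python
import re

# Patterns derived from the NS name formats in the article:
# in-China NS are ns*.dns.cf-ns.com / .net / .tech, global ones are *.ns.cloudflare.com
IN_CHINA_NS = re.compile(r"^[a-z0-9-]+\.dns\.cf-ns\.(com|net|tech)$")
GLOBAL_NS = re.compile(r"^[a-z0-9-]+\.ns\.cloudflare\.com$")

# Constructed sample of `dig NS +trace example.cn` output (placeholder zone, RFC 5737 IPs).
SAMPLE_TRACE = """\
; <<>> DiG 9.18.1 <<>> NS +trace example.cn
.                       518400  IN  NS  a.root-servers.net.
;; Received 811 bytes from 192.0.2.53#53(192.0.2.53) in 2 ms
cn.                     172800  IN  NS  a.dns.cn.
cn.                     172800  IN  NS  b.dns.cn.
;; Received 750 bytes from 192.0.2.1#53(a.root-servers.net) in 30 ms
example.cn.             86400   IN  NS  ns1.dns.cf-ns.com.
example.cn.             86400   IN  NS  ns2.dns.cf-ns.net.
;; Received 120 bytes from 198.51.100.1#53(a.dns.cn) in 45 ms
example.cn.             3600    IN  NS  ns1.dns.cf-ns.com.
example.cn.             3600    IN  NS  ns2.dns.cf-ns.net.
;; Received 100 bytes from 203.0.113.1#53(ns1.dns.cf-ns.com) in 12 ms
"""

def parse_zone_ns(trace_output: str, zone: str) -> list:
    """Collect the NS targets whose owner name is the zone itself.
    +trace also prints NS records for '.' and the TLD plus ';;' status lines;
    those are skipped so only the zone's own delegation/authoritative NS remain."""
    owner = zone.rstrip(".").lower() + "."
    found = set()
    for line in trace_output.splitlines():
        f = line.split()
        if len(f) >= 5 and f[0].lower() == owner and f[2] == "IN" and f[3] == "NS":
            found.add(f[4].rstrip(".").lower())
    return sorted(found)

def classify_ns(ns_names: list) -> str:
    """'in-china-only' is the expected result after the registrar change;
    'mixed' means a global or foreign NS is still published next to in-China ones."""
    if not ns_names:
        return "none"
    in_china = [n for n in ns_names if IN_CHINA_NS.match(n)]
    if len(in_china) == len(ns_names):
        return "in-china-only"
    if not in_china:
        return "global-only" if all(GLOBAL_NS.match(n) for n in ns_names) else "no-china-ns"
    return "mixed"

def check_trace(trace_output: str, zone: str) -> str:
    return classify_ns(parse_zone_ns(trace_output, zone))

if __name__ == "__main__":
    print(parse_zone_ns(SAMPLE_TRACE, "example.cn"), check_trace(SAMPLE_TRACE, "example.cn"))
```

To use it on a real zone, pipe the output of dig NS +trace zonename into parse_zone_ns; any verdict other than "in-china-only" means the registrar change is incomplete.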

FAQs

  • China Only Flag vs. China In-Country DNS

Similarity: both send HTTP requests, regardless of where they originate, to the JDC PoPs only.

Difference: with the China_only flag enabled, the DNS request is still resolved by the global name servers, whereas with in-China NS the DNS resolution happens inside mainland China. The DNS resolution time will therefore differ.

  • Does China Network support DNSSEC?

If the zone uses Global NS or the China Only Flag, then it supports DNSSEC.

If the zone uses in-China NS, then it does NOT support DNSSEC.

  • If the root domain has been assigned in-China name servers, does each subdomain require an extra pair of ns?

For example, if cloudflare.cn is using China DNS, then as long as customera.cloudflare.cn is enabled on China Network, it will automatically share the benefit of China DNS, even if it is a LTZ zone. If the customer then adds a customerb record under the cloudflare.cn zone, customerb.cloudflare.cn will get China DNS too.

However, if only customera.cloudflare.cn has China DNS and not the root domain cloudflare.cn, then customerb.cloudflare.cn will require its own extra pair of in-China name servers.

  • Does China network support DNS firewall?

This feature does not rely on China network enablement.

  • Why do I see China eyeballs still being resolved to US IPs, such as LAX or SJC?

This can happen if a Chinese eyeball is using a DNS server that (1) does not support ECS and (2) is located outside of China. For example:

    • If a China user configures their DNS server as Level 3’s 4.2.2.1 (check this list to see which public open resolvers support ECS)
    • If a China office is using a DNS service such as Cisco Umbrella and has not turned on ECS

For all other additional questions, please contact your account team.