DNS Issues on Chinese Internet
Tuesday, 14 February 2017DNS system is invisible to ordinary visitors but critical for website operation. Because the network condition in China is quite different from rest of the world, foreign developers might not realise that some recommended web design and optimisation practice in the West are totally unworkable in China. And DNS is among the top items on checklist of Chinese Internet optimisation for Western business.
Taking my blog "www.duguoyu.com" as an example. If you check the DNS report you will see that my domain is resolved by 2 name servers through CloudFlare services:
eva.ns.cloudflare.com
[173.245.58.114] [TTL: 172800 - 2 Days] [United States]
lee.ns.cloudflare.com
[173.245.59.129] [TTL: 172800 - 2 Days] [United States]
I chose CloudFlare for 2 reasons:
1, CloudFlare Global CDN service (reverse proxy) helps my website remain unblocked in Mainland China, even this blog is hosted by a blocked web service provided by Google (Blogger);
2, Free SSL certificate secures my website so that all traffic are delivered through HTTPS connection.
The general performance of CloudFlare outside of China market is good, which can be proofed by public monitor service like Pingdom. My blog scores A 100 in Pingdom test, it took 1.54 s to load the page and the site is faster than 80% of all tested sites. DNS resolving took 229 ms, ordinary performance.
While the situation in China seems to be different. I use a China-based web monitoring service to record DNS failures. The alert messages below show how bad the general condition is:
【360】您创建的DNS监控项www.duguoyu.com于2月12日09:38在北京联通等2个监测点出现异常:总响应时间超过阈值
【360】您创建的DNS监控www.duguoyu.com于2月12日09:45从异常状态恢复,异常持续时间:6分钟54秒
【360】您创建的DNS监控www.duguoyu.com于2月10日21:33从异常状态恢复,异常持续时间:9分钟27秒
【360】您创建的DNS监控www.duguoyu.com于2月10日22:54从异常状态恢复,异常持续时间:10分钟43秒
On average there will be a DNS failure alert once every 2 days, and each single failure notice will last about 10 minutes. While in reality, the CloudFlare DNS performance is worse than that. After testing and tracing network condition, I understand that this is not the fault of CloudFlare, which has already found Baidu as its Chinese partner. Cloudflare stated that:
Cloudflare does not offer a Chinese version our service, but our partner Baidu offers a localized version of our service called Yunjiasu (百度云加速). Yunjiasu offers the same features and functionality as Cloudflare (CDN, DNS, DDoS protection, WAF, etc), tailored for the China market. Please visit http://su.baidu.com/ for more information.
Cloudflare 不提供中文服务, 中国客户应该使用百度云加速。 百度云加速是第一个在中国和海外为网络性能提供加速,安全和智能服务的中文服务。 云加速提供与 Cloudflare同样的功能 (CDN、 DNS、 DDOS、 Web安全防护等), 并且专门为中国网络和市场需求进行了优化。
如果您希望改善您的中国网站、移动端应用、以及互联网应用程序的性能和安全, 请访问http://su.baidu.com/注册您的账户。
It happen to be that I'm also a long-time user of Baidu Yunjiasu. I joined client support QQ group of Yunjiasu on the first day when Baidu released its DNS product, which was copied from CLoudFlare with permission and agreement. According to my own experience and feedback from other clients, Yunjiasu was not a stable service in its early days, and its free version lacks of some important features, such as free SSL certificate. So the question is how to leverage China network support through Baidu infrastructure while keep all DNS-related features and functions under CloudFlare's umbrella. In order to meet such market demand, CloudFlare has extended its value-added services in China market, on its website it mentioned:
"If you do not have an ICP license today, our Customer Success Team can walk you through the application process."
"For customers who care most about optimizing HTTPS performance inside of China, you can choose to place your private SSL keys in our China data centers, just as you do on the global Cloudflare Network. Flexible, Full and Strict SSL options are all available on the China Network.
For customers who want to take extra security measures, we are working on leveraging our Keyless SSL technology to provide customers the option of sending encrypted traffic on the China Network without storing their private SSL keys within China (coming soon!)."
I sent a support ticket to CloudFlare, and got their official response regarding enabling China network:
Yunjiasu is Cloudflare China network, and it's only available with Cloudflare Enterprise plan right now.
If you are interested, then you can fill in the below form for further inquiry.
https://www.cloudflare.com/plans/enterprise/contact/
Since this is my personal blog, I'd leave as it is, without tweaking SSL optimisation in China because most of my readers are located outside of China. For eCommerce websites which would like to improve their DNS performance in China, CloudFlare's recommendation might be useful. And please ensure you always set up a China-based monitor to record and report the network condition.
Labels: optimisation, tech
Posted by Guoyu @ 14:51,
