Concept

One Address, Answered From Everywhere.

A large public resolver hands out a single IP address, yet that one address lives in dozens of cities at the same time. The trick is called anycast, and it is most of the reason a public resolver can feel instant from anywhere on earth and stay up while under attack. Here is how one address ends up in many places, and how the network quietly sends you to the nearest copy.

Diagram: One IP, announced from many sites, and each user reaches the nearest copy. A user in Europe asking 9.9.9.9 reaches the Frankfurt site; a user in North America asking 9.9.9.9 reaches the New York site; a user in Asia asking 9.9.9.9 reaches the Singapore site. One identical address, announced by every site. Each user reaches the nearest copy. Routing, not the user, picks which one.

Same address, same answer. What changes is which physical copy is close enough to serve it.

Anycast is the plain idea that an address does not have to name one machine. It can name a job, and let the network find whichever copy of that job is nearest.

What anycast is

Normally an IP address points to a single place on the internet, and packets sent to it all arrive at that one place. Anycast breaks that assumption on purpose. The operator stands up the same service in many locations, and every one of them claims the very same address. Now the address does not identify a machine; it identifies a role, and the copies are interchangeable. Whichever one you land on gives you the same answer, because they are all running the same resolver.

For DNS this is a natural fit. A lookup is a small, self-contained question that any copy of the resolver can answer on its own, with no need to remember your last request. So it does not matter which site you reach; the reply to "where is example.com?" is the same in Frankfurt as it is in Singapore. That interchangeability is exactly what lets one advertised address be served from dozens of places without anyone noticing the seams.

How your query finds the nearest copy

You do not choose the site, and neither does your device. The choice is made by the routing between networks. Each location announces the resolver's address into the global routing system, and every other network on the internet hears many of those announcements for the same address. When your query heads out, the networks it crosses simply forward it toward whichever announcement looks closest by their own routing measure, and it lands at that site. Send the same query a moment later and it takes the same short path, so in practice you keep hitting the copy near you.

The word to keep in mind is near in the network sense, not the map sense. Closest usually means fewest hops along the paths carriers have built, which tracks geography most of the time but not always. If the nearest site goes down or gets congested, its announcement fades and the routing quietly shifts your queries to the next-closest one, often without a single failed lookup. Nothing on your machine has to notice; the address never changed.

Why public resolvers rely on it

Three reasons, and the first is speed. A DNS lookup sits at the very front of almost everything you do online, as laid out in how DNS actually works: nothing loads until the name resolves. Shaving the round trip by answering from a nearby city, rather than one across an ocean, makes the whole web feel quicker, because you feel that delay before every fresh connection.

The second is staying up under load. Because the same address exists in many places, a flood aimed at it does not converge on one target. Each site absorbs only the traffic routed to it, so a denial-of-service attack gets divided across the whole footprint instead of drowning a single server, and a site pushed past its limit can be drained while the rest keep answering. That is why serious public resolvers are built on anycast: it is the difference between one point of failure and none.
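To make the two ideas above concrete, the route selection from "How your query finds the nearest copy" and the load division described here, this added example (not code from the page or from any resolver operator) simulates a small, constructed network topology. Route selection is reduced to "fewest networks crossed", which is the simplification the text itself uses; the network names, the address 9.9.9.9 and the query counts are all invented for illustration.

```python
from collections import deque

# Constructed topology (not any real operator's network): each key is a
# network, each value is the list of networks it peers with directly.
PEERINGS = {
    "eu-isp": ["eu-transit"],
    "eu-transit": ["eu-isp", "site-frankfurt", "us-transit"],
    "us-isp": ["us-transit"],
    "us-transit": ["us-isp", "site-newyork", "eu-transit", "asia-transit"],
    "asia-isp": ["asia-transit"],
    "asia-transit": ["asia-isp", "site-singapore", "us-transit"],
    "site-frankfurt": ["eu-transit"],
    "site-newyork": ["us-transit"],
    "site-singapore": ["asia-transit"],
}
# Every site announces the same address (9.9.9.9 in the page's diagram);
# the announcing set shrinks when a site goes down and withdraws.
ALL_SITES = {"site-frankfurt", "site-newyork", "site-singapore"}


def hop_counts(source, peerings=PEERINGS):
    """Breadth-first search: networks crossed from source to every other network."""
    dist = {source: 0}
    queue = deque([source])
    while queue:
        net = queue.popleft()
        for peer in peerings[net]:
            if peer not in dist:
                dist[peer] = dist[net] + 1
                queue.append(peer)
    return dist


def pick_site(user_net, announcing, peerings=PEERINGS):
    """Nearest site still announcing, as (site, hops); None if no site is left."""
    dist = hop_counts(user_net, peerings)
    candidates = [(dist[s], s) for s in announcing if s in dist]
    if not candidates:
        return None
    hops, site = min(candidates)  # equal distance: tie broken by name
    return site, hops


def spread_load(queries_per_net, announcing, peerings=PEERINGS):
    """Each network's queries land on its nearest site, so a flood from many
    networks is divided across the footprint instead of hitting one server."""
    load = {site: 0 for site in announcing}
    for net, count in queries_per_net.items():
        chosen = pick_site(net, announcing, peerings)
        if chosen:
            load[chosen[0]] += count
    return load
```

With all three sites up, `pick_site("eu-isp", ALL_SITES)` returns Frankfurt at 2 hops; withdraw Frankfurt and the same call returns New York at 3 hops, while `spread_load` shows the European traffic moving onto New York and the rest staying where it was.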

The third is that it resists blunt blocking. When an address is served from many networks in many countries, there is no single wire to cut. This is one of several reasons a lookup can behave differently depending on where you are, a theme covered in can DNS be blocked or censored.

What it means for you

Mostly it means the resolver is fast and dependable without you doing anything, which is the point. The one subtlety worth knowing is that anycast decides which copy of your resolver you reach, but it does not decide how a website then picks a server for you. That second job is often helped along by EDNS Client Subnet, a separate mechanism with its own privacy cost. Anycast getting you to a nearby resolver and ECS revealing your rough location to content networks are easy to confuse, but they are different steps solving different problems.

It is also not a content delivery network, even though the routing idea is a cousin of the one a CDN uses. Anycast here is about reaching the resolver quickly; a CDN is about reaching the website's files quickly, once the resolver has told you where they are. Both make the internet feel local, but they act at different moments in the same request.

What anycast does not do

It is a delivery trick, not a privacy one. Anycast decides which copy of a resolver you talk to; it says nothing about whether that conversation is readable on the way. A plain lookup to an anycast address is still sent in the clear and can still be seen or tampered with by the network between you and the nearest site. Reaching the resolver faster is not the same as reaching it privately, which is the whole reason encrypted DNS exists as a separate layer on top.

Nor does it change who runs the resolver or what they do with your queries. Every copy is operated by the same party under the same policy, so the trust question is identical no matter which site answers you. Anycast makes a resolver fast and hard to knock over; it does not make it more or less worthy of that trust. That part is still yours to weigh, exactly as in what a resolver is.

Fast is good; private is the part you set

Anycast is what makes a public resolver quick and resilient. Encryption is what keeps the lookups on that fast path unreadable. The second one takes a couple of minutes to turn on.

Set up encrypted DNS

Related: what a DNS resolver is, how DNS actually works, and can DNS be blocked or censored.