
In the modern Internet, DNS latency is the “hidden tax” on user experience. During the AIORI-2 Hackathon, team Ping@St.Joseph’s from St. Joseph’s Institute of Technology tackled this head-on by building the Hyperfast DNS Load Balancer.
By leveraging eBPF/XDP—a revolutionary technology that allows packet processing directly in the Linux kernel—the team created a data plane capable of handling millions of queries per second (QPS) with sub-millisecond overhead, while maintaining strict adherence to RFC 1034/1035 and EDNS0 (RFC 6891).
1. The Architecture: Kernel-Level Speed, Cloud-Native Control
The project splits the workload into two distinct planes to maximize both performance and manageability:
- Data Plane (C/eBPF): Uses XDP (eXpress Data Path) to intercept DNS packets at the network driver, before they reach the Linux networking stack. This “fast-path” skips the stack’s per-packet overhead, so forwarding decisions are made inside the kernel with minimal added delay.
- Control Plane (Go): A robust orchestrator that performs health checks on backend servers, updates eBPF maps in real-time, and exports telemetry.
2. High-Precision Telemetry & Observability
A load balancer is only as good as its visibility. The team integrated a full cloud-native monitoring stack to provide operators with real-time insights into network health.
| Metric | Tooling | Operational Value |
|---|---|---|
| Throughput | Prometheus | Real-time QPS tracking (Current: 15K sustained). |
| Health Status | Grafana | Visualizes backend uptime and automatic failover. |
| Drop Rates | eBPF Maps | Identifies packet drops at the kernel level for security/debugging. |
| Resource Usage | Prometheus | Monitors CPU/Memory to ensure the balancer doesn’t become a bottleneck. |
3. Standards Compliance: Beyond Raw Speed
Fast DNS is useless if it breaks modern features. Team Ping@St.Joseph’s prioritized EDNS0 (RFC 6891) transparency, ensuring that metadata like security extensions and larger payload sizes pass through the proxy untouched.
- RFC 1034/1035: Guaranteed base protocol integrity (RCODEs, IDs, and Opcodes).
- RFC 6891 (EDNS0): Crucial for modern resolvers and CDNs; ensures large DNSSEC-signed responses aren’t truncated.
- Health Hysteresis: Implemented failure/recovery thresholds to prevent “flapping,” where a slightly unstable backend causes rapid, disruptive routing changes.
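To make the fast-path handling and the RFC 1035/6891 checks concrete, here is an added example written for this article; it is not the team's code. It is plain C rather than eBPF so it compiles in userspace, but it keeps the `data`/`data_end` bounds-check style, the bounded loops and the pass/drop/forward verdicts (the `VERDICT_*` names are assumed stand-ins for `XDP_PASS`/`XDP_DROP`/`XDP_REDIRECT`) that the eBPF verifier would demand of the real XDP program. The sample frame is constructed, not captured traffic. The parser only reads the OPT pseudo-RR; the advertised UDP payload size and DO bit are recorded, and the record bytes are left for byte-for-byte forwarding, which is what EDNS0 transparency requires.

```c
/* Added example (not the team's code): XDP-style bounded parsing of a DNS
 * query over Ethernet/IPv4/UDP with EDNS0 OPT detection, in plain C. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Assumed stand-ins for the XDP verdicts XDP_PASS / XDP_DROP / XDP_REDIRECT. */
enum { VERDICT_PASS = 0, VERDICT_DROP = 1, VERDICT_FORWARD = 2 };

struct dns_query_info {
    uint16_t id, qdcount, arcount;
    uint8_t  opcode;
    int      has_edns;       /* OPT pseudo-RR (type 41) present in the additional section */
    uint16_t edns_udp_size;  /* requestor's advertised UDP payload size (RFC 6891) */
    int      edns_do;        /* DNSSEC OK bit from the OPT TTL field */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Skip a domain name. Every byte is bounds-checked before it is read, the
 * loop is bounded (max 128 labels), and NULL signals a malformed name. */
static const uint8_t *skip_name(const uint8_t *p, const uint8_t *end, int allow_ptr)
{
    for (int i = 0; i < 128; i++) {
        if (p + 1 > end) return NULL;
        uint8_t len = *p;
        if (len == 0) return p + 1;                       /* root label: done */
        if ((len & 0xC0) == 0xC0)                         /* compression pointer (RFC 1035 s4.1.4) */
            return (allow_ptr && p + 2 <= end) ? p + 2 : NULL;
        if (len > 63 || p + 1 + len > end) return NULL;   /* label too long or truncated */
        p += 1 + len;
    }
    return NULL;
}

/* Classify one frame: FORWARD for a well-formed DNS query to port 53, DROP for
 * a corrupt one, PASS for anything the fast path should leave to the kernel. */
int classify_dns_query(const uint8_t *data, const uint8_t *data_end, struct dns_query_info *out)
{
    const uint8_t *p = data;
    if (p + 14 > data_end || rd16(p + 12) != 0x0800) return VERDICT_PASS;  /* not IPv4 */
    p += 14;
    if (p + 20 > data_end || (p[0] >> 4) != 4) return VERDICT_PASS;
    size_t ihl = (size_t)(p[0] & 0x0F) * 4;
    if (ihl < 20 || p + ihl > data_end) return VERDICT_DROP;               /* corrupt IHL */
    if (p[9] != 17 || (rd16(p + 6) & 0x3FFF) != 0) return VERDICT_PASS;    /* not UDP, or a fragment */
    p += ihl;
    if (p + 8 > data_end || rd16(p + 2) != 53) return VERDICT_PASS;        /* not destined to port 53 */
    const uint8_t *dns = p + 8;
    if (dns + 12 > data_end) return VERDICT_DROP;                          /* truncated DNS header */
    uint16_t flags = rd16(dns + 2);
    memset(out, 0, sizeof *out);
    out->id = rd16(dns);          out->opcode = (flags >> 11) & 0x0F;
    out->qdcount = rd16(dns + 4); out->arcount = rd16(dns + 10);
    if (flags & 0x8000) return VERDICT_PASS;                               /* QR=1: a response, not a query */
    if (out->opcode != 0 || out->qdcount != 1 || rd16(dns + 6) || rd16(dns + 8))
        return VERDICT_PASS;                                               /* unusual shape: punt to slow path */
    p = skip_name(dns + 12, data_end, 0);                                  /* QNAME; no pointers in a question */
    if (!p || p + 4 > data_end) return VERDICT_DROP;
    p += 4;                                                                /* QTYPE, QCLASS */
    for (uint16_t i = 0; i < out->arcount && i < 8; i++) {                 /* bounded additional-section walk */
        p = skip_name(p, data_end, 1);
        if (!p || p + 10 > data_end) return VERDICT_DROP;
        uint16_t type = rd16(p), rdlen = rd16(p + 8);
        if (type == 41) {                                                  /* OPT: CLASS carries the UDP size, */
            out->has_edns = 1;                                             /* TTL carries ext-rcode/version/flags */
            out->edns_udp_size = rd16(p + 2);
            out->edns_do = (p[6] & 0x80) != 0;
        }
        p += 10;
        if (p + rdlen > data_end) return VERDICT_DROP;
        p += rdlen;                                                        /* OPT options pass through untouched */
    }
    return VERDICT_FORWARD;
}

/* Constructed sample frame (not captured traffic): Ethernet + IPv4 + UDP + a
 * query for example.com/A, optionally followed by an OPT RR (4096 bytes, DO=1). */
size_t build_sample_query(uint8_t *buf, size_t cap, int with_edns)
{
    static const uint8_t eth[14] = { 2,0,0,0,0,1, 2,0,0,0,0,2, 0x08,0x00 };
    static const uint8_t ip[20]  = { 0x45,0,0,0, 0x12,0x34, 0x40,0x00, 64,17, 0,0, 10,0,0,1, 10,0,0,53 };
    static const uint8_t udp[8]  = { 0xC0,0x00, 0x00,0x35, 0,0, 0,0 };
    static const uint8_t q[29]   = { 0xAB,0xCD, 0x01,0x00, 0,1, 0,0, 0,0, 0,0,
                                     7,'e','x','a','m','p','l','e', 3,'c','o','m', 0, 0,1, 0,1 };
    static const uint8_t opt[11] = { 0, 0,41, 0x10,0x00, 0,0,0x80,0x00, 0,0 };
    size_t len = 14 + 20 + 8 + 29 + (with_edns ? 11 : 0);
    if (cap < len) return 0;
    memcpy(buf, eth, 14); memcpy(buf + 14, ip, 20); memcpy(buf + 34, udp, 8); memcpy(buf + 42, q, 29);
    if (with_edns) { memcpy(buf + 71, opt, 11); buf[42 + 11] = 1; }      /* ARCOUNT = 1 */
    buf[16] = (uint8_t)((len - 14) >> 8); buf[17] = (uint8_t)(len - 14);  /* IPv4 total length */
    buf[38] = (uint8_t)((len - 34) >> 8); buf[39] = (uint8_t)(len - 34);  /* UDP length */
    return len;
}

/* Build the sample and classify it; `data_end_cut` (0 = none) truncates the frame. */
int classify_sample(int with_edns, size_t data_end_cut, struct dns_query_info *info)
{
    uint8_t buf[128];
    size_t n = build_sample_query(buf, sizeof buf, with_edns);
    if (data_end_cut && data_end_cut < n) n = data_end_cut;
    return classify_dns_query(buf, buf + n, info);
}
```

The split between PASS and DROP is the operational point: anything the fast path cannot fully parse but which might still be legitimate (a fragment, a non-QUERY opcode, a response) is handed to the kernel, while a frame that claims a DNS header or name it cannot contain is dropped and counted, which is exactly what the eBPF drop-rate map in section 2 should be recording.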
4. Sprint Highlights & Results
The team demonstrated a highly stable environment under load:
- Sustained Load: ~15,000 QPS with zero packet drops.
- Low Latency: Sub-millisecond forwarding delay.
- Automatic Recovery: Backends were automatically removed and re-added to the rotation based on UDP health probes.
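The health hysteresis from section 3 and the automatic removal/re-adding described above, as an added example that is not the team's code: a backend leaves the rotation only after a run of consecutive failed probes and re-enters only after a run of consecutive successes, so a backend that alternates between success and failure never flaps the routing table. The thresholds, the struct layout and the hash-based selection over in-rotation backends are assumptions for illustration; the probe histories are constructed.

```c
/* Added example (not the team's code): health-check hysteresis for a backend
 * pool, plus backend selection restricted to in-rotation members. */
#include <stdint.h>
#include <stddef.h>

struct backend {
    uint32_t ip;            /* backend address, host byte order (illustrative) */
    int      in_rotation;   /* 1 = eligible for forwarding; mirrors the eBPF map entry */
    unsigned fail_streak;   /* consecutive failed probes */
    unsigned ok_streak;     /* consecutive successful probes */
};

/* Assumed policy: failures needed to eject, successes needed to readmit. */
struct health_policy { unsigned fail_threshold, recover_threshold; };

/* Feed one UDP probe result. Returns 1 if the backend's rotation state changed
 * (the control plane must then update the eBPF map), else 0. A single result
 * in the other direction resets the streak, which is what prevents flapping. */
int backend_observe(struct backend *b, const struct health_policy *pol, int probe_ok)
{
    if (probe_ok) { b->ok_streak++;   b->fail_streak = 0; }
    else          { b->fail_streak++; b->ok_streak = 0;   }
    if (b->in_rotation && b->fail_streak >= pol->fail_threshold) {
        b->in_rotation = 0; b->fail_streak = 0;
        return 1;                                   /* ejected after sustained failure */
    }
    if (!b->in_rotation && b->ok_streak >= pol->recover_threshold) {
        b->in_rotation = 1; b->ok_streak = 0;
        return 1;                                   /* readmitted after sustained recovery */
    }
    return 0;
}

/* Replay a constructed probe history; returns the number of rotation changes. */
int replay_probes(struct backend *b, const struct health_policy *pol, const int *results, size_t n)
{
    int changes = 0;
    for (size_t i = 0; i < n; i++) changes += backend_observe(b, pol, results[i]);
    return changes;
}

/* Number of backends the data plane may currently forward to. */
size_t healthy_count(const struct backend *pool, size_t n)
{
    size_t c = 0;
    for (size_t i = 0; i < n; i++) c += pool[i].in_rotation ? 1 : 0;
    return c;
}

/* Pick the k-th in-rotation backend for a flow hash (k = hash mod healthy).
 * Returns the pool index, or -1 when no backend is healthy. */
int pick_backend(const struct backend *pool, size_t n, uint32_t flow_hash)
{
    size_t healthy = healthy_count(pool, n);
    if (healthy == 0) return -1;
    size_t k = flow_hash % healthy;
    for (size_t i = 0; i < n; i++)
        if (pool[i].in_rotation && k-- == 0) return (int)i;
    return -1;
}
```

Only a transition return value triggers a map write, so a healthy backend that drops one probe and a dead backend that answers one probe both produce no churn in the kernel's view of the pool; the thresholds are the tunable trade-off between how long a genuinely failed backend keeps receiving queries and how much instability is tolerated before it is ejected.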
5. Lessons from the Fast-Path
One of the team’s key takeaways was that observability must come first. By building the Prometheus exporter before fine-tuning the XDP logic, they were able to use data-driven insights to catch bottlenecks early in the development cycle.
“Preserving DNS correctness mattered more than raw speed; transparency first, optimization next.” — Balachandhar D, Team Lead
6. Future Roadmap
The team plans to expand the project into a comprehensive edge security and routing tool:
- Encrypted DNS: Adding termination support for DoH (RFC 8484) and DoT (RFC 7858).
- DDoS Mitigation: Using XDP to drop malicious DNS amplification traffic at the earliest possible stage.
- Geo-Aware Routing: Integrating ECS (RFC 7871) to forward queries to the geographically closest backend.