Hi @agneev,

I can't speak to anything other than how CloudFront has you setup DNS records through the Route 53 UI. When you choose a DNS hostname with a CloudFront distribution, it's Route 53 that creates the alias record. It's all an integrated set of services you use their UI to create.

$ dig image.tmdb.org

; <<>> DiG 9.10.6 <<>> image.tmdb.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16223
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;image.tmdb.org.            IN  A

;; ANSWER SECTION:
image.tmdb.org.     45  IN  A   13.224.7.124
image.tmdb.org.     45  IN  A   13.224.7.29
image.tmdb.org.     45  IN  A   13.224.7.37
image.tmdb.org.     45  IN  A   13.224.7.92

;; Query time: 50 msec
;; SERVER: 192.168.4.1#53(192.168.4.1)
;; WHEN: Tue Oct 12 10:31:01 MDT 2021
;; MSG SIZE  rcvd: 163

Is my current set of replied IPs, which seem to be my closest POP. CloudFront is returning the SEA19-C2 edge for my requests, which is in Seattle. 50ms is about as good as I can expect given that I'm on Starlink and latency doesn't ever get a whole lot better than ~35ms.

Hey Travis 👋

Cloudfront relies on ECS to steer clients to a closer PoP. Cloudflare doesn't support that. Google, OpenDNS are among a handful that do. Here's a site that shows this.

To give you an example of a Cloudfront image-serving domain that hits the local cache:

# Using Google DNS
❯ kdig +short +tls @8.8.8.8 images.kitchenstories.io
dcj15sbom9jgt.cloudfront.net.
54.192.181.57
54.192.181.116
54.192.181.99
54.192.181.104
❯ ping 54.192.181.57
PING 54.192.181.57 (54.192.181.57) 56(84) bytes of data.
64 bytes from 54.192.181.57: icmp_seq=1 ttl=245 time=2.15 ms

# Using Cloudflare DNS
❯ kdig +short +tls @1.1.1.1 images.kitchenstories.io
dcj15sbom9jgt.cloudfront.net.
13.227.214.128
13.227.214.12
13.227.214.125
13.227.214.123
❯ ping 13.227.214.128
PING 13.227.214.128 (13.227.214.128) 56(84) bytes of data.
64 bytes from 13.227.214.128: icmp_seq=1 ttl=246 time=34.1 ms

Comparatively, image.tmdb.org doesn't return any Cloudfront CNAMEs and seems to return the same set of IPs regardless of the DNS.

❯ kdig +short +tls @1.1.1.1 image.tmdb.org
52.84.45.103
52.84.45.112
52.84.45.124
52.84.45.125
❯ kdig +short +tls @8.8.8.8 image.tmdb.org
52.84.45.125
52.84.45.103
52.84.45.112
52.84.45.124

❯ curl -v "http://image.tmdb.org/t/p/original/dzJtsLspH5Bf8Tvw7OQC47ETNfJ.jpg"
*   Trying 52.84.45.103:80...
...
< X-Cache: Hit from cloudfront
< Via: 1.1 d1807b809d16999d513cc543f4da6952.cloudfront.net (CloudFront)
< X-Amz-Cf-Pop: MRS52-P1
< X-Amz-Cf-Id: _v8G5heWamdUKdwx6aYza7FJ_0gx_IUZPIYDoYfH3wybUVtVCbzPDg==
# Connected to a data center in Marseille in France
# Ping latency: ~130ms

# Using a DNS rewrite
❯ dig +short image.tmdb.org
65.8.0.30
❯ curl -v "http://image.tmdb.org/t/p/original/dzJtsLspH5Bf8Tvw7OQC47ETNfJ.jpg"
*   Trying 65.8.0.30:80...
...
< X-Cache: Miss from cloudfront
< Via: 1.1 c6cf11c9a6d40f18c613fe75ae07110b.cloudfront.net (CloudFront)
< X-Amz-Cf-Pop: CCU50-C2
< X-Amz-Cf-Id: HgChPSfNEUFdgXE6WeWZFwnTf_k-d_7q0OKI9j9zwLFlUhK8hHWXxQ==
# Using a local data center

Since the DNS isn't returning IPs from this PoP, there's misses from the PoP cache, so there's no point of creating a DNS rewrite as of now.

All other domains that use Cloudfront hit the local PoP. I'm not familiar with Route 53, but maybe there's a way you could enable ECS, if there's such an option?

I found a support article that might be helpful.

Hey @travisbell, don't mean to rush you but is there an update on this?

Hi @agneev,

I suspect the reason you're not being forwarded to the POP you are expecting is the closest pop is because we are only paying for the "100" price class. The details on that are located here. We pay for POP's in North America, Europe and Israel.

If you run the same tests on www.themoviedb.org, are the results what you expect? We pay for the top price class on www.themoviedb.org, so it should perform differently than image.tmdb.org.

This hadn't occurred to me until I was reminded when I read through this support article.

Indeed Google DNS returns IPs for the local edge for www.themoviedb.org. I wasn't aware of Cloudfront pricing tbh.

Ok, perfect, happy to have been able to help figure this out.