As I work with Operators all over the world, I'm amazed at two worrying. First, Operators are still treating DNS as an afterthought. Everyone knows that if DNS is down, the network is down. Too many people are taking DNS's resiliency for granted. DNS "just works" is assumed to be norm until it does not work. Operators (Carriers, ISPs, Cloud Operators, Mobile Operators, etc) really need to put the robustness of their DNS architectures (in plural) into focus. Simple attacks against DNS are one of the easiest forms of Denial of Service (DOS) attacks.
Second, Operators who are focused on DNS resiliency are missing one of the most robust DNS solutions on the market. AnswerX is Akamai's investment into quality DNS. It's rich feature set, open source scaling, and cost effective pricing gives Operators an alternative. Most Operators have no idea that carrier grade and cost effective DNS alternative exists. Many of the "buy a special DNS box" options on the market limit the Operator's DNS resiliency architectures. The AnswerX DNS option is an easy option for all Operators to include in their RFPs, planning, and solutions considerations.
What we'll be doing in this and the blogs to come is to solve the AnswerX knowledge gap. We'll have a series of articles that walk through why AnswerX's modern devops oriented approach give Operators DNS resiliency options which do not exist with other platforms. Through these articles, we'll eliminate the AnswerX "secret" so that all Operators are aware of their options.
Operators need a DNS Alternative
Everyone and everything on the Internet requires DNS. Yet, Carriers, ISPs, Service Providers, and Cloud Operators struggle to find a cost effective and programmable DNS solution with a future-proof roadmap that scales like the Open Source DNS. ISC BIND, Unbound, and PowerDNS are the three industry open source foundations. But, most Operators who deploy open source DNS never pay for support. It is a myth to think "open source is free." It is not "free." Someone has to code the new features, functions, and bug fixes. If there is no open source funding, then the open source becomes a slave to an unknown number of volunteers who may or may not have time to maintain a feature list or fix bugs. Businesses have a hard time to rely on an "unknown support mode."
The alternative for Operators are the big commercial DNS providers. These vendors sell "specialized" DNS boxes with a multitude of features function, and capabilities. But, they also charge a premium for the hardware, software, features, usage, integration, and support. This CAPEX intensive DNS approach limits the Operator's flexibility (specialized DNS boxes cost more). What if the Operator needs to expand their POPs? What if they need elastic scaling in their cloud? What if their 4G network requires expanded data centers? All of these "DNS resiliency/performance" architectures are limited with the "specialized DNS box" approach. What Operators really need is a DNS solution that provides all the features and allows deployment throughout their network without specialized hardware. What Operators need is a DNS solution that scales predictably from a resourcing and cost perspective. What Operators need is a DNS solution that enables architecture flexibility using standard Unix servers and VMs that can be expanded without blowing out the Operator's budget. Enter Akamai's DNS Secret - AnswerX.
AnswerX is a DNS platform that provides Operators with a scalable DNS Resolver (rDNS) solution priced competitively with the open source DNS. AnswerX has proven to scale to massive DNS capacity loads. AnswerX works on standard off the shelf Unix platforms and runs in VMs. AnswerX is a modern resolver with programmable policy, supporting DNSSEC, IPv6, and full subscriber aware policy controls. It can be used for DNS firewall functionality, extensive logging, and a platform for service creation. AnswerX is sold as software working on standard servers (no specialized hardware). The software is built to process millions of transactions per second on standard hardware.
Operators now have a DNS resolver solution that allows them to deploy as much capacity as needed where they need it. DNS resolver architectures can now match the Operator's topology, where new AnswerX servers can be implemented with just a new Unix boxes deployed (just like open source). AnswerX is the happy balance of "open source scalability" and premium commercial support by Akamai - a company that understands "scale."
Rethinking the DNS Resolver - Beyond the "Internet Phone Book"
Operators need to rethink the usefulness of the DNS Resolver. The "typical" thinking is that the DNS Resolver is the "after thought" in today's network that "just works" ... until it does not. When it does work, everyone calls because "the network is down." Justifying the cost to expand and maintain DNS runs in a cycle. A crisis happens - DNS goes down - emergency funding is granted - capacity increased - return to "afterthought." This approach is limited thinking. We've been limited by legacy thinking about what we can and cannot do with the capabilities of the DNS Resolver. The DNS resolver is a legitimate tool for a whole range of functions. The DNS resolver can be used for business intelligence, security (blocking malware domains), anti-SPAM (blocking SPAM before the email arrives), and a wide range of other services.
When an Operator "re-thinks" of the DNS Resolver (rDNS) as a multifunctional tool, they are able to put rDNS into the forefront. It is no longer an afterthought when rDNS data is used in the company's business intelligence. rDNS is no longer neglected when it is integral to understanding customer's behavior. rDNS becomes a business essential and funded when services are built on top of it and rDNS moves from a "cost" to a "revenue" tool.
Akamai's AnswerX has been a quiet pioneer in the modern evolution of the DNS Resolver. The AnswerX solution expands the understanding of what an Operator can unleash when they rethink DNS. For example,
Imagine if you could use common off the shelf Unix for all your DNS deployments in your network. Within that architecture, you use DevOps oriented nested policy checks before the DNS resolution, DEVOPs scripts that you control, update, write, and use to add value. That DEVOPs DNS script has a policy that then gets applied one of many subscriber DBs linked to Radius, OCS, DHCP, PCRF. The script is now linked to your subscriber's profile - allowing the Operator to build unique subscriber profiles. The Operator then linked that policy to the DNS "return" traffic and compares it to a reputation DB which then decides how you which to respond. Now the Operator has a tool to check against band domain names (i.e. like malware). That check can be compared to another historical table of how you responded to that domain in the past. All of this can then be used to trigger customer communication (redirection, triggers for SMS, E-mail, and other function) with one of many appropriate tools selected by the Operator. Of course, everything is logged for your business, security, and operational intelligence systems.
What we imagine exists today with Akamai's AnswerX Platform. AnswerX is a carrier grade solution designed for today's abuse. AnswerX fortifies the Operator's recursive DNS service infrastructure against damaging DDoS attacks and provides resilience in the face of network abnormalities. AnswerX enables services such as parental controls, business control, SMB specialized services, and other innovations with an on-net technology solution. AnswerX is an intelligent recursive DNS solution that resides on-net close to the end-user with extensibility, flexibility, scalability, and performance. Unlike DIY DNS software and legacy commercial platforms, AnswerX delivers service with a data-driven policy engine and optimizes content delivery with vertical integration into the Akamai content delivery network.
AnswerX is a platform, with scalable add-ons like Visualizer for DNS analytics, Name Controls for content filtering and Search Guide to help users find websites. Better yet, AnswerX is not exclusive. It is designed to integrate with other platforms. This allows each Operator to customize their rDNS solution to use their tools, their solutions, and their intelligence to provide the best service to their customers.
How can you find out more? Start with these links: