[Updated March 4, 2020 5:23 PM]
Consider Addressing Delegation Servers with Varying Network Routes
Written by: Jim Gilbert and Barry Greene
Don't Forget DNS
Similar to diverse workforces performing at a higher level, diverse network service deployments perform at a higher level that is increasingly important as the Internet continues to augment our reality. Akamai has 20 years of edge service deployment experience. Akamai's Intelligent Edge has proven that the "edge" requires more than "servers" on the edge. Fast, intelligent, and secure edge services require a mix of approaches, principles, and designs that start with DNS in mind.
Fast, reliable, and secure edge services start with optimizing DNS for the global edge. Website performance starts with DNS. Ironically, too much attention is spent on other areas of edge service deployments, leaving DNS as an afterthought. As a result, website performance often fails to meet expectations, all because of DNS neglect. Akamai sees too many organizations overlooking DNS as a critical dependency for edge performance and security. Edge deployments can be a deterrent for DoS attacks but are still vulnerable if the hosting organization centralizes DNS. A DoS attack on central DNS services, in effect, disrupts edge services, negating the advantage of massive edge deployments. To remain available through incidents such as DoS attacks, use a segmented, diverse DNS IP anycast architecture that always connects with users.
What is Authoritative DNS?
Unlike recursive DNS servers that work for users to find addresses for domain names, authoritative DNS servers hold the source of truth about domain data such as address records.
What is Authoritative DNS Diversity?
To achieve authoritative DNS diversity, the implementation network should use anycast combined with globally diverse physical name server locations. Akamai's global DNS diversity is combined with redundant network links, collocation with ISPs throughout the world, and robust peering arrangements. For example:
- Multi-home and right-size DNS data centers -- When considering resilience against DDoS attacks, the diversity of network connectivity can be as important as the amount of capacity. Large DDoS attacks can overwhelm upstream ISPs and other networks before reaching a data center, causing congestion and service outages even if the data center itself remains unaffected. To preserve availability and respond to DNS queries from end users during attacks, Akamai deploys Edge DNS name servers into large data centers that have not only large amounts of capacity but also connectivity through multiple networks.
- Co-locate inside ISPs -- In many cases, clusters of name servers should sit directly in the networks of individual ISPs. These name servers often announce their IP anycast prefixes only within those networks and resolve DNS queries only for end users of those ISPs. While this arrangement limits the number of end users that any specific cluster of name servers can serve, it also preserves availability for those users when an IP anycast cloud is targeted by an attack from outside that ISP. An attacker would have to have systems on that specific ISP's network in order to see those name servers, and even then, the available capacity is often enough to protect that one cloud.
- Spread out your DNS customers -- Customers are assigned to diverse clouds - some with server locations unique to specific ISPs and some with a range of connecting machines. This architecture assures that the recursive name servers of a given client will always be able to connect to an Edge DNS server.
- Leverage edge service adjacencies -- Operating many different services beyond authoritative DNS, Akamai can deploy Edge DNS name servers into data centers that support multiple services. This gives Edge DNS access to a larger amount of network capacity when responding to large DDoS attacks -- both dedicated network capacity and public peering arrangements already in place.
Sometimes More is Better for DNS Diversity
Unlike many things, more is better here. For authoritative DNS, service redundancy grows with the number of delegation servers. For example, two delegation servers offer two network paths to the authoritative answers, whereas six delegation servers can offer six network paths. A wider edge distribution also delivers faster answers for global users.
Ensuring Unique Network Paths for DNS Diversity
One technique to codify authoritative DNS diversity is to ensure that each name server address has its own routing path in distinct geographic locations. For IPv4, this means that each name server would ideally have its own /24 address. As an example, the following Edge DNS delegation server set has six network routes to a server that can provide an answer.
Each of these name servers would be in different Edge DNS locations spread throughout the world to enable diversity that balances performance and resilience.
Pushing your domain to six name servers adds one layer of diversity. Now think of each of the six anycasted name servers residing in distributed geographies. Edge DNS comprises thousands of name servers in hundreds of points of presence around the world, using an IP anycast model to respond to DNS queries. IP anycast directs queries from end users to the closest point of presence for resolution. Along with faster performance, IP anycast provides several fundamental benefits for availability and resilience, which is why most authoritative DNS services use anycast. Akamai geographically distributes the six anycast name servers to promote diversity balanced with performance. This provides resilience against region-specific network outages, Internet congestion points, DoS attacks, and other issues. A network requiring DNS DoS resilience moves from a few name servers in a few locations to a multitude of name servers located across the planet.
Steps to Check DNS Diversity
- Validate the NS records that your registrar contains. You might want to do this anyway - see Protecting Your Domain Names: Taking the First Steps.
- Check the (A)ddress records for the name server records. Useful tools include the command line dig tool or Hurricane Electric's BGP Toolkit.
- Look at the set of (A)ddress records to see whether the network routes are distributed. You can do so by comparing the prefix across all the addresses; for IPv4, this is the /24 prefix, i.e. the first three octets of the address. Name servers whose addresses share the same prefix share a network path.
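The three steps above, as an added example (not code from the post or from Akamai): it groups a delegation set's addresses by routing prefix and reports which name servers share a path. The hostnames and addresses are constructed from documentation ranges; the /24 rule is the post's, and treating IPv6 by /48 is an assumption added here.

```python
"""Check whether a zone's NS set spreads across distinct network prefixes."""
import ipaddress
import socket
from collections import defaultdict


def routing_prefix(addr: str) -> str:
    """Prefix that approximates one distinct routing path:
    /24 for IPv4 (per the post); /48 for IPv6 is an assumption."""
    ip = ipaddress.ip_address(addr)
    plen = 24 if ip.version == 4 else 48
    return str(ipaddress.ip_network(f"{ip}/{plen}", strict=False))


def resolve_ns(hostnames):
    """Step 2: look up A/AAAA records for each NS hostname via the system
    resolver (needs network access; dig gives more control if preferred)."""
    return {h: sorted({ai[4][0] for ai in socket.getaddrinfo(h, None)})
            for h in hostnames}


def prefix_groups(ns_addresses: dict) -> dict:
    """Step 3: map each routing prefix to the name servers it covers.
    ns_addresses maps NS hostname -> list of A/AAAA addresses."""
    groups = defaultdict(set)
    for ns, addrs in ns_addresses.items():
        for a in addrs:
            groups[routing_prefix(a)].add(ns)
    return {p: sorted(n) for p, n in groups.items()}


def diversity_report(ns_addresses: dict) -> dict:
    """Summarise how many distinct paths the delegation set really has."""
    groups = prefix_groups(ns_addresses)
    shared = {p: n for p, n in groups.items() if len(n) > 1}
    return {"name_servers": len(ns_addresses),
            "distinct_paths": len(groups),
            "shared_prefixes": shared,
            "fully_diverse": not shared}


# Constructed sample delegation set (RFC 5737 / RFC 3849 documentation
# addresses, not any real provider's name servers).
SAMPLE = {
    "ns1.example.net": ["192.0.2.10"],
    "ns2.example.net": ["198.51.100.10"],
    "ns3.example.net": ["203.0.113.10"],
    "ns4.example.net": ["203.0.113.20"],   # shares a /24 with ns3
    "ns5.example.net": ["2001:db8:1::53"],
    "ns6.example.net": ["2001:db8:2::53"],
}

if __name__ == "__main__":
    print(diversity_report(SAMPLE))   # six servers, only five distinct paths
```

To check a real zone, replace SAMPLE with `resolve_ns(...)` applied to the NS hostnames your registrar lists.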
What to Do
Depending on your results, you might be good to go, or you might have more appetite for risk (e.g. it is OK if DNS is unavailable for a while) given the application and usage profile of the domain names the authoritative name servers serve. If you want less risk and more network diversity for the servers that answer authoritatively for your zone data, consider adding a Secondary DNS service as a next step. In this way, you extend your current DNS workflow with an additional set of authoritative DNS servers that can durably answer for your zone information.
Akamai's Edge DNS for Authoritative DNS Diversity
Akamai's Edge DNS service delivers edge-based, authoritative domain services for thousands of organizations. Edge DNS is the most widely deployed service pushed to the edge of the Internet, and is built for domain name availability, security, resilience, and performance - 100% at all times. Domain names may utilize DNSSEC to minimize spoofing. DoS attacks cannot be allowed to knock down the domain names. Clients who are trying to get to the domain must be able to get that information as fast as possible.
To Learn More about Akamai's Edge DNS
To obtain more information about Akamai's Edge DNS service, use the "Get in Touch" icon on akamai.com to chat with someone at Akamai right now. Or, follow these links to materials:
- Edge DNS - Ensure fast and reliable user experiences.
- Edge DNS Secondary Implementation: Order or Operations for NS Zone & Registrar Records.
- Architecting DNS for DDoS durability and resilience - at the heart of any leading DNS solution is the capability to withstand massive DDoS attacks without a sweat.
Akamai's DNS Future is Growing
Edge DNS is an integral part of Akamai's Intelligent Edge Platform. Akamai's Edge DNS provides resilient, high-performance authoritative DNS services to many of the top companies in the Fortune 1000. We are continually evolving our services to better optimize for multi-cloud and multi-CDN architectures. Tune in to Akamai's blogs and subscribe to Akamai's Community to follow updates, articles, and presentations on the Edge DNS evolution.
Explore Akamai's Diverse DNS Oriented Solutions
If you find this blog useful, continue your exploration with the below references. Everything Akamai deploys leverages a common Intelligent Edge DNS platform.
- Achieve domain stability and resilience with Akamai's Edge DNS service.
- Load balance your data centers, cloud deployments, and CDNs with Akamai's Cloud Based Global Server Load Balancing (GSLB) solution - Global Traffic Management.
- Massively scale your application with layer 7 load balancing using Akamai's Application Load Balancing (ALB) Cloudlet.
- Ensure that every device in your network checks a DNS security tool - ensuring domain name resolution is NOT malware, phishing, or a botnet. Akamai's Enterprise Threat Protection (ETP) and DNS Infrastructure (DNSi) and Security and Personalization Services (SPS) transform your basic DNS resolver into a security tool.
- Sign-up and Search Akamai's Community. This provides you access to a range of Akamai resources.
- DevOps Professionals are welcome to join developer.akamai.com. Akamai's DNS solutions are API and DevOps ready ... enabling cloud to cloud innovation. As an example, look for the Edge DNS APIs such as the Edge DNS Zone Management API.