Module5 Fast DNS

Module 5: Fast DNS 1

Assume that a client attempts to access a URL, say, www.akamai.com. Here is what happens:
1. The client performs a DNS lookup through its local name server.
2. The local name server redirects the request through a number of well-known name servers
supporting the entire Internet.
3. These name servers redirect the request to the DNS service which hosts the URL the
client requested.
4. The DNS service responds to the request with the actual IP address of www.akamai.com.
5. Only after this can the end user/client connect to the requested website (in this case,
www.akamai.com).

A DNS lookup occurs in the context of every page load, and only after the host address has been
resolved can the client connect to the server and start downloading content. So, very simply put, if
your DNS service is not available, then the rest of the page load can’t proceed. Another important
point to highlight is that improving the DNS lookup time improves performance by reducing the
overall page load time.

The key areas that pose challenges for many organizations in terms of getting the most out of their
DNS infrastructure are:
1. Availability
2. Performance
3. Security

Availability: Many organizations rely on just two or three DNS servers, or name servers, to
resolve DNS requests from all of their end users. This means that any system outage will impact the
availability of the DNS service, without which users can’t get to their websites or applications.

Performance: When organizations deploy just two or three name servers in their data center, this
automatically implies that the name servers might be physically far away from a large percentage of
their end users. This means that every time an end user visits the website, their DNS request needs
to go around the world and back before they can actually load the page and use the site. This
automatically slows down their website.

Security: Having just two or three name servers responsible for directing all traffic to their
websites and applications makes the organization’s DNS infrastructure a potential target for
attackers. This is because the DNS infrastructure is exposed to the Internet and is vulnerable to
distributed denial of service (DDoS) attacks and man-in-the-middle attacks, whereby an attacker
forges or manipulates DNS data to redirect users to another site.

These are the challenges that are addressed by Akamai Fast DNS.

Fast DNS is Akamai’s cloud-based DNS solution that provides authoritative DNS resolution of
customer domains and hostnames, in the midst of high-traffic events and DDoS attacks.

The key features of Fast DNS are:

1. Global Scale: The globally-distributed DNS platform has thousands of name servers
geographically distributed all over the world. The name servers are deployed in over 20 DNS clouds
and over 200 points of presence in 26 countries. Each customer is assigned 6 name servers – 5 from
the availability clouds and 1 from the performance cloud.

2. Availability: Due to the distributed platform we offer 24/7 DNS availability and unparalleled
resiliency.

3. IP Anycast: Fast DNS is built on IP Anycast technology. So, a DNS lookup request can be
resolved by multiple physical name servers deployed in multiple locations around the world and on
multiple networks. This results in a decentralized DNS service to end users.

4. Security Features: Fast DNS relies on a proprietary implementation of the DNS protocol and does
not run software based on Berkeley Internet Name Domain (BIND) like other DNS solutions. This is a
key advantage of using Fast DNS since BIND has several security vulnerabilities which attackers are
known to exploit. Besides that, we also implement rate controls and filtering on our DNS servers,
which drop attack traffic. Additionally, we can provide DNSSEC.

5. Zone Apex Mapping: The Zone Apex Mapping feature publishes mapping data from the Akamai
platform directly to the Fast DNS servers. In other words, it gives you the possibility to serve your Top
Level Domain (TLD) over Akamai. This dramatically improves the performance for websites deployed
behind Akamai, as you no longer have to serve redirects and you can fully leverage Akamai Products
for Protection and Performance.

Fast DNS has two key components: Zone Transfer Agents and Akamai Name Servers.

Zone Transfer Agent (ZTA) runs on multiple machines in the Akamai Network. The ZTA process is
responsible for performing zone transfers from the primary name server(s) that you maintain, as well
as uploading these zones to Akamai name servers.

Akamai Name Servers run on multiple machines in many networks and locations on the Akamai
Network. The name servers accept the customer-provided zones from the Zone Transfer Agents, and
serve responses to DNS queries.

When a customer purchases Fast DNS, they start using Akamai’s name servers instead of their own.
But before the client can start querying Fast DNS for the DNS lookups, Fast DNS must be configured
or deployed.

Fast DNS can be configured either as a primary DNS service, where customers replace their existing
DNS infrastructure, or as a secondary DNS service, in which case they augment their DNS
infrastructure with a cloud front-end.

If Fast DNS is configured as a primary DNS, the customer will need to first upload zone data through
either the Luna Control Center or Akamai’s {OPEN} API. Next, the zone transfer agent will push out
this zone data to the Fast DNS name servers and provide a list of name servers (typically six) to the
customer. The customer must now register these name servers with their domain registrar.

When Fast DNS works as a secondary DNS service, the customer maintains all their zone data on
their master name server. Fast DNS zone transfer agents (ZTA) request the zone data from the master
and then push it out to Fast DNS name servers.
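
A monitoring check for the secondary setup described above, as an added example that is not part of the original module or Akamai's code: it compares the SOA serial observed on each secondary name server with the master's, using RFC 1982 serial arithmetic so that serial wraparound is handled. Using the SOA serial as the freshness signal is an assumption, and the name server names and serial values are constructed for the example.

```python
SERIAL_MOD = 2 ** 32   # SOA serials are 32-bit unsigned integers
HALF_RANGE = 2 ** 31


def serial_newer(a, b):
    """True if serial a is newer than serial b under RFC 1982 arithmetic."""
    diff = (a - b) % SERIAL_MOD
    return 0 < diff < HALF_RANGE


def classify(master_serial, secondary_serials):
    """Group secondaries by how their serial relates to the master's.

    'behind' means the zone transfer has not caught up yet; 'ahead' means the
    secondary serves data the master never published and needs investigation;
    'undefined' covers the one distance (2**31) RFC 1982 leaves unordered.
    """
    report = {"in_sync": [], "behind": [], "ahead": [], "undefined": []}
    for ns, serial in sorted(secondary_serials.items()):
        if serial == master_serial:
            report["in_sync"].append(ns)
        elif serial_newer(master_serial, serial):
            report["behind"].append(ns)
        elif serial_newer(serial, master_serial):
            report["ahead"].append(ns)
        else:
            report["undefined"].append(ns)
    return report


# Constructed observations: hypothetical secondary names and serials.
MASTER_SERIAL = 2024010102
OBSERVED = {
    "ns1.secondary.example.": 2024010102,
    "ns2.secondary.example.": 2024010101,
    "ns3.secondary.example.": 2024010103,
}

if __name__ == "__main__":
    for state, servers in classify(MASTER_SERIAL, OBSERVED).items():
        print(state, servers)
```
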

Now let’s see what happens when a client or end user needs the IP of a website, let’s say,
www.akamai.com. The client/end user will first query the local name server. This will (as usual) query
the root name servers, which in turn will direct the request to the .com name servers (if needed), and
they will redirect the request to one of the Fast DNS/Akamai name servers.

The Akamai or Fast DNS name server will resolve the request by going through the Akamai CNAME
chain to find and return the IP address of the Edge server closest to the client.

Note that a Fast DNS name server can skip past the additional CNAMEs for websites deployed
behind Akamai by using the feature called Zone Apex Mapping.
This feature can dramatically improve performance for websites because mapping data
for the Akamai Intelligent Platform is published to the Fast DNS name servers. So, a name server
immediately redirects the DNS lookup request to the optimal Akamai Edge server in a single step.
This results in a dramatic reduction in the total response time.

Fast DNS offers DNSSEC as an add-on option. The DNS Security Extensions (DNSSEC) allow zone
administrators to digitally sign zone data using public key cryptography, thus proving its
authenticity. The primary purpose of DNSSEC is to prevent DNS cache poisoning and DNS hijacking.

Fast DNS supports the following two scenarios:

• Sign and Serve DNSSEC: Akamai manages signing the zone, key rotation, and serving the zone.
• Serve DNSSEC: You manage signing the zone and key rotation, while Akamai serves the zone.
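
In the Serve DNSSEC scenario the customer owns key rotation, so a useful pre-change check is whether the DS record published at the parent zone still matches a DNSKEY in the zone. The following is an added example, not code from the module or from Akamai; it assumes the key tag and SHA-256 DS digest definitions from RFC 4034, and the zone name and key bytes are constructed, not real key material.

```python
import hashlib
import struct


def dnskey_rdata(flags, protocol, algorithm, public_key):
    """DNSKEY RDATA wire form: flags(2) | protocol(1) | algorithm(1) | key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata):
    """Key tag checksum from RFC 4034 Appendix B."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += (byte << 8) if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def wire_name(name):
    """Canonical (lower-case) wire encoding of an owner name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def ds_sha256(owner, rdata):
    """DS digest type 2: SHA-256 over owner name | DNSKEY RDATA."""
    return hashlib.sha256(wire_name(owner) + rdata).hexdigest()


def ds_matches(owner, parent_ds, zone_keys):
    """parent_ds = (key_tag, algorithm, digest_type, digest_hex)."""
    tag, algorithm, digest_type, digest = parent_ds
    if digest_type != 2:
        return False  # only SHA-256 digests are handled in this example
    return any(key_tag(k) == tag and k[3] == algorithm
               and ds_sha256(owner, k) == digest.lower() for k in zone_keys)


# Constructed sample: arbitrary bytes standing in for two key-signing keys.
ZONE = "example.com."
OLD_KSK = dnskey_rdata(257, 3, 13, bytes(range(64)))
NEW_KSK = dnskey_rdata(257, 3, 13, bytes(range(64, 128)))
PARENT_DS = (key_tag(OLD_KSK), 13, 2, ds_sha256(ZONE, OLD_KSK))


def rotation_states():
    """DS check before rotation, with both keys published, and after old key removal."""
    return (ds_matches(ZONE, PARENT_DS, [OLD_KSK]),
            ds_matches(ZONE, PARENT_DS, [OLD_KSK, NEW_KSK]),
            ds_matches(ZONE, PARENT_DS, [NEW_KSK]))
```

The last state is the failure to catch: the old key has been removed while the parent still publishes its DS, so validating resolvers would reject the zone.
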

Availability: With Fast DNS, we have a massively scalable DNS infrastructure resolving user DNS
requests, with individual requests responded to by multiple name servers using IP Anycast
technology. In addition, Fast DNS name servers are distributed – geographically as well as across
multiple networks in order to provide additional resiliency against local conditions.

Performance: Improves DNS response by up to 75 percent by integrating with Akamai acceleration
solutions. This is because of the zone apex mapping feature of Fast DNS, which enables the client to
get to the optimal Edge server in a single step. Simply put, zone apex mapping integrates better with
the Akamai platform to provide the fastest performance for any web site or application on the Akamai
platform.

Security: Mitigates the risk of DDoS attacks by:

• Transferring the risk to Akamai.
• Absorbing DDoS attacks without any disruption in service, due to the scale of the Akamai
network.
• Blocking malicious traffic by rate limiting and restricting responses to known good DNS servers.

Customers can configure and manage their Fast DNS service through Akamai’s standard Luna
Control Center GUI, or use the {OPEN} APIs to configure, report on and manage Fast DNS.

This brings us to the end of the module. To summarize what we learned:

• Availability, Performance and Security are the challenges of conventional DNS that Fast DNS
addresses.
• Fast DNS is Akamai’s cloud-based DNS solution that provides authoritative DNS resolution of
customer domains and hostnames, in the midst of high-traffic events and DDoS attacks.
• The features of Fast DNS:
  • Global Scale: Thousands of name servers deployed over 20 DNS clouds and over 200
  points of presence in 26 countries
  • IP Anycast: DNS resolution by multiple physical name servers deployed in multiple
  locations around the world and on multiple networks
  • Zone Apex Mapping: Allows Fast DNS name servers to skip past the additional CNAMEs
  for websites deployed behind Akamai
• Fast DNS addresses the availability issue of conventional DNS by virtue of its massively scalable
DNS infrastructure, IP Anycast technology, and geographically distributed name servers. Zone
apex mapping and the proximity of DNS servers to end users address the performance challenge.
Fast DNS addresses the security challenges of conventional DNS by transferring the risk to Akamai,
absorbing DDoS attacks and blocking malicious traffic.
• Fast DNS can be configured as a Primary or a Secondary service.
