Seminar "Akamai DNS: Providing Authoritative Answers to the World’s Queries"

Presentation of the paper "Akamai DNS: Providing Authoritative Answers to the World’s Queries", presented at the Networking seminar at DCC/UFMG 2021/01.

Presentation (PT-BR): https://www.youtube.com/watch?v=1e5gTxnr-m8
Original paper: https://www.akamai.com/it/it/multimedia/documents/technical-publication/akamai-dns-providing-authoritative-answers-to-the-worlds-queries.pdf

Lucas Bleme

July 12, 2021

Transcript

  1. Lucas Bleme
    Akamai DNS: Providing Authoritative Answers
    to the World’s Queries

  2. Authors
    Kyle Schomp, Onkar Bhardwaj, Eymen Kurdoglu, Mashooq Muhaimen and Ramesh K. Sitaraman
    SIGCOMM '20 - Annual conference of the ACM Special Interest Group on Data Communication on the
    applications, technologies, architectures, and protocols for computer communication

  3. Agenda
    Problem (motivation)
    Architecture
    Anycast Resiliency
    Attack Resiliency
    Related Works
    Final Evaluation

  4. Problem: Akamai DNS
    [Diagram: Recursive resolver, DNS Root nameserver, DNS TLD nameserver, Authoritative Nameserver]
    mywebsite.com

  5. Problem: Akamai DNS

  6. Problem: Akamai DNS
    ● Highly available network (24/7)
    ● Resilient authoritative DNS
    ● Scalable DNS queries: serving 15-20% of all web traffic
    ● Reconfigurable network
    Erik Nygren, Ramesh K Sitaraman, and Jennifer Sun. 2010. The Akamai Network:
    A Platform for High-Performance Internet Applications. ACM SIGOPS Operating
    Systems Review 44, 3 (2010), 2–19.

  7. Overall architecture
    [Diagram label: Point of Presence]

  8. Anycast prefixes (A B C D E F G …) from different PoPs
    [Diagram: Points of Presence labeled with anycast prefixes A to G]

  9. ex1.com delegated to A B C D E F
    [Diagram: Points of Presence labeled with anycast prefixes A to G]

  10. ex1.com can still be resolved by F
    [Diagram: Points of Presence labeled with anycast prefixes A to G]

  11. Akamai DNS architecture

  12. Single PoP architecture

  13. Anycast resiliency
    ● Failover by withdrawing and advertising anycast prefixes

  14. Anycast resiliency
    ● Failover time < 1 sec. for 76% of measurements

  15. Anycast resiliency
    ● A BGP update causes a 200 msec difference between 2/21 PoPs.

  16. Anycast resiliency
    ● Traffic shift for single-machine failures by withdrawing IP anycast
    ● Monitoring agents with limited server suspension permissions to prevent broad outages

  17. Anycast resiliency
    ● Uses input-delayed nameservers to prevent input-induced failures
    ● Answers DNS queries with intentionally stale data, ensuring that Akamai DNS remains available
    ● Higher Multi-Exit Discriminator (MED) values prevent input-delayed nameservers from responding with stale data

  18. Attack resiliency
    ● No PoP supports more than 2 anycast clouds
    ● Query scoring and prioritized processing
    ● Overprovision bandwidth to avoid saturated links during volumetric attacks

  19. Attack resiliency

  20. Attack resiliency
    ● Random subdomain attacks prevented using NXDOMAIN filters

  21. Related Work
    Matt Calder, Ashley Flavel, Ethan Katz-Bassett, Ratul Mahajan and Jitendra Padhye. Analyzing
    the Performance of an Anycast CDN. IMC '15: Proceedings of the 2015 Internet Measurement
    Conference.
    Sebastian Castro, Duane Wessels, Marina Fomenkov, and Kimberly Claffy. A Day at the Root of
    the Internet, ACM SIGCOMM Computer Communication Review 38, 5 (2008), 41–46.
    Erik Nygren, Ramesh K Sitaraman, and Jennifer Sun. 2010. The Akamai Network: A Platform for
    High-Performance Internet Applications. ACM SIGOPS Operating Systems Review 44, 3 (2010),
    2–19.

  22. Final Evaluation
    Guiding design principles through experiments leads to a robust authoritative
    DNS system.
    Avoiding single points of failure, using automated mitigation strategies, and
    continuing to operate in a degraded state instead of not operating at all
    are the key design principles that allowed such a resilient and highly available
    DNS system.

  23. Thank you! https://speakerdeck.com/andreybleme
    Lucas Bleme
    Akamai DNS: Providing Authoritative Answers
    to the World’s Queries
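
The delegation scheme on slides 8 to 10, combined with the two-cloud-per-PoP limit on slide 18, can be checked with a small model. This is an added example, not code from the deck or the paper; the PoP names and the topology are constructed assumptions, and only the prefix letters and the ex1.com delegation set come from the slides. It computes how many of a zone's delegated anycast clouds still answer in the worst case when k PoPs fail at once.

```python
from itertools import combinations

MAX_CLOUDS_PER_POP = 2  # limit stated on slide 18

# Constructed topology (an assumption, not Akamai's real one):
# hypothetical PoP name -> anycast clouds (prefixes) it advertises.
POPS = {
    "pop1": {"A", "E"}, "pop2": {"F", "B"}, "pop3": {"C", "G"},
    "pop4": {"A", "D"}, "pop5": {"C", "E"}, "pop6": {"D", "B"},
    "pop7": {"G", "F"},
}
EX1_DELEGATION = {"A", "B", "C", "D", "E", "F"}  # ex1.com, as on slide 9


def validate(pops):
    """Reject topologies where a PoP advertises more clouds than allowed."""
    bad = sorted(p for p, clouds in pops.items() if len(clouds) > MAX_CLOUDS_PER_POP)
    if bad:
        raise ValueError(f"PoPs over the {MAX_CLOUDS_PER_POP}-cloud limit: {bad}")


def surviving_clouds(delegation, pops, failed):
    """Delegated clouds still advertised by at least one PoP not in `failed`."""
    alive = set()
    for pop, clouds in pops.items():
        if pop not in failed:
            alive |= clouds
    return delegation & alive


def worst_case(delegation, pops, k):
    """Worst outcome over every set of k simultaneously failed PoPs.

    Returns (fewest surviving delegated clouds, first failure set causing it).
    """
    validate(pops)
    best = None
    for failed in combinations(sorted(pops), k):
        left = surviving_clouds(delegation, pops, set(failed))
        if best is None or len(left) < best[0]:
            best = (len(left), failed)
    return best


if __name__ == "__main__":
    for k in (1, 2, 3):
        left, failed = worst_case(EX1_DELEGATION, POPS, k)
        print(f"{k} failed PoP(s): worst case leaves {left} of "
              f"{len(EX1_DELEGATION)} delegated clouds (e.g. {failed})")
```
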
