
Seminar "Akamai DNS: Providing Authoritative Answers to the World’s Queries"


Presentation of the paper "Akamai DNS: Providing Authoritative Answers to the World’s Queries", presented at the Networking seminar at DCC/UFMG 2021/01.

Presentation (PT-BR): https://www.youtube.com/watch?v=1e5gTxnr-m8
Original paper: https://www.akamai.com/it/it/multimedia/documents/technical-publication/akamai-dns-providing-authoritative-answers-to-the-worlds-queries.pdf

Lucas Bleme

July 12, 2021


Transcript

  1. Lucas Bleme. Akamai DNS: Providing Authoritative Answers to the World’s Queries
  2. Authors: Kyle Schomp, Onkar Bhardwaj, Eymen Kurdoglu, Mashooq Muhaimen and Ramesh K. Sitaraman. SIGCOMM '20 - Annual conference of the ACM Special Interest Group on Data Communication on the applications, technologies, architectures, and protocols for computer communication
  3. Agenda: Problem (motivation), Architecture, Anycast Resiliency, Attack Resiliency, Related Works, Final Evaluation
  4. Problem: Akamai DNS. [Diagram labels: Recursive resolver, DNS Root nameserver, DNS TLD nameserver, Authoritative Nameserver, mywebsite.com]
  5. Problem: Akamai DNS

  6. Problem: Akamai DNS
    • Highly available network (24/7)
    • Resilient authoritative DNS
    • Scalable DNS queries: serving 15-20% of all web traffic
    • Reconfigurable network
    Reference: Erik Nygren, Ramesh K Sitaraman, and Jennifer Sun. 2010. The Akamai Network: A Platform for High-Performance Internet Applications. ACM SIGOPS Operating Systems Review 44, 3 (2010), 2–19.
  7. Overall architecture Point of Presence

  8. Anycast prefixes (A B C D E F G …) from different PoPs [diagram: prefix letters placed at each Point of Presence]
  9. ex1.com delegated to A B C D E F [diagram: prefix letters placed at each Point of Presence]
  10. ex1.com can still be resolved by F [diagram: prefix letters placed at each Point of Presence]
  11. Akamai DNS architecture

  12. Single PoP architecture

  13. Anycast resiliency
    • Failover by withdrawing and advertising anycast prefixes
  14. Anycast resiliency
    • Failover time < 1 sec. for 76% of measurements
  15. Anycast resiliency
    • BGP update causes 200 msec difference between 2/21 PoPs.
  16. Anycast resiliency
    • Traffic shift for single machine failures by withdrawing IP anycast
    • Monitoring agents with limited server suspension permissions to prevent broad outages
  17. Anycast resiliency
    • Uses input-delayed nameservers to prevent input-induced failures
    • Answer DNS queries with intentionally stale data, ensuring that Akamai DNS remains available
    • Higher Multi-Exit Discriminator (MED) values prevent input-delayed NS from responding with stale data
  18. Attack resiliency
    • No PoP supports more than 2 anycast clouds
    • Query scoring and prioritized processing
    • Overprovision bandwidth to avoid saturated links during volumetric attacks
  19. Attack resiliency
  20. Attack resiliency
    • Random subdomain attacks prevented using NXDOMAIN filters

  21. Related Work
    • Matt Calder, Ashley Flavel, Ethan Katz-Bassett, Ratul Mahajan and Jitendra Padhye. Analyzing the Performance of an Anycast CDN. IMC '15: Proceedings of the 2015 Internet Measurement Conference.
    • Sebastian Castro, Duane Wessels, Marina Fomenkov, and Kimberly Claffy. A Day at the Root of the Internet. ACM SIGCOMM Computer Communication Review 38, 5 (2008), 41–46.
    • Erik Nygren, Ramesh K Sitaraman, and Jennifer Sun. 2010. The Akamai Network: A Platform for High-Performance Internet Applications. ACM SIGOPS Operating Systems Review 44, 3 (2010), 2–19.
  22. Final Evaluation: Guiding design principles through experiments leads to a robust authoritative DNS system. Avoiding single points of failure, using automated mitigation strategies, and continuing to operate in a degraded state instead of ceasing to operate at all are the key design principles that allowed such a resilient and highly available DNS system.
  23. Thank you! https://speakerdeck.com/andreybleme Lucas Bleme, andreybleme@ufmg.br. Akamai DNS: Providing Authoritative Answers to the World’s Queries