Seminar "Akamai DNS: Providing Authoritative Answers to the World’s Queries"

Lucas Bleme
Akamai DNS: Providing Authoritative Answers
to the World’s Queries

View Slide

Authors
Kyle Schomp, Onkar Bhardwaj, Eymen Kurdoglu, Mashooq Muhaimen and Ramesh K. Sitaraman
SIGCOMM '20 - Annual conference of the ACM Special Interest Group on Data Communication on the
applications, technologies, architectures, and protocols for computer communication

View Slide

Agenda
Problem
(motivation)
Architecture Anycast
Resiliency
Attack
Resiliency
Related Works Final Evaluation

View Slide

Problem: Akamai DNS
Recursive resolver DNS Root nameserver DNS TLD nameserver Authoritative Nameserver
mywebsite.com

View Slide

Problem: Akamai DNS

View Slide

● High Available network (24/7)
● Resilient authoritative DNS
● Scalable DNS queries: serving 15-20% of all web traffic
● Reconfigurable network
Erik Nygren, Ramesh K Sitaraman, and Jennifer Sun. 2010. The Akamai Network:
A Platform for High-Performance Internet Applications. ACM SIGOPS Operating
Systems Review 44, 3 (2010), 2–19.
Problem: Akamai DNS

View Slide

Overall architecture
Point of
Presence

View Slide

Anycast prefixes (A B C D E F G …) from different PoPs
A E
F
B
C
G
F
B
A D
C
E
D
A
B
G
F A
Point of
Presence

View Slide

ex1.com delegated to A B C D E F
A E
F
B
C
G
F
B
A D
C
E
D
A
B
G
F A
Point of
Presence

View Slide

ex1.com can be still resolved by F
A E
F
B
C
G
F
B
A D
C
E
D
A
B
G
F A
Point of
Presence

View Slide

Akamai DNS architecture

View Slide

Single PoP architecture

View Slide

● Failover withdrawing and advertising anycast prefixes
Anycast resiliency

View Slide

● Failover time < 1 sec. for 76% of measurements
Anycast resiliency

View Slide

● BGP update causes 200 msec difference between 2/21 PoPs.
Anycast resiliency

View Slide

● Traffic shift for single machine failures withdrawing IP anycast
● Monitoring agents with limited server suspension permissions
to prevent broad outages
Anycast resiliency

View Slide

● Uses input-delayed nameservers to prevent input-induced failures
● Answer DNS queries with intentionally stale data ensuring that Akamai DNS remains
available
● Higher Multi-Exit Discriminator (MED) values prevent input-delayed NS to respond stale
data
Anycast resiliency

View Slide

● No PoP supports more than 2 anycast cloud
● Query scoring and prioritized processing
● Overprovision bandwidth to avoid saturated links during volumetric attacks
Attack resiliency

View Slide

Attack resiliency

View Slide

● Random subdomain attacks prevented using NXDOMAIN
filters
Attack resiliency

View Slide

Related Work
Matt Calder, Ashley Flavel, Ethan Katz-Bassett, Ratul Mahajan and Jitendra Padhye. Analyzing
the Performance of an Anycast CDN. IMC '15: Proceedings of the 2015 Internet Measurement
Conference.
Sebastian Castro, Duane Wessels, Marina Fomenkov, and Kimberly Claffy. A Day at the Root of
the Internet, ACM SIGCOMM Computer Communication Review 38, 5 (2008), 41–46.
Erik Nygren, Ramesh K Sitaraman, and Jennifer Sun. 2010. The Akamai Network: A Platform for
High-Performance Internet Applications. ACM SIGOPS Operating Systems Review 44, 3 (2010),
2–19.

View Slide

Final Evaluation
Guiding design principles through experiments lead to a robust authoritative
DNS system.
Avoiding single points of failure, using automated mitigation strategies and
continuing to operate in a degraded state instead of stopping operating at all
are the key design principles that allowed such a resilient and high available
DNS system.

View Slide

Thank you! https://speakerdeck.com/andreybleme
Lucas Bleme
[email protected]
Akamai DNS: Providing Authoritative Answers
to the World’s Queries

View Slide

Seminar "Akamai DNS: Providing Authoritative Answers to the World’s Queries"

Seminar "Akamai DNS: Providing Authoritative Answers to the World’s Queries"

Lucas Bleme

More Decks by Lucas Bleme

Other Decks in Science

Featured

Transcript