Architecting DNS for DDoS Durability and Resilience

My business depends on my domain name being 100% available. How do I ensure my domain name is durable to attack and resilient during Internet stress?

Building on many years of hard work by many Internet engineers and system administrators, Akamai Technologies has been working towards a DNS infrastructure that is ready for service 24/7, 365 days a year, with availability beyond five 9s and an architecture to thwart any form of DNS attack.


The reality is that DNS remains at risk even as the Internet continues to fold into our everyday lives more and more in a way that augments, automates, improves, accelerates, and generally affects all people, places, and things. As the Internet evolves, its infrastructure ages and needs attention and upkeep, the people who operate it change roles, new networks come online, and attackers continue to abuse the Internet’s core mapping system, DNS. Even so, overall DNS traffic trends are up and show how this evolution continues to snowball.

As a central point of control for your services, your domain name can be a magnet for abuse. Why bother launching a denial of service against a website when an attacker can hijack the domain name to send traffic to any arbitrary location? Abusers know that attacking the Internet’s central mapping system can wreak havoc on many people and things. Regular domain name security reviews are essential. Akamai summarizes current best practices for domain security in Protecting Your Domain Names. As part of this review, explore the DNS infrastructure that hosts your domains and ensure that its DNS network is resilient and durable against attacks.

Akamai’s DNS infrastructure is an example of attack resiliency. For more than a decade, Akamai has been investing in DNS to enable our core Edge Services. Just as Akamai’s DNS survives constant attacks, we ensure the same for our customers’ DNS, at any time and in any situation. This results in unparalleled robustness. In our white paper Designing DNS for Availability and Resilience against DDoS Attacks, we share how Akamai delivers primary and secondary authoritative DNS services that remain available through the largest DDoS attacks with unmatched global scale, a segmented IP Anycast architecture, and multiple DDoS controls, including the ability to leverage other Akamai services when necessary.

We still envision a day when DNS is rock solid for all organizations and remain hard at work solving issues and making the Internet better for all. We look forward to sharing more insights with you over the upcoming year with API improvements for better DevOps, additional resource records that support a movement to encrypt more and more traffic, user interface improvements for ease of use, and smarter logic for traffic management.

*** This is a Security Bloggers Network syndicated blog from The Akamai Blog authored by Jim Gilbert. Read the original post at: