DNS – The Phone Book for Internet Users
Conventional views have sometimes described DNS as a tactical network component that doesn’t require much design or long-term thinking. With a closer and more critical look, however, one can see that DNS infrastructure, which serves as the “phone book” for Internet users, can become an asset to network operators that plays an important role in making or breaking the overall subscriber experience.
The emergence of viable off-network public and commercial DNS offerings from providers such as Google is causing network operators to evaluate DNS alternatives that could potentially impact cost and revenue models as well as the operator’s ability to attract and retain subscribers. For instance, operators may consider ramifications such as loss of control over user experience and lost revenues when users do migrate away from the network’s internal DNS service.
In spite of the increased availability of off-net options, network operators can invest in an internal DNS platform and enjoy the benefits of offering a best-in-class embedded DNS service. Those benefits include:
- Opportunities to increase revenue from helping end users find websites and content more easily.
- Better experience control, given that all Internet experiences begin with a DNS operation.
- More cost effective network policy control at the name address level.
- Increased differentiation with consumer-controlled web safety features.
- Highly reliable and consistent browsing experiences for subscribers.
First-Class Quality of Experience Begins with DNS
All Internet experiences begin with a DNS lookup, and in some cases many DNS lookups. It, therefore, stands to reason that a first-class DNS service would not only enable but also be required for end users to achieve a first-class experience with carrier-grade reliability, security and lightning-fast response times. But first-class DNS service requires a DNS platform that performs above and beyond what may be offered by more generic off-network DNS.
In light of that, there are a number of major requirements that network operators should consider when evaluating and choosing a DNS service meant to deliver the highest possible quality of experience (QoE) to subscribers. These are:
- Subscriber awareness – Does the DNS service provide intelligence at the subscriber level while maintaining the ability to offer the service at scale?
- Adaptability to changing standards – Does the service accommodate the shifting Internet landscape to address emerging trends and standards?
- Design and features optimized for network operators – Is the service truly “carrier grade”? Does it deliver the scale, reliability, and functionality to set it apart from more generic offers?
- Superior performance – Will it grow to support expanding subscriber populations and complex DNS transactions dictated by new premium service offers?
- CDN Integration – How does the DNS service integrate with a content delivery network (CDN) to ensure faster, more reliable and more secure delivery of web content, video, and other Internet traffic?
- Security – Is it able to detect and/or prevent attacks such as DDoS amplification and does it proactively monitor usage in order to block unauthorized access and usage?
- Value-add – Does the DNS service enable a path to tiered services or deliver capabilities for which subscribers will gladly pay?
- Flexible Migration – Can the DNS platform co-exist with existing DNS infrastructure and how simple or complex is it to gradually migrate?
- Support – Does the DNS solution vendor have the track record, expertise, and resources to fully support a large-scale DNS deployment? Is support available 24/7?
As shown in the following sections, Akamai AnswerX is a recursive DNS platform that delivers in all of these crucial areas.Simply put, it is unique in its ability to not only help network operators deliver premium Internet QoE, but also help those operators monetize some of the value-add capabilities it offers.
A core value provided by AnswerX is that of a subscriber-aware DNS service. With subscriber awareness comes the ability to introduce customer-specific DNS behavior:
- NXDOMAIN monetization with permanent, subscriber-aware opt out / preference management.
- Notification functionality for various use cases such as initial subscriber provisioning, DMCA violation messaging, phishing domain protection, bandwidth usage limit notifications, bill payment issues, etc.
- Content filtering with simple rating category preferences similar to motion picture ratings (e.g. G, PG, PG-13, R) and time of day controls.
Subscriber awareness also gives AnswerX the ability to protect the DNS environment through functions such as query load limiting and CIDR range allows/deny (or more fine-grained controls) for customers versus non-customers or anonymous users.
Adaptability to Changing Standards
With the coming of IPv6 and DNSSEC amidst rapidly evolving and escalating Internet security concerns, the global DNS environment is changing more rapidly than it has in quite some time. Emerging standards such as EDNS Client Subnet (ECS) are also making DNS a more effective tool for delivering content faster and more efficiently to end-users.
AnswerX supports recent as well as emerging standards and provides built-in features to enable the transitions to IPv6, DNSSEC and ECS. With these features, AnswerX greatly simplifies DNS administration tasks for service providers, provides carrier-grade support, and improves CDN performance to reduce total cost of ownership and maximize subscriber experience.
Design and Features Optimized for Network Operators
AnswerX was designed by a team of engineers that have spent most of their careers developing solutions for Internet service providers (ISPs). AnswerX was built specifically to address the needs of ISPs at massive scale. In fact, ISP operators who deploy AnswerX have surpassed 1 trillion queries in a week across their DNS farms.
AnswerX also includes several noteworthy features that combine to offer the best DNS customer experience available:
- Cache prefetching – AnswerX supports the prefetching of popular answers from cache. With this enabled, a cached DNS name that is approaching the end of its time-to-live (TTL) will be refreshed just before the TTL expires. In this case, subscribers are never forced to wait for the round-trip resolution of a popular name.
- Scalable Statistics – Like many DNS packages, AnswerX includes many statistics and is able to output them at various intervals. Additionally, AnswerX provides scalable “top N” statistics counters that can be assigned to almost any combination of events or time intervals. This gives the ISP the ability to monitor statistics that were either difficult to monitor, labor intensive or impossible to deliver in the past.
- Cache Pinning – With this feature enabled, operators can provide a list of domain names of their choosing which will always remain cached, regardless of traffic level, and will also be ‘always available’— even in the event of network anomalies. Domains to consider treating in this manner could be less busy but very important domains; for example, resolutions required for VoIP services to function.
Local Domain Support - AnswerX supports a BIND-like version of local domains. With this, you can enable the authoritative set of domains that only those with access to the recursive resolvers can use. Even more conveniently than BIND, AnswerX provides a centralized point of management. With an update of the local zone file in a single location (typically on a Record Keeping Server, or RKS), individual AnswerX servers will begin serving the new data with no reload or restart necessary.
Shared Answer Caches - AnswerX supports a shared cache model that allows authoritative responses from the network to be shared among peer AnswerX servers. Especially in the case of load-balanced farms of AnswerX servers, this can provide for a “snappier” web browsing experience, as there is no re-resolution necessary as subscribers transition from server to server via the load-balancing algorithm.
Location-Optimized Content Delivery – AnswerX can inform the content delivery network (CDN) with end user source IP addresses to help keep traffic local and close to the subscriber. Support for EDNS client subnet (ECS) communicates topology data points when the recursive name servers are not precisely representing user locations. This improves overall network performance by serving HTTP content from optimal locations.
AnswerX provides carrier-grade performance. Out-of-box configurations on inexpensive commodity hardware will easily support more than 50,000 queries per second, with average latencies less than BIND. Larger multi-core processors with advanced networking capabilities can approach 1 million queries per second. AnswerX supports popular operating systems, including Red Hat Enterprise Linux, Solaris 10 and FreeBSD.
As Akamai’s recursive DNS resolver, AnswerX tightly integrates with and complements the authoritative DNS technology built into the Akamai Intelligent Platform™, the world’s leading cloud services platform. Akamai’s authoritative DNS infrastructure efficiently and accurately maps content from Akamai’s worldwide base of web and media customers to a global network of 170,000+ servers to assure fast delivery of that content to the subscriber. The policy-driven intelligence provided by AnswerX enables better overall DNS performance and more highly granular content mapping by working in conjunction with the DNS extensions supported by Akamai. AnswerX policies also have the ability to play a key role in advanced persistent threat (APT) mitigation, an Akamai service critically important for enterprise or government entity websites that are frequently targeted by malicious groups or individuals for political or financial gain.
AnswerX complements Akamai’s other DNS-based services as well, including Fast DNS, which improves DNS responses by up to 75%, protects against DNS-based DDoS attacks and leverages Akamai DNSSEC to prevent DNS forgery and manipulation; and Global Traffic Manager (GTM), Akamai’s DNS-based load balancer designed to ensure high availability and responsiveness to user requests.
AnswerX also integrates with Akamai’s operator CDN solutions including Aura Licensed CDN (LCDN) and Aura Managed CDN (MCDN), which is used by network operators to deliver their own content (multiscreen video, VoD, 4k linear video broadcast, etc.) and offload network and transit costs from Internet-originated content such as large file downloads and streaming events. Operators can, for example, leverage AnswerX for value-add capabilities such as:
- Non-existent domain (NXDOMAIN) redirection to prevent theft of service via DNS hijacking.
- Parental Controls enabled through AnswerX Name Controls.
- Proactive subscriber notifications, such as security alerts or billing notifications.
AnswerX excels in its ability to provide security, delivering more security features than any of the alternative DNS solutions. Security controls are policy driven and dynamic and proactively ensure appropriate and fair use of DNS resources. Security features include the following:
- Port randomization, 0x20 randomization.
- Multiple outgoing IP randomization (in addition to ports).
- Kaminsky attack detection (adjustable) and auto-clearing and TCP fallback mitigation.
- Minimal Responses.
- Best-in-class response rate limiting (size based with slippage) for reflector attack prevention.
- Infrastructure cache mitigation of dribbling zombies, plus dribbling name servers (adjustable).
- Maximum NS server restrictions on remote domains.
- Secure query parsing (ignoring RCODE).
- Smart NS server waiting interval monitoring for purposely bad authoritative servers.
- Enhanced query compression of not just outbound requests, but responses to them.
- TCP stack monitoring for mitigating “pipeline stuffing” DOS attacks.
- Reputation data sources such as the Akamai Client Reputation data source.
AnswerX serves as a clever and cost effective services creation platform to improve search and content filtering with two optional add-ons: AnswerX Search Guide and AnswerX Name Controls. With AnswerX Search Guide, DNS can become a profit center simply by providing search service flexibility and choice to subscribers. Using relevant search experience and suggestions, AnswerX Search Guide simplifies and secures web navigation, even in cases of address bar typos or manually entered web addresses. The total solution also includes DNS policy control, end user landing experiences, analytics and monitoring. In conjunction with industry leading partners such as Yahoo!®, AnswerX Search Guide enables search services that subscribers can leverage not only to compensate for typos and name errors but also to create safer search experiences when combined with AnswerX Name Controls.
AnswerX Name Controls provides a mechanism for primary account owners to control which content can be viewed by which household members— a service that can be leveraged into premium service tiers that deliver more revenue. Users opt into intuitive rating categories, such as R or PG, for types of websites to allow or not allow certain types of content to be viewed on connected devices. When a device and its user attempts to view content outside of the default selection, AnswerX Name Controls presents a notification page along with a PIN override if the subscriber desires to view the content regardless of the recommendation. AnswerX Name Controls also protects subscribers from unwanted visits to malware and phishing websites that risk the safety of personal information.
Network operators with existing DNS can plan and migrate to AnswerX in a number of ways. Given its performance characteristics and ability to run in different operating environments, AnswerX can co-exist with other recursive servers, such as BIND, on the same hardware and operating system machine. It does so by clearing resources for its own operation through policy for security and quick performance. Another alternative is to introduce server nodes with AnswerX as part of the load-balanced cluster. Once validated, AnswerX can then be implemented across the entire footprint in a span of weeks with a straightforward programmatic effort.
Akamai provides 24/7 support for AnswerX via its help desk platform and has response level commitments based on severity levels with the only requirement being that licensees keep their software current to within two major releases. As Akamai announces a new release, customers can choose to accept the release and manage it themselves or make use of Akamai professional services to assist with the upgrade. Additionally, the Akamai professional services team can be engaged proactively, ensuring that systems continue to run smoothly as they scale up. Finally, the Akamai AnswerX product team is eager to engage; questions, comments and feature requests are always welcome and help to benefit the entire user community.
AnswerX is more than a generic recursive DNS solution. It is a best-in-class intelligent network asset specifically designed and built for network operators to manage and monetize DNS traffic. With its high performance, flexibility and broad set of supported functions, AnswerX offers a number of advantages, including:
- Best-in-class total cost of ownership (TCO).
- Best-in-class speed and performance.
- Integration with the Akamai Intelligent Platform™.
- Best-in-class security.
- Powerful service creation platform.
- EDNS client subnet (ECS) capabilities.
- …and many others.
A market trial is an effective means to validate the many advantages and capabilities of the AnswerX platform and can be used to establish a path towards eventual service differentiation. Akamai welcomes the opportunity to partner with network operators interested in planning and implementing a market trial for AnswerX. To learn more about AnswerX, please contact firstname.lastname@example.org or visit Akamai’s website.