Content Delivery has become a required strategy for many online services. From fast loading web pages to media streaming, CDNs can accelerate content downloads, making sites more engaging and more useful. But a user has to first be able to reach the CDN and for that to happen you need DNS.
Although CDNs get resources much closer to users on average than a data center or hosting site, there is always the public internet to traverse between the user’s home network, typically their ISP, and the edge of the CDN network. These paths often experience issues that slow down access to the CDN or block the connection altogether. No problem is as pervasive and damaging as Distributed Denial of Service (DDoS) attacks, which flood a network with traffic that prevents legitimate traffic from getting through to the CDN.
All paths between users and CDNs are established by a combination of CDN IP addresses and the ISP’s choice of transit vendors. The CDN’s IP addresses live in DNS records, and each ISP’s resolvers look up that DNS information to determine where the user is to be sent. With CDNs, much of the dynamic behaviour of the solution lives inside the CDN infrastructure, but the entry point to that infrastructure is the DNS lookup. So the relationship between a CDN’s architecture and policies and the DNS architecture and management becomes increasingly important.
When a DDoS attack occurs, DNS lookups can become very slow or fail entirely. No DNS response means the user cannot be connected to the CDN. So, no matter how efficient the CDN network itself is, no access means no service.
A top-notch DNS solution can limit the impact of DDoS events on CDN access in the following ways:
- Advanced, cloud-based DNS solutions use a distributed nameserver network (Anycast) in which every nameserver location answers queries for the same addresses. Because attack traffic is drawn to the nearest Anycast location, an attack can be geographically confined to a small part of the DNS infrastructure while the rest of the network continues to respond with consistent performance.
- Large, well-managed cloud-based DNS solutions can absorb large volumes of attack traffic and still have capacity to process valid queries. This is especially true of DNS solutions that use multiple Tier 1 transit providers at multiple global POPs with high-capacity links.
- Using multiple DNS networks that work together to direct users to the CDN can also be effective: a zone is served by a common nameserver pool spanning more than one provider (secondary DNS). If one provider’s nameservers are unavailable, the other provider may well be unaffected and can carry on answering queries without significant effect on consistency or performance.
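The secondary DNS point above is only as good as the pool’s actual behaviour: every provider must be answering, and all of them must serve the same zone version. The following is an added example, not code from the original post, that evaluates a nameserver pool from constructed `dig +short SOA`-style answers (no network queries are made); the nameserver names and the rule that a provider is identified by the NS hostname’s parent domain are assumptions.

```python
"""Check that a zone's nameserver pool answers consistently across providers,
as a multi-provider (secondary DNS) setup is meant to do. Answers below are
constructed in the shape of `dig +short SOA` output; nothing touches the network."""
from collections import defaultdict

# Constructed sample: nameserver -> SOA answer it returned ("" = timeout / no answer)
SAMPLE_ANSWERS = {
    "ns1.provider-a.example": "ns1.provider-a.example. hostmaster.example.com. 2024010502 7200 900 1209600 300",
    "ns2.provider-a.example": "ns1.provider-a.example. hostmaster.example.com. 2024010502 7200 900 1209600 300",
    "ns1.provider-b.example": "ns1.provider-a.example. hostmaster.example.com. 2024010502 7200 900 1209600 300",
    "ns2.provider-b.example": "",  # constructed: this server timed out under load
}

def soa_serial(answer):
    """Return the serial from a `dig +short SOA` style answer, or None if no answer."""
    fields = answer.split()
    return int(fields[2]) if len(fields) >= 7 else None

def provider_of(ns):
    """Assumption: each provider serves from its own parent domain, e.g. provider-a.example."""
    return ".".join(ns.split(".")[-2:])

def assess_pool(answers):
    """Summarise whether the pool would survive losing one provider.
    A pool is 'resilient' when at least two providers answer and every
    answering server serves the same zone serial (secondaries are in sync)."""
    serials = {ns: soa_serial(a) for ns, a in answers.items()}
    by_provider = defaultdict(list)
    for ns in answers:
        by_provider[provider_of(ns)].append(ns)
    answering = {p for p, nss in by_provider.items()
                 if any(serials[n] is not None for n in nss)}
    seen = {s for s in serials.values() if s is not None}
    return {
        "providers": len(by_provider),
        "answering_providers": len(answering),
        "serials_consistent": len(seen) == 1,
        "unanswered": sorted(ns for ns, s in serials.items() if s is None),
        "resilient": len(answering) >= 2 and len(seen) == 1,
    }

if __name__ == "__main__":
    print(assess_pool(SAMPLE_ANSWERS))
```

A serial mismatch between providers is the usual sign that zone transfers to the secondary have stalled, which is worth alerting on before an attack makes the primary unreachable.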
So, it’s clear that DNS solutions can play an important part in mitigating DDoS attacks that would otherwise affect availability, security and performance. Adding other DDoS protection services, such as DDoS scrubbing centers, can also provide effective ways of absorbing and filtering very large volumes of DDoS traffic to keep your business up and running. These services carry additional costs and often introduce more latency than a DDoS-mitigating DNS solution. But in the battle against ever-increasing DDoS attacks, a combination of multiple, highly effective DNS and DDoS scrubbing solutions should be seriously considered.