6

I have played with DNS a lot lately, and I have found that some big companies' web sites use the Akamai NS as the Name Server for their WWW servers, for example:

```
$>nslookup
> www.redhat.com
Server:     192.168.43.1
Address:    192.168.43.1#53

Non-authoritative answer:
www.redhat.com  canonical name = www.redhat.com.edgekey.net.
www.redhat.com.edgekey.net  canonical name = www.redhat.com.edgekey.net.globalredir.akadns.net.
www.redhat.com.edgekey.net.globalredir.akadns.net   canonical name = e86.b.akamaiedge.net.
Name:   e86.b.akamaiedge.net
Address: 2.23.96.112

> www.ynet.co.il
Server:     192.168.43.1
Address:    192.168.43.1#53

Non-authoritative answer:
www.ynet.co.il  canonical name = ynet.co.il.d4p.net.
ynet.co.il.d4p.net  canonical name = a39.g.akamai.net.
Name:   a39.g.akamai.net
Address: 81.218.31.170
```

I have looked at the Akamai website, but couldn't find the exact problem this is supposed to solve for its users, though I could understand that it is related to security (maybe to prevent DDoS attacks).

Does anybody know what kinds of attacks it is supposed to solve? Or maybe I am just wrong and there isn't any relation to security, but rather to outsourcing the DNS management?

schroeder
Hanan N.
  • As this question is 8 years old, you might consider reviewing the newer answers that provide more recent info, which appear relevant. Up to you, though. – schroeder Aug 31 '19 at 07:46

3 Answers

14

Akamai is one of the largest CDN companies in the world. CDN networks make web sites perform faster by bringing content closer to web sites' visitors, through different technologies.

A CDN can shield web sites from surges in traffic, whether it is benign traffic (a site hosting a hot video) or malicious traffic when the site is under a DDoS attack. This protection comes from the size/scalability of a CDN vs. a regular web site's (10000s of servers vs 10s).

For the content that web sites want to be served via a CDN, they will create a CNAME that points to an A record that belongs to the CDN (as in the output of nslookup above).

David Refoua
Bassec
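The CNAME delegation described in this answer can be read straight off the question's nslookup output. The following is an added example, not part of any answer on this page: it parses that output, walks the CNAME chain with loop detection, and reports the first hop under a CDN-operated suffix. The function names and the suffix list (taken from names visible in the question) are assumptions of the example.

```python
import re

# nslookup answer for www.redhat.com, copied from the question above.
SAMPLE = """\
www.redhat.com  canonical name = www.redhat.com.edgekey.net.
www.redhat.com.edgekey.net  canonical name = www.redhat.com.edgekey.net.globalredir.akadns.net.
www.redhat.com.edgekey.net.globalredir.akadns.net   canonical name = e86.b.akamaiedge.net.
Name:   e86.b.akamaiedge.net
Address: 2.23.96.112
"""
# Suffixes seen in the question's output; an assumption, not a complete list.
CDN_SUFFIXES = ("edgekey.net", "akadns.net", "akamaiedge.net", "akamai.net")
CNAME_RE = re.compile(r"^(\S+)\s+canonical name = (\S+)$")
ADDR_RE = re.compile(r"^Address:\s+(\S+)$")

def norm(name):
    return name.rstrip(".").lower()  # drop the root dot, compare case-insensitively

def parse_answer(text):
    """Return (cname_map, addresses) from nslookup output."""
    cnames, addrs = {}, []
    for line in text.splitlines():
        m = CNAME_RE.match(line.strip())
        if m:
            cnames[norm(m.group(1))] = norm(m.group(2))
        elif (m := ADDR_RE.match(line.strip())) and "#" not in m.group(1):
            addrs.append(m.group(1))  # "ip#53" is the resolver itself, not an answer
    return cnames, addrs

def follow(name, cnames):
    """Walk the CNAME chain starting at name; raise on a loop."""
    chain = [norm(name)]
    while chain[-1] in cnames:
        nxt = cnames[chain[-1]]
        if nxt in chain:
            raise ValueError("CNAME loop at " + nxt)
        chain.append(nxt)
    return chain

def first_cdn_hop(chain):
    """First name after the queried one that falls under a listed suffix."""
    for hop in chain[1:]:
        if any(hop == s or hop.endswith("." + s) for s in CDN_SUFFIXES):
            return hop
    return None

if __name__ == "__main__":
    cnames, addrs = parse_answer(SAMPLE)
    chain = follow("www.redhat.com", cnames)
    print(" -> ".join(chain), addrs, first_cdn_hop(chain))
```

Run over an inventory of your own hostnames, the first CDN hop shows exactly where each name is handed to a third party's DNS.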
8

It's a couple of things. The answers above are right, but also missing an important feature.

It is for DDoS prevention. DNS is one of the last unencrypted, unauthenticated, UDP protocols in common use on the Internet. That makes it great for reflected or bot-directed attacks. Using a DNS service can help keep those from hitting your data center.

It is for optimization: we can steer the response to a server near you. There can be lots of A/AAAA records for each name, and we might give out different ones in London than in Berlin.

There's also a misfeature of the DNS protocol: you can't have a CNAME and an MX record for the same name. Well, if we can tell whether you're a mail server looking to relay or an end client looking for a web site, we can show you one or the other. Look at https://www.akamai.com/us/en/products/security/fast-dns.jsp for words like "zone apex mapping" to read more.

(Note: I work for Akamai Information Security; this is neither my personal statement, nor Akamai's, but the product of editing by others)

Brian Sniffen
  • You can't have a CNAME with any other type of record, so no MX, no A... and no SOA either, so you can't have a CNAME for the bare domain. – Ángel Aug 29 '19 at 21:04
  • True. There’s more complexity there, including serving an A record for the apex, and what that A record serves. – Brian Sniffen Aug 30 '19 at 22:26
5

From what I understand in there, it seems to be a service for optimisation.

It seems to be some kind of Content Delivery Network used to host the same content in different places to deliver it faster to clients around the world.

M'vy