Let us start with traditional DNS hosting with any DNS hoster or ISP. How does traditional DNS name resolution work? When you type a human-readable name such as http://www.anydomain.com into the address bar of Internet Explorer, that name is resolved to an Internet Protocol (IP) address hosted by an Internet Service Provider (ISP), and the browser presents the website to the user. By doing so, the website exposes its public IP address to everyone. Good and bad guys alike know the IP address and can trace it globally. State-sponsored hackers or a private individual can launch a denial of service attack, also known as DDoS, against a website whose public IP address is known and traceable. The bad guys can send an overwhelming number of fake service requests to the real IP address behind the human-readable name http://www.anydomain.com and shut the website down. In this situation, the DNS server hosting the DNS record for http://www.anydomain.com will stop serving genuine DNS requests, resulting in a distributed denial of service (DDoS).

Akamai introduced Fast DNS, a dynamic DNS service with a presence in almost every country, state, territory and region, to mitigate this risk of DDoS and DNS hijacking.

Akamai Fast DNS offloads domain name resolution from on-premises infrastructure and traditional domain name providers to an intelligent, secure and authoritative DNS service. Akamai has successfully prevented DDoS attacks, DNS forgery and manipulation through complex dynamic DNS hosting and spoof IP addresses.

As of today Akamai has more than 150,000 servers in more than 2,000 locations around the world, well connected across 1,200+ networks in 700+ cities in 92 countries, and in most cases an Akamai edge server is just a hop away from the end user.

How does it work?

  1. The user requests http://www.anydomain.com
  2. The user’s ISP responds to the DNS name query for http://www.anydomain.com
  3. The user’s ISP resolves the DNS name http://www.anydomain.com to http://www.anydomain.com.edgekey.net, hosted by Akamai
  4. Akamai Global DNS checks the CNAME http://www.anydomain.com.edgekey.net and the region the request is coming from
  5. Akamai Global DNS then forwards the request to the Akamai regional DNS server, for example Sydney, Australia
  6. The Akamai regional DNS server forwards the request to the Akamai edge server nearest the user’s location, for example Melbourne, Australia
  7. The Akamai local DNS server, for example Melbourne, Australia, resolves the original CNAME http://www.anydomain.com to http://www.anydomain.com.edgekey.net
  8. http://www.anydomain.com.edgekey.net resolves to the website http://www.anydomain.com (from cache, if cached) served by Akamai, which is then presented to the user’s browser

Since Akamai uses dynamic DNS servers, it is extremely difficult for a bad guy to track down the real IP address of the website and its origin host. In Akamai terminology, .au or .uk means that the website is hosted in that country (au or uk), but the response is delivered to the user from his/her own geolocation, hence the IP address of the website will always be presented from the Akamai edge server in the user’s geolocation. In plain English, the origin host and its IP address vanish inside Akamai’s complex dynamic DNS servers. For example,

  1. http://www.anydomain.com.edgekey.net resolves to a spoof IP address hosted by an Akamai DNS server
  2. The original IP address of http://www.anydomain.com is never resolved by the Akamai DNS server or by the ISP hosting http://www.anydomain.com

Implementing Akamai Fast DNS:

  1. Create a host A record at your ISP for http://www.anydomain.com and point it to the 201.17.xx.xx public IP (the VIP of Azure Web Services or any other web service)
  2. Create an origin host record or CNAME record for http://www.anydomain.com and point it to xyz9013452bcf.anydomain.com
  3. Now request Akamai to work its black magic on http://www.anydomain.com and point it to http://www.anydomain.com.edgekey.net
  4. Once Akamai completes the black magic, request your ISP to create another CNAME record, xyz9013452bcf.anydomain.com, pointing to http://www.anydomain.com.edgekey.net
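The resolution walk-through and the four implementation steps above describe one mechanism: the public name becomes the head of a CNAME chain that terminates inside the CDN’s zone, so a recursive resolver never hands out the origin’s A record. The Python below is an added example, not code from the original post or from Akamai. It models a tiny in-memory zone and a resolver that follows CNAMEs with a hop limit and loop detection, and then runs a defender-side check: does resolving the public name leak the origin address? The host names follow the steps above; the 201.17.0.10 origin VIP, the e1699.dscc.akamaiedge.net terminal name and the 118.215.118.16 edge answer are constructed sample values. One simplification is labelled in the code: because a single owner name cannot carry both an A and a CNAME record, the origin A record is kept under a separate name (origin.anydomain.com, constructed) in the "after" zone, and a single fixed edge answer stands in for Akamai’s per-geolocation mapping.

```python
"""Show how a CNAME chain keeps the origin A record out of public answers.

Added example, not Akamai's code. A toy zone plus a resolver that follows
CNAMEs the way a recursive resolver does, with a hop limit so a CNAME loop
cannot spin forever. All addresses and the origin/edge names are constructed.
"""

from typing import Dict, List, Tuple

# Each owner name holds one (type, rdata) record; names are stored in lower
# case without the trailing dot.
Zone = Dict[str, Tuple[str, str]]

ORIGIN_IP = "201.17.0.10"  # constructed stand-in for the 201.17.xx.xx VIP

# "Before": the public name points straight at the origin VIP.
BEFORE: Zone = {
    "www.anydomain.com": ("A", ORIGIN_IP),
}

# "After": the records from the implementation steps above. Simplification:
# the origin A record lives under its own name, since an owner name cannot
# hold both an A and a CNAME record.
AFTER: Zone = {
    "www.anydomain.com": ("CNAME", "xyz9013452bcf.anydomain.com"),
    "xyz9013452bcf.anydomain.com": ("CNAME", "www.anydomain.com.edgekey.net"),
    "www.anydomain.com.edgekey.net": ("CNAME", "e1699.dscc.akamaiedge.net"),
    "e1699.dscc.akamaiedge.net": ("A", "118.215.118.16"),  # constructed edge
    "origin.anydomain.com": ("A", ORIGIN_IP),               # nothing public points here
}

MAX_CNAME_HOPS = 8  # a real resolver also caps chain length


def resolve(zone: Zone, name: str) -> Tuple[List[str], str]:
    """Follow CNAMEs from `name`; return (names visited, final address).

    Raises LookupError on a dangling name, a CNAME loop or an over-long chain.
    """
    name = name.lower().rstrip(".")
    chain = [name]
    for _ in range(MAX_CNAME_HOPS):
        rtype, rdata = zone.get(name, ("NXDOMAIN", ""))
        if rtype == "A":
            return chain, rdata
        if rtype != "CNAME":
            raise LookupError(f"{name}: no A or CNAME record")
        name = rdata.lower().rstrip(".")
        if name in chain:
            raise LookupError(f"CNAME loop at {name}")
        chain.append(name)
    raise LookupError("CNAME chain exceeds hop limit")


def origin_exposed(zone: Zone, public_name: str, origin_ip: str) -> bool:
    """Defender check: does resolving the public name return the origin IP?"""
    try:
        _, addr = resolve(zone, public_name)
    except LookupError:
        return False
    return addr == origin_ip


if __name__ == "__main__":
    for label, zone in (("before", BEFORE), ("after", AFTER)):
        chain, addr = resolve(zone, "www.anydomain.com")
        leak = origin_exposed(zone, "www.anydomain.com", ORIGIN_IP)
        print(f"{label:6} {' -> '.join(chain)} => {addr}"
              f"{'  (origin exposed)' if leak else ''}")
```

Running it prints the "before" chain ending at the origin VIP and the "after" chain ending at the edge address. The `origin_exposed` check is the one worth keeping in a deployment pipeline: it catches the case where someone re-adds a direct A record for the public name after the CDN cut-over.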

Testing Akamai Fast DNS: I am using http://www.akamai.com as the DNS name instead of a real DNS record of any of my clients.

Go to mxtoolbox.com and do a DNS lookup of http://www.akamai.com; you will see

CNAME http://www.akamai.com resolves to http://www.akamai.com.edgekey.net

Open a command prompt and ping www.akamai.com.edgekey.net

Since I am pinging from Sydney, Australia, my ping is answered by the Akamai edge server in Sydney; the result is

ping www.akamai.com.edgekey.net

Pinging e1699.dscc.akamaiedge.net [118.215.118.16] with 32 bytes of data:
Reply from 118.215.118.16: bytes=32 time=6ms TTL=56
Reply from 118.215.118.16: bytes=32 time=3ms TTL=56

Open a browser, go to http://www.kloth.net/services/dig.php and trace e1699.dscc.akamaiedge.net

; <<>> DiG 9 <<>> @localhost e1699.dscc.akamaiedge.net A
; (1 server found)
;; global options: +cmd
.                          375598  IN  NS  d.root-servers.net.
.                          375598  IN  NS  c.root-servers.net.
.                          375598  IN  NS  i.root-servers.net.
.                          375598  IN  NS  j.root-servers.net.
.                          375598  IN  NS  k.root-servers.net.
.                          375598  IN  NS  m.root-servers.net.
.                          375598  IN  NS  a.root-servers.net.
.                          375598  IN  NS  l.root-servers.net.
.                          375598  IN  NS  e.root-servers.net.
.                          375598  IN  NS  f.root-servers.net.
.                          375598  IN  NS  b.root-servers.net.
.                          375598  IN  NS  g.root-servers.net.
.                          375598  IN  NS  h.root-servers.net.
;; Received 228 bytes from 127.0.0.1#53(127.0.0.1) in 3 ms
net.                       172800  IN  NS  a.gtld-servers.net.
net.                       172800  IN  NS  b.gtld-servers.net.
net.                       172800  IN  NS  c.gtld-servers.net.
net.                       172800  IN  NS  d.gtld-servers.net.
net.                       172800  IN  NS  e.gtld-servers.net.
net.                       172800  IN  NS  f.gtld-servers.net.
net.                       172800  IN  NS  g.gtld-servers.net.
net.                       172800  IN  NS  h.gtld-servers.net.
net.                       172800  IN  NS  i.gtld-servers.net.
net.                       172800  IN  NS  j.gtld-servers.net.
net.                       172800  IN  NS  k.gtld-servers.net.
net.                       172800  IN  NS  l.gtld-servers.net.
net.                       172800  IN  NS  m.gtld-servers.net.
;; Received 512 bytes from 2001:7fd::1#53(2001:7fd::1) in 8 ms
akamaiedge.net.            172800  IN  NS  la1.akamaiedge.net.
akamaiedge.net.            172800  IN  NS  la3.akamaiedge.net.
akamaiedge.net.            172800  IN  NS  lar2.akamaiedge.net.
akamaiedge.net.            172800  IN  NS  ns3-194.akamaiedge.net.
akamaiedge.net.            172800  IN  NS  ns6-194.akamaiedge.net.
akamaiedge.net.            172800  IN  NS  ns7-194.akamaiedge.net.
akamaiedge.net.            172800  IN  NS  ns5-194.akamaiedge.net.
akamaiedge.net.            172800  IN  NS  a12-192.akamaiedge.net.
akamaiedge.net.            172800  IN  NS  a28-192.akamaiedge.net.
akamaiedge.net.            172800  IN  NS  a6-192.akamaiedge.net.
akamaiedge.net.            172800  IN  NS  a1-192.akamaiedge.net.
akamaiedge.net.            172800  IN  NS  a13-192.akamaiedge.net.
akamaiedge.net.            172800  IN  NS  a11-192.akamaiedge.net.
;; Received 504 bytes from 2001:503:a83e::2:30#53(2001:503:a83e::2:30) in 14 ms
dscc.akamaiedge.net.       8000    IN  NS  n7dscc.akamaiedge.net.
dscc.akamaiedge.net.       4000    IN  NS  n0dscc.akamaiedge.net.
dscc.akamaiedge.net.       6000    IN  NS  a0dscc.akamaiedge.net.
dscc.akamaiedge.net.       6000    IN  NS  n3dscc.akamaiedge.net.
dscc.akamaiedge.net.       4000    IN  NS  n2dscc.akamaiedge.net.
dscc.akamaiedge.net.       6000    IN  NS  n6dscc.akamaiedge.net.
dscc.akamaiedge.net.       4000    IN  NS  n5dscc.akamaiedge.net.
dscc.akamaiedge.net.       8000    IN  NS  n1dscc.akamaiedge.net.
dscc.akamaiedge.net.       8000    IN  NS  n4dscc.akamaiedge.net.
;; Received 388 bytes from 184.85.248.194#53(184.85.248.194) in 8 ms
e1699.dscc.akamaiedge.net. 20      IN  A   23.74.181.249
;; Received 59 bytes from 77.67.97.229#53(77.67.97.229) in 5 ms
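The trace above is easier to reason about when it is read mechanically: which zone delegated to which, which server answered each step, where the chain ends and how long that final answer may be cached (the A record carries a 20 second TTL, which is what lets the CDN re-steer clients quickly). The Python below is an added example, not code from the original post or from Akamai. SAMPLE is an abridged copy of the dig output above (a few NS records per zone, the ";; Received" lines and the final A record); the reverse-DNS cross-check assumes the aNN-NN-NN-NN.deploy.static.akamaitechnologies.com naming pattern that appears in the tracert and nslookup output on this page and verifies that such a name encodes the address it was printed for.

```python
"""Summarise a dig +trace-style delegation chain and cross-check the answer.

Added example, not code from the original post or from Akamai. SAMPLE is an
abridged copy of the dig trace shown above (a few NS records per zone).
"""

import re
from typing import Dict, List

SAMPLE = """\
; <<>> DiG 9 <<>> @localhost e1699.dscc.akamaiedge.net A
; (1 server found)
;; global options: +cmd
.                          375598  IN  NS  d.root-servers.net.
.                          375598  IN  NS  c.root-servers.net.
.                          375598  IN  NS  i.root-servers.net.
;; Received 228 bytes from 127.0.0.1#53(127.0.0.1) in 3 ms
net.                       172800  IN  NS  a.gtld-servers.net.
net.                       172800  IN  NS  b.gtld-servers.net.
;; Received 512 bytes from 2001:7fd::1#53(2001:7fd::1) in 8 ms
akamaiedge.net.            172800  IN  NS  la1.akamaiedge.net.
akamaiedge.net.            172800  IN  NS  ns3-194.akamaiedge.net.
;; Received 504 bytes from 2001:503:a83e::2:30#53(2001:503:a83e::2:30) in 14 ms
dscc.akamaiedge.net.       8000    IN  NS  n7dscc.akamaiedge.net.
dscc.akamaiedge.net.       4000    IN  NS  n0dscc.akamaiedge.net.
;; Received 388 bytes from 184.85.248.194#53(184.85.248.194) in 8 ms
e1699.dscc.akamaiedge.net. 20      IN  A   23.74.181.249
;; Received 59 bytes from 77.67.97.229#53(77.67.97.229) in 5 ms
"""

# One resource record line: owner, TTL, class IN, type, rdata (single token).
RECORD_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(\S+)$")
# The ";; Received ..." line closes the group of records one server returned.
RECEIVED_RE = re.compile(r"^;; Received \d+ bytes from (\S+?)#\d+")


def parse_trace(text: str) -> List[Dict]:
    """Split the trace into steps: the zone, its records, the answering server."""
    steps: List[Dict] = []
    pending: List[Dict] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue  # tolerate the blank lines a blog copy/paste adds
        rec = RECORD_RE.match(line)
        if rec:
            owner, ttl, rtype, rdata = rec.groups()
            pending.append({"owner": owner, "ttl": int(ttl),
                            "type": rtype, "rdata": rdata})
            continue
        got = RECEIVED_RE.match(line)
        if got and pending:
            steps.append({"zone": pending[0]["owner"],
                          "answered_by": got.group(1),
                          "records": pending})
            pending = []
    return steps


def delegation_chain(steps: List[Dict]) -> List[str]:
    """Zones in the order the resolver walked them, root first."""
    return [s["zone"] for s in steps]


def final_answers(steps: List[Dict], rtype: str = "A") -> List[Dict]:
    """Terminal records of the requested type (normally the A answer + TTL)."""
    return [r for s in steps for r in s["records"] if r["type"] == rtype]


# Akamai's reverse names encode the address: a23-74-181-249.deploy.static...
AKAMAI_RDNS_RE = re.compile(
    r"^a(\d{1,3})-(\d{1,3})-(\d{1,3})-(\d{1,3})"
    r"\.deploy\.static\.akamaitechnologies\.com\.?$", re.IGNORECASE)


def rdns_matches_ip(rdns_name: str, ip: str) -> bool:
    """True when the reverse name ping/tracert printed encodes this IP."""
    m = AKAMAI_RDNS_RE.match(rdns_name)
    return bool(m) and ".".join(m.groups()) == ip


if __name__ == "__main__":
    steps = parse_trace(SAMPLE)
    for s in steps:
        ns = [r["rdata"] for r in s["records"] if r["type"] == "NS"]
        print(f"{s['zone']:28} answered by {s['answered_by']:22} "
              f"NS: {', '.join(ns) or '-'}")
    for a in final_answers(steps):
        print(f"answer {a['owner']} -> {a['rdata']} (TTL {a['ttl']} s)")
    print("rDNS consistent:", rdns_matches_ip(
        "a23-74-181-249.deploy.static.akamaitechnologies.com", "23.74.181.249"))
```

Paste the full trace into SAMPLE and the output lists the five delegation steps ending in akamaiedge.net, which is the check that matters: the chain terminates in the CDN’s zone and the only A record returned belongs to the CDN, never to the origin.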

Now run tracert 23.74.181.249 at a command prompt

tracert 23.74.181.249

Tracing route to a23-74-181-249.deploy.static.akamaitechnologies.com [23.74.181.249]
over a maximum of 30 hops:

 1     1 ms     1 ms     1 ms  172.28.67.2
 2     4 ms     1 ms     4 ms  172.28.2.10
 3     *        *        *     Request timed out.
 4     *        *        *     Request timed out.
 5     *        *        *     Request timed out.
 6                     *     Request timed out.
 7     *        *        *     Request timed out.
 8     *      125 ms    75 ms  bundle-ether1.sydp-core04.sydney.reach.com [203.50.13.90]
 9   172 ms   160 ms   165 ms  i-52.tlot-core02.bx.telstraglobal.net [202.84.137.101]
10   152 ms   192 ms   164 ms  i-0-7-0-11.tlot-core01.bi.telstraglobal.net [202.84.251.233]
11   163 ms   183 ms   176 ms  gtt-peer.tlot02.pr.telstraglobal.net [134.159.63.182]
12   151 ms   157 ms   155 ms  xe-2-2-0.cr2-lax2.ip4.gtt.net [89.149.129.234]
13   175 ms   160 ms   154 ms  as5580-gw.cr2-lax2.ip4.gtt.net [173.205.59.18]
14   328 ms   318 ms   317 ms  ae21.edge02.fra06.de.as5580.net [78.152.53.219]
15   324 ms   325 ms   319 ms  78.152.48.250
16   336 ms   336 ms   339 ms  a23-74-181-249.deploy.static.akamaitechnologies.com [23.74.181.249]

Now open the hosts file of the Windows machine, C:\WINDOWS\system32\drivers\etc\hosts, and add the Akamai spoof IP against the bare host name (a hosts entry takes a host name, not a URL): 172.233.15.98   www.akamai.com (reference)

Browse to http://www.akamai.com in Internet Explorer; the browser will now be directed to 172.233.15.98

Open a command prompt and run nslookup 172.233.15.98

Server:  lon-resolver.telstra.net
Address:  203.50.2.71

Name:    a172-233-15-98.deploy.static.akamaitechnologies.com
Address:  172.233.15.98

In conclusion, Akamai tricked the web browser into going to the Akamai edge server in Sydney, Australia instead of the original Akamai server hosted in the USA. A user will never know the original IP address of the http://www.akamai.com website. Abracadabra, the original IP address has vanished…

Category:
Cloud Infrastructure

1 Comment

  1. This is a fantastic article. Thank you for sharing this, it’s complicated stuff.
