Let us start with traditional DNS hosting with any DNS hoster or ISP. How does traditional DNS name resolution work? When you type a human-readable name such as www.anydomain.com into the address bar of Internet Explorer, that name is resolved to the Internet Protocol (IP) address of the web server, which is typically hosted by an Internet Service Provider (ISP) or hosting company. The browser connects to that address and presents the website to the user. By doing so, the website exposes its public IP address to everyone. Good and bad guys alike know the IP address and can trace it globally. A state-sponsored hacker or a private individual can launch a distributed denial of service (DDoS) attack against a website whose public IP address is known and traceable: the bad guys send an overwhelming number of fake requests to the real IP address behind www.anydomain.com and take the website down. The same goes for the authoritative DNS servers that host the www.anydomain.com record: if they are flooded, they stop answering genuine DNS queries and the site becomes unreachable even though the web server itself is still up.
Akamai introduced Fast DNS, an authoritative DNS service served from anycast name servers spread across almost every country, state, territory and region, to mitigate the risk of DDoS and DNS hijacking.
Akamai Fast DNS offloads domain name resolution from on-premises infrastructure and the traditional domain name provider to an intelligent, secure and authoritative DNS service. Combined with the Akamai edge network it hides the origin: the public hostname resolves to the IP address of an Akamai edge server near the user, never to the origin's own address. That is what blunts DDoS attacks, DNS forgery and manipulation aimed at the origin, rather than any spoofed addresses; the edge addresses handed out are real Akamai servers.
At the time of writing Akamai has more than 150,000 servers in more than 2,000 locations worldwide, connected to 1,200+ networks in 700+ cities in 92 countries, and in most cases an Akamai edge server is just a hop away from the end user.
How does it work?

  1. The user requests www.anydomain.com.
  2. The user's ISP recursive resolver receives the DNS query for www.anydomain.com.
  3. The resolver asks the authoritative servers for anydomain.com and gets back a CNAME: www.anydomain.com is an alias for www.anydomain.com.edgekey.net, a name hosted by Akamai.
  4. The resolver follows the CNAME to Akamai's authoritative servers for edgekey.net, which answer with another CNAME into Akamai's mapping domain, for example e1699.dscc.akamaiedge.net.
  5. Akamai's authoritative servers for akamaiedge.net look at where the query is coming from (the resolver's location, for example Sydney, Australia) and refer it to the regional mapping servers for that area.
  6. The regional mapping servers answer with the A record of the Akamai edge server nearest the user, for example in Melbourne, Australia, with a short TTL so that the mapping can change quickly.
  7. The resolver caches the chain and returns the edge server's IP address to the user's browser as the answer for www.anydomain.com.
  8. The browser connects to that edge server, which serves www.anydomain.com from cache (if cached) or fetches it from the origin over Akamai's network, and the page is presented in the user's browser.

Since Akamai answers DNS queries dynamically, it is extremely difficult for a bad guy to track down the real IP address of the website and its origin host. The edge server that answers is chosen by the location of the user's resolver, not by where the origin is hosted: a website whose origin sits in Australia or the UK is still served to a user from the Akamai edge nearest that user, so the IP address of the website, as seen by the user, is always that of an Akamai edge server in the user's own geolocation. In plain English, the origin host and its IP address vanish behind Akamai's dynamic DNS. For example,

  1. www.anydomain.com.edgekey.net resolves to the IP address of an Akamai edge server, handed out by Akamai's DNS servers.
  2. The original IP address of www.anydomain.com is never returned by Akamai's DNS servers, nor by the ISP hosting the anydomain.com zone, because the public name is only a CNAME.

This only holds if the origin accepts connections from Akamai alone. An origin that answers any source directly can still be found and hit if its address leaks through an old DNS record or some other channel, so lock the origin down as well as hiding it.

Implementing Akamai Fast DNS:

  1. Create a host A record at your DNS provider for an origin hostname, for example xyz9013452bcf.anydomain.com, pointing to the 201.17.xx.xx public IP (the VIP of Azure Web Services or any other web service). This name exists only for Akamai's use; do not publish or link it anywhere else.
  2. Request Akamai to work its black magic on www.anydomain.com: Akamai sets up the property with the edge hostname www.anydomain.com.edgekey.net and with xyz9013452bcf.anydomain.com configured as the origin host that Akamai's edge servers fetch content from.
  3. Once Akamai completes the black magic, ask your DNS provider to replace the existing www.anydomain.com A record with a CNAME record pointing to www.anydomain.com.edgekey.net. A name cannot carry both an A record and a CNAME, so the old A record must go.
  4. Do not CNAME the origin hostname to www.anydomain.com.edgekey.net as well: that would send Akamai's own fetches from the origin back to Akamai and leave no name that reaches the real server.
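Here is the whole chain in working form, as an added example that is not part of the original post and not Akamai's code: a zone fragment laid out as the steps above require (a CNAME on the public name and a separate origin hostname), the edge and mapping answers Akamai would give, and a small resolver that follows the CNAMEs the way the ISP resolver does in the "How does it work?" steps. All records are constructed; the edge names and the two edge addresses come from the page's own ping and dig output, the origin address is an RFC 5737 documentation address, and the region-keyed GEO record is a stand-in for Akamai's mapping system, not its real interface.

```python
"""Added example, not Akamai's or the page author's code: the records an
Akamai-fronted site publishes, plus a tiny resolver that chases the CNAME
chain like a recursive resolver. All data below is constructed; only the
edge names and the addresses 118.215.118.16 / 23.74.181.249 come from the page."""

MAX_CNAME_HOPS = 8  # recursive resolvers bound CNAME chasing so a loop cannot spin forever

# Constructed BIND-style zone fragment the site owner publishes at the ISP.
# The public name is only a CNAME to the Akamai edge hostname; the origin has
# its own hostname that nothing in the public chain refers to.
ANYDOMAIN_ZONE = """\
$ORIGIN anydomain.com.
www                IN CNAME www.anydomain.com.edgekey.net.
xyz9013452bcf      IN A     203.0.113.10   ; origin VIP (RFC 5737 documentation address, constructed)
"""

# The page's original step 1 for comparison: an A record on the public name.
LEAKY_ZONE = """\
$ORIGIN anydomain.com.
www                IN A     203.0.113.10   ; public name points straight at the origin
"""

# What Akamai's authoritative servers answer (constructed). The GEO record
# stands in for Akamai's mapping system, which returns a different edge
# address depending on where the querying resolver is located.
AKAMAI_ZONES = {
    "www.anydomain.com.edgekey.net.": ("CNAME", "e1699.dscc.akamaiedge.net."),
    "e1699.dscc.akamaiedge.net.": ("GEO", {
        "au": "118.215.118.16",       # Sydney edge, the address the page's ping got
        "de": "23.74.181.249",        # Frankfurt edge, the address the page's dig got
        "default": "23.74.181.249",
    }),
}

# Two CNAMEs that point at each other, to exercise loop detection.
LOOP_ZONES = {
    "a.example.": ("CNAME", "b.example."),
    "b.example.": ("CNAME", "a.example."),
}


def parse_zone(text):
    """Parse the tiny zone-file subset used above into {fqdn: (type, data)}."""
    origin, records = "", {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # drop comments
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        owner, _cls, rtype, data = line.split()
        fqdn = owner if owner.endswith(".") else f"{owner}.{origin}"
        records[fqdn] = (rtype, data)
    return records


def resolve(name, region, zones):
    """Chase CNAMEs from `name` and return (chain, ip). Raises LookupError
    for a missing name and ValueError for a loop or an over-long chain."""
    chain = [name]
    for _ in range(MAX_CNAME_HOPS):
        if name not in zones:
            raise LookupError(f"NXDOMAIN: {name}")
        rtype, data = zones[name]
        if rtype == "A":
            return chain, data
        if rtype == "GEO":
            return chain, data.get(region, data["default"])
        name = data                                # CNAME: follow it
        if name in chain:
            raise ValueError(f"CNAME loop at {name}")
        chain.append(name)
    raise ValueError("CNAME chain too long")


def resolve_or_error(name, region, zones):
    """resolve(), but returns the error text instead of raising."""
    try:
        return resolve(name, region, zones)[1]
    except (LookupError, ValueError) as exc:
        return f"ERROR: {exc}"


def origin_leaks(public_name, origin_ip, zones, regions=("au", "de", "us")):
    """True if the public name ever resolves to the origin's own address."""
    return any(resolve_or_error(public_name, r, zones) == origin_ip for r in regions)


def build_zones(site_zone=ANYDOMAIN_ZONE):
    """Merge the site's records with Akamai's into one lookup table."""
    return {**parse_zone(site_zone), **AKAMAI_ZONES}


if __name__ == "__main__":
    zones = build_zones()
    for region in ("au", "de", "us"):
        chain, ip = resolve("www.anydomain.com.", region, zones)
        print(f"{region}: {' -> '.join(chain)} => {ip}")
    print("origin leaks, correct zone:", origin_leaks("www.anydomain.com.", "203.0.113.10", zones))
    print("origin leaks, page's step 1:", origin_leaks("www.anydomain.com.", "203.0.113.10", build_zones(LEAKY_ZONE)))
```

Running it prints the chain for a resolver in Australia, in Germany and elsewhere. origin_leaks() is the check to run against a zone before cutting over: it must be False for the public name, and it comes back True for the page's original step 1, where an A record on www.anydomain.com hands the origin address to anyone who asks.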

Testing Akamai Fast DNS: I am using www.akamai.com as the DNS name instead of the real DNS record of any of my clients.
Go to mxtoolbox.com, choose DNS Lookup and look up www.akamai.com; you will see
CNAME www.akamai.com resolves to www.akamai.com.edgekey.net
Open a command prompt and ping www.akamai.com.edgekey.net.
Since I am pinging from Sydney, Australia, my ping is answered by the Akamai edge server in Sydney; the result is
ping www.akamai.com.edgekey.net
Pinging e1699.dscc.akamaiedge.net [118.215.118.16] with 32 bytes of data:
Reply from 118.215.118.16: bytes=32 time=6ms TTL=56
Reply from 118.215.118.16: bytes=32 time=3ms TTL=56
Open a browser, go to http://www.kloth.net/services/dig.php and trace e1699.dscc.akamaiedge.net. Note that this query is now made from kloth.net's own server rather than from Sydney, which is why the answer below is a different edge address from the one the ping returned.
; <<>> DiG 9 <<>> @localhost e1699.dscc.akamaiedge.net A
; (1 server found)
;; global options: +cmd
.                            375598  IN  NS  d.root-servers.net.
.                            375598  IN  NS  c.root-servers.net.
.                            375598  IN  NS  i.root-servers.net.
.                            375598  IN  NS  j.root-servers.net.
.                            375598  IN  NS  k.root-servers.net.
.                            375598  IN  NS  m.root-servers.net.
.                            375598  IN  NS  a.root-servers.net.
.                            375598  IN  NS  l.root-servers.net.
.                            375598  IN  NS  e.root-servers.net.
.                            375598  IN  NS  f.root-servers.net.
.                            375598  IN  NS  b.root-servers.net.
.                            375598  IN  NS  g.root-servers.net.
.                            375598  IN  NS  h.root-servers.net.
;; Received 228 bytes from 127.0.0.1#53(127.0.0.1) in 3 ms
net.                         172800  IN  NS  a.gtld-servers.net.
net.                         172800  IN  NS  b.gtld-servers.net.
net.                         172800  IN  NS  c.gtld-servers.net.
net.                         172800  IN  NS  d.gtld-servers.net.
net.                         172800  IN  NS  e.gtld-servers.net.
net.                         172800  IN  NS  f.gtld-servers.net.
net.                         172800  IN  NS  g.gtld-servers.net.
net.                         172800  IN  NS  h.gtld-servers.net.
net.                         172800  IN  NS  i.gtld-servers.net.
net.                         172800  IN  NS  j.gtld-servers.net.
net.                         172800  IN  NS  k.gtld-servers.net.
net.                         172800  IN  NS  l.gtld-servers.net.
net.                         172800  IN  NS  m.gtld-servers.net.
;; Received 512 bytes from 2001:7fd::1#53(2001:7fd::1) in 8 ms
akamaiedge.net.              172800  IN  NS  la1.akamaiedge.net.
akamaiedge.net.              172800  IN  NS  la3.akamaiedge.net.
akamaiedge.net.              172800  IN  NS  lar2.akamaiedge.net.
akamaiedge.net.              172800  IN  NS  ns3-194.akamaiedge.net.
akamaiedge.net.              172800  IN  NS  ns6-194.akamaiedge.net.
akamaiedge.net.              172800  IN  NS  ns7-194.akamaiedge.net.
akamaiedge.net.              172800  IN  NS  ns5-194.akamaiedge.net.
akamaiedge.net.              172800  IN  NS  a12-192.akamaiedge.net.
akamaiedge.net.              172800  IN  NS  a28-192.akamaiedge.net.
akamaiedge.net.              172800  IN  NS  a6-192.akamaiedge.net.
akamaiedge.net.              172800  IN  NS  a1-192.akamaiedge.net.
akamaiedge.net.              172800  IN  NS  a13-192.akamaiedge.net.
akamaiedge.net.              172800  IN  NS  a11-192.akamaiedge.net.
;; Received 504 bytes from 2001:503:a83e::2:30#53(2001:503:a83e::2:30) in 14 ms
dscc.akamaiedge.net.           8000  IN  NS  n7dscc.akamaiedge.net.
dscc.akamaiedge.net.           4000  IN  NS  n0dscc.akamaiedge.net.
dscc.akamaiedge.net.           6000  IN  NS  a0dscc.akamaiedge.net.
dscc.akamaiedge.net.           6000  IN  NS  n3dscc.akamaiedge.net.
dscc.akamaiedge.net.           4000  IN  NS  n2dscc.akamaiedge.net.
dscc.akamaiedge.net.           6000  IN  NS  n6dscc.akamaiedge.net.
dscc.akamaiedge.net.           4000  IN  NS  n5dscc.akamaiedge.net.
dscc.akamaiedge.net.           8000  IN  NS  n1dscc.akamaiedge.net.
dscc.akamaiedge.net.           8000  IN  NS  n4dscc.akamaiedge.net.
;; Received 388 bytes from 184.85.248.194#53(184.85.248.194) in 8 ms
e1699.dscc.akamaiedge.net.       20  IN  A   23.74.181.249
;; Received 59 bytes from 77.67.97.229#53(77.67.97.229) in 5 ms
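The trace above can be checked mechanically rather than by eye. The following parser, added here as an example and not part of the original post or of any Akamai tooling, reads dig +trace style output, recovers the delegation path and the server that supplied each step, and confirms the chain ends on a short-TTL A record inside Akamai's mapping domain. Its input is a trimmed copy of the trace above, with one NS record kept per step.

```python
"""Added example, not Akamai's or the page author's code: parse dig +trace
output and verify that a name is served from Akamai's edge mapping domain.
TRACE is a trimmed copy of the page's own trace (one NS record per step)."""
import re

TRACE = """\
.                          375598  IN  NS  d.root-servers.net.
;; Received 228 bytes from 127.0.0.1#53(127.0.0.1) in 3 ms
net.                       172800  IN  NS  a.gtld-servers.net.
;; Received 512 bytes from 2001:7fd::1#53(2001:7fd::1) in 8 ms
akamaiedge.net.            172800  IN  NS  la1.akamaiedge.net.
;; Received 504 bytes from 2001:503:a83e::2:30#53(2001:503:a83e::2:30) in 14 ms
dscc.akamaiedge.net.         8000  IN  NS  n7dscc.akamaiedge.net.
;; Received 388 bytes from 184.85.248.194#53(184.85.248.194) in 8 ms
e1699.dscc.akamaiedge.net.     20  IN  A   23.74.181.249
;; Received 59 bytes from 77.67.97.229#53(77.67.97.229) in 5 ms
"""

# owner  ttl  IN  type  rdata   (dig's trace output, one record per line)
RR_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(\S+)$")
# ";; Received N bytes from <server>#53(<server>) in N ms" closes each step
FROM_LINE = re.compile(r"^;; Received \d+ bytes from (\S+)#\d+")


def parse_trace(text):
    """Return one dict per referral/answer step: the server that replied and
    the records it returned. dig's banner and option lines are ignored."""
    steps, pending = [], []
    for raw in text.splitlines():
        line = raw.strip()
        rr = RR_LINE.match(line)
        if rr:
            name, ttl, rtype, data = rr.groups()
            pending.append({"name": name, "ttl": int(ttl), "type": rtype, "data": data})
            continue
        footer = FROM_LINE.match(line)
        if footer:
            steps.append({"server": footer.group(1), "records": pending})
            pending = []
    return steps


def referral_steps(steps):
    """Only the steps whose records are NS delegations."""
    return [s for s in steps if s["records"] and s["records"][0]["type"] == "NS"]


def delegation_path(steps):
    """Zone names handed down at each referral, root first."""
    return [s["records"][0]["name"] for s in referral_steps(steps)]


def final_answer(steps):
    """The last non-NS record, i.e. the A (or CNAME) the chain ended on."""
    for step in reversed(steps):
        for rec in step["records"]:
            if rec["type"] != "NS":
                return rec
    return None


def answer_is_akamai_edge(steps, suffix=".akamaiedge.net.", max_ttl=60):
    """Check the page's claim: the final answer is an A record whose owner is
    in Akamai's edge mapping domain, the last delegation went to name servers
    in that same domain, and the TTL is short, because the mapping answer is
    meant to be re-evaluated in seconds rather than hours."""
    ans = final_answer(steps)
    referrals = referral_steps(steps)
    if ans is None or not referrals:
        return False
    last_ns = [r["data"] for r in referrals[-1]["records"]]
    return (
        ans["type"] == "A"
        and ans["name"].endswith(suffix)
        and all(n.endswith(suffix) for n in last_ns)
        and ans["ttl"] <= max_ttl
    )


if __name__ == "__main__":
    parsed = parse_trace(TRACE)
    print("delegation:", " -> ".join(delegation_path(parsed)))
    print("answer:", final_answer(parsed), "from", parsed[-1]["server"])
    print("served from Akamai edge mapping:", answer_is_akamai_edge(parsed))
```

Point it at the output of dig +trace for any hostname you have put behind Akamai: a False from answer_is_akamai_edge() means the public name still ends somewhere other than Akamai's mapping domain, or with a long TTL that the mapping system would not produce.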
Now run tracert 23.74.181.249 on a command prompt:
tracert 23.74.181.249
Tracing route to a23-74-181-249.deploy.static.akamaitechnologies.com [23.74.181.249]
over a maximum of 30 hops:
  1     1 ms     1 ms     1 ms  172.28.67.2
  2     4 ms     1 ms     4 ms  172.28.2.10
  3     *        *        *     Request timed out.
  4     *        *        *     Request timed out.
  5     *        *        *     Request timed out.
  6     *        *        *     Request timed out.
  7     *        *        *     Request timed out.
  8     *      125 ms    75 ms  bundle-ether1.sydp-core04.sydney.reach.com [203.50.13.90]
  9   172 ms   160 ms   165 ms  i-52.tlot-core02.bx.telstraglobal.net [202.84.137.101]
 10   152 ms   192 ms   164 ms  i-0-7-0-11.tlot-core01.bi.telstraglobal.net [202.84.251.233]
 11   163 ms   183 ms   176 ms  gtt-peer.tlot02.pr.telstraglobal.net [134.159.63.182]
 12   151 ms   157 ms   155 ms  xe-2-2-0.cr2-lax2.ip4.gtt.net [89.149.129.234]
 13   175 ms   160 ms   154 ms  as5580-gw.cr2-lax2.ip4.gtt.net [173.205.59.18]
 14   328 ms   318 ms   317 ms  ae21.edge02.fra06.de.as5580.net [78.152.53.219]
 15   324 ms   325 ms   319 ms  78.152.48.250
 16   336 ms   336 ms   339 ms  a23-74-181-249.deploy.static.akamaitechnologies.com [23.74.181.249]
Note where this route ends. From Sydney it leaves via Telstra and GTT to Los Angeles and terminates at an Akamai edge in Frankfurt (hop 14, fra06.de), more than 300 ms away. That is nowhere near the closest edge to Sydney, because the 23.74.181.249 answer was produced for kloth.net's server, not for a resolver in Australia: Akamai picks the edge for whoever is asking, which is exactly why the ping from Sydney was answered by 118.215.118.16 instead.
Now open the hosts file on the Windows machine, C:\WINDOWS\system32\drivers\etc\hosts, and add the Akamai edge IP for www.akamai.com:
172.233.15.98   www.akamai.com
Browse to www.akamai.com in Internet Explorer; the browser now connects to 172.233.15.98.
Open a command prompt and run nslookup 172.233.15.98:
Server:  lon-resolver.telstra.net
Address:  203.50.2.71
Name:    a172-233-15-98.deploy.static.akamaitechnologies.com
Address:  172.233.15.98
The reverse lookup shows that the address belongs to an Akamai edge server (deploy.static.akamaitechnologies.com), not to the site's origin.
In conclusion, Akamai's DNS steered the web browser to the Akamai edge server in Sydney, Australia, instead of Akamai's own origin server hosted in the USA. A user will never learn the original IP address of the www.akamai.com website. Abracadabra, the original IP address has vanished…

Category:
Cloud Infrastructure

Join the conversation! 1 Comment

  1. This is a fantastic article. Thank you for sharing this, it’s complicated stuff.
