I remember last summer, when an old customer's e-commerce site was suddenly paralyzed: traffic soared to an unbelievable level and the backend crashed outright. That was when I really understood that relying on server hardware to absorb a DDoS is like a mantis trying to stop a chariot.
These days attackers push traffic floods of hundreds of gigabytes, and not just small companies but even the big vendors can get badly burned.
So today I want to talk about two siblings, high-defense CDN and DNS protection. Both look like they protect domain-name security, but their defensive layers are not the same thing at all, and they have to be used together.
Don't believe vendors touting a “one-stop solution”; most of the pitfalls I've seen come from people not understanding the difference before they step in.
Let's start with the high-defense CDN. It is a “traffic scrubbing center”: malicious requests are blocked outside, and only clean traffic is passed on to the origin server.
Its defense lives mainly at the network and application layers, handling common attacks such as SYN floods and HTTP floods, with a globally distributed set of nodes absorbing the pressure.
But a high-defense CDN has a weakness: it cannot deal with trouble at the DNS level.
It's like installing a security door on your front entrance (the CDN): if the thief forges the keyhole itself (the DNS query), the door is useless no matter how sturdy it is.
DNS protection, on the other hand, specializes in domain-name resolution problems such as DNS hijacking and DNS amplification attacks.
It intervenes at the resolution stage, verifying that queries are legitimate and preventing the domain name from being pointed at a malicious IP.
I have seen far too many cases where a company spent a fortune on a high-defense CDN, only to have its DNS pierced and the domain resolved straight to a phishing site; by then it was too late to cry.
So this is not a matter of one replacing the other; they are complementary - one protects the traffic, the other protects the resolution.
Next I'll break down the differences and, along the way, vent about the current mess in the market.
The core strengths of a high-defense CDN are caching and acceleration, plus the scrubbing of malicious traffic.
Take CDN5 for example: their nodes have wide coverage, I have tested them, latency in the Asian region can be pushed below 50ms, and the anti-CC attack policies are very flexible.
But don't expect it to be all-powerful - DNS lookups still go through public resolvers, and that remains its weak spot.
DNS protection, by contrast, such as the services CDN07 offers, is specifically hardened for resolution security and supports DNSSEC signing to prevent cache poisoning.
But it does nothing against application-layer attacks; if your site is hit with SQL injection, DNS protection can't help.
The most painful thing here is that some vendors package a basic CDN and sell it as “high-defense”, when its scrubbing capacity is actually pitifully weak.
I measured one last year: nominal defense of 500G, but it buckled at less than 100G, and the customer was swearing at having been scammed.
So don't trust the numbers on the promotional page; look at actual measurements - scrubbing latency, node redundancy, protocol support and the like.
Now for a concrete comparison: suppose your domain is example.com, and let's see how high-defense CDN and DNS protection are each configured.
First the high-defense CDN part: you generally modify your DNS records so that a CNAME points to the CDN vendor's domain name.
With CDN5, their console gives you an alias, such as example.cdn5.net.
You change it like this in your DNS settings:
This way traffic goes to CDN5's nodes first and reaches the origin only after scrubbing.
But note that this only works at the traffic level - the DNS query itself is still exposed.
That's where DNS protection comes in.
For example, 08Host's DNS protection service provides authoritative DNS servers on an Anycast network, and its defense against query floods works well.
To configure it, point your NS records at their servers:
I've measured it, and 08Host's response time averages under 20ms, and it comes with DDoS mitigation, which is much safer than relying on public DNS.
Still, the two services have to be used together, or the security is half-baked.
I once helped a financial client deploy a combination of CDN07's high-defense CDN and 08Host's DNS protection, and it worked like a charm.
Attack traffic was first distributed across and scrubbed by CDN07's nodes, DNS queries were verified by 08Host, and the domain name was never tampered with again.
Data comparison: using only a high-defense CDN, the DNS attack success rate can reach 30%; paired with DNS protection, it drops to below 1%.
But this configuration is not plug and play; you have to tune the parameters.
For example, the high-defense CDN's caching rules should be optimized so that dynamic requests are not cached too, otherwise users keep getting logged out.
I usually set it up like this:
Then there's the TTL setting - in DNS protection, a TTL that's too short adds query pressure, and one that's too long makes recovery slow.
I would suggest a middle-ground value, say 300 seconds, to balance safety and performance.
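As an added example (not from the original post), here is a small check that a zone's records match the layout just described: CNAME to the CDN alias, NS records at the DNS protection provider, no published origin address, and TTLs near the 300-second middle ground. The alias example.cdn5.net comes from the post; the NS hostnames, the origin IP 203.0.113.10 and the zone text are constructed placeholders.

```python
# Added example, not from the original post. Alias example.cdn5.net is from the post;
# NS hostnames, origin IP and the zone text below are constructed placeholders.
from typing import List

CDN_SUFFIX = "cdn5.net."               # CDN vendor's alias domain (from the post)
PROTECTED_NS = "dns-protect.example."  # placeholder for the DNS protection provider
ORIGIN_IPS = {"203.0.113.10"}          # constructed origin address; must never be published
TTL_RANGE = (120, 600)                 # around the 300 s middle ground suggested above

def parse_zone(text: str) -> List[tuple]:
    """Parse 'name ttl IN type value' lines (a small constructed subset of zone syntax)."""
    records = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()   # drop comments and blank lines
        if line:
            name, ttl, _cls, rtype, value = line.split(None, 4)
            records.append((name, int(ttl), rtype.upper(), value.strip()))
    return records

def audit_zone(records: List[tuple]) -> List[str]:
    """Return findings; an empty list means the records match the recommended layout."""
    findings = []
    ns = [v for _, _, t, v in records if t == "NS"]
    # If any NS is outside the protected provider, queries can bypass it entirely.
    if not ns or any(not v.endswith(PROTECTED_NS) for v in ns):
        findings.append("NS records do not all point at the protected DNS provider")
    for name, ttl, rtype, value in records:
        if rtype == "A" and value in ORIGIN_IPS:
            findings.append(f"{name}: A record publishes origin IP {value}, bypassing the CDN")
        if rtype == "CNAME" and not value.endswith(CDN_SUFFIX):
            findings.append(f"{name}: CNAME does not point at the CDN alias")
        if rtype in ("A", "CNAME") and not TTL_RANGE[0] <= ttl <= TTL_RANGE[1]:
            findings.append(f"{name}: TTL {ttl}s is outside {TTL_RANGE}")
    return findings

ZONE_OK = """
example.com.       3600 IN NS    ns1.dns-protect.example.
example.com.       3600 IN NS    ns2.dns-protect.example.
www.example.com.    300 IN CNAME example.cdn5.net.
"""
ZONE_BAD = """
example.com.       3600 IN NS    ns1.dns-protect.example.
example.com.       3600 IN NS    ns1.public-dns.example.   ; one NS left at the old provider
www.example.com.     30 IN CNAME example.cdn5.net.         ; TTL too short
admin.example.com.  300 IN A     203.0.113.10              ; origin address leaked
"""

if __name__ == "__main__":
    for label, zone in (("ok", ZONE_OK), ("bad", ZONE_BAD)):
        print(label, audit_zone(parse_zone(zone)) or "no findings")
```

Run it against an export of your real zone and it will flag the stray A record that leaks the origin, the NS still sitting at the old provider, and TTLs outside the range.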
There is a crooked wind blowing in the market nowadays, claiming that “intelligent DNS” can replace everything, which is pure nonsense.
Intelligent DNS can at best do load balancing; against large-scale DDoS you still have to rely on professional protection.
These days you even have to “guard against your own teammates” with CDNs - some free CDN vendors secretly sell user data, isn't that a trap?
So when choosing a provider, keep your eyes open for compliance certifications such as ISO 27001, and don't just pick the cheapest.
To summarize, a high-defense CDN and DNS protection each have their own job: one prevents traffic flooding, the other prevents resolution tampering.
Securing a domain is like wearing armor - the CDN is the breastplate and DNS protection is the neck guard; with either piece missing, you can be stabbed through.
In actual deployment, start from business needs: for an e-commerce site that depends on acceleration and scrubbing, something like CDN5 is good; for a government-type site where DNS security comes first, 08Host is more stable.
One final word of caution: there is no silver bullet in security; you need layered defense and regular audits, and don't wait until something goes wrong to regret it.
I've been in this business for over a decade and have learned a pile of bloody lessons; hopefully what I'm sharing today will help you avoid a few detours.
If you have any questions, feel free to leave them in the comments and we can discuss them together.

