How do you configure CNAME resolution for a high-defense CDN?

I recently helped some friends whose websites had been knocked offline by DDoS attacks, and found that many people have their high-defense CDN configured wrong, especially the CNAME resolution step. You think you can relax once the record is set? Wrong! At best a misconfiguration means acceleration fails; at worst it directly exposes the source station IP.

Last month a customer swore to me that "the CDN vendor said resolution takes effect in five minutes". After waiting half a day, users were still connecting directly to his source station, and the traffic that rushed in paralyzed the server. I took a look and, sure enough, the CNAME record value was missing the dot at the end, so the resolution never came into effect.

These days even a CDN has to be defended against your own teammates. Some vendors' documents read like impenetrable books, and technical support will only copy and paste official jargon. Today, drawing on practical experience, I will explain how CNAME resolution for a high-defense CDN really works, from the principle to avoiding the pitfalls, one step at a time.

A splash of cold water first: don't think that everything will be fine once the CNAME is resolved. I have tested how long resolution takes to become effective at three mainstream vendors. The fastest, CDN5, can take effect globally in 90 seconds, while the nodes of some small vendors have to wait as long as 20 minutes, and during that period the traffic is completely unprotected!

Why is the CNAME so important? Simply put, it is your traffic scheduler. When a user accesses your domain name, DNS first points the request to the CDN vendor's CNAME address, and the vendor then intelligently assigns it to the nearest protection node. If the scheduler goes on strike, users arrive directly at the door of your own server.

Here is a painful case: a financial platform used CDN07's high-defense service, but the technicians resolved the CNAME to the source station IP instead of the vendor's protection domain name. As a result, the attacker found the real IP directly from the DNS records, and a wave of 500G of traffic took the server room down.

Now let me walk you through the correct configuration step by step, using the commonly used domestic DNSPod resolution as an example:

Watch out for that final dot! This is the most easily overlooked detail. A trailing dot indicates an absolute domain name; without the dot, the system automatically appends the current domain name. I've seen people end up with record values like "security.cdn5.com.web.com" and that kind of junk.

If you're using a CDN like 08Host with four layers of protection, the configuration will be a bit more complicated:

Don't wait for resolution to complete! Verify it immediately with the dig command:

I am in the habit of checking the resolution status of different regions with a global DNS query tool. Once I found that the resolution delay of European nodes was as high as 300ms, and I decided to have the vendor refresh the DNS cache of its edge nodes.

Let the actual data speak: under the same network environment, CDN5's global resolution takes an average of 68 seconds, CDN07 takes 120 seconds, and 08Host is the best performer in the Asia-Pacific region at only 40 seconds. If you do cross-border e-commerce, this time difference directly affects the loading speed of the first screen.

What should you do if resolution doesn't take effect? Check three things first: whether the DNS cache has been refreshed, whether the TTL is set too long, and whether the CNAME value has an extra space. At one point I had a baffling problem: the client DNS cache was stored for a surprising 24 hours, and I finally solved it by forcing a refresh of the local DNS.
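An added example (not from the original post or from any vendor): a shell function that reads the answer section printed by dig and flags the mistakes described above, namely the spliced name left by a missing final dot, an A record that still returns the source station IP, and a TTL that is too long. The host www.web.com, the IP addresses and the 600-second TTL limit are constructed assumptions; security.cdn5.com is the record value quoted earlier.

```shell
#!/bin/sh
# Usage: dig +noall +answer www.web.com @RESOLVER | check_cname TARGET ORIGIN_IP MAX_TTL
# Reads dig answer lines (name TTL class type rdata) on stdin, prints one verdict.
# MAX_TTL is an assumed local policy limit, not a value from any vendor.
check_cname() {
    awk -v want="$1" -v origin="$2" -v maxttl="$3" '
        BEGIN {
            want = tolower(want)
            sub(/\.$/, "", want)          # accept the target with or without its dot
            full = want "."               # absolute form, as dig prints it
            verdict = "NO_CNAME"
        }
        # Any A record equal to the origin means visitors bypass the CDN.
        $4 == "A" && $5 == origin { exposed = 1 }
        # Judge only the first CNAME: the record configured at the DNS provider.
        $4 == "CNAME" && !seen {
            seen = 1
            target = tolower($5)
            if (target == full) {
                verdict = ($2 + 0 > maxttl + 0) ? "TTL_TOO_LONG" : "OK"
            } else if (index(target, full) == 1) {
                verdict = "MISSING_TRAILING_DOT"   # zone name was appended
            } else {
                verdict = "WRONG_TARGET"
            }
        }
        END { print (exposed ? "ORIGIN_EXPOSED" : verdict) }
    '
}

# Constructed sample: the record value was saved without its final dot,
# so the provider appended the zone name web.com to it.
sample_spliced() {
    printf '%s\n' 'www.web.com. 600 IN CNAME security.cdn5.com.web.com.'
}

sample_spliced | check_cname security.cdn5.com. 198.51.100.7 600
```

Run the dig pipeline against several resolvers while the change propagates; a verdict other than OK is worth investigating before assuming the CDN is in the path.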

A hidden tip for high-defense CDNs: configure WAF rules as soon as resolution takes effect. Many people have been exploited by injection attacks while waiting for "full effect". In fact, as soon as DNS resolution starts distributing traffic, the protection node can already intervene to clean the traffic.

One last sharp piece of advice: don't believe the vendor's claim that "resolution takes effect immediately". All DNS changes are subject to propagation delays and take at least 2 minutes to take effect globally. During this time, make sure to turn on the source firewall and set it to allow only the CDN node IPs to access the site, as this is a foolproof practice.

Now check your CNAME record. Are you still waiting for "five minutes to take effect"? Use the dig command to verify; your website may be running unprotected at this very moment!
