{"id":921,"date":"2026-02-26T13:52:59","date_gmt":"2026-02-26T05:52:59","guid":{"rendered":"https:\/\/www.ddosgj.com\/?p=921"},"modified":"2026-02-26T13:52:59","modified_gmt":"2026-02-26T05:52:59","slug":"high-defense-cdn-and-dns-protection-defense-level-difference-and-common-security-domain-name-security","status":"publish","type":"post","link":"https:\/\/www.ddosgj.com\/en\/921-html","title":{"rendered":"The difference between the defense level of high-defense CDN and DNS protection and the common security of domain names"},"content":{"rendered":"<p>I remember last summer, an old customer of mine had their e-commerce site suddenly paralyzed: the traffic soared to an incredible level and the backend crashed outright. That's when I really realized that relying on server hardware to withstand DDoS is like a mantis trying to stop a chariot.<\/p>\n<p>These days, attackers routinely launch traffic floods of hundreds of gigabytes; never mind small companies, even the big companies get badly burned.<\/p>\n<p>So today I will talk about these two brothers, high-defense CDN and DNS protection - both seem to protect domain name security, but their defense levels are not the same thing at all, and they have to be used together to work.<\/p>\n<p>Don't believe vendors who boast about a \u201cone-stop solution\u201d; I have found that many people fall into pits because they did not understand the difference beforehand.<\/p>\n<p>Let's start with the high-defense CDN. It is a \u201ctraffic cleaning center\u201d: malicious requests are blocked outside, and only clean traffic is let through to the origin server.<\/p>\n<p>Its defense level is mainly the network layer and the application layer, covering common attacks such as SYN Flood and HTTP Flood, and it relies on globally distributed nodes to absorb the pressure.<\/p>\n<p>But the high-defense CDN has a weakness: it cannot handle trouble at the DNS level.<\/p>\n<p>It's like having a security door installed on your front door (CDN), but if the thief directly forges the 
keyhole (DNS query), the door is no use however solid it is.<\/p>\n<p>DNS protection, on the other hand, specializes in domain name resolution problems, such as DNS hijacking and DNS amplification attacks.<\/p>\n<p>It intervenes at the DNS lookup stage to verify the legitimacy of the request and prevent the domain name from being directed to a malicious IP.<\/p>\n<p>I have seen too many cases where a company spent a lot of money on a high-defense CDN, only to have its DNS breached and the domain name resolved straight to a phishing site; by then it is too late to cry.<\/p>\n<p>So it is not a matter of one replacing the other; they are complementary - one protects the traffic, the other protects the resolution.<\/p>\n<p>Next, I'll break down the differences and vent about the current market mess along the way.<\/p>\n<p>The core strengths of a high-defense CDN are caching and acceleration, plus cleaning of malicious traffic.<\/p>\n<p>For example, if you use CDN5, their nodes cover a wide range; in my tests, latency in the Asian region can be kept below 50ms, and the anti-CC attack policies are very flexible.<\/p>\n<p>But don't expect it to be all-powerful - DNS lookups still have to go to a public resolver, which is its shortcoming.<\/p>\n<p>DNS protection, by contrast, like the service provided by CDN07, specifically strengthens resolution security and supports DNSSEC signatures to prevent cache poisoning.<\/p>\n<p>But it doesn't deal with application layer attacks: if your site gets hit by SQL injection, DNS protection is useless.<\/p>\n<p>The worst trap here is that some vendors package a basic CDN as \u201chigh defense\u201d and sell it, when in fact its cleaning ability is extremely weak.<\/p>\n<p>I measured one last year: the nominal defense was 500G, but it actually went down at less than 100G, and the customer was cursing outright.<\/p>\n<p>So yeah, don't believe the numbers on the promotional page, you have to look at the 
actual data - things like cleaning latency, node redundancy, protocol support.<\/p>\n<p>Now for a specific comparison: suppose your domain name is example.com; here is how to configure high-defense CDN and DNS protection respectively.<\/p>\n<p>First, the high-defense CDN part: you generally have to modify the DNS records to point a CNAME to the CDN vendor's domain name.<\/p>\n<p>In the case of CDN5, their console will give you an alias, such as example.cdn5.net.<\/p>\n<p>You change it like this in the DNS settings:<\/p>\n<p>This way the traffic goes to CDN5's nodes first and then back to the origin after cleaning.<\/p>\n<p>But note that this is only at the traffic level - the DNS query itself is still exposed.<\/p>\n<p>This is where DNS protection comes in.<\/p>\n<p>For example, 08Host's DNS protection service provides authoritative DNS servers, supports an Anycast network, and holds up well against query floods.<\/p>\n<p>To configure it, point the NS records to their servers:<\/p>\n<p>I've measured it: 08Host's response time averages under 20ms, and it comes with DDoS mitigation, which is much safer than using public DNS.<\/p>\n<p>However, the two services have to be used together, or the security is half-assed.<\/p>\n<p>I once helped a financial client deploy a combination of CDN07's high-defense CDN and 08Host's DNS protection, and it worked like a charm.<\/p>\n<p>The attack traffic was first distributed and cleaned by CDN07 nodes, DNS queries were verified by 08Host, and the domain name was never tampered with again.<\/p>\n<p>Data comparison: with a high-defense CDN alone, the DNS attack success rate can be up to 30%; with DNS protection added, it drops to below 1%.<\/p>\n<p>But this configuration isn't plug and play; you have to adjust the parameters.<\/p>\n<p>For example, the caching rules of the high-defense CDN should be optimized: don't cache dynamic requests as well, or users will keep getting logged out.<\/p>\n<p>I usually set 
it up this way:<\/p>\n<p>There's also the TTL setting - in DNS protection, a TTL that's too short tends to increase query pressure, and one that's too long makes recovery slow.<\/p>\n<p>I would suggest a middle-ground value, say 300 seconds, to balance safety and performance.<\/p>\n<p>Nowadays there is an unhealthy trend in the market of touting that \u201cintelligent DNS\u201d can replace everything, which is pure bullshit.<\/p>\n<p>Intelligent DNS can at best do load balancing; when it comes to large-scale DDoS, you still have to rely on professional protection.<\/p>\n<p>These days, even with a CDN you have to \u201cguard against teammates\u201d - some free CDN vendors secretly sell user data; how's that for a trap?<\/p>\n<p>So when choosing a service provider, keep your eyes peeled for compliance certificates such as ISO27001, and don't just go for the cheapest.<\/p>\n<p>To summarize, high-defense CDN and DNS protection each have their own job: one prevents traffic flooding and the other prevents resolution tampering.<\/p>\n<p>Domain name security is like wearing armor - the CDN is the heart guard, DNS is the locket, and with one piece missing you can be stabbed through.<\/p>\n<p>For actual deployment, start from the business needs: for an e-commerce site, where acceleration and cleaning matter most, something like CDN5 is good; for a government-type site, where DNS security takes priority, 08Host is more stable.<\/p>\n<p>One final word of caution: there is no silver bullet for security; you need layers of defense and regular audits, and don't wait for something to go wrong before you start kicking yourself.<\/p>\n<p>I've been in this business for over a decade and have learned a bunch of bloody lessons - I hope the ones I'm sharing today help you avoid some detours.<\/p>\n<p>If you have any questions, feel free to challenge me in the comments section and we'll talk about it together.<\/p>","protected":false},"excerpt":{"rendered":"<p>I remember last summer, the e-commerce site of one of my old customers was suddenly 
paralyzed, the traffic soared to an incredible level, the backend crashed outright, and that's when I really realized that relying on server hardware to withstand DDoS is like a mantis trying to stop a chariot. These days, attackers routinely launch traffic floods of hundreds of G; never mind small companies, even the big companies get badly burned. So today I will talk about these two brothers, high-defense CDN and DNS protection - both seem to protect domain name security, but their defense levels are not the same thing at all, and they have to be used together to work. Don't believe vendors who boast about a \u201cone-stop solution\u201d; I have found that many people fall into pits because they did not understand the difference beforehand. Let's start with the high-defense CDN. It is a \u201ctraffic cleaning center\u201d that keeps malicious requests out!<\/p>","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"","sticky":false,"template":"","format":"gallery","meta":{"_seopress_robots_primary_cat":"","_seopress_titles_title":"","_seopress_titles_desc":"","_seopress_robots_index":"","footnotes":""},"categories":[150],"tags":[],"collection":[],"class_list":["post-921","post","type-post","status-publish","format-gallery","hentry","category-updates","post_format-post-format-gallery"],"_links":{"self":[{"href":"https:\/\/www.ddosgj.com\/en\/wp-json\/wp\/v2\/posts\/921","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.ddosgj.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.ddosgj.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.ddosgj.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.ddosgj.com\/en\/wp-json\/wp\/v2\/comments?post=921"}],"version-history":[{"count":1,"href":"https:\/\/www.ddosgj.com\/en\/wp-json\/wp\/v2\/posts\/921\/revisions"}],"predecessor-version":[{"id":1204,"href":"https:\/\/www.ddosgj.c
om\/en\/wp-json\/wp\/v2\/posts\/921\/revisions\/1204"}],"wp:attachment":[{"href":"https:\/\/www.ddosgj.com\/en\/wp-json\/wp\/v2\/media?parent=921"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.ddosgj.com\/en\/wp-json\/wp\/v2\/categories?post=921"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.ddosgj.com\/en\/wp-json\/wp\/v2\/tags?post=921"},{"taxonomy":"collection","embeddable":true,"href":"https:\/\/www.ddosgj.com\/en\/wp-json\/wp\/v2\/collection?post=921"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}