CDN and DNS Management
Introduction
Content Delivery Networks (CDN) and Domain Name System (DNS) management are critical components of modern web infrastructure. For DevOps engineers, understanding how to properly configure and optimize these services is essential for delivering fast, reliable, and secure applications to users worldwide.
DNS Fundamentals
What is DNS?
The Domain Name System (DNS) is the phonebook of the internet. It translates human-readable domain names (like example.com) into machine-readable IP addresses (like 192.0.2.1).
DNS Resolution Process:
1. User types "example.com" in browser
2. Browser checks local cache → Not found
3. Query to Recursive Resolver (ISP or public DNS like 8.8.8.8)
4. Resolver queries Root Nameservers → ".com" TLD referral
5. Resolver queries TLD Nameservers → "example.com" NS referral
6. Resolver queries Authoritative Nameservers → Gets IP address
7. Resolver caches result and returns to browser
8. Browser connects to IP address
Time: Typically 20-120ms for initial lookup, then cached
DNS Components:
| Component | Purpose | Example |
|---|---|---|
| Root Nameservers | Direct queries to TLD servers | a.root-servers.net |
| TLD Nameservers | Manage top-level domains | com, org, net TLDs |
| Authoritative Nameservers | Store actual DNS records | ns1.cloudflare.com |
| Recursive Resolvers | Cache and resolve DNS queries | 8.8.8.8, 1.1.1.1 |
DNS Record Types
| Record Type | Purpose | Example | TTL |
|---|---|---|---|
| A | IPv4 address mapping | example.com A 192.0.2.1 | 300-3600 |
| AAAA | IPv6 address mapping | example.com AAAA 2001:db8::1 | 300-3600 |
| CNAME | Canonical name (alias) | www CNAME example.com | 300-3600 |
| MX | Mail exchange | example.com MX 10 mail.example.com | 3600-86400 |
| TXT | Text records (verification, SPF) | example.com TXT "v=spf1 include:_spf.google.com ~all" | 3600 |
| NS | Nameserver delegation | example.com NS ns1.example.com | 172800 |
| SOA | Start of Authority | Zone authority information | 3600 |
| SRV | Service location | _service._proto.name TTL class SRV priority weight port target | 3600 |
| CAA | Certificate Authority Authorization | example.com CAA 0 issue "letsencrypt.org" | 3600 |
Zone File Example:
; example.com zone file
$TTL 3600
@ IN SOA ns1.example.com. admin.example.com. (
2024011001 ; serial
3600 ; refresh
1800 ; retry
604800 ; expire
300 ) ; minimum TTL
; Nameservers
@ IN NS ns1.example.com.
@ IN NS ns2.example.com.
; A Records
@ IN A 192.0.2.1
www IN A 192.0.2.1
api IN A 192.0.2.2
blog IN CNAME myblogplatform.com.
; MX Records
@ IN MX 10 mail.example.com.
mail IN A 192.0.2.10
; TXT Records
@ IN TXT "v=spf1 mx -all"
_dmarc IN TXT "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com"
; CAA Record
@ IN CAA 0 issue "letsencrypt.org"
DNS Management Strategies
DNS Provider Selection Criteria:
- Performance: Global anycast network
- Reliability: 99.99%+ uptime SLA
- Security: DNSSEC, DDoS protection
- Features: API, monitoring, analytics
- Cost: Pricing for your scale
Infrastructure as Code (DNS as Code):
# Terraform for Cloudflare DNS
resource "cloudflare_zone" "example" {
zone = "example.com"
}
resource "cloudflare_record" "www" {
zone_id = cloudflare_zone.example.id
name = "www"
value = "192.0.2.1"
type = "A"
ttl = 300
proxied = true # CDN proxy
}
resource "cloudflare_record" "api" {
zone_id = cloudflare_zone.example.id
name = "api"
value = "lb.example.com"
type = "CNAME"
ttl = 300
}
# AWS Route53 with Terraform
resource "aws_route53_zone" "primary" {
name = "example.com"
}
resource "aws_route53_record" "www" {
zone_id = aws_route53_zone.primary.zone_id
name = "www.example.com"
type = "A"
alias {
name = aws_lb.main.dns_name
zone_id = aws_lb.main.zone_id
evaluate_target_health = true
}
}
DNS Traffic Management:
# Route53 Weighted Routing
resource "aws_route53_record" "weighted" {
zone_id = aws_route53_zone.primary.zone_id
name = "app.example.com"
type = "A"
set_identifier = "blue"
weight = 90
alias {
name = aws_lb.blue.dns_name
zone_id = aws_lb.blue.zone_id
}
}
resource "aws_route53_record" "weighted_green" {
zone_id = aws_route53_zone.primary.zone_id
name = "app.example.com"
type = "A"
set_identifier = "green"
weight = 10
alias {
name = aws_lb.green.dns_name
zone_id = aws_lb.green.zone_id
}
}
# Geolocation Routing
resource "aws_route53_record" "geo" {
zone_id = aws_route53_zone.primary.zone_id
name = "app.example.com"
type = "A"
set_identifier = "us-east"
geolocation_routing_policy {
continent = "NA"
}
alias {
name = aws_lb.useast.dns_name
zone_id = aws_lb.useast.zone_id
}
}
CDN Fundamentals
What is a CDN?
A Content Delivery Network (CDN) is a geographically distributed network of proxy servers and their data centers. The goal is to provide high availability and performance by distributing content closer to end-users.
How CDN Works:
1. User requests "example.com/image.jpg"
2. DNS routes to nearest CDN PoP (Point of Presence)
3. CDN edge server checks cache:
- If cached: Serve immediately (HIT)
- If not cached: Fetch from origin (MISS)
4. Origin server responds to CDN
5. CDN caches response and serves user
6. Subsequent requests served from cache
Benefits:
- Reduced latency (closer to users)
- Reduced origin load
- Improved availability
- Better security
CDN Use Cases:
| Use Case | Benefit | Example |
|---|---|---|
| Static Assets | Fast delivery of CSS, JS, images | Website media files |
| Video Streaming | Adaptive bitrate streaming | YouTube, Netflix |
| Software Downloads | Large file distribution | Game updates, OS ISOs |
| API Acceleration | Dynamic content caching | REST API responses |
| Security | DDoS protection, WAF | Cloudflare, Akamai |
CDN Architecture
CDN Components:
- Edge Servers: PoP locations serving cached content
- Origin Server: Original source of content
- Distribution: Method of pushing content to edges
- Cache Hierarchy: Multi-tier caching strategy
Cache Behavior Configuration:
# CloudFront Behavior Configuration (AWS)
Behavior:
Path Pattern: /images/*
Origin: S3-origin
Cache Policy: CachingOptimized
Origin Request Policy: CORS-S3Origin
Response Headers Policy: SecurityHeadersPolicy
TTL Settings:
Minimum: 1 second
Maximum: 31536000 seconds (1 year)
Default: 86400 seconds (1 day)
# Cache Key Components:
- HTTP Method
- URI Path
- Query String (selectively)
- Headers (Authorization, Accept-Language)
- Cookies (selectively)
# Nginx CDN Configuration Example
server {
listen 80;
server_name cdn.example.com;
location /static/ {
# Cache configuration
proxy_cache static_cache;
proxy_cache_valid 200 302 1h;
proxy_cache_valid 404 1m;
proxy_cache_use_stale error timeout updating;
# Origin headers
proxy_set_header Host $origin_host;
proxy_pass http://origin.example.com;
}
# Cache zone definition
proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=static_cache:10m max_size=10g;
}
CDN Implementation
AWS CloudFront Configuration:
# Terraform for CloudFront Distribution
resource "aws_cloudfront_distribution" "s3_distribution" {
origin {
domain_name = aws_s3_bucket.bucket.bucket_regional_domain_name
origin_id = "S3Origin"
s3_origin_config {
origin_access_identity = aws_cloudfront_origin_access_identity.oai.cloudfront_access_identity_path
}
}
enabled = true
is_ipv6_enabled = true
comment = "Production CDN"
default_root_object = "index.html"
aliases = ["cdn.example.com"]
default_cache_behavior {
allowed_methods = ["GET", "HEAD", "OPTIONS"]
cached_methods = ["GET", "HEAD"]
target_origin_id = "S3Origin"
forwarded_values {
query_string = false
cookies {
forward = "none"
}
}
viewer_protocol_policy = "redirect-to-https"
min_ttl = 0
default_ttl = 3600
max_ttl = 86400
# Lambda@Edge for dynamic processing
lambda_function_association {
event_type = "viewer-request"
lambda_arn = aws_lambda_function.edge_auth.qualified_arn
}
}
# Custom error responses
custom_error_response {
error_caching_min_ttl = 300
error_code = 404
response_code = 200
response_page_path = "/index.html"
}
price_class = "PriceClass_All"
restrictions {
geo_restriction {
restriction_type = "none"
}
}
viewer_certificate {
acm_certificate_arn = aws_acm_certificate.cert.arn
ssl_support_method = "sni-only"
}
}
Cloudflare Workers for Edge Computing:
// Cloudflare Worker for A/B testing at edge
addEventListener('fetch', event => {
event.respondWith(handleRequest(event.request))
})
async function handleRequest(request) {
const url = new URL(request.url)
// A/B testing based on cookie
const abTest = getABTestVariant(request)
// Modify request based on variant
if (abTest === 'B') {
url.pathname = '/experimental' + url.pathname
}
// Fetch from origin
let response = await fetch(url.toString(), request)
// Add caching headers
response = new Response(response.body, response)
response.headers.set('Cache-Control', 'public, max-age=3600')
response.headers.set('X-AB-Test', abTest)
return response
}
function getABTestVariant(request) {
const cookie = request.headers.get('Cookie') || ''
const match = cookie.match(/ab_test=([AB])/)
return match ? match[1] : (Math.random() > 0.5 ? 'A' : 'B')
}
DNS & CDN Integration
CDN Integration Patterns:
# Pattern 1: Subdomain CDN (Recommended)
www.example.com CNAME cdn.example.com
cdn.example.com CNAME d123abc.cloudfront.net
# Pattern 2: Apex Domain with CNAME Flattening
example.com A 192.0.2.1 (with CNAME flattening)
www.example.com CNAME cdn.example.com
# Pattern 3: Multi-CDN for High Availability
www.example.com CNAME multi-cdn.example.com
; multi-cdn.example.com managed by DNS provider with failover
# Cloudflare Integration
; Point domain to Cloudflare nameservers
example.com NS ns1.cloudflare.com
example.com NS ns2.cloudflare.com
; Cloudflare manages all records with proxy
www.example.com A 192.0.2.1 (proxied)
api.example.com A 192.0.2.2 (DNS only)
Global Server Load Balancing (GSLB):
# Route53 Latency-Based Routing
resource "aws_route53_record" "latency" {
zone_id = aws_route53_zone.primary.zone_id
name = "app.example.com"
type = "A"
set_identifier = "us-east"
latency_routing_policy {
region = "us-east-1"
}
alias {
name = aws_lb.useast.dns_name
zone_id = aws_lb.useast.zone_id
}
}
resource "aws_route53_record" "latency_eu" {
zone_id = aws_route53_zone.primary.zone_id
name = "app.example.com"
type = "A"
set_identifier = "eu-west"
latency_routing_policy {
region = "eu-west-1"
}
alias {
name = aws_lb.euwest.dns_name
zone_id = aws_lb.euwest.zone_id
}
}
# Health checks for failover
resource "aws_route53_health_check" "app" {
fqdn = "app.example.com"
port = 443
type = "HTTPS"
resource_path = "/health"
failure_threshold = "3"
request_interval = "30"
}
Performance Optimization
DNS Optimization:
# TTL Strategy
; Critical records (low TTL for quick changes)
www.example.com. 300 IN A 192.0.2.1
; Stable records (high TTL for performance)
api.example.com. 3600 IN A 192.0.2.2
; Prefetching and Preconnecting
<link rel="dns-prefetch" href="//cdn.example.com">
<link rel="preconnect" href="https://cdn.example.com">
# DNS Response Compression
; Use EDNS0 for larger UDP packets
; Enable DNS over HTTPS (DoH) or TLS (DoT)
# Minimize DNS Lookups
; Combine domains where possible
; Use same domain for CDN and main site when possible
CDN Optimization:
# Cache Control Headers
# Origin response headers
Cache-Control: public, max-age=31536000, immutable # Static assets
Cache-Control: no-cache, must-revalidate # Dynamic content
Cache-Control: s-maxage=3600 # CDN cache only
# Cache Variants
Vary: Accept-Encoding
Vary: Accept-Language
# Brotli Compression
# Enable on CDN for smaller file sizes
Content-Encoding: br
# Image Optimization
# Use WebP/AVIF formats with fallbacks
<picture>
<source srcset="image.avif" type="image/avif">
<source srcset="image.webp" type="image/webp">
<img src="image.jpg" alt="Description">
</picture>
# HTTP/2 and HTTP/3
# Enable on CDN for better performance
Alt-Svc: h3=":443"; ma=86400
Security Considerations
DNS Security:
# DNSSEC Implementation
; Sign your zone with DNSSEC
example.com. IN DNSKEY 256 3 13 AwEAAc...
example.com. IN RRSIG DNSKEY 13 2 3600 ...
# DNS Security Extensions
; Use DNS over HTTPS (DoH) or TLS (DoT)
; Implement Response Policy Zones (RPZ)
; Enable Query Logging for security monitoring
# DDoS Protection
; Use DNS providers with DDoS mitigation
; Rate limiting on DNS queries
; Anycast network for distributed load
# Zone Transfer Security
; Restrict zone transfers to authorized servers
; Use TSIG for authenticated transfers
CDN Security:
# Web Application Firewall (WAF)
resource "aws_wafv2_web_acl" "cdn" {
name = "cdn-protection"
scope = "CLOUDFRONT"
default_action {
allow {}
}
rule {
name = "AWSManagedRulesCommonRuleSet"
priority = 1
override_action {
none {}
}
statement {
managed_rule_group_statement {
name = "AWSManagedRulesCommonRuleSet"
vendor_name = "AWS"
}
}
visibility_config {
cloudwatch_metrics_enabled = true
metric_name = "AWSManagedRulesCommonRuleSet"
sampled_requests_enabled = true
}
}
}
# Origin Protection
# Use Origin Access Identity (OAI) for S3
resource "aws_cloudfront_origin_access_identity" "oai" {
comment = "OAI for S3 bucket"
}
# Restrict S3 bucket to CloudFront only
resource "aws_s3_bucket_policy" "cdn" {
bucket = aws_s3_bucket.bucket.id
policy = data.aws_iam_policy_document.cdn.json
}
data "aws_iam_policy_document" "cdn" {
statement {
actions = ["s3:GetObject"]
resources = ["${aws_s3_bucket.bucket.arn}/*"]
principals {
type = "AWS"
identifiers = [aws_cloudfront_origin_access_identity.oai.iam_arn]
}
}
}
# HTTPS Enforcement
# Redirect HTTP to HTTPS
ViewerProtocolPolicy = "redirect-to-https"
# Security Headers at Edge
# CloudFront Function for security headers
function handler(event) {
var response = event.response;
var headers = response.headers;
headers['strict-transport-security'] = {value: 'max-age=31536000; includeSubDomains'};
headers['x-content-type-options'] = {value: 'nosniff'};
headers['x-frame-options'] = {value: 'DENY'};
headers['x-xss-protection'] = {value: '1; mode=block'};
headers['referrer-policy'] = {value: 'strict-origin-when-cross-origin'};
return response;
}
Monitoring & Troubleshooting
DNS Monitoring:
# DNS Query Monitoring # Use dig for manual testing dig example.com A dig @8.8.8.8 example.com A dig example.com A +trace # Monitor DNS resolution time time nslookup example.com # DNS Propagation Checking # Check from multiple locations dig @1.1.1.1 example.com A dig @8.8.8.8 example.com A dig @9.9.9.9 example.com A # DNS Performance Metrics - Query response time - Cache hit ratio - Query volume by type - Error rates # CloudWatch DNS Metrics (Route53) - DNSQueries - HealthCheckStatus - ConnectionTime
CDN Monitoring:
# CDN Performance Metrics
- Cache hit ratio
- Origin bandwidth
- Request count
- Error rates (4xx, 5xx)
- Data transfer out
# Real User Monitoring (RUM)
# Using CloudWatch RUM
resource "aws_rum_app_monitor" "cdn" {
name = "cdn-performance"
domain = "example.com"
app_monitor_configuration {
identity_pool_id = aws_cognito_identity_pool.main.id
}
}
# Synthetic Monitoring
# Using AWS Synthetics
resource "aws_synthetics_canary" "cdn" {
name = "cdn-health-check"
artifact_s3_location = "s3://${aws_s3_bucket.artifacts.bucket}/cdn-canary"
execution_role_arn = aws_iam_role.canary.arn
handler = "pageLoadBlueprint.handler"
zip_file = "canary.zip"
runtime_version = "syn-1.0"
schedule {
expression = "rate(5 minutes)"
}
run_config {
active_tracing = true
timeout_in_seconds = 60
}
}
# Log Analysis
# CloudFront Access Logs to S3
resource "aws_cloudfront_distribution" "main" {
logging_config {
include_cookies = false
bucket = aws_s3_bucket.logs.bucket_domain_name
prefix = "cdn-logs"
}
}
# Common CDN Issues and Solutions
1. Cache Misses: Check Cache-Control headers
2. High Latency: Check PoP locations, enable HTTP/2
3. SSL Errors: Check certificate validity
4. 403 Errors: Check origin access, WAF rules
5. Slow Origin: Optimize origin response time
Cloud Provider Solutions
AWS (Amazon Web Services):
# Route53 + CloudFront + S3 Components: - Route53: DNS management with advanced routing - CloudFront: Global CDN with edge computing - S3: Origin storage with high durability - WAF: Web application firewall - Shield: DDoS protection # Key Features: - Lambda@Edge for edge computing - Real-time logs to CloudWatch - Origin failover - Field-level encryption
Google Cloud Platform:
# Cloud DNS + Cloud CDN Components: - Cloud DNS: Scalable, reliable DNS - Cloud CDN: Global content delivery - Cloud Storage: Origin backend - Cloud Armor: Security protection # Key Features: - Anycast IP addresses - Integration with Load Balancers - Custom origins support
Microsoft Azure:
# Azure DNS + Azure CDN Components: - Azure DNS: DNS hosting service - Azure CDN: Global content delivery - Blob Storage: Origin storage - Azure WAF: Security protection # Key Features: - Multiple CDN profiles (Standard, Premium) - Rules engine for content manipulation - Diagnostics logging
Third-Party Providers:
# Cloudflare Features: - Global anycast network - Built-in DDoS protection - Workers for edge computing - Argo Smart Routing # Fastly Features: - Real-time purging - VCL for configuration - Advanced edge computing - Image optimization # Akamai Features: - Largest global network - Enterprise-grade security - Media delivery optimization - IoT edge capabilities
Comments
Post a Comment