Firewall and allowlist requirements
To use Shield NS53, you must allow specific CIDRs in your firewall and allowlists. Do the following:
-
If you configured Automatic filtering, make sure you allow IP addresses for Edge DNS Zone Transfer Agents. Zone transfer agents are required for authoritative zone transfer (AXFR) and incremental zone transfer (IXFR) transactions.
To obtain a list of IP addresses for Zone Transfer Agents (ZTAs), you need to subscribe to Control Center’s firewall rules notification service for Edge DNS Zone Transfer Agents. The notification service shows the IP addresses you must allow and also notifies you when there is a change to the ZTA infrastructure. DNS NOTIFY is also supported. To view these addresses and subscribe to notifications for Edge DNS Zone Transfer Agents, see Restrict zone transfers to the ZTAs.
Make sure the IP addresses and ports for Edge DNS Zone Transfer Agents are allowed by your origin name servers. For configuration examples on how you can allow ZTAs on different servers such as BIND and configure DNS NOTIFY and TSIG authentication, see Restrict zone transfers to the ZTAs. -
Allow recursive DNS from Akamai IPv4 and IPv6 IP addresses. You must allow these IP addresses:
IPv4 IPv6 Port Protocol 80.67.68.0/24
96.16.0.0/15
66.198.8.0/24
201.33.187.0/24
104.64.0.0/10
125.56.218.0/24
96.6.0.0/15
60.254.173.0/24
202.138.183.0/24
203.69.138.0/24
2.16.0.0/13
124.106.175.0/24
72.246.0.0/15
67.220.142.0/23
95.100.0.0/15
184.24.0.0/13
23.0.0.0/12
118.214.0.0/16
184.84.0.0/14
69.192.0.0/16
23.64.0.0/14
23.32.0.0/11
23.72.0.0/13
175.207.14.0/24
92.122.0.0/15
23.192.0.0/11
80.239.148.0/24
173.222.0.0/15
189.247.213.0/24
184.50.0.0/15
88.221.0.0/162a02:26f0::/32
2600:1400::/24
2405:9600::/32
2001:4450:40::/48
2001:4457:ff0::/48
2001:2030:22::/4853 UDP,
TCP
Updated 3 months ago