Set up and go live with Shield NS53

Going live with Shield NS53 requires that you set up shield in Control Center and complete these stages for delegation:

  • Stage 1. Delegate your zones to a subset of your origin servers and to your shield servers. When you are satisfied with the results of Stage 1, you can move on to Stage 2 where you restrict more traffic to shield servers.
  • Stage 2. Delegate your zones to only your shield servers, or depending on the needs of your organization, you can delegate zones to Shield and to some or all of your origin servers.

This procedure describes the steps that are required to set up and begin using Shield NS53 in your network.

To set up and go live with Shield NS53:

  1. Provision shields in Control Center. To do this, you need to:

    1. Create a shield. When you create a shield, you identify your origin name server IP address and a DNS record that shield can request to check if the name server is in a healthy state. After this initial configuration is completed, ​Akamai​ assigns service IP addresses to the shield configuration. These are the IP addresses of the shield servers that you use in step 2 for delegation.
    2. Add shield zones and assign filtering modes. This task requires that you add zones to your shield configuration. As part of this process, you select a filtering mode and configure the zone names.
  2. Delegate your zones to shield servers. This action directs traffic to Shield NS53. Complete these steps:

    1. Update the A and AAAA records of your name server or the NS record of your parent zone with the service IP addresses that are assigned to your shield configuration. You can also create new NS names for the delegations that use the shield service IP addresses.

      For Stage 1, your records should include your origin servers and some of your shield servers. For Stage 2, your records should include the shield servers. If you want to include your origin servers in Stage 2, provide some or all of your origin servers.

      📘

      Make sure these zone updates propagate to your origin servers. As your origin servers receive and respond to traffic, authority information will likely refresh in your client name server caches. After your origin server receives the new NS record, some traffic will reach the shield servers. You may need to wait until after the TTL for each record expires before you can confirm that resolvers are using the latest records.

    2. Provide the IP addresses and names of your ​Akamai​ shield servers to your registrar. Zone changes that are submitted to the registrar take about five minutes to propagate to the top-level domain name servers. After this is done, shield servers can handle requests.

      📘

      If you want Shield NS53 to protect subdomains such as a global server load balancer subdomain, make sure you update the NS record of the subdomain and not the NS record of the top-level domain.

    3. If you want to restrict access to only shield servers as part of Stage 2, you can hide your origin name servers from the Internet by only allowing Shield NS53 and other NS services to access origin name servers. Make sure all legitimate DNS traffic is flowing from your NS record services before you lock down access to only your NS record services. You can use Shield NS53 reports in Control Center (Common Services > Traffic Reports > Edge DNS) to validate that traffic is flowing.

  3. Update your organization’s firewall and allowlists with IP address blocks required for Shield NS53. For more information, see Firewall and allowlist requirements.

Create a shield

Complete this procedure to create a shield.

At this time, you can create up to two shield configurations per contract. To add more shields, contact your ​Akamai​ account representative.

To create a shield:

  1. In Control Center, go to ☰ > DNS SOLUTIONS > Shield NS53. The Shields List page appears.
  2. Click Create new Shield.
  3. If your Control Center account includes multiple contracts or groups, you are prompted to select the specific contract and the group that you want to associate with this configuration. Click Save.
  4. In the Shield name field, enter a name for the shield.
  5. In the provided text field for your name servers, enter your name server IP addresses or hostnames.

    📘

    An IP address is strongly recommended for name servers. If you provide a hostname and use automatic filtering for a zone, you must configure at least one IP address for alternate transfer targets.

  6. In the Health check record field, enter the name of the DNS record that you want to request from your name servers.
  7. In the Type menu, select the type of DNS record that you are requesting. While you can select any record type, ​Akamai​ recommends you use a TXT or SOA record type for this check as these records are static on your name servers.
  8. If you would like to see the client IP address in a valid DNS request that’s forwarded to Shield NS53, enable EDNS client subnet. EDNS client subnet (ECS) allows a DNS resolver to include the client’s IP address in DNS queries that are sent to authoritative DNS servers. This helps optimize DNS responses based on the client’s geographic location, providing more accurate results for location-based services.
  9. Click Save.
    After you create a shield with your name server information, ​Akamai​ assigns service IP addresses. It can take up to 30 minutes for ​Akamai​ to assign a set of IPv4 and IPv6 addresses to your shield configuration.

Next Step:

Add zones and assign filtering modes to each zone. For instructions, see Add shield zones and assign filtering modes.

Add shield zones and assign filtering modes

The filtering mode for a zone defines how Shield NS53 handles traffic for that zone. You can select to use cache-based filtering to cache DNS responses, manual filtering where you set the permitted zone names, automatic filtering that allows DNS traffic based on a zone file that’s transferred from name servers to Shield NS53 through AXFR, or a deny filter mode that blocks all queries. To learn more about these filtering modes, see Filtering modes for shield zones.

To add shield zones and assign filtering modes:

  1. Go to the shield that you created in Create a shield.
  2. Click the name of the zone or click Edit Shield.
  3. Click Add zones.
  4. To use cache-based filtering:
    1. In the Filtering mode menu, select Caching.
    2. Enter zone names in the provided text box.
    3. Click Create shield zones.
  5. To use automatic filtering:
    1. In the Filtering mode menu, select Automatic.
    2. Enter zone names in the provided text box.
    3. If you use TSIG keys to secure your zones, you can create a TSIG key or select an existing TSIG key for the zone.
    4. Click Create shield zones.
  6. To use manual filtering:
    1. In the Filtering mode menu, select Manual.
    2. In the Zone name field, enter names for each zone.
    3. Click Create shield zones.
  7. To deny all traffic in zones:
    1. In the Filtering mode menu, select Deny all.
    2. In the Zone names field, enter names of zones where you want to block all traffic.
    3. Click Create shield zones.
  8. If you select automatic filtering for any zone, you can configure alternate transfer targets to ensure that the transfer of master zone files is done from another IP address that does not belong to your origin name servers. Click Add alternate transfer targets and enter the IP address or addresses you want to use in the provided text box.

    📘

    If you used only hostnames to identify your name servers in Create a shield, you must enter at least one IP address for this setting.

  9. Click Save.

Next Steps:

  1. If you created a shield zone that uses manual filtering, make sure you configure the domains that you want to allow to each zone. For instructions, see Add domains for manual filtering.
  2. Delegate your zones to Shield NS53. For more information, see the high-level steps that are described at the top of this page.
  3. Update your organization’s firewall and allowlists with IP address blocks required for Shield NS53. For more information, see Firewall and allowlist requirements.