Set up Shield NS53

This topic describes the steps that are required to set up Shield NS53.

To set up Shield NS53:

  1. Create a shield. When you create a shield, you identify your name server IP address and a DNS record that shield can request to check if the name server is in a healthy state. After this initial configuration is completed, Akamai assigns service IP addresses to the shield configuration.
  2. Add shield zones and assign filtering modes. This task requires that you add zones to your shield configuration. As part of this process, you select a filtering mode and configure the zone names.
  3. Update your organization’s firewall and allowlists with IP address blocks required for Shield NS53. For more information, see Firewall and allowlist requirements.
  4. Direct traffic to shield by updating the A record of your name server or the NS record of your parent zone with the Shield NS53 IP addresses.

Create a shield

Complete this procedure to create a shield.

At this time, you can create up to two shield configurations per contract. To add more shields, contact your Akamai account representative.

To create a shield:

  1. In Control Center, do one of the following:
    • Go to ☰ > DNS SOLUTIONS > Edge DNS. At the top of the page, click Shields list. The Shields List page appears.
    • Go to ☰ > DNS SOLUTIONS > Shield NS53. The Shields List page appears.
  2. Click Create new Shield.
  3. If your Control Center account includes multiple contracts or groups, you are prompted to select the specific contract and the group that you want to associate with this configuration. Click Save.
  4. In the Shield name field, enter a name for the shield.
  5. In the provided text field for your name servers, enter your name server IP addresses or hostnames.

    📘

    An IP address is strongly recommended for name servers. If you provide a hostname and use automatic filtering for a zone, you must configure at least one IP address for alternate transfer targets.

  6. In the Health check record field, enter the name of the DNS record that you want to request from your name servers.
  7. In the Type menu, select the type of DNS record that you are requesting. While you can select any record type, Akamai recommends that you use a TXT or SOA record type for this check because these records are static on your name servers.
  8. Click Save.
    After you create a shield with your name server information, Akamai assigns service IP addresses. It can take up to 30 minutes for Akamai to assign a set of IPv4 and IPv6 addresses to your shield configuration.

Next Step:

Add zones and assign filtering modes to each zone. For instructions, see Add shield zones and assign filtering modes.

Add shield zones and assign filtering modes

The filtering mode for a zone defines how Shield NS53 handles traffic for that zone. You can use cache-based filtering, which caches DNS responses; manual filtering, where you set the permitted zone names; automatic filtering, which allows DNS traffic based on a zone file that’s transferred from name servers to Shield NS53 through AXFR; or a deny filter mode that blocks all queries. To learn more about these filtering modes, see Filtering modes for shield zones.

To add shield zones and assign filtering modes:

  1. Go to the shield that you created in Create a shield.
  2. Click the name of the zone or click Edit Shield.
  3. Click Add zones.
  4. To use cache-based filtering:
    1. In the Filtering mode menu, select Caching.
    2. Enter zone names in the provided text box.
    3. Click Create shield zones.
  5. To use automatic filtering:
    1. In the Filtering mode menu, select Automatic.
    2. Enter zone names in the provided text box.
    3. If you use TSIG keys to secure your zones, you can create a TSIG key or select an existing TSIG key for the zone.
    4. Click Create shield zones.
  6. To use manual filtering:
    1. In the Filtering mode menu, select Manual.
    2. Do one of the following to add zone names:
      • Upload a zone file that contains the zone names. Only the names in the file are extracted for this configuration.
      • In the Zone name field, enter names for each zone.
  7. To deny all traffic in zones:
    1. In the Filtering mode menu, select Deny all.
    2. In the Zone names field, enter names of zones where you want to block all traffic.
  8. Click Create shield zones.
  9. If you select automatic filtering for any zone, you can configure alternate transfer targets to ensure that the transfer of master zone files is done from another IP address that does not belong to your origin name servers. Click Add alternate transfer targets and enter the IP address or addresses you want to use in the provided text box.

    📘

    If you used only hostnames to identify your name servers in Create a shield, you must enter at least one IP address for this setting.

  10. Click Save.
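
The two procedures above share one dependency that is easy to miss in the UI: automatic filtering combined with hostname-only name servers requires an alternate transfer target IP. The following pre-flight check is an added example, not Akamai code or an Akamai API; the plan dictionary, its key names and the lowercase mode labels are assumptions made for this illustration.

```python
import ipaddress

STATIC_RECORD_TYPES = {"TXT", "SOA"}  # record types the page recommends

def is_ip(value):
    """True for an IPv4/IPv6 literal, False for anything else (a hostname)."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def preflight(plan):
    """Return (errors, warnings) for a planned shield before entering it in Control Center."""
    errors, warnings = [], []
    name_servers = plan["name_servers"]
    targets = plan.get("alternate_transfer_targets", [])
    zones = plan["zones"]  # zone name -> filtering mode (labels are this example's own)

    bad_targets = [t for t in targets if not is_ip(t)]
    if bad_targets:
        errors.append("alternate transfer targets must be IP addresses: " + ", ".join(bad_targets))

    hostnames = [ns for ns in name_servers if not is_ip(ns)]
    if hostnames:
        warnings.append("name servers given as hostnames: " + ", ".join(hostnames))

    # Rule from the notes: automatic filtering plus hostname-only name servers
    # requires at least one alternate transfer target IP.
    automatic = sorted(z for z, mode in zones.items() if mode == "automatic")
    hostname_only = bool(name_servers) and len(hostnames) == len(name_servers)
    if automatic and hostname_only and not any(is_ip(t) for t in targets):
        errors.append("alternate transfer target IP required for: " + ", ".join(automatic))
    if plan["health_check_type"].upper() not in STATIC_RECORD_TYPES:
        warnings.append("health check type " + plan["health_check_type"] + " is not TXT or SOA")
    return errors, warnings

# Constructed sample plan: reserved example domains, no real infrastructure.
SAMPLE_PLAN = {
    "name_servers": ["ns1.example.net"],
    "health_check_type": "A",
    "zones": {"example.com": "automatic", "example.org": "caching"},
    "alternate_transfer_targets": [],
}

if __name__ == "__main__":
    for level, lines in zip(("ERROR", "WARN"), preflight(SAMPLE_PLAN)):
        for line in lines:
            print(level + ":", line)
```

The check follows the "only hostnames" wording of the second note, so a plan that mixes IP addresses and hostnames for its name servers produces a warning rather than an error.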

Next Steps:

  1. If you created a shield zone that uses manual filtering, make sure you configure the domains that you want to allow for each zone. For instructions, see Add domains for manual filtering.
  2. Update your organization’s firewall and allowlists with IP address blocks required for Shield NS53. For more information, see Firewall and allowlist requirements.
  3. Direct traffic to shield by updating the A record of your name server or the NS record of your parent zone with the Shield NS53 IP addresses.