Future at the Edge

Cloud DNS 101

Modern DNS Architecture and Edge Authoritative DNS

An architectural deep dive into cloud DNS, Anycast networks, and programmable traffic management.

All Rights Reserved © VergeCloud

1. DNS Refresher and Introduction to Authoritative DNS

Every internet request starts with DNS

  •  DNS is the critical entry point for all internet interactions.
  •  If DNS fails, the application is unreachable regardless of backend health.
  •  DNS availability directly dictates application uptime and reliability.

How a domain name becomes an IP address

Resolver: Typically operated by an ISP or public service. Queries the DNS hierarchy to find the IP address.

Authoritative server: The final source of truth. Holds the official records for the domain.

If the authoritative server is slow or unavailable, the resolver cannot obtain the information.

2. The DNS Weak Link - Limitations of Registrar DNS

Registrar DNS was built for domain management

  • Historically bundled as a convenience feature for basic domain registration.

  • Designed for simple record creation, not high-availability application infrastructure.

  • Lacks the deeper traffic management and visibility capabilities required by modern applications.

Centralisation creates operational fragility

  • Legacy DNS relies on a small number of centralised infrastructure locations.

  • Latency penalties: Global queries must travel to distant, limited server clusters.

  • Single points of failure: Localised outages take down global DNS availability.

  • Rigid routing: Lacks dynamic traffic steering and intelligent response mechanisms.

3. Why Edge Cloud DNS is Faster and More Reliable

Distributing authoritative DNS to the edge

  • Cloud DNS discards centralised servers in favour of globally distributed infrastructure.
  • DNS services run directly on edge Points of Presence (PoPs).
  • Requests are answered by a location geographically and operationally closer to the user.

Anycast architecture routes to the closest topological node

  • Multiple DNS servers in different geographic locations share the exact same IP address.
  • Internet routing protocols (BGP) automatically direct queries to the nearest available PoP.
  • If a PoP drops offline, traffic instantly redirects to the next closest available node.

Edge resolution eliminates single points of failure

  • Lower lookup latency: Millisecond response times as queries are resolved locally.
  • Built-in redundancy: A regional infrastructure failure does not impact the global service.
  • Distributed query load: Traffic spikes are handled across the entire network footprint simultaneously.

Anycast delivers answers from the closest location

Lower lookup latency and consistent millisecond performance.

4. Intelligent Traffic Steering using DNS

DNS as an Active Traffic Steering Layer

Modern platforms provide advanced traffic management at the resolution layer.

Allows engineering teams to control exactly how user requests route to backend infrastructure.

DNS becomes an active enabler of reliability, rather than a passive directory.

Routing strategies for modern deployment patterns

Round-robin routing

Distributing traffic evenly across multiple active endpoints.

Geolocation routing

Directing users to infrastructure located in their specific geographic region.

Weighted routing

Gradually shifting traffic between environments for canary deployments.

5. Protection Against DNS Volumetric and Spoofing Attacks

DNS is a primary target for volumetric attacks

  • Attackers target DNS as the front door; taking it down effectively erases a service from the internet.
  • DNS Flood Attacks: Overwhelming authoritative servers with massive volumes of queries.
  • UDP Amplification: Exploiting open resolvers to generate amplified traffic against a victim.
  • Centralised architectures cannot withstand large-scale volumetric surges.

Edge networks absorb and distribute attack traffic

  • Distributed architecture fundamentally changes the defensive posture.
  • Volumetric attack traffic is absorbed across dozens of infrastructure nodes.
  • Avoids centralised bottlenecks by keeping malicious traffic from aggregating in one location.
  • Maintains DNS availability for legitimate users even under severe attack conditions.

Preventing DNS Spoofing with DNSSEC

Cryptographic Signing of DNS Records

DNSSEC adds digital signatures to every DNS record using public-key cryptography

Chain of Trust Validation

DNSSEC establishes a hierarchical chain of trust from the root zone down to individual domain records

Authenticated Denial of Existence

NSEC/NSEC3 records provide cryptographic proof that a queried domain does not exist, preventing attackers from exploiting negative responses to redirect users to malicious destinations through cache poisoning
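
The chain of trust described above depends on the parent zone publishing a DS record that is a hash of the child zone's DNSKEY, so a DS left behind after moving a zone to a new DNS provider breaks validation. The following added example (not VergeCloud's code) computes the key tag and SHA-256 DS digest as defined in RFC 4034 and RFC 4509 and checks a DS against a DNSKEY; the key bytes, `example.com`, and the choice of algorithm 13 are constructed sample values, and RRSIG signature verification is out of scope.

```python
import base64
import hashlib
import hmac

def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercased, length-prefixed labels."""
    stripped = name.lower().rstrip(".")
    out = b""
    for label in (stripped.split(".") if stripped else []):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= 63:
            raise ValueError(f"invalid label in {name!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"  # the root label terminates the name

def dnskey_rdata(flags: int, protocol: int, algorithm: int, key_b64: str) -> bytes:
    """DNSKEY RDATA: flags (2 bytes) | protocol (1) | algorithm (1) | public key."""
    key = base64.b64decode(key_b64, validate=True)
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + key

def key_tag(rdata: bytes) -> int:
    """Key tag from RFC 4034 Appendix B (not valid for the obsolete algorithm 1)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_sha256(owner: str, rdata: bytes) -> str:
    """DS digest type 2: SHA-256 over the owner name followed by the DNSKEY RDATA."""
    return hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()

def ds_matches(owner: str, ds_tag: int, ds_alg: int, ds_digest: str, rdata: bytes) -> bool:
    """True only if the parent's DS record points at exactly this DNSKEY."""
    if len(rdata) < 5 or rdata[3] != ds_alg or key_tag(rdata) != ds_tag:
        return False
    return hmac.compare_digest(ds_sha256(owner, rdata), ds_digest.upper())

# Constructed sample values: a 64-byte placeholder, not a real ECDSA P-256 key.
SAMPLE_KEY_B64 = base64.b64encode(bytes(range(64))).decode()
KSK = dnskey_rdata(257, 3, 13, SAMPLE_KEY_B64)  # flags 257 = zone key + SEP bit
PARENT_DS = (key_tag(KSK), 13, ds_sha256("example.com", KSK))

if __name__ == "__main__":
    print("DS for example.com:", *PARENT_DS[:2], 2, PARENT_DS[2])
    print("DS matches DNSKEY:", ds_matches("example.com", *PARENT_DS, KSK))
    replaced = KSK[:-1] + b"\xff"  # simulates a key swapped without a DS update
    print("DS matches replaced key:", ds_matches("example.com", *PARENT_DS, replaced))
```

A validating resolver treats a zone whose DS matches none of its DNSKEYs as bogus and returns SERVFAIL, which is why the DS at the registrar has to be updated in step with any key change.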

6. SUMMARY & KEY TAKEAWAYS

Cloud Edge DNS - Key Advantages

Performance

Edge Anycast architecture delivers millisecond DNS resolution by answering queries from the nearest PoP globally.

Resilience

Distributed infrastructure eliminates single points of failure; regional outages do not impact global DNS availability.

Intelligent Control

DNS becomes an active traffic steering layer enabling geolocation routing, weighted rollouts, and round-robin routing.

Security

Edge networks absorb volumetric DDoS attacks across dozens of nodes; DNSSEC prevents spoofing and cache poisoning.

VergeCloud Secure Edge Edge PoP Components

  • DNS query is answered at the nearest Edge PoP via Anycast routing
  • All security and delivery layers are enforced before traffic reaches origin
  • Cache HITs are served directly at the edge - origin is bypassed entirely

Q&A
