DNS Shield

Authoritative DNS with anycast resilience and DNSSEC. Your domain, served from within Cambodia.


Your authoritative nameserver is the definitive record of where your services are reachable. Whoever holds it determines who can reach them — and under whose law that access is governed.

DNS Shield keeps that control inside Cambodia. Authoritative DNS served from CNX's anycast network — independent nodes across Cambodia, Southeast Asia, Europe, and the Americas — with DNSSEC on every zone and signing keys held in hardware security modules inside Cambodia.

How it works

DNS Shield uses anycast: the same IP address is announced from multiple locations simultaneously. Every query is answered by the nearest node. There is no single point of failure.

Inside Cambodia — multiple independent nodes interconnected via the national IXP fabric, with direct private peering to Cambodia's largest carriers on isolated segments. These nodes carry no public internet routes — they are structurally unreachable from outside the country.

Outside Cambodia — international edge nodes in Singapore, Japan, Germany, and the USA. These nodes act as regional traffic sinks — volumetric attack traffic is drawn to and consumed at the nearest node before it can reach Cambodia.

Two input paths

Zone Transfer — your team keeps your existing DNS workflow. CNX connects to your authoritative server, signs and distributes your zone on the anycast network. Your operations team makes no changes to how DNS records are managed today.

CNX Managed Origin — no DNS infrastructure required. Zone changes go through an approval workflow that produces an immutable audit record, satisfying NBC TCRMG change management requirements. Integrates with your existing Single Sign-On.

What CNX operates on your behalf
During an attack — your users see nothing

During a volumetric attack, your Cambodian users are unaffected. Domestic nodes carry no public internet routes — they are structurally unreachable from outside the country regardless of attack volume. International edge nodes absorb traffic from their respective regions before it can cross into Cambodia. From inside Cambodia, your domain resolves exactly as it always does. The attack is invisible to your users.

Zone completeness — every record, on every node, always

Some DNS protection services learn your zone by scanning publicly-reachable records — querying for A, MX, and NS entries to build a working copy. Records with unpredictable names are invisible to a scanner that does not know what to ask for: DKIM selectors, SPF policies, DMARC configuration, verification tokens, API endpoint definitions. If that service ever serves from its learned copy rather than your origin — because your origin is down, or because traffic is being scrubbed — those records are gone. The domain appears to work. The authentication layer does not. Nobody notices until email stops being delivered or a domain verification fails.

DNS Shield receives your complete zone via authenticated transfer from your authoritative server, or directly from the CNX-managed repository. Every record is present on every node — every subdomain, every TXT entry, every selector. The zone is cryptographically signed with DNSSEC; any omission or modification in transit is detectable and rejected. There is no learned copy. There is only the complete zone.

Onboarding — from evaluation to live, with no production risk

Before your DNS is live on CNX, we run in parallel. Your existing DNS keeps operating exactly as it does today — no changes to registrar records, no impact on users.

  1. CNX imports your current zone records.
  2. CNX serves your zones from the anycast network — your registrar still points to your current provider. Nothing changes for users.
  3. Your team queries the CNX nameservers directly to verify every record, check latency, and confirm DNSSEC signatures — at your own pace, with no time pressure.
  4. When your team is satisfied, registrar NS records are updated. This is the only change with any user-facing effect, and it propagates gradually as DNS caches expire.
  5. Your previous provider remains available as a fallback for at least seven days after cutover.

Rollback at any time: pointing your registrar records back to your previous provider restores the previous state. The exit is a single DNS change.

Service levels
In-country
Query path Queries from Cambodian networks resolve entirely on the CNX exchange fabric. Each major carrier connects to a dedicated isolated segment — ISP traffic is served from its own capacity, with no contention between networks. A query from a user on any Cambodian ISP never leaves the national exchange fabric to reach an answer.
LatencyUnder 10 ms from resolver to CNX node, across every Cambodian carrier
Uptime SLA99.99%
International
Query path International nodes are colocated at major internet exchanges alongside the world's largest public resolvers — Google (8.8.8.8), Cloudflare (1.1.1.1), and Quad9 (9.9.9.9). Users outside Cambodia on public resolvers receive answers with minimal additional latency; CNX sits where those resolvers peer.
All nodes
Query limitsNone. Attack traffic costs nothing extra.
Zone propagationTypically seconds · SLA under 5 minutes
DNSSECEvery zone, by default. Keys in HSMs, automated rollover per RFC 6781
Monitoring24/7 availability and DNSSEC validity
Standards

DNS Shield implements DNSSEC per RFC 4033–4035, using ECDSAP256SHA256 — NIST P-256 with SHA-256, the RECOMMENDED algorithm under RFC 8624 — as the only signing algorithm. Deprecated algorithms are not accepted. Key rollover follows RFC 6781. Zone transfer authentication uses TSIG per RFC 8945. Signing keys are generated and stored in dedicated hardware security modules; they are non-exportable by hardware design.

Full standards and regulatory compliance mapping — including NBC TCRMG chapter-by-chapter, NIST SP 800-81, and RGC Cloud First Policy alignment — is on the Compliance page.

Your zone data stays yours

Zone files are maintained in standard BIND format — the open format used by every DNS operator on the internet. At any point you can export your complete zone and take it to any other provider. There is no proprietary format, no data migration, no lock-in. The rollback process described in onboarding is identical to a full exit: update your registrar records, done.