Aminia architected and delivered a carrier-grade DNS core infrastructure refresh for Malaysia’s largest combined mobile and fixed network operator — replacing an aging DNS estate with a high-performance, security-hardened platform capable of handling 20 million transactions per second, deployed Active/Active across two geographically separated data centres with zero disruption to live subscribers.
The client is Malaysia’s leading mobile and fixed network operator, serving tens of millions of subscribers across both the consumer and enterprise segments. Operating one of the country’s most extensive mobile networks alongside a substantial fixed broadband and enterprise connectivity business, the operator runs critical DNS infrastructure that underpins subscriber internet access, mobile data sessions, roaming resolution, and internal network services at national scale.
DNS is the invisible backbone of carrier operations — every subscriber internet request, every mobile data session handover, every roaming event traverses the DNS core. For an operator at this scale, DNS infrastructure failure is not a degraded experience; it is a total outage. The requirement was therefore not simply for high performance, but for architecture that eliminates single points of failure entirely.
The client’s existing DNS estate was approaching end-of-life across both hardware and software, and could no longer keep pace with subscriber growth, DNS query volumes, or the evolving threat landscape. A full platform refresh was required — but with an operational constraint that is unique to carrier environments: the replacement had to be executed with zero tolerance for service disruption to tens of millions of live subscribers.
Aminia designed a carrier-grade DNS architecture using the EfficientIP SOLIDserver platform — purpose-selected for its proven performance at telco scale, Active/Active clustering capability, and integrated DNS security suite. The solution separates DNS roles across dedicated hardware tiers, ensuring no contention between recursive subscriber traffic, authoritative zone serving, and mobile GPRS resolution.
All DNS roles — Recursive, Authoritative, and GnGp — are deployed in fully active configurations at both data centres simultaneously. Neither site acts as a backup; both handle live production traffic. This eliminates the service risk of a single data centre outage, which at carrier scale would affect millions of subscribers.
DNS Anycast routing is deployed across all GiDNS nodes, allowing the IP core to advertise the same DNS service address from multiple locations simultaneously. Bidirectional Forwarding Detection (BFD) provides millisecond-level failure detection on forwarding paths — ensuring that if a node or link fails, DNS traffic is rerouted to a healthy node before a subscriber would experience a timeout.
DNS Guardian is deployed across every DNS server in the infrastructure — Recursive, Authoritative, and GnGp. Guardian performs real-time behavioural analysis of DNS query patterns, detecting and mitigating attacks including DNS floods, amplification attacks, and NXDOMAIN storms. All blocked client events are captured in syslog with source IP and trigger classification, enabling full forensic traceability.
Applied to the GiDNS Recursive layer, DNS Threat Pulse provides continuously updated threat intelligence feeds that block subscriber queries to malicious domains across 14 threat categories — including malware C2, phishing, botnets, ransomware, and cryptomining. Blocked events are logged with the source client IP, queried domain, and category, enabling the operator to report on threat activity and take subscriber-level action where required.
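The two paragraphs above describe what the platform logs for each blocked query: for Guardian, the source IP and trigger classification; for Threat Pulse, the source client IP, queried domain and threat category. The following Python script is an added example, not part of the original case study and not EfficientIP's own code or log format, showing the kind of downstream reporting those fields make possible. It parses constructed syslog lines in an assumed key=value layout (the hostnames, process names, field names and addresses are all placeholders chosen for this example), aggregates blocked events by source client, trigger and threat category, and flags clients whose block count crosses a threshold so an operator could take subscriber-level action.

```python
import re
from collections import Counter

# Constructed sample syslog lines in an ASSUMED key=value format. This is a
# placeholder layout for the example, not the SOLIDserver / DNS Guardian /
# DNS Threat Pulse log format. The final "named:" line is deliberately a
# non-block event so the parser can show that it ignores unrelated records.
SAMPLE_SYSLOG = """\
Mar  3 10:00:01 gidns-rec-01 guardian: action=block src=10.1.1.10 trigger=NXDOMAIN_STORM
Mar  3 10:00:01 gidns-rec-01 guardian: action=block src=10.1.1.10 trigger=NXDOMAIN_STORM
Mar  3 10:00:02 gidns-rec-02 guardian: action=block src=10.1.1.11 trigger=FLOOD
Mar  3 10:00:02 gidns-rec-01 threatpulse: action=block src=10.1.1.12 qname=c2.example.invalid category=malware_c2
Mar  3 10:00:03 gidns-rec-01 threatpulse: action=block src=10.1.1.12 qname=login.example.invalid category=phishing
Mar  3 10:00:03 gidns-rec-02 threatpulse: action=block src=10.1.1.13 qname=pool.example.invalid category=cryptomining
Mar  3 10:00:04 gidns-rec-01 guardian: action=block src=10.1.1.10 trigger=NXDOMAIN_STORM
Mar  3 10:00:05 gidns-rec-02 named: client 10.1.1.99 query example.invalid IN A
"""

# Matches the assumed layout: syslog timestamp, host, emitting process and a
# trailing run of key=value tokens. Only the two block-producing processes are
# of interest here.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<proc>guardian|threatpulse): (?P<kv>.*)$"
)


def parse_block_events(text):
    """Return one dict per blocked-query record found in the syslog text.

    Each dict carries the timestamp, host, emitting process ('guardian' or
    'threatpulse') and the parsed key=value fields (src, trigger, qname,
    category as present). Lines from other processes, malformed lines and
    non-block actions are skipped rather than raising.
    """
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        fields = {}
        for tok in m.group("kv").split():
            if "=" in tok:
                key, value = tok.split("=", 1)
                fields[key] = value
        if fields.get("action") != "block" or "src" not in fields:
            continue
        events.append({
            "ts": m.group("ts"),
            "host": m.group("host"),
            "proc": m.group("proc"),
            **fields,
        })
    return events


def summarise(events):
    """Aggregate blocked events into the three views an operator reports on:
    per source client, per Guardian trigger, and per Threat Pulse category."""
    by_source = Counter(e["src"] for e in events)
    by_trigger = Counter(e["trigger"] for e in events if e["proc"] == "guardian")
    by_category = Counter(e["category"] for e in events if e["proc"] == "threatpulse")
    return {
        "by_source": dict(by_source),
        "by_trigger": dict(by_trigger),
        "by_category": dict(by_category),
    }


def noisy_sources(events, threshold):
    """Clients with at least `threshold` blocks, most-blocked first.

    This is the subscriber-level list the case study refers to: the operator
    can follow up on these clients (for example, a device caught in an
    NXDOMAIN storm or talking to a C2 domain) without touching the rest.
    """
    counts = Counter(e["src"] for e in events)
    flagged = [(src, n) for src, n in counts.items() if n >= threshold]
    return sorted(flagged, key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    evts = parse_block_events(SAMPLE_SYSLOG)
    print(summarise(evts))
    print(noisy_sources(evts, threshold=3))
```

Run against a real export, the script would be pointed at the operator's actual syslog collector output and the regular expression adjusted to the vendor's real field names; the aggregation and thresholding logic stays the same. Counting by source client rather than by query is what turns a raw block log into something actionable per subscriber.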
All DNS appliances are connected via 10 Gigabit Ethernet with Link Aggregation (LACP/LAGG) across the management and production network planes, with redundant cable paths providing protection against both switch failure and individual cable faults. Management traffic, production DNS traffic, and power feeds are fully separated at the rack level across both data centres.
Aminia coordinated the full vulnerability assessment process for all proposed hardware and software against the operator’s security compliance checklist — with all identified vulnerabilities remediated and cleared before equipment acceptance into the production environment. The platform integrates with the operator’s existing NMS via syslog and SNMP, delivering FCAP data for centralised alarm and performance visibility.
The delivered infrastructure replaces the operator’s legacy DNS estate with a modern, purpose-built platform that is architecturally resilient, security-hardened, and engineered with headroom for the growth in subscriber base and traffic volumes expected over the next five years. The Active/Active design means there is no single point of failure anywhere in the DNS core — a requirement that was non-negotiable for an operator at this scale.