6

Many online services configure their networks to use CDNs (content delivery networks) to improve performance by allowing content to be served from geographically close locations. I have noticed that very often the CDN is served from a different domain name than the actual service.

For example, a visit to www.amazon.com will involve pulling content from media-amazon.com.

www.facebook.com gets content from fbcdn.com, and so forth.

My question is, why don't these services use subdomains instead of completely different domain names for their CDNs?

E.g. why not use cdn.facebook.com instead of fbcdn.com? I rarely see that being done. Almost always it's a different domain name, often it's the base domain with something added to it, or an abbreviation.

The only thing I can think of is that having a different domain name allows using different DNS providers to spread the DNS load, but that isn't always the case.

Is there a specific technical reason for this practice? If so what is it?

Clarification: I'm not concerned with the cost of domain name registration. I assume any company that makes extensive use of CDNs can afford a few extra domain names. My question is why using subdomains would be inferior to using separate domains from a technical perspective. The fact that the practice is so widespread suggests there are good reasons for it.

lsl
barbecue
  • 3
    Closed because? PLEASE don't tell me this belongs on Superuser or Stackexchange, that would be ridiculous. – barbecue Dec 23 '19 at 20:27
  • See [cdn - What is the advantage to hosting static resources on a separate domain? - Webmasters Stack Exchange](https://webmasters.stackexchange.com/q/25087/129592) – evan.bovie Jun 06 '22 at 22:09

2 Answers

11

While every provider is different and may have different reasons for making the same choices, one common reason this is done is because of Cookies.

If your website makes use of cookies and your cookies may need to be used for multiple subdomains, then you will end up sending cookies along with every CDN request. This causes two issues:

  1. If you have a lot of cookies and/or very large cookies, you will be significantly enlarging every request to the CDN, using up valuable bandwidth for no reason (since the CDN serves the same content to everyone). At the scale of Google, Facebook, Amazon, etc., every byte in the request counts since millions (or even billions) of requests add up quickly.
  2. If your cookies contain user data, you may not wish the CDN to be able to see that data. This is especially true if your CDN is actually wholly or partially hosted by third-party service providers. Not sending cookies to the CDN eliminates one possible avenue of attack against your users' data.

Another common reason is user-generated content. Good examples of this are Gmail attachments and code hosted in GitHub repositories. If user-generated content is hosted on a subdomain, it might be able to steal the user's information from Cookies, LocalStorage, etc. and send it to a third party. Hosting on a different domain mitigates that form of attack.

Moshe Katz
  • I like this answer, although, like mine, this can be worked around by cookies which are limited to not work with subdomains. – davidgo Dec 22 '19 at 07:30
  • @davidgo I addressed why that workaround might not work. Let's say you need your cookies to work on some other subdomains (like `www`). – Moshe Katz Dec 22 '19 at 12:23
  • @MosheKatz that's something I hadn't thought of. Can you come up with any citations or references? – barbecue Dec 22 '19 at 22:26
  • @barbecue I read it on an engineering blog of one of the major tech companies years ago. I'll see if I can find it again. – Moshe Katz Dec 23 '19 at 01:33
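
The cookie scoping discussed in the answer and comments above, as an added example that is not part of the original answer: a reduced model of RFC 6265 domain matching that shows which cookies a browser attaches to requests for a CDN subdomain versus a separate CDN domain. The hostnames (`example.com`, `examplecdn.com`) and cookie values are constructed; public-suffix checks, Path, Secure and SameSite are not modelled.

```javascript
// Added example: reduced model of RFC 6265 cookie scoping.
// Hostnames and cookie values are constructed for illustration.

// RFC 6265 s5.1.3: host equals the cookie domain or is a subdomain of it.
function domainMatch(host, cookieDomain) {
  host = host.toLowerCase();
  cookieDomain = cookieDomain.toLowerCase();
  return host === cookieDomain || host.endsWith("." + cookieDomain);
}

// Store a cookie as a browser would after Set-Cookie from originHost.
// Without a Domain attribute the cookie is host-only (exact host match).
function storeCookie(originHost, name, value, domainAttr) {
  if (domainAttr === undefined) {
    return { name, value, domain: originHost.toLowerCase(), hostOnly: true };
  }
  const domain = domainAttr.replace(/^\./, "").toLowerCase();
  // A host may only set cookies for itself or a parent domain.
  if (!domainMatch(originHost, domain)) return null;
  return { name, value, domain, hostOnly: false };
}

// Value of the Cookie header attached to a request for requestHost.
function cookieHeaderFor(requestHost, jar) {
  const host = requestHost.toLowerCase();
  return jar
    .filter((c) => c !== null)
    .filter((c) => (c.hostOnly ? host === c.domain : domainMatch(host, c.domain)))
    .map((c) => `${c.name}=${c.value}`)
    .join("; ");
}

// Cookies set by www.example.com (constructed sample data).
const jar = [
  storeCookie("www.example.com", "session", "s".repeat(64), "example.com"),
  storeCookie("www.example.com", "prefs", "p".repeat(200), "example.com"),
  storeCookie("www.example.com", "csrf", "c".repeat(32)), // host-only
  storeCookie("www.example.com", "x", "1", "examplecdn.com"), // rejected
];

for (const host of ["www.example.com", "cdn.example.com",
                    "usercontent.example.com", "examplecdn.com"]) {
  const header = cookieHeaderFor(host, jar);
  const names = header ? header.split("; ").map((p) => p.split("=")[0]) : [];
  console.log(`${host}: ${header.length} cookie bytes [${names.join(", ")}]`);
}
```

The host-only `csrf` cookie stays on `www`, while the cookies scoped to `example.com` reach every subdomain, including one that serves user content; the separate domain receives none.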
1

The answer to this can only be speculation. A likely possibility -

Different teams/build systems handling the CDN and application(s). By separating the domains rather than using subdomains it simplifies management and automation, and makes things less likely to break. The cost of a domain name is trivial in the overall picture.

davidgo
  • I would think subdomains would be easier, not harder, to administer. No need to maintain separate registrations, no need to maintain separate certificates, it would improve branding, reinforce trademark, make scamming more difficult, and so on. – barbecue Dec 21 '19 at 21:53
  • Not so. The bit you are missing is that cloud services often interface directly with, and modify, DNS. If you have 2 different teams building systems, there may be difficulties manipulating the DNS between platforms / build environments. While this could be somewhat worked around by subdelegation of nameservers, this adds an extra lookup, which serves the opposite of the point of a CDN, i.e. speeding things up. [The logic above is true for the SaaS system I worked with] – davidgo Dec 22 '19 at 00:43
  • Can you explain how separate domains make this easier? It's not obvious to me why that would be. – barbecue Dec 22 '19 at 00:51
  • Let's say I have software directly modifying A records in a route53 [Amazon DNS] instance to help with load balancing/routing. That software needs credentials to modify the DNS. Let's assume I have a separate team managing the CDN. They also need access to the system. This is possible, but what happens if someone makes a mistake in coding? Which team was responsible? – davidgo Dec 22 '19 at 00:55
  • 1
    Extending it further, let's assume the **really good** and trustworthy coders are working on the application, while CDN is outsourced to another company / less trusted business (say operating out of China for a pittance) if the crown jewels are in America). For $10 per year on a business turning over millions-billions, do we really want to allow the China team access to the core DNS for our application? – davidgo Dec 22 '19 at 00:57
  • Again, it's technically possible to run it all from 1 domain, it's just not necessarily desirable for the cost of a couple of cups of coffee a year. – davidgo Dec 22 '19 at 00:58
  • can you update your answer to include this information? – barbecue Dec 22 '19 at 01:34