DNS 103: DNS Performance And Security

1. DNS 103: DNS Performance and Security
Tom Daly, Chief Scientist, Dyn Labs
tom@dyn.com | @tomdyninc | #dnschat
Dyn.com | @dyninc

2. Agenda
• Welcome and Introduction
• Quick Review: DNS Basics
• DNS Performance
• DNS Security and DNSSEC
• Q&A

3. Quick Review: DNS Basics
http://www.poslovnipuls.com/wp-content/uploads/2011/05/statistika_v.jpg

4. The Domain Name System (DNS)
• Fundamentally, the DNS is a multi-level database distributed throughout the world.
• DNS maps domain names to network resources, such as the IP address of a web server, FTP server, or e-mail server.
• This is accomplished through a variety of DNS record types. The record type tells you what kind of remote server you are contacting.

5. Working Together: The Lifecycle of a DNS Request
[Diagram: a recursive DNS server resolving server1.www.dyn.com. walks the delegation chain: <root> (root DNS servers) → .com (.com servers) → dyn.com (dyn.com servers).]
6. DNS Performance
http://www.flickr.com/photos/kryptos5/3281740790/sizes/z/in/photostream/

7. The first DNS query blocks EVERYTHING your browser can possibly do.

8. Performance Before the Byte
Bad DNS accounts for ½ of this webpage's response time!

9. Two Major Strategies
• Reduce DNS round trips:
 – Eliminate excessive points of delegation between the base domain and load-balancing devices and CDNs.
 – Balance the browser's parallel download capacity against the number of distinct DNS hostnames on the page.
• Reduce DNS round-trip latency:
 – Place DNS servers close to your client base to decrease response time.
 – Be aware of DNS RTT banding and how resolvers select nameservers.
 – Use IP anycast as the ultimate latency reduction tool.

10. Minimize DNS Round Trips
• Most DNS-based load balancing systems rely on multiple DNS round trips:
 – Delegate a subdomain to the GSLB system.
 – Set up a CNAME to an external system.
• More round trips means more lookup latency, more entries to cache, and more configuration to manage.
• DynECT uniquely combines Managed DNS and Traffic Management in a single platform: a single query and response every time.
11. Example: Unicast Domain Pointing to CDN
The domain's own unicast nameservers (dig +trace, final step; responding server address elided):

    www.sport.com.        300     IN  CNAME  www.sport.com.edgesuite.net.
    sport.com.            172800  IN  NS     ns40.sport.com.
    sport.com.            172800  IN  NS     ns50.sport.com.
    sport.com.            172800  IN  NS     ns60.sport.com.
    ;; Received 276 bytes from ... in 45 ms

The same record served from the dynect-demo.com anycast zone:

    www.sport.com.dynect-demo.com. 300     IN  CNAME  www.sport.com.edgesuite.net.
    dynect-demo.com.               172800  IN  NS     ns1.p13.dynect.net.
    dynect-demo.com.               172800  IN  NS     ns3.p13.dynect.net.
    dynect-demo.com.               172800  IN  NS     ns2.p13.dynect.net.
    dynect-demo.com.               172800  IN  NS     ns4.p13.dynect.net.
    ;; Received 292 bytes from ... in 18 ms

12. ~62 ms of DNS latency decrease! ~75 ms of page load decrease, and more stability!

13. Example: Extra Lookups on GSLB Servers

    bank.com.          172800  IN  NS     ns1.bank.com.
    bank.com.          172800  IN  NS     ns2.bank.com.
    bank.com.          172800  IN  NS     ns05.bank.com.
    bank.com.          172800  IN  NS     ns06.bank.com.
    ;; Received 183 bytes from ... in 188 ms

    www.bank.com.      600     IN  CNAME  wwwbc.gslb.bank.com.
    gslb.bank.com.     3600    IN  NS     dbes1gbx01.bank.com.
    gslb.bank.com.     3600    IN  NS     dcss1gbx01.bank.com.
    gslb.bank.com.     3600    IN  NS     dbes1gbx02.bank.com.
    gslb.bank.com.     3600    IN  NS     dbws1gbx01.bank.com.
    gslb.bank.com.     3600    IN  NS     drds1gbx01.bank.com.
    gslb.bank.com.     3600    IN  NS     dbws1gbx02.bank.com.
    gslb.bank.com.     3600    IN  NS     drds1gbx02.bank.com.
    ;; Received 370 bytes from ... in 90 ms

The www name is a CNAME into a separately delegated gslb.bank.com subzone, so the resolver has to start another lookup against the GSLB nameservers before it holds an address.

14. ~140 ms of DNS latency decrease, plus 2 round trips saved! ~3 s of page load decrease!
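The two dig +trace excerpts above are easiest to reason about when you count what the resolver actually has to do. The following is an added example, not code from the slides or from Dyn: it summarizes a dig +trace transcript, counting referral round trips and summed latency, and flags any CNAME whose target lands in a different delegation than the name being resolved, which is exactly the "extra lookup" pattern on the bank.com slide. The sample transcripts are constructed to mirror the slides, with RFC 5737 documentation addresses standing in for the elided server addresses.

```python
"""Summarize a `dig +trace` transcript: round trips, total latency and CNAMEs that
force the resolver into another delegation. Added example; sample data constructed."""
import re
from typing import Dict, List, Tuple

# dig +trace prints one of these after every referral/answer it receives.
RECEIVED = re.compile(r"^;; Received \d+ bytes from (\S+) in (\d+) ms")
RR = re.compile(r"^(\S+)\s+\d+\s+IN\s+(NS|CNAME)\s+(\S+)")


def summarize_trace(trace: str) -> Dict[str, object]:
    """Return round-trip count, summed latency, the CNAMEs seen and, for each CNAME
    that leaves the zone of the name being resolved, the zone (or 'outside') the
    resolver must query next, i.e. at least one more round trip."""
    round_trips, total_ms = 0, 0
    zones: List[str] = []                      # owners that had NS records (delegations)
    cnames: List[Tuple[str, str]] = []
    for line in trace.splitlines():
        line = line.strip()
        m = RECEIVED.match(line)
        if m:
            round_trips += 1
            total_ms += int(m.group(2))
            continue
        m = RR.match(line)
        if not m:
            continue
        owner, rtype, target = m.group(1).lower(), m.group(2), m.group(3).lower()
        if rtype == "NS" and owner not in zones:
            zones.append(owner)
        elif rtype == "CNAME":
            cnames.append((owner, target))

    def enclosing_zone(name: str) -> str:
        # Most specific delegated zone the name falls under (longest matching suffix).
        hits = [z for z in zones if name == z or name.endswith("." + z)]
        return max(hits, key=len) if hits else ""

    extra_lookups: List[str] = []
    for owner, target in cnames:
        zone = enclosing_zone(target)
        # A CNAME inside the zone that answered is usually filled in by that same
        # answer; a CNAME into another delegation (or an external domain) is not.
        if zone != enclosing_zone(owner):
            extra_lookups.append(zone or "(outside the traced delegations)")
    return {"round_trips": round_trips, "total_ms": total_ms,
            "cnames": cnames, "extra_lookups": extra_lookups}


# Constructed transcript modelled on the bank.com slide (addresses from RFC 5737).
SAMPLE_GSLB = """\
bank.com.        172800  IN  NS  ns1.bank.com.
bank.com.        172800  IN  NS  ns2.bank.com.
bank.com.        172800  IN  NS  ns05.bank.com.
bank.com.        172800  IN  NS  ns06.bank.com.
;; Received 183 bytes from 192.0.2.10#53(192.0.2.10) in 188 ms

www.bank.com.    600     IN  CNAME  wwwbc.gslb.bank.com.
gslb.bank.com.   3600    IN  NS  dbes1gbx01.bank.com.
gslb.bank.com.   3600    IN  NS  dcss1gbx01.bank.com.
gslb.bank.com.   3600    IN  NS  dbes1gbx02.bank.com.
;; Received 370 bytes from 192.0.2.20#53(192.0.2.20) in 90 ms
"""

# Constructed transcript modelled on the sport.com slide: CNAME to an external CDN.
SAMPLE_CDN = """\
www.sport.com.   300     IN  CNAME  www.sport.com.edgesuite.net.
sport.com.       172800  IN  NS  ns40.sport.com.
sport.com.       172800  IN  NS  ns50.sport.com.
;; Received 276 bytes from 192.0.2.30#53(192.0.2.30) in 45 ms
"""

if __name__ == "__main__":
    print(summarize_trace(SAMPLE_GSLB))
    print(summarize_trace(SAMPLE_CDN))
```

For the GSLB transcript the summary reports 2 round trips and 278 ms so far, and that the resolver still has to go to gslb.bank.com before it has an A record; for the CDN transcript it reports that the CNAME leaves every zone seen in the trace, so a whole new resolution (edgesuite.net, from the root down if uncached) follows.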
15. Minimize DNS Latency
• IP anycast: a globally distributed IP anycast network of 17 worldwide Points of Presence (POPs).
• Customers are given 4 nameservers to delegate to:
 – 4 discrete anycast IP prefixes
 – 6 worldwide backbone providers
 – Nearly 70 independent network paths
• Queries are answered by geographically local sites.

16. The Enemy: DNS Protocol Resiliency
• DNS was designed with aggressive protocol-level redundancy for the lossy networks of the 1980s: lots of retry mechanisms.
• Resolvers (in your Windows, Mac, and Linux machines) implement 2-10 second timeouts on a failed query.
• An offline nameserver therefore adds 2-10 seconds of latency to non-cached lookups.
• DNS RTT banding requires all nameservers in a delegation to be contacted.

17. RTT Banding through the Delegation
[Diagram: a recursive DNS server resolving www.dyn.com, cdn.dyn.com, pixel.dyn.com, gns.dyn.com, mail.dyn.com and smtp.dyn.com against a delegation of four nameservers: ns1.dyn.com (150 ms), ns2.dyn.com (65 ms), ns3.dyn.com (20 ms), ns4.dyn.com (10 ms).]
While the recursive DNS server warms up, it needs to contact every server in the delegation. Average initial response time: ~62 ms.
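The warm-up behaviour on this slide, and the offline-nameserver penalty on the previous one, can be reproduced with a toy model of how a recursive resolver chooses among the servers in a delegation. The following is an added example, not code from the slides or from Dyn: a simplified stand-in for the smoothed-RTT selection that BIND and Unbound perform (those resolvers also decay stale estimates and re-probe, which is omitted here). The nameserver names and RTTs are taken from the slide; the timeout value and the "one server dead" scenario are constructed.

```python
"""Toy model of recursive-resolver nameserver selection: probe every server once
while warming up, then prefer the lowest smoothed RTT; an offline server costs a
full timeout. Added example; scenarios constructed from the slide's RTTs."""
from typing import Dict, List, Optional

TIMEOUT_MS = 2000.0   # slide: resolvers wait 2-10 s before giving up on a server


class Resolver:
    def __init__(self, delegation: Dict[str, Optional[float]]):
        # delegation: nameserver -> measured RTT in ms, or None if the server is offline
        self.delegation = dict(delegation)
        self.srtt: Dict[str, Optional[float]] = {ns: None for ns in delegation}  # None = untried

    def pick(self, exclude: List[str]) -> str:
        candidates = [ns for ns in self.delegation if ns not in exclude]
        untried = [ns for ns in candidates if self.srtt[ns] is None]
        if untried:                    # warming up: every server gets probed once
            return untried[0]
        return min(candidates, key=lambda ns: self.srtt[ns])  # then prefer the fastest

    def query(self) -> float:
        """One uncached lookup; returns the latency the client sees, timeouts included."""
        total, tried = 0.0, []
        while len(tried) < len(self.delegation):
            ns = self.pick(tried)
            tried.append(ns)
            rtt = self.delegation[ns]
            if rtt is None:            # offline: burn the whole timeout, remember it, try next
                total += TIMEOUT_MS
                self.srtt[ns] = TIMEOUT_MS
                continue
            total += rtt
            prev = self.srtt[ns]
            self.srtt[ns] = rtt if prev is None else 0.7 * prev + 0.3 * rtt  # smoothed RTT
            return total
        raise RuntimeError("SERVFAIL: no nameserver in the delegation answered")


def simulate(delegation: Dict[str, Optional[float]], n_queries: int) -> List[float]:
    """Latency of n_queries successive uncached lookups against one delegation."""
    r = Resolver(delegation)
    return [r.query() for _ in range(n_queries)]


def cold_start_average(delegation: Dict[str, Optional[float]]) -> float:
    """Mean latency over the warm-up phase, i.e. one query per nameserver."""
    lat = simulate(delegation, len(delegation))
    return sum(lat) / len(lat)


# Constructed scenarios using the RTTs from the RTT-banding slide.
UNICAST = {"ns1.dyn.com": 150.0, "ns2.dyn.com": 65.0, "ns3.dyn.com": 20.0, "ns4.dyn.com": 10.0}
ANYCAST = {ns: 10.0 for ns in UNICAST}             # every address answered from the nearest site
ONE_DEAD = dict(UNICAST, **{"ns1.dyn.com": None})  # the 150 ms server has gone offline

if __name__ == "__main__":
    print("unicast warm-up average:", cold_start_average(UNICAST))
    print("unicast, 6 queries:", simulate(UNICAST, 6))
    print("anycast, 6 queries:", simulate(ANYCAST, 6))
    print("one server dead, 3 queries:", simulate(ONE_DEAD, 3))
```

With the slide's four unicast servers the first four uncached lookups cost 150, 65, 20 and 10 ms (mean 61.25 ms, the slide's ~62 ms) before the resolver settles on the 10 ms server; with anycast every server is 10 ms away so there is nothing to learn; and with one server offline the very first lookup pays the 2 s timeout plus the RTT of the next server tried.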
18. Unicast Experience
[Map: six unicast nameservers, each at a single location: ns1: Seattle, ns2: Palo Alto, ns3: Los Angeles, ns4: New York, ns5: Ashburn, ns6: Miami.]

19. Latency in Fiber Optics
http://www.flickr.com/photos/36368604@N07/3391695435/sizes/l/in/photostream/
• Light travels through fiber optic cable at roughly two-thirds of the speed of light in vacuum, about 200 km per millisecond.
• That means every ~100 km of fiber traversed adds about 1 ms to a round trip, before any router or queuing delay.
• Worst-case scenario: a complete traversal of the world at ~430 ms per round trip.

20. The Sheer Gains of the Network

21. Anycast Experience
[Map: the same nameserver addresses announced from both coasts: ns1: Seattle and New York; ns2: Palo Alto and Ashburn; ns3: Los Angeles and Miami.]

22. Lying to the Internet
• Anycast lets us break the fundamental rule that IP addresses are supposed to be "unique" on the Internet.
• We "inject" the same IP prefix multiple times from multiple locations around the backbone.
• Hot-potato routing usually off-ramps the traffic to us at the closest location.
• DNS is generally stateless (UDP) or short-lived (TCP), so a route change doesn't "crowbar" flows apart.
23. Internet Scale Routing
[Diagram: four autonomous systems, AS 1 through AS 4, with ns1 in New York inside AS 4.]
A network is defined as an ASN. BGP exchanges "best" routes between networks. OSPF floods "all" routes inside a network.

24. BGP Routing
[Diagram: AS 1 through AS 4; ns1: New York.]
With BGP, the shortest AS path is selected as the best path (absent policy such as local preference, which takes precedence).

25. OSPF Routing in AS 4
[Diagram: AS 1 through AS 4; ns1: New York.]
Within the ASN, OSPF picks paths based upon metric preferences.

26. Putting it All Together
[Diagram: AS 1 through AS 4, with the same ns1 address announced from both New York and Los Angeles.]

27. Unicast vs. Anycast DNS
Unicast delegation (five nameservers at two providers):

    www.domain.com.  1800  IN  A   X.Y.162.26
    domain.com.      1800  IN  NS  ns1-auth.sprintlink.net.
    domain.com.      1800  IN  NS  ns2-auth.sprintlink.net.
    domain.com.      1800  IN  NS  ns3-auth.sprintlink.net.
    domain.com.      1800  IN  NS  ns-XXX-01.lXXig.com.
    domain.com.      1800  IN  NS  ns-XXX-02.lXXig.com.
    ;; Received 199 bytes from (...auth.sprintlink.net) in 99 ms

Anycast delegation (dynect-demo.com):

    www.domain.com.dynect-demo.com.  1800   IN  A   X.Y.162.26
    dynect-demo.com.                 86400  IN  NS  ns4.p13.dynect.net.
    dynect-demo.com.                 86400  IN  NS  ns2.p13.dynect.net.
    dynect-demo.com.                 86400  IN  NS  ns1.p13.dynect.net.
    dynect-demo.com.                 86400  IN  NS  ns3.p13.dynect.net.
    ;; Received 157 bytes from (ns4.p13.dynect.net) in 11 ms

28. ~60 ms of DNS latency decrease! ~100 ms of page load decrease!
29. DNS Security and DNSSEC
http://upload.wikimedia.org/wikipedia/commons/4/43/Queuing_z01.jpg

30. DNS Security Concerns
• Ensuring a secure DNS system is critical to the continued success and growth of the Internet:
 – Global communications
 – Business
 – E-commerce
• The use of layered defenses is crucial:
 – System overprovisioning
 – DNS Security Extensions (DNSSEC)
 – Business process and practice

31. Threats Against the DNS
• Availability: does dyn.com resolve?
 – (Distributed) Denial of Service attacks
• Integrity: when dyn.com resolves, does it take you to the right IP address?
 – Pharming attacks
 – Registry / registrar data hacking

32. DDoS as a Way of Life
• Brawn of your network
 – Can you withstand multiple 10 Gb/s flows against your DNS servers?
 – Inbound network capacity, filtering capacity, DNS resolution capacity.
• Brains of your network
 – Intelligent filtering of DNS queries at line rate
 – Strategic deployment of IP anycast
 – Use of pooling strategies to distribute risk

33. The Unicast DDoS

34. The Anycast DDoS
35. Pharming Attacks
• DNS pharming attacks attempt to insert malicious DNS data into recursive DNS servers (cache poisoning).
• A poisoned recursive DNS server will redirect unsuspecting users to phishing websites.
• In DNS, the first response that reaches a resolver with the right transaction ID and source port (and a matching question section) is accepted; anything arriving later is discarded.
• Ultimately, every DNS query is a race between the legitimate answer and a forged one!

36. Typical DNS Interaction
[Diagram: home user → ISP recursive DNS → bank.com DNS server. The query for www.bank.com returns the address of Web Server #1, and the user's HTTP connection goes to Web Server #1.]

37. Pharming DNS Interaction
[Diagram: the same exchange, but an evil DNS server races the bank.com DNS server and the ISP's recursive DNS accepts the forged answer first. The query for www.bank.com returns the address of the evil web server, and the user's HTTP connection goes there.]

38. Dealing with Pharming
• Pharming exploits a widely known design weakness of the stateless, UDP-based protocol that DNS is implemented on by default: a response is tied to its query only by a 16-bit transaction ID and a port number.
• A major patch effort in 2008, after Dan Kaminsky's disclosure, pushed DNS source port randomization into resolvers, so an attacker has to guess the port as well as the ID.
• A low-latency IP anycast DNS network also provides a layer of protection: a faster network shrinks the window in which forged answers can arrive ahead of the real one.
• Neither measure closes the hole; only DNSSEC validation (below) lets a resolver reject a forged answer outright.
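The race described on these slides is worth putting in numbers. The following is an added example, not code from the slides or from Dyn: it models the acceptance check a pre-DNSSEC resolver applies to an incoming UDP answer (transaction ID, destination port, question and source address), then computes how many forged answers an off-path attacker can land in the window before the real answer arrives and what the odds of a match are with and without source-port randomization. The attacker packet rate, the addresses, ports and names are constructed for illustration; the 99 ms and 11 ms RTTs are the unicast and anycast figures from the slide 27 comparison.

```python
"""Resolver response-acceptance check and the cache-poisoning race arithmetic.
Added example; all hosts, ports, addresses and the attacker rate are constructed."""
import math
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

TXID_SPACE = 1 << 16             # 16-bit DNS transaction ID
EPHEMERAL_PORTS = 65535 - 1024   # ports a randomizing resolver can choose from (approx.)


@dataclass(frozen=True)
class Query:
    txid: int
    src_port: int        # resolver's UDP source port for this query
    qname: str
    qtype: str
    server: str          # authoritative server address the query went to


@dataclass(frozen=True)
class Response:
    txid: int
    dst_port: int        # port the packet arrived on
    qname: str
    qtype: str
    src: str             # claimed source address (trivially forged over UDP)


def accept(outstanding: Dict[Tuple[int, int], Query], resp: Response) -> Optional[Query]:
    """Return the outstanding query a response matches, or None. These checks are
    everything an off-path attacker has to guess; the first packet to pass wins."""
    q = outstanding.get((resp.txid, resp.dst_port))
    if q is None:
        return None
    if q.qname.lower() != resp.qname.lower() or q.qtype != resp.qtype:
        return None
    if q.server != resp.src:      # attacker knows the real server's address, so spoofs it
        return None
    return q


def forged_packets_in_window(attacker_pps: int, auth_rtt_ms: int) -> int:
    """Forged answers deliverable before the genuine one: the window is roughly the
    round-trip time between the resolver and the real authoritative server."""
    return attacker_pps * auth_rtt_ms // 1000


def spoof_success_probability(forged: int, randomized_port: bool) -> float:
    """P(at least one of `forged` guesses matches txid, and the port if randomized)
    within a single race."""
    guess_space = TXID_SPACE * (EPHEMERAL_PORTS if randomized_port else 1)
    return 1.0 - (1.0 - 1.0 / guess_space) ** forged


def races_to_reach(p_target: float, p_single: float) -> float:
    """Independent races (each a fresh query for a random subdomain, the Kaminsky
    technique for dodging the TTL) needed to reach cumulative probability p_target."""
    return math.log(1.0 - p_target) / math.log(1.0 - p_single)


# Constructed sample: one outstanding query, one genuine and one forged answer.
OUTSTANDING = {(0x1A2B, 40123): Query(0x1A2B, 40123, "www.bank.example", "A", "192.0.2.53")}
GENUINE = Response(0x1A2B, 40123, "www.bank.example", "A", "192.0.2.53")
FORGED_WRONG_ID = Response(0x1A2C, 40123, "www.bank.example", "A", "192.0.2.53")

if __name__ == "__main__":
    print("genuine accepted:", accept(OUTSTANDING, GENUINE) is not None)
    print("forged (wrong txid) accepted:", accept(OUTSTANDING, FORGED_WRONG_ID) is not None)
    for rtt in (99, 11):                       # unicast vs anycast RTT from slide 27
        n = forged_packets_in_window(100_000, rtt)
        p_fixed = spoof_success_probability(n, False)
        p_random = spoof_success_probability(n, True)
        print(f"rtt={rtt} ms forged={n} p_fixed_port={p_fixed:.3f} "
              f"races_to_50%={races_to_reach(0.5, p_fixed):.1f} p_random_port={p_random:.2e}")
```

At a constructed 100,000 forged packets per second, a 99 ms window lets about 9,900 guesses in: roughly a 14% chance per race against a fixed-port resolver, so about five random-subdomain races reach even odds. Cutting the RTT to 11 ms drops that to under 2% per race, which is the anycast effect the slide claims, but it takes only a few dozen races to get back to even odds; randomizing the source port pushes the per-race probability down to a few in a million. That gap is why the 2008 patch was urgent and why the "faster network" argument is a mitigation rather than a fix.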
39. Registry / Registrar Data Hacking
• Attacking domain registration data is another way to undermine the integrity of the DNS.
• The attacker simply changes the domain's delegation (its NS records at the parent) and registration details to point at their own evil servers.
• Attack vectors include social engineering, SQL injection, EPP hacking, etc.

40. DNS Security Extensions (DNSSEC)
• An answer to DNS integrity threats, including DNS pharming and registry / registrar data hacking (the latter only as long as the attacker cannot also replace the zone's DS record at the parent).
• DNSSEC brings cryptographic signature support into the DNS.
• Cryptographic signing of DNS data permits validation of response data by recursive DNS servers and end users.
• Ensures integrity of DNS responses at every layer of delegation.

41. Design Concepts for Authoritative Servers
• Sign your zone with DNSSEC records:
 – RRSIG: cryptographic signatures, one per RRset (A, AAAA, NS, MX, etc.) at each name.
 – NSEC or NSEC3: authenticated denial of existence, a signed proof backing an NXDOMAIN (or NODATA) response.
 – DNSKEY: the zone's public keys. The private halves are used to generate the RRSIGs.
 – DS: a digest of the zone's key, handed up to the parent zone, which signs it so the delegation (the NS records up there) can be authenticated.

42. Zone Signing
• Two crypto key pairs are used in DNSSEC:
• Zone Signing Key (ZSK)
 – Signs the zone records (and, in many signers, the DNSKEY RRset as well)
 – Public part becomes a DNSKEY at the zone apex.
• Key Signing Key (KSK)
 – Signs the DNSKEY RRset at the apex of the zone
 – Public part is also a DNSKEY at the zone apex (flags 257: zone key plus the SEP bit).
 – Can be exported as the SEP / DS record for that zone!
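The DS record that slides 41 and 42 describe being "handed up" to the parent is a deterministic function of the KSK, which makes it easy to check what a registrar has published against the key you hold. The following is an added example, not code from the slides or from Dyn: it computes the RFC 4034 key tag and DS digest for a DNSKEY and compares a published DS line against a key. The key bytes are fabricated filler, not a usable public key; the owner name example.com. is a placeholder.

```python
"""Key tag (RFC 4034 App. B) and DS record (RFC 4034 s5) for a DNSKEY, plus a check
of a published DS against the KSK. Added example; key material is filler bytes."""
import hashlib
from typing import List

# DS digest types: 1 = SHA-1 (obsolete), 2 = SHA-256 (RFC 4509), 4 = SHA-384 (RFC 6605)
DS_DIGEST = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}
KSK_FLAGS = 257   # zone key (256) + Secure Entry Point bit (1)
ZSK_FLAGS = 256


def name_to_wire(name: str) -> bytes:
    """Canonical wire format of an owner name (RFC 4034 s6.2): lowercase labels,
    each length-prefixed, terminated by the zero-length root label."""
    stripped = name.rstrip(".").lower()
    labels: List[str] = stripped.split(".") if stripped else []
    out = b""
    for label in labels:
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol (always 3), 1-byte algorithm, key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag for every algorithm except the obsolete RSA/MD5: 16-bit ones-complement
    style checksum over the RDATA, folding the carry back in once."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_record(owner: str, flags: int, protocol: int, algorithm: int, pubkey: bytes,
              digest_type: int = 2) -> str:
    """Presentation form '<owner> IN DS <keytag> <alg> <digesttype> <hex digest>'.
    The digest covers the canonical owner name followed by the DNSKEY RDATA."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    digest = DS_DIGEST[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return f"{owner} IN DS {key_tag(rdata)} {algorithm} {digest_type} {digest}"


def ds_matches_key(published_ds: str, owner: str, flags: int, protocol: int,
                   algorithm: int, pubkey: bytes) -> bool:
    """Does a DS line as fetched from the parent (possibly with the digest wrapped in
    parentheses and whitespace) correspond to this key?"""
    fields = published_ds.replace("(", " ").replace(")", " ").split()
    if "DS" not in fields:
        return False
    i = fields.index("DS")
    try:
        tag, alg, dtype = int(fields[i + 1]), int(fields[i + 2]), int(fields[i + 3])
    except (ValueError, IndexError):
        return False
    if dtype not in DS_DIGEST:
        return False
    digest = "".join(fields[i + 4:]).upper()
    exp = ds_record(owner, flags, protocol, algorithm, pubkey, dtype).split()
    return (tag, alg, dtype, digest) == (int(exp[3]), int(exp[4]), int(exp[5]), exp[6])


# Constructed KSK: algorithm 13 (ECDSAP256SHA256) framing around 64 filler bytes.
FAKE_KSK = bytes(range(1, 65))   # NOT a real key

if __name__ == "__main__":
    ds = ds_record("example.com.", KSK_FLAGS, 3, 13, FAKE_KSK)
    print(ds)
    print("matches own key:", ds_matches_key(ds, "example.com.", KSK_FLAGS, 3, 13, FAKE_KSK))
```

Run this against your real KSK (from the DNSKEY RRset at the apex, flags 257) and the DS line returned by `dig DS yourzone` at the parent before and after every KSK rollover; a mismatch means validating resolvers will treat the whole zone as bogus. The key tag is only a hint that lets a validator pick the right DNSKEY out of the RRset, which is why the check compares the digest and not just the tag.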
43. Rollover
• RRSIGs carry an explicit validity window in the record, e.g. valid for 30 days.
• DNSKEYs also have an intended lifetime, set by policy (the record itself carries no expiry).
• Per NIST SP 800-81:
 – KSK: roll over every 12 months (1 year)
 – ZSK: roll over every 1 month (30 days)
• Current and future keys are published simultaneously (pre-publication) so that cached data keeps validating through the rollover.

44. Zone Signing Record Relationships
[Diagram of the signing chain in a zone:]
 – DS (published in the parent) corresponds to the KSK DNSKEY
 – DNSKEY (KSK): RRSIG by KSK; KSK private key used for signing
 – DNSKEY (ZSK): RRSIG by ZSK
 – SOA: RRSIG by ZSK; ZSK private key used for signing
 – NS: RRSIG by ZSK
 – A: RRSIG by ZSK

45. Resolver: Trust Anchors
• Trust anchors are the keys (or DS digests) a validator uses to verify the apex RRSIG over the DNSKEY RRset (usually made by the KSK).
• They come in the forms of:
 – Manually configured trusted keys, or keys obtained from an ITAR (Interim Trust Anchor Repository)
 – DS records at the parent
 – DNS Lookaside Validation (DLV; since retired)
 – The signed root's SEP (root KSK)
• The root needs to be signed to create a full chain of trust (it has been since July 2010).

46. Resolver: Validation
• Formulate the DNS query with DNSSEC enabled (the DO bit set) and await the response.
• Along with the answer (e.g. the A RRset), an RRSIG will be delivered back.
• Use the zone's DNSKEY (public part of the ZSK) to validate that RRSIG.
• Validate the DNSKEY RRset with its own RRSIG.
• Validate that RRSIG using the KSK public key. Use the trust anchor here, if you have one for this zone.
• If you don't have a trust anchor, go up to the parent for a DS record, check that it matches the KSK, validate the DS's own RRSIG, and repeat at the parent level until you reach a trust anchor (normally the root).

47. DNSSEC Validation Process
[Diagram: the request lifecycle of slide 5 with the root DNSSEC key as trust anchor. Recursive servers resolving server1.www.dyn.com. validate <root> → .com → dyn.com, each level's DS authenticating the next level's DNSKEY.]
48. DynECT Managed DNS Solutions
http://www.flickr.com/photos/nhuisman/3168683736/sizes/l/in/photostream/

49. Today's Sales Pitch
• Integrated global server load balancing and CDN routing services to reduce DNS round trips.
• Global IP anycast DNS network for low-latency DNS responses and resistance to DNS pharming attacks.
• Heavy overprovisioning and intelligent systems to handle DNS DDoS attacks.
• Finally, full support for DNSSEC zone signing, key management, and rollover in a simple Web UI.

50. Stay Tuned! Learn More!
Intro to DynECT Email Delivery: date and time TBD!

51. Thank You!
Hit us on Twitter: @tomdyninc #dnschat
Thanks for listening!
Dyn.com | @dyninc