Imagine how much you’d use the internet if you had to remember dozens of number combinations to do anything. Developed in 1983, the Domain Name System or DNS translates the names people type into a browser into an IP address so the requested service can be found on the internet. It is one of the most important plumbing components for a functioning internet. So welcome to F5’s Intelligent DNS Scale story, I’m Peter Silva.
An intelligent and scalable DNS infrastructure improves performance of the web application, directs customers to the best performing data center, protects not only the web properties but also the brand reputation. It also reduces not only data center costs but also the administrator’s stress in dealing with DNS.
DNS is the foundation for the internet – akin to air and water for humans. We just expect it to be available, to always work, and we really do not think about it until it doesn’t work…until it breaks…until we can’t resolve a website. DNS is critical for any human/internet interaction. Today, there are more demands than ever on DNS and it’s only going to get worse. With the upcoming Internet of Things or the Internet of Everything – where household items like your refrigerator, toaster, even toilet are connected – all of these will require a DNS entry and DNS will have many more things to resolve. But when DNS breaks, everything breaks.
Today’s websites are more complex, requiring many more DNS queries. Every icon, URL, link, image, object and all embedded content on a web page requires a DNS lookup. Loading complex sites may require hundreds of DNS queries and even simple smartphone apps can require numerous DNS queries just to load. In the last five years, the volume of DNS queries for .com and .net addresses has more than doubled, increasing to an average daily query load of 77 billion in the fourth quarter of 2012*. More than six million domain names were added to the Internet in the fourth quarter of 2012. Future growth is expected to occur at an even faster pace. DNS scale becomes a critical issue when dealing with millions of service names and IP addresses. You might not realize that DNS is the second most attacked protocol after HTTP. Organizations such as Twitter, The New York Times, Network Solutions and Comcast have all had DNS attacks and outages over the last year.
Notes:
TLD numbers are for Verisign’s TLD servers. Traffic has doubled since 2008 (more now in 2013). Especially interesting since this is just for a TLD DNS service. This is the traffic that gets to a TLD after caching by ISPs!
Point to make about 4G/LTE rollout is that there’s little point to having faster data speeds if the DNS latency and throughput aren’t in place to allow the user to experience those new data rates.
The point on DDoS, especially for enterprises or ISPs that host DNS, is that although you may not need ultra-high performance for “normal” DNS traffic loads, you will need it to absorb attacks. UDP, on which DNS is based, provides no source authentication, so spoofing is common. Mitigation techniques that separate real from malicious actors therefore consume more bandwidth than simply answering the query. Of course, F5 performs copious checks on incoming DNS to qualify all requests and only responds to query types or responses that it is responsible for.
There are many reasons why DNS requirements are growing. Over the last 5 years, there has been a 180% growth of active websites, 230% growth in active users, a 22% growth in software applications and 100% growth in DNS queries. Add to that, we are very impatient – 74% are willing to wait 5 seconds, nearly 60% of web users say they expect a website to load on their mobile phone in 3 seconds or less. 1 mississippi, 2 mississippi, 3 mississippi – that’s it, on to the next site. Organizations are experiencing rapid growth in terms of applications and the volume of traffic accessing those applications.
DNS failures account for almost half - 41% of web infrastructure downtime. According to a survey by the Aberdeen Group, organizations lose an average of $138,000 for every hour their data centers are down*. There are real costs and loss involved when DNS does not respond. Downtime has an impact on visiting customers, can lead to loss of revenue and can also impact employees trying to access their corporate resources.
“Nearly 60% of web users say they expect a website to load on their mobile phone in 3 seconds or less and 74% are willing to wait 5 seconds or less for a single web page to load before leaving the site.”
– Compuware report,
“What Users Want from Mobile,” July 2011
Every 100ms delay costs Amazon 1% in sales.
– Greg Lindon, Amazon
DNS growth stats attached (100%+ growth in last 5yrs.) https://investor.verisign.com/releaseDetail.cfm?ReleaseID=591560
188M+ active websites (180%+ growth in last 5 yrs.) http://news.netcraft.com/
Active users = 230% Growth last 5 years. 566% growth in last 12 years. http://www.internetworldstats.com/stats.htm
http://slideshow.techworld.com/3363475/ipv6--why-we-need-new-internet-protocol/8/
Global software spending forecast from 2005 to 2015. Statista http://www.statista.com/statistics/203964/global-software-spending-forecast/
Software apps grew at 8.9% in 2011 and 7.7% in 2010. http://www.gartner.com/id=1969315
The Internet and its endless challenges keep growing. Over the last 5 years, there has been a 180% growth of active websites, 230% growth in active users, a 22% growth in software applications and 100% growth in DNS queries. Add to that, nearly 60% of web users say they expect a website to load on their mobile phone in 3 seconds or less. Organizations are experiencing rapid growth in terms of applications and the volume of traffic accessing those applications. And if customers can’t get to your content, they’ll go elsewhere because the next app is just a click away.
DNS failures account for 41% of web infrastructure downtime so organizations must keep their DNS available. According to a survey by the Aberdeen Group, organizations lose an average of $138,000 for every hour their data centers are down*. Downtime has an impact on visiting customers, can lead to loss of revenue and can also impact employees trying to access their corporate resources.
When a visitor requests a website, the lookup first goes to their local DNS server – typically the DSL or cable modem at the edge of your home network. If your ISP knows where to find the website, maybe because it’s cached, it’ll return the answer and tell the browser where to go. If not, then the query has to go back to the primary DNS server handling the record to get the answer. That’s all fine and dandy and typically works well…until there is a surge in DNS traffic. It could be some media event, a rush of visitors or…it could be malicious activity.
Generally, organizations have a set of DNS servers, each one capable of handling up to 150,000 to 200,000 DNS queries per second. If traffic spikes due to normal operations, or if an attacker is sending a lot of DNS query requests by nefarious means, it might be more than what the DNS servers can handle. The DNS server stops responding and sites are unavailable, unreachable, or completely offline. Currently, organizations must add costly DNS infrastructure to address spikes in DNS requests, infrastructure that is not really needed during normal business operations. In addition, DNS servers must also be patched frequently for newfound vulnerabilities. On top of all that, organizations might have firewalls to protect the DNS servers, and those could become a bottleneck depending on the traffic spike.
Instead, put BIG-IP in that sweet spot.
The F5 Intelligent DNS Scale reference architecture is leaner, faster, and more secure on top of offering massive performance. BIG-IP can handle over 10 million query RPS; that’s 123 requests per day from every person on earth. Additionally, it offers unmatched DNS D/DoS protection and since BIG-IP is ICSA firewall certified, organizations can collapse multiple firewall tiers in the DMZ. Less equipment to purchase, manage and support. Plus, BIG-IP offers easy DNS management that integrates with your existing infrastructure. Error checking, auto population of protocols, and importation of zones help eliminate any downtime from DNS errors.
The customer benefits from an ultra-high performance solution which incorporates a firewall and DNS services. Unlike the conventional model, it does not suffer from firewall bottlenecks. The F5 solution scales, in a single box, to 20M query RPS. This results in much lower OpEx and CapEx while delivering much higher performance and protection.
About 80% of DNS deployments today are done with BIND. BIND is an open-source project maintained by Internet Systems Consortium (ISC) and the software is free. It still needs a server and operating system to run on, however, along with any maintenance, updates, rack space and so forth. ISC is a non-profit organization with a for-profit consulting arm called DNS-CO, which offers five levels of subscription that range from $10,000 to $100,000 annually.
Despite its popularity, BIND requires significant maintenance multiple times a year, primarily due to vulnerabilities, patches, and upgrades, averaging about 9 patches a year. Many organizations do not keep current with patching, and thus their DNS systems could be vulnerable. What’s the risk to the business if DNS is not working? In addition, BIND typically scales to only 50,000 responses per second (RPS), making it vulnerable to both legitimate and malicious DNS surges.
You can see the cost savings both initially and ongoing for a very large enterprise. Even though BIND is free, there are certainly personnel, maintenance, datacenter, support, management and other costs that an organization can incur.
The F5 Intelligent DNS Scale reference architecture also helps keep your content and applications available by responding to DNS queries from the edge of the network in the DMZ, rather than from deep within your critical infrastructure. When you offload DNS responses to the BIG-IP platform, no request reaches the back end of your network, which greatly increases your ability to scale and respond to DNS surges along with protecting your DNS infrastructure. There is less risk to those back end applications and much higher performance.
Organizations can add DNSSEC to secure their domain name along with IP Intelligence to automatically block known malicious networks. Built in protocol validation also helps ensure proper DNS requests are made.
It’s not just public websites that need DNS; internal systems like Exchange also need name resolution. DNS is required on a network in order to find basic services such as fileservers and clients and to identify assets by name.
By increasing the speed, availability, scalability, and security of your DNS infrastructure, the F5 Intelligent DNS Scale reference architecture ensures that your customers—and your employees—can access your critical web, application, and database services whenever they need them.
Instead of worrying about DNS outages and purchasing additional DNS infrastructure to combat surges, simply place BIG-IP in front of your primary DNS server. It’s a full DNS server and handles requests on behalf of your main DNS server.
The architecture of the F5 Intelligent and Scalable DNS services is optimized by the specifically designed DNS Express query response module. DNS Express manages authoritative DNS queries by transferring zones into its own RAM. The primary DNS server tells BIG-IP, ‘You are authoritative and you answer the query.’ In this architecture, F5 DNS Services only has to open the DNS query packet once, as long as the request is for an address in a zone that was transferred to DNS Express. Since it is served out of RAM, the answer is instantaneous. By reducing each DNS query to a single processing pass, DNS Express significantly improves the performance of an organization’s DNS infrastructure. With DNS Express, each individual core of each BIG-IP device can answer approximately 125,000 to 200,000 requests per second, scaling up to 10 million query RPS. This can be over 12X the capacity of what a typical primary DNS server can handle, giving F5 customers a unique opportunity to scale DNS query responses dramatically.
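As an added illustration (not F5 code or the DNS Express implementation), here is a small Python model of the two behaviours this page describes: the DDoS note earlier, where incoming queries are qualified before any work is done and only the types the server is responsible for get an answer, and the DNS Express model, where authoritative answers come straight out of an in-memory zone. The zone data, names and addresses are constructed samples.

```python
import struct
# Constructed in-memory zone (sample data, not F5's format) standing in for a zone transferred into RAM.
ZONE = {
    "example.com.": {"A": ["192.0.2.10"]},
    "www.example.com.": {"A": ["192.0.2.20", "192.0.2.21"]},
}
AUTHORITATIVE_ZONES = ("example.com.",)
ALLOWED_QTYPES = {1: "A"}  # serve only the record types we are responsible for

def parse_name(buf, off):
    """Decode an uncompressed wire-format name; return (name, next offset)."""
    labels = []
    while buf[off] != 0:
        n = buf[off]
        if n & 0xC0:  # compression pointers have no place in a question name
            raise ValueError("compressed label in query")
        labels.append(buf[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    return ".".join(labels) + ".", off + 1

def validate_query(pkt):
    """Cheap header and question checks, done before any lookup work is spent
    on a packet whose UDP source may be spoofed. Returns (ok, reason, qname, qtype)."""
    if len(pkt) < 12:
        return False, "short header", None, None
    _qid, flags, qd, an, ns, _ar = struct.unpack("!6H", pkt[:12])
    if flags & 0x8000 or (flags >> 11) & 0xF:
        return False, "not a standard query (QR set or non-zero opcode)", None, None
    if qd != 1 or an or ns:
        return False, "unexpected section counts", None, None
    try:
        qname, off = parse_name(pkt, 12)
        qtype, qclass = struct.unpack("!HH", pkt[off:off + 4])
    except (IndexError, ValueError, UnicodeDecodeError, struct.error) as e:
        return False, "malformed question: %s" % e, None, None
    if qclass != 1 or qtype not in ALLOWED_QTYPES:
        return False, "class %d / qtype %d not served" % (qclass, qtype), qname, qtype
    return True, "ok", qname, qtype

def answer_from_ram(pkt):
    """Answer only for zones held in memory; everything else is dropped."""
    ok, reason, qname, qtype = validate_query(pkt)
    if not ok:
        return "DROP", reason
    if not any(qname == z or qname.endswith("." + z) for z in AUTHORITATIVE_ZONES):
        return "DROP", "not authoritative for " + qname
    rrs = ZONE.get(qname, {}).get(ALLOWED_QTYPES[qtype], [])
    return ("ANSWER", rrs) if rrs else ("NXDOMAIN", qname)

def build_query(name, qtype=1, flags=0x0100):
    # Minimal wire-format query, used only to construct sample input.
    labels = name.rstrip(".").split(".")
    wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return struct.pack("!6H", 0x1234, flags, 1, 0, 0, 0) + wire + b"\x00" + struct.pack("!HH", qtype, 1)
```

A query for a name outside the zones held in RAM, a response packet pretending to be a query, or a record type not served is dropped before any lookup, which is the cheap path the DDoS note relies on.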
BIG-IP GTM is a full DNS server and handles requests on behalf of the main DNS server.
Just under half of the internet (47 percent) remains insecure insofar as many top level domains (TLDs) have failed to sign up to use domain name system security extensions (DNSSEC), including intensive internet using countries such as Italy (.it), Spain (.es) and South Africa (.za), leaving millions of internet users open to malicious redirect to fake websites, reports Ultra Electronics AEP.
BIG-IP GTM can be configured as a full proxy for global load balancing applications and DNS across architectures—and across the globe. For greater flexibility, you can use BIG-IP GTM Virtual Edition (VE) to extend DNS services and global app availability to cloud or virtual environments and maintain centralized control within the data center.
Your revenue and your brand are protected
Use the same IP address for multiple devices
Geographically separate the DNS request load for all requests
Scale DNS infrastructure up and out per number of BIG-IP devices
DNS is the internet’s phonebook and essential for every web property on the internet. It helps people find your web presence. It helps websites deliver the content you want visitors to see. If DNS is slow, then your entire infrastructure is slow and your bounce rate jumps. If your website takes longer than 3 seconds to load, you are losing revenue. If your DNS is attacked, then your web presence is severely limited. If your DNS cannot scale, then you cannot accommodate additional visitors. If your DNS is compromised, then your brand suffers. If DNS doesn’t work, you lose revenue. If you have an antiquated DNS infrastructure, you’re spending too much money and putting the business at risk.
If people cannot find you, they will go somewhere else.
If your DNS is resilient, people will find you. If people can find you, they will engage. If they engage, your brand gets exposure. If your web properties respond quickly, people are more likely to stay. If people stay, business will grow.
F5 Intelligent and Scalable DNS Services can help protect your brand and grow your business.
F5 DNS Services are crucial
http://www.f5.com/about/news/press/2012/20120625b/