Intelligent DNS Scale
•Download as PPTX, PDF•
0 likes•1,286 views
https://f5.com/solutions/enterprise/reference-architectures/intelligent-dns-scale DNS is the backbone of the Internet. It allows humans to find domain names like www.f5.com instead of the numerical IP addresses web servers require. It is also one of the most vulnerable points in your network. DNS failures account for 41 percent of web downtime, so keeping your DNS available is essential to your business. F5 can help you manage DNS's rapid growth and avoid outages with end-to-end solutions that increase the speed, availability, scalability, and security of your DNS infrastructure. Plus, our solution enables you to consolidate DNS services onto fewer devices, which are easier to secure and manage than traditional DNS deployments
Recommended
Recommended
More Related Content
What's hot
What's hot (19)
Similar to Intelligent DNS Scale
Similar to Intelligent DNS Scale (20)
Recently uploaded
Recently uploaded (20)
Intelligent DNS Scale
- 1. F5 Intelligent DNS Scale Peter Silva Sr. Technical Marketing Manager
- 2. Intelligent and scalable DNS PROTECTS Web properties and Brand reputation LOWERS Stress of DNS outages DIRECTS Customers to the best data center or cloud REDUCES Data center costs IMPROVES Web application performance © F5 Networks, Inc 2
- 3. Internet foundation? DNS DNS DEMANDS More people Mobile devices/apps Complex sites Cloud implementation s IPv6 added to IPv4 WHEN DNS BREAKS, EVERYTHING BREAKS DOMAIN NAME SYSTEM (DNS) Translates a domain name… http://www.google.com into an IP address: 74.125.227.64 (IPv4) http://www.f5.com = 2001:19b8:101:2::f5f5:1d (IPv6) Increased latency DDoS attacks © F5 Networks, Inc 3
- 4. DNS demand Available and protected AVERAGE DAILY LOAD FOR DNS (TLD) QUERIES IN BILLIONS 77 57 39 43 50 ’08 ’09 ’10 ’11 ’12 DNSSEC DEPLOYMENT EXPANDING TYPICAL FOR A SINGLE WEB PAGE TO CONSUME 100+ DNS QUERIES FROM ACTIVE CONTENT, ADVERTISING, AND ANALYTICS ATTACKS ON DNS BECOMING MORE COMMON; DNS SERVICES MUST BE ROBUST GLOBAL MOBILE DATA (4G/LTE) IS DRIVING THE NEED FOR FAST, AVAILABLE DNS 18X Growth 2011-2016 4G LTE 2.4GB /mo DISTRIBUTED, AVAILABLE, HIGH-PERFORMANCE GSLB FOR MULTIPLE DATA CENTERS Non-4G LTE 86MB /mo Reflection/amplification DDoS Cache poisoning attacks Drive for DNSSEC adoption Total service availability Geographically dispersed DCs DNS capacity close to subscribers © F5 Networks, Inc 4
- 5. Critical: DNS 5 SECONDS 74% are willing to wait 5 seconds or less for a single web page to load before leaving the site Every 100ms delay costs Amazon.com 1% in sales 2012 2007 DNS has grown over 100% in the last 5 years 2012 2007 180% As of October 2012, there were over 188 million active websites, a growth of 180% over the last 5 years © F5 Networks, Inc 5
- 6. DNS Deployments • Performance = Add DNS boxes • Weak DoS/DDoS Protection • Firewall is THE bottleneck • Massive performance over 10M RPS! • Best DoS/DDoS protection • Lower CapEx and OpEx CONVENTIONAL DNS THINKING External Firewall DNS Load Balancing F5 PARADIGM SHIFT F5 DNS DELIVERY REIMAGINED Internet Array of DNS Servers Internal Firewall Hidden Master DNS DMZ Datacenter DNS Firewall DNS DDoS Protection Protocol Validation Authoritative DNS Caching Resolver Transparent Caching High Performance DNSSEC DNSSEC Validation Intelligent GSLB Internet Master DNS BIG-IP Infrastructure Global Traffic Manager © F5 Networks, Inc 6
- 7. True DNS Costs HIGHER OPEX DUE TO MAINTENANCE BIND by the numbers • 340 updates since 2004 • 84 issued patches for vulnerabilities and bugs • 9 patches a year for DNS COMPANIES DEPLOY FIREWALLS TO PROTECT DNS But traditional firewalls don’t process DNS, so a vulnerability can still be exploited on the DNS server. BIND HISTORY 60 50 40 30 20 10 0 9.0 9.1 9.2 9.3 9.4 9.5 9.6 9.7 9.8 9.9 BIND Version Critical patches for vulnerabilities Total updates, including beta, release candidates Number of updates issued F5 DNS Authoritative Model Traditional DNS Authoritative Topology Total in year 1: $355,280 Total in year 2 onwards: $55,280 Total in year 1: $799,200 Total in year 2 onwards: $439,200 © F5 Networks, Inc 7
- 8. Optimized DNS Tier 1: DMZ Authoritative DNS DNSSEC IP Geolocation DNS DDoS Protection IP Intelligence Distributed DNS Intelligent and Scalable DNS Services Easy integration into existing DNS infrastructure for high availability and security Tier 2: Application Delivery Primary DNS Application TCP/UDP Port Strategic Point of Control Support over 10 million DNS responses per second (RPS) Context based on geographical location Legitimate Visitors Cache Poisoning DNS DDoS Attacks LDNS SaaS Intelligence PaaS IaaS Cloud Providers Manageable and predictable data center utilization Authoritative Zone Transfer Web Bot Attacker Threat 53 TCP Port 80/443 Application Health © F5 Networks, Inc 8
- 9. DNS Express • Delivers High-speed response & DDoS protection with in-memory • Authoritative DNS served out of RAM. • Configuration size for tens of millions of records. • Scale and consolidate DNS servers. DNS Express in BIG-IP Answer DNS Query Answer DNS Query Answer DNS Query Answer DNS Query DNS Server Answer DNS Query Efficient DNS DNS. Clients Internet GTM OS Manage DNS Records Admin Auth Roles NIC Dynamic DNS DHCP © F5 Networks, Inc 9
- 10. Benefits of BIG-IP Integration Simply and efficiently manage complex networks using one ADC solution. Route users to available apps and data centers based on business logic. Use the same geolocation data to reference for all BIG-IP devices. Constantly monitor health between devices. © F5 Networks, Inc 10
- 11. Replicate High Performance DNS BIG-IP Unsigned Zone(s) DNS Express Traditional DNS Server Replicate Zones High Performance DNS and DNSSEC Scenario Soluition • Cloud DNS service with signed DNSSEC zones — Replicate DNSSEC to non-DNSSEC environments • Cloud DNS for disaster recovery / business continuity • DNS replication service to BIG-IPs or other DNS servers in DCs/Clouds closest to users Signed Zone(s ) Cloud DNS Service Cloud DNS (BIG-IP VE) Enhanced AXFR Support for DNS Express • Zone transfer from DNS Express to any DNS service • Replicate DNS in physical, virtual, and cloud • NOTIFY is supported, as is TSIG key for each zone © F5 Networks, Inc 11
- 12. Complete DNS Clients DMZ LDNS Internet DNS Firewall F5 DNS FIREWALL SERVICES • Protocol inspection and validation • DNS record type ACL • DNS load balancing • High-performance DNS cache • Higher-performance DNS slave • Stateful – never accepts unsolicited responses BIG-IP GTM • ICSA Certified – DMZ deployment Scale across devices – IP Anycast • Secure responses – DNSSEC • Complete DNS control – iRules • DDoS threshold alerting • DNS logging and reporting • Hardened F5 DNS code – NOT BIND in Data Center DNS Servers Apps © F5 Networks, Inc 12
- 13. The DNS value Scalable up to 20x 6 3 0 Low Query Query Growth Query Spike Query Decline Max DNS Complete DNS control Access Denied: Denial-of-service mitigation © F5 Networks, Inc 13
- 14. The DNS value Support client requests and consolidate IT IPv6 to IPv4 Secure DNS query responses http://f5.com Route based on geolocation © F5 Networks, Inc 14
- 15. DNS services are a primary reason we went with F5 for our infrastructure… With BIG-IP products, we were able to deploy leading functionality with an exceptional reduction in latency from the new DNS caching and resolving capabilities. — Oktay Yavuz Bora Senior Network Engineer, Turk Telekom © F5 Networks, Inc 15
- 16. Intelligent DNS that Scales • Scale and manage DNS and apps globally • Improve application performance and availability • Robust, Flexible and Secure DNS Infrastructure • Mitigate DNS DDoS Attacks • Support hybrid IP Environments • Complete DNS Security © F5 Networks, Inc 16
- 17. The F5 Intelligent DNS Scale reference architecture helps protect your brand and grow your business Intelligent means that your BIG-IP device, based on the context of the request (like location or reputation), can determine if the query is valid Scale means that your BIG-IP device will be able to handle any surge of DNS queries, keeping your applications available for your customers © F5 Networks, Inc 17
- 18. The F5 Intelligent DNS Scale Reference Architecture f5.com/architectures Explore © F5 Networks, Inc 18
Editor's Notes
- Imagine how much you’d use the internet if you had to remember dozens of number combinations to do anything. Developed in 1983, the Domain Name System or DNS translates the names people type into a browser into an IP address so the requested service can be found on the internet. It is one of the most important plumbing components for a functioning internet. So welcome to F5’s Intelligent DNS Scale story, I’m Peter Silva.
- An intelligent and scalable DNS infrastructure improves performance of the web application, directs customers to the best performing data center, protects not only the web properties but also the brand reputation. It also reduces not only data center costs but also the administrator’s stress in dealing with DNS.
- DNS is the foundation for the internet – akin to air and water for humans. We just expect it to be available, to always work and we really do not think about it until it doesn’t work…until it breaks….until we can’t resolve a website. DNS is critical for any human/internet interaction. Today, there are more demands than ever on DNS and it’s only going to get worse. With the upcoming Internet of Things or the Internet of Everything – where household items like your refrigerator, toaster, even toilet are connected – all of these will require a DNS entry and DNS will have many more things to resolve. BUT, When DNS breaks, everything breaks.
- Today’s websites are more complex, requiring many more DNS queries. Every icon, URL, link, image, object and all embedded content on a web page requires a DNS lookup. Loading complex sites may require hundreds of DNS queries and even simple smartphone apps can require numerous DNS queries just to load. In the last five years, the volume of DNS queries on for .com and .net addresses has more than doubled, increasing to an average daily query load of 77 billion in the fourth quarter of 2012*. More than six million domain names were added to the Internet in the fourth quarter of 2012. Future growth is expected to occur at an even faster pace. DNS scale becomes a critical issue when dealing with millions of service names and IP addresses. Also, You might not realize that DNS is the second most attacked protocol after http. Organizations such as twitter, nyt, network solutions and comcast all have had DNS attacks and outages over the last year. Notes: TLD numbers are for Verisign’s TLD servers. Traffic has doubled since 2008 (more now in 2013). Especially interesting since this is just for a TLD DNS service. This is the traffic that gets to a TLD after caching by ISPs! Point to make about 4G/LTE rollout is that there’s little point to having faster data speeds if the DNS latency and throughput aren’t in place to allow the user to experience those new data rates. On DDoS, especially for enterprises or ISPs that host, is that although you may not need ultra-high performance for “normal” DNS traffic loads, you will need it to absorb attacks. UDP, on which DNS is based, does not have identity. Spoofing is common. So mitigation techniques to identify real versus malicious actors actually consume more bandwidth than just answering the query. Of course, F5 performs copious checks on incoming DNS to qualify all requests and only responds to query types or responses that it is responsible for. Today’s websites are more complex, requiring many more DNS queries. Every icon, URL, and all embedded content on a web page requires a DNS lookup. Loading complex sites may require hundreds of DNS queries and even simple smartphone apps can require numerous DNS queries just to load. In the last five years, the volume of DNS queries on for .com and .net addresses has more than doubled, increasing to an average daily query load of 77 billion in the fourth quarter of 2012*. More than six million domain names were added to the Internet in the fourth quarter of 2012. Future growth is expected to occur at an even faster pace. DNS scale becomes a critical issue when dealing with millions of service names and IP addresses. Notes: TLD numbers are for Verisign’s TLD servers. Traffic has doubled since 2008 (more now in 2013). Especially interesting since this is just for a TLD DNS service. This is the traffic that gets to a TLD after caching by ISPs! Point to make about 4G/LTE rollout is that there’s little point to having faster data speeds if the DNS latency and throughput aren’t in place to allow the user to experience those new data rates. On DDoS, especially for enterprises or ISPs that host, is that although you may not need ultra-high performance for “normal” DNS traffic loads, you will need it to absorb attacks. UDP, on which DNS is based, does not have identity. Spoofing is common. So mitigation techniques to identify real versus malicious actors actually consume more bandwidth than just answering the query. Of course, F5 performs copious checks on incoming DNS to qualify all requests and only responds to query types or responses that it is responsible for.
- There are many reasons why DNS requirements are growing. Over the last 5 years, there has been a 180% growth of active websites, 230% growth in active users, a 22% growth in software applications and 100% growth in DNS queries. Add to that, we are very impatient – 74% are willing to wait 5 seconds, nearly 60% of web users say they expect a website to load on their mobile phone in 3 seconds or less. 1 mississippi, 2 mississippi, 3 mississippi – that’s it, on to the next site. Organizations are experiencing rapid growth in terms of applications and the volume of traffic accessing those applications. DNS failures account for almost half - 41% of web infrastructure downtime. According to a survey by the Aberdeen Group, organizations lose an average of $138,000 for every hour their data centers are down*. There are real costs and loss involved when DNS does not respond. Downtime has an impact on visiting customers, can lead to loss of revenue and can also impact employees trying to access their corporate resources. “Nearly 60% of web users say they expect a website to load on their mobile phone in 3 seconds or less and 74% are willing to wait 5 seconds or less for a single web page to load before leaving the site.” – Compuware report, “What Users Want from Mobile,” July 2011 Every 100ms delay costs Amazon 1% in sales. – Greg Lindon, Amazon DNS growth stats attached (100%+ growth in last 5yrs.) https://investor.verisign.com/releaseDetail.cfm?ReleaseID=591560 188M+ active websites (180%+ growth in last 5 yrs.) http://news.netcraft.com/ Active users = 230% Growth last 5 years. 566% growth in last 12 years. http://www.internetworldstats.com/stats.htm http://slideshow.techworld.com/3363475/ipv6--why-we-need-new-internet-protocol/8/ Global software spending forecast from 2005 to 2015. Statista http://www.statista.com/statistics/203964/global-software-spending-forecast/ Software apps grew at 8.9% in 2011 and 7.7% in 2010. http://www.gartner.com/id=1969315 The Internet and its endless challenges keep growing. Over the last 5 years, there has been a 180% growth of active websites, 230% growth in active users, a 22% growth in software applications and 100% growth in DNS queries. Add to that, nearly 60% of web users say they expect a website to load on their mobile phone in 3 seconds or less. Organizations are experiencing rapid growth in terms of applications and the volume of traffic accessing those applications. And if customers can’t get to your content, they’ll go elsewhere because the next app is just a click away. DNS failures account for 41% of web infrastructure downtime so organizations must keep their DNS available. According to a survey by the Aberdeen Group, organizations lose an average of $138,000 for every hour their data centers are down*. Downtime has an impact on visiting customers, can lead to loss of revenue and can also impact employees trying to access their corporate resources. “Nearly 60% of web users say they expect a website to load on their mobile phone in 3 seconds or less and 74% are willing to wait 5 seconds or less for a single web page to load before leaving the site.” – Compuware report, “What Users Want from Mobile,” July 2011 Every 100ms delay costs Amazon 1% in sales. – Greg Lindon, Amazon DNS growth stats attached (100%+ growth in last 5yrs.) https://investor.verisign.com/releaseDetail.cfm?ReleaseID=591560 188M+ active websites (180%+ growth in last 5 yrs.) http://news.netcraft.com/ Active users = 230% Growth last 5 years. 566% growth in last 12 years. http://www.internetworldstats.com/stats.htm http://slideshow.techworld.com/3363475/ipv6--why-we-need-new-internet-protocol/8/ Global software spending forecast from 2005 to 2015. Statista http://www.statista.com/statistics/203964/global-software-spending-forecast/ Software apps grew at 8.9% in 2011 and 7.7% in 2010. http://www.gartner.com/id=1969315
- When a visitor requests a website, it first goes to their local DNS server – typically the dsl or cable modem at the edge of your home network. If your ISP knows where to find the website, maybe it’s cached, it’ll return the answer and tell the browser where to go. If not, then the query has to go back to the primary DNS server handling the record to then get the answer. That’s all fine and dandy and typically works well…until there is a serge in DNS traffic. It could be some media event, a rush of visitors or…it could be malicious activity. Generally, organizations have a set of DNS servers, each one capable of handling up to 150,000 to 200,000 DNS queries per second. If traffic spikes due to normal operations or if an attacker is sending a lot of DNS query requests by nefarious means, it might be more than what the DNS servers can handle. The DNS server stops responding and sites are unavailable, unreachable, or completely offline. Currently, organizations must add costly DNS infrastructure to address spikes in DNS requests but are not really needed during normal business operations. In addition, DNS servers must also be patched frequently for newfound vulnerabilities. On top of all that, organizations might have firewalls to protect the DNS servers and those could become a bottleneck depending on the traffic spike. Instead, put BIG-IP in that sweet spot. The F5 Intelligent DNS Scale reference architecture is leaner, faster, and more secure on top of offering massive performance. BIG-IP can handle over 10 million query RPS; that’s 123 requests per day from every person on earth. Additionally, it offers unmatched DNS D/DoS protection and since BIG-IP is ICSA firewall certified, organizations can collapse multiple firewall tiers in the DMZ. Less equipment to purchase, manage and support. Plus, BIG-IP offers easy DNS management that integrates with your existing infrastructure. Error checking, auto population of protocols, and importation of zones help eliminate any downtime from DNS errors. The customer benefits from an ultra-high performance solution which incorporates a firewall and DNS services. Unlike the conventional model, it does not suffer from firewall bottlenecks. The F5 solution scales, in a single box, to 20M query RPS. This results in much lower OpEx and CapEx while delivering much higher performance and protection.
- About 80% of DNS deployments today are done with BIND. BIND is an open-source project maintained by Internet Systems Consortium (ISC) and the software is free. It still needs a server and operating system to run on, however, along with any maintenance, updates, rack space and so forth. ISC is a non-profit organization with a for-profit consulting arm called DNS-CO, which offers five levels of subscription that range from $10,000 to $100,000 annually. Despite its popularity, BIND requires significant maintenance multiple times a year primarily due to vulnerabilities, patches, and upgrades, averaging about 9 patches a year. Many organizations do not keep current with patching thus their DNS systems could be vulnerable. What’s the risk to the business if DNS is not working? In addition, BIND typically scales to only 50,000 responses per second (RPS), making it vulnerable to both legitimate and malicious DNS surges. You can see the cost savings both initially and ongoing for a very large enterprise. Even though BIND is free, there are certainly personnel, maintenance, datacenter, support, management and other costs that an organization can incur.
- The F5 Intelligent DNS Scale reference architecture also helps keep your content and applications available by responding to DNS queries from the edge of the network in the DMZ, rather than from deep within your critical infrastructure. When you offload DNS responses to the BIG-IP platform, no request reaches the back end of your network, which greatly increases your ability to scale and respond to DNS surges along with protecting your DNS infrastructure. There is less risk to those back end applications and much higher performance. Organizations can add DNSSEC to secure their domain name along with IP Intelligence to automatically block known malicious networks. Built in protocol validation also helps ensure proper DNS requests are made. It’s not just public websites that need DNS, it’s also internal systems like exchange that need name resolution. DNS is required on a network in order to find basic services such as fileservers and clients and to identify assets by name. By increasing the speed, availability, scalability, and security of your DNS infrastructure, the F5 Intelligent DNS Scale reference architecture ensures that your customers—and your employees—can access your critical web, application, and database services whenever they need them. Instead of worrying about DNS outages and purchasing additional DNS infrastructure to combat surges, simply place BIG-IP in front of your primary DNS server. It’s a full DNS server and handles requests on behalf of your main DNS server.
- The architecture of the F5 Intelligent and Scalable DNS services is optimized by the specifically designed DNS Express query response module. DNS Express manages authoritative DNS queries by transferring zones to its own RAM. The primary DNS server tells BIG-IP, ‘You are authoritative and you answer the query.’ In this architecture, F5 DNS Services only has to open the DNS query packet once, as long as the request is for an address that is in the zone that was transferred to DNS Express. Since it is served out of RAM, it is instantaneous. DNS Express simplifies a single processing instance of the DNS query to significantly improve the performance of an organization’s DNS infrastructure. With DNS Express, each individual core of each BIG-IP device can answer approximately 125,000 to 200,000 requests per second, scaling up to 10 million query RPS. This can be over 12X the capacity of what a typical primary DNS server can handle. This gives F5 customers a unique opportunity to scale dramatically to DNS query responses. BIG-IP GTM is a full DNS server and handles requests on behalf of the main DNS server.
- 10
- Just under half of the internet (47 percent) remains insecure insofar as many top level domains (TLDs) have failed to sign up to use domain name system security extensions (DNSSEC), including intensive internet using countries such as Italy (.it), Spain (.es) and South Africa (.za), leaving millions of internet users open to malicious redirect to fake websites, reports Ultra Electronics AEP.
- BIG-IP GTM can be configured as a full proxy for global load balancing applications and DNS across architectures—and across the globe. For greater flexibility, you can use BIG-IP GTM Virtual Edition (VE) to extend DNS services and global app availability to cloud or virtual environments and maintain centralized control within the data center. Your revenue and your brand are protected Use the same IP address for multiple devices Geographically separate the DNS request load for all requests Scale DNS infrastructure up and out per number of BIG-IP devices
- DNS is the internet’s phonebook and essential for every web property on the internet. It helps people find your web presence. It helps websites deliver the content you want visitors to see. If DNS is slow, then you entire infrastructure is slow and your bounce rate jumps. If your website takes longer than 3 seconds to load, you are losing revenue. If your DNS is attacked, then your web presence is severely limited. If your DNS cannot scale, then you cannot accommodate additional visitors. If your DNS is compromised, then your brand suffers. If DNS doesn’t work, you lose revenue. If you have an antiquated DNS infrastructure, you’re spending too much money and putting the business at risk. If people cannot find you, they will go somewhere else.
- If your DNS is resilient, people will find you. If people can find you, they will engage. If they engage, your brand gets exposure. If your web properties respond quickly, people are more likely to stay. If people stay, business will grow. F5 Intelligent and Scalable DNS Services can help protect your brand and grow your business.
- F5 DNS Services are crucial http://www.f5.com/about/news/press/2012/20120625b/
- Read slide