Peter Silva
Sr. Technical Marketing Manager
F5 Intelligent DNS Scale
© F5 Networks, Inc 2
LOWERS stress of DNS outages
REDUCES data center costs
DIRECTS customers to the best data center or cloud
PROTECTS web properties and brand reputation
IMPROVES web application performance
Intelligent and scalable DNS
© F5 Networks, Inc 3
Internet foundation? DNS
WHEN DNS BREAKS, EVERYTHING BREAKS
DOMAIN NAME SYSTEM (DNS)
Translates a domain name… http://www.google.com into an IP address: 74.125.227.64 (IPv4)
http://www.f5.com = 2001:19b8:101:2::f5f5:1d (IPv6)
DNS DEMANDS
More people
Mobile devices/apps
Complex sites
Increased latency
Cloud implementations
IPv6 added to IPv4
DDoS attacks
© F5 Networks, Inc 4
DNS demand
Available and protected
AVERAGE DAILY LOAD FOR DNS (TLD) QUERIES IN BILLIONS
[Bar chart, years ’08 to ’12; values printed on the chart: 77, 57, 39, 43, 50]
DNSSEC DEPLOYMENT EXPANDING
TYPICAL FOR A SINGLE WEB PAGE TO CONSUME 100+ DNS QUERIES FROM ACTIVE CONTENT, ADVERTISING, AND ANALYTICS
ATTACKS ON DNS BECOMING MORE COMMON; DNS SERVICES MUST BE ROBUST
GLOBAL MOBILE DATA (4G/LTE) IS DRIVING THE NEED FOR FAST, AVAILABLE DNS
[Chart: 18X growth 2011-2016; 4G LTE 2.4GB/mo vs. non-4G LTE 86MB/mo]
DISTRIBUTED, AVAILABLE, HIGH-PERFORMANCE GSLB FOR MULTIPLE DATA CENTERS
Reflection/amplification DDoS
Cache poisoning attacks
Drive for DNSSEC adoption
Total service availability
Geographically dispersed DCs
DNS capacity close to subscribers
© F5 Networks, Inc 5
Critical: DNS
5 SECONDS: 74% are willing to wait 5 seconds or less for a single web page to load before leaving the site
Every 100ms delay costs Amazon.com 1% in sales
2007 to 2012: DNS has grown over 100% in the last 5 years
2007 to 2012: 180%. As of October 2012, there were over 188 million active websites, a growth of 180% over the last 5 years
© F5 Networks, Inc 6
DNS Deployments
CONVENTIONAL DNS THINKING
• Performance = Add DNS boxes
• Weak DoS/DDoS Protection
• Firewall is THE bottleneck
[Diagram: Internet -> External Firewall -> DNS Load Balancing -> Array of DNS Servers -> Internal Firewall -> Hidden Master DNS]
F5 DNS DELIVERY REIMAGINED
• Massive performance over 10M RPS!
• Best DoS/DDoS protection
• Lower CapEx and OpEx
F5 PARADIGM SHIFT
[Diagram: Internet -> BIG-IP Global Traffic Manager in the DMZ (Authoritative DNS, Caching Resolver, Transparent Caching, DNS Firewall, DNS DDoS Protection, Protocol Validation, High Performance DNSSEC, DNSSEC Validation, Intelligent GSLB) -> Master DNS Infrastructure in the Datacenter]
© F5 Networks, Inc 7
True DNS Costs
HIGHER OPEX DUE TO MAINTENANCE
BIND by the numbers
• 340 updates since 2004
• 84 issued patches for vulnerabilities and bugs
• 9 patches a year for DNS
COMPANIES DEPLOY FIREWALLS TO PROTECT DNS
But traditional firewalls don’t process DNS, so a vulnerability can still be exploited on the DNS server.
[Chart: BIND HISTORY. X-axis: BIND Version 9.0 through 9.9; Y-axis: Number of updates issued, 0 to 60. Series: Total updates, including beta and release candidates; Critical patches for vulnerabilities]
F5 DNS Authoritative Model: Total in year 1: $355,280; Total in year 2 onwards: $55,280
Traditional DNS Authoritative Topology: Total in year 1: $799,200; Total in year 2 onwards: $439,200
© F5 Networks, Inc 8
Optimized DNS
Easy integration into existing DNS infrastructure for high availability and security
Support over 10 million DNS responses per second (RPS)
Manageable and predictable data center utilization
[Diagram labels: Tier 1: DMZ; Tier 2: Application Delivery; Authoritative Zone Transfer; Legitimate Visitors (context based on geographical location); LDNS; Web Bot; Attacker; Cache Poisoning; DNS DDoS Attacks; Intelligent and Scalable DNS Services (Strategic Point of Control); Distributed DNS; IP Intelligence; Threat Intelligence; DNSSEC; IP Geolocation; DNS DDoS Protection; Primary DNS; Authoritative DNS; TCP/UDP Port 53; Application; Application Health; TCP Port 80/443; Cloud Providers: SaaS, PaaS, IaaS]
© F5 Networks, Inc 9
[Diagram: five client-to-DNS exchanges, each labelled DNS Query / Answer]
Efficient DNS
DNS Express
• Delivers high-speed response & DDoS protection with in-memory DNS.
• Authoritative DNS served out of RAM.
• Configuration size for tens of millions of records.
• Scale and consolidate DNS servers.
[Diagram labels: Clients; Internet; DNS Express in BIG-IP GTM; DNS Server (OS, Admin, Auth, Roles, NIC, Dynamic DNS, DHCP); Manage DNS Records]
© F5 Networks, Inc 10
Benefits of BIG-IP Integration
Simply and efficiently manage complex networks using one ADC solution.
Route users to available apps and data centers based on business logic.
Use the same geolocation data to reference for all BIG-IP devices.
Constantly monitor health between devices.
© F5 Networks, Inc 11
Replicate High Performance DNS
• Cloud DNS service with signed DNSSEC zones
— Replicate DNSSEC to non-DNSSEC environments
• Cloud DNS for disaster recovery / business continuity
• DNS replication service to BIG-IPs or other DNS servers in DCs/Clouds closest to users
[Diagram labels: BIG-IP; Unsigned Zone(s); Traditional DNS Server; Signed Zone(s); Cloud DNS (BIG-IP VE)]
Enhanced AXFR Support for DNS Express
• Zone transfer from DNS Express to any DNS service
• Replicate DNS in physical, virtual, and cloud
• NOTIFY is supported, as is TSIG key for each zone
[Diagram labels: Cloud DNS Service; High Performance DNS and DNSSEC; Scenario; Solution; Replicate Zones; DNS Express]
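The flow these two slides and the speaker note for slide 10 describe (the hidden master sends NOTIFY with a new serial, the edge pulls the zone, checks a per-zone key and then answers that zone from memory) as an added worked example. It is not F5's DNS Express code and not a BIG-IP configuration: the Primary and InMemoryAuthoritative classes, the zone content, the key and the names are this example's own, and its transfer encoding and HMAC framing are simplified stand-ins for AXFR (RFC 5936) and TSIG (RFC 8945), not their wire formats. A query for a name outside the loaded zones is reported as not ours so the caller can pass it on to the back-end DNS, and a stale NOTIFY or a transfer whose MAC does not verify leaves the copy already in service untouched.

```python
"""Added example (not F5's DNS Express code): an edge DNS store that answers from RAM only for
zones it received through an authenticated transfer. The transfer encoding and the per-zone HMAC
are simplified stand-ins for AXFR (RFC 5936) and TSIG (RFC 8945), not their wire formats."""
import hashlib
import hmac


class Primary:
    """Constructed stand-in for the hidden master: zone data plus one shared key per zone."""

    def __init__(self, zones, keys):
        self.zones = zones  # zone -> (serial, [(owner, rtype, ttl, rdata), ...])
        self.keys = keys    # zone -> shared secret bytes

    def transfer(self, zone):
        """Serialize the whole zone (AXFR-like) and sign it with the zone's key."""
        serial, records = self.zones[zone]
        lines = [f"serial {serial}"] + [" ".join(map(str, rec)) for rec in records]
        body = "\n".join(lines).encode()
        return body, hmac.new(self.keys[zone], body, hashlib.sha256).digest()


class InMemoryAuthoritative:
    """Answers out of RAM for verified zone copies; anything else is 'not ours'."""

    def __init__(self, keys):
        self.keys = keys
        self.zones = {}      # zone -> {"serial": int, "rrsets": {(owner, rtype): [(ttl, rdata), ...]}}
        self.refreshed = []  # audit trail of accepted transfers: (zone, serial)

    def notify(self, zone, serial, primary):
        """NOTIFY handling: pull the zone only when the advertised serial is newer than ours."""
        current = self.zones.get(zone, {}).get("serial", -1)
        if serial <= current:
            return "ignored: serial not newer"
        body, mac = primary.transfer(zone)
        return self.load_transfer(zone, body, mac)

    def load_transfer(self, zone, body, mac):
        """Verify the MAC with the zone's key before a single record enters memory."""
        key = self.keys.get(zone)
        if key is None:
            return "rejected: no key configured for zone"
        if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest(), mac):
            return "rejected: bad MAC"  # altered or unauthenticated transfer; the old copy stays in service
        serial, rrsets = None, {}
        for line in body.decode().splitlines():
            fields = line.split(" ", 3)
            if fields[0] == "serial":
                serial = int(fields[1])
                continue
            owner, rtype, ttl, rdata = fields
            rrsets.setdefault((owner.lower(), rtype), []).append((int(ttl), rdata))
        self.zones[zone] = {"serial": serial, "rrsets": rrsets}
        self.refreshed.append((zone, serial))
        return f"loaded: {zone} serial {serial} ({len(rrsets)} rrsets)"

    def answer(self, qname, qtype):
        """RRset from RAM; [] if the name is in a served zone but lacks the type; None if not authoritative."""
        name = qname.lower().rstrip(".") + "."
        zone = next((z for z in self.zones if name == z or name.endswith("." + z)), None)
        if zone is None:
            return None  # not in memory: in the slides' model this query goes on to the back-end DNS
        return self.zones[zone]["rrsets"].get((name, qtype), [])


# Constructed sample zone (documentation names and addresses) and its per-zone key.
ZONE_KEYS = {"example.com.": b"constructed-shared-secret-do-not-reuse"}
PRIMARY = Primary({"example.com.": (2013010101, [
    ("example.com.", "SOA", 3600, "ns1.example.com. hostmaster.example.com. 2013010101 7200 900 1209600 300"),
    ("example.com.", "NS", 3600, "ns1.example.com."),
    ("www.example.com.", "A", 300, "192.0.2.10"),
    ("www.example.com.", "AAAA", 300, "2001:db8::10"),
])}, ZONE_KEYS)


def demo():
    """Walk through NOTIFY, transfer, lookup, a stale NOTIFY and a transfer altered in transit."""
    edge = InMemoryAuthoritative(ZONE_KEYS)
    out = {"before": edge.answer("www.example.com.", "A")}  # None: nothing loaded yet
    out["notify"] = edge.notify("example.com.", 2013010101, PRIMARY)
    out["a"] = edge.answer("www.example.com.", "A")
    out["missing_type"] = edge.answer("www.example.com.", "MX")
    out["stale"] = edge.notify("example.com.", 2013010100, PRIMARY)
    body, mac = PRIMARY.transfer("example.com.")
    altered = body.replace(b"192.0.2.10", b"198.51.100.66")  # body changed, MAC unchanged
    out["altered"] = edge.load_transfer("example.com.", altered, mac)
    out["still_good"] = edge.answer("www.example.com.", "A")
    out["other_zone"] = edge.answer("www.example.net.", "A")
    return out


if __name__ == "__main__":
    print(demo())
```

The serial check in notify() is what keeps a replayed or stale NOTIFY from triggering transfers, and compare_digest() is used so MAC verification does not leak timing; both checks run before anything is written into the in-memory zone, so a failed transfer never degrades the answers already being served.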
© F5 Networks, Inc 12
Complete DNS
F5 DNS FIREWALL SERVICES
• Protocol inspection and validation
• DNS record type ACL
• DNS load balancing
• High-performance DNS cache
• Higher-performance DNS slave
• Stateful – never accepts unsolicited responses
• ICSA Certified – DMZ deployment
• Scale across devices – IP Anycast
• Secure responses – DNSSEC
• Complete DNS control – iRules
• DDoS threshold alerting
• DNS logging and reporting
• Hardened F5 DNS code – NOT BIND
[Diagram: Clients and LDNS on the Internet -> DNS Firewall in BIG-IP GTM in the DMZ -> DNS Servers and Apps in the Data Center]
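Three of the controls listed above (protocol inspection and validation, the DNS record type ACL, and the stateful rule that unsolicited responses are never accepted) as an added worked example; this is not F5 code and not how BIG-IP implements these features. It parses the header and question section of constructed DNS packets and rejects anything malformed, drops query types outside an operator-defined allow list (the constructed list omits ANY), and accepts a response only once and only when its transaction ID, question and upstream address/port match a query the device itself sent, which is the RFC 5452 check that defeats spoofed answers and cache poisoning. Every packet, name and address is constructed, and the DnsFirewall class and helper names are this example's own.

```python
"""Added example (not F5/BIG-IP code): minimal DNS firewall checks on constructed packets.
Only the header and question section are parsed; answer records are not interpreted."""
import struct

# RR type codes from RFC 1035 / RFC 3596; ANY (255) is the query type most often abused for amplification.
QTYPE = {"A": 1, "NS": 2, "CNAME": 5, "SOA": 6, "MX": 15, "TXT": 16, "AAAA": 28, "ANY": 255}

def canon(name):
    # fully qualified, lower-cased form used for every comparison (DNS names are case-insensitive)
    return name.rstrip(".").lower() + "."

def encode_name(name):
    labels = [label.encode("ascii") for label in name.rstrip(".").split(".") if label]
    return b"".join(bytes([len(label)]) + label for label in labels) + b"\x00"

def decode_name(data, off):
    """Parse an uncompressed name; return (name, next offset) or raise ValueError on malformed input."""
    labels = []
    while True:
        if off >= len(data):
            raise ValueError("truncated name")
        n, off = data[off], off + 1
        if n == 0:
            return canon(".".join(labels)), off
        # compression pointers never belong in a question; labels are at most 63 octets
        if n & 0xC0 or n > 63 or off + n > len(data):
            raise ValueError("bad label length")
        labels.append(data[off:off + n].decode("ascii"))
        off += n

def parse_message(data):
    """Protocol validation: 12-byte header, opcode QUERY, exactly one class-IN question."""
    if len(data) < 12:
        raise ValueError("short header")
    txid, flags, qdcount = struct.unpack("!HHH", data[:6])
    if (flags >> 11) & 0xF != 0 or qdcount != 1:
        raise ValueError("unsupported opcode or question count")
    qname, off = decode_name(data, 12)
    if off + 4 > len(data):
        raise ValueError("truncated question")
    qtype, qclass = struct.unpack("!HH", data[off:off + 4])
    if qclass != 1:
        raise ValueError("only class IN is accepted")
    return {"id": txid, "is_response": bool(flags & 0x8000), "qname": qname, "qtype": qtype}

def build_query(txid, qname, qtype):
    # constructed query packet: RD set, one question
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_name(qname) + struct.pack("!HH", QTYPE[qtype], 1)

def build_response(txid, qname, qtype, rdata=bytes([192, 0, 2, 1])):
    """Constructed answer packet: QR|RD|RA, NOERROR, one A record with a documentation address."""
    question = encode_name(qname) + struct.pack("!HH", QTYPE[qtype], 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE["A"], 1, 300, len(rdata)) + rdata  # owner = pointer to question
    return struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0) + question + answer

class DnsFirewall:
    """Query-path ACL plus stateful response matching; every packet gets 'accept' or 'drop:<reason>'."""
    def __init__(self, allowed_types):
        self.allowed = {QTYPE[t] for t in allowed_types}
        self.pending = set()  # (txid, qname, qtype, upstream_ip, upstream_port) of queries awaiting an answer

    def check_query(self, data):
        try:
            msg = parse_message(data)
        except ValueError as err:
            return f"drop:malformed:{err}"
        if msg["is_response"]:
            return "drop:response-on-query-path"
        if msg["qtype"] not in self.allowed:
            return f"drop:type-acl:{msg['qtype']}"
        return "accept"

    def send_query(self, txid, qname, qtype, upstream_ip, upstream_port):
        # remember the tuple a valid answer must match, then emit the query
        self.pending.add((txid, canon(qname), QTYPE[qtype], upstream_ip, upstream_port))
        return build_query(txid, qname, qtype)

    def check_response(self, data, src_ip, src_port):
        # accept a response once, and only if it answers a query we sent; anything else is unsolicited
        try:
            msg = parse_message(data)
        except ValueError as err:
            return f"drop:malformed:{err}"
        if not msg["is_response"]:
            return "drop:not-a-response"
        key = (msg["id"], msg["qname"], msg["qtype"], src_ip, src_port)
        if key not in self.pending:
            return "drop:unsolicited-response"
        self.pending.discard(key)
        return "accept"

def demo():
    # run the checks over constructed traffic and return every verdict by name
    fw = DnsFirewall(["A", "AAAA", "MX"])
    fw.send_query(0x4242, "www.example.com", "A", "192.0.2.53", 53)  # 192.0.2.53: constructed upstream
    good = build_response(0x4242, "WWW.EXAMPLE.COM", "A")             # differs only in case: must match
    other = build_response(0x4243, "www.example.com", "A")            # transaction ID does not match
    return {
        "a_query": fw.check_query(build_query(0x1234, "www.example.com", "A")),
        "any_query": fw.check_query(build_query(0x1234, "example.com", "ANY")),
        "short": fw.check_query(b"\x00" * 5),
        "bad_label": fw.check_query(build_query(1, "example.com", "A")[:12] + b"\x46" + b"A" * 70),
        "wrong_id": fw.check_response(other, "192.0.2.53", 53),
        "genuine": fw.check_response(good, "192.0.2.53", 53),
        "replay": fw.check_response(good, "192.0.2.53", 53),
    }
```

A real deployment would also randomize the transaction ID and source port it records in send_query(); the matching logic is the same, it just makes the tuple an attacker has to reproduce much larger. Running demo() shows the ANY query refused by the ACL, the two malformed packets refused before any lookup, and the same genuine response accepted exactly once.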
© F5 Networks, Inc 13
The DNS value
Scalable up to 20x
[Chart: DNS capacity from Low to Max (scale 0, 3, 6) across the phases Query, Query Growth, Query Spike, Query Decline]
Complete DNS control
Access Denied: Denial-of-service mitigation
© F5 Networks, Inc 14
The DNS value
Support client requests
and consolidate IT
IPv6 to IPv4
Secure DNS query responses
http://f5.com
Route based on geolocation
© F5 Networks, Inc 15
DNS services are a primary reason we went with
F5 for our infrastructure…
With BIG-IP products, we were able to deploy
leading functionality with an exceptional reduction
in latency from the new DNS caching and
resolving capabilities.
— Oktay Yavuz Bora
Senior Network Engineer, Turk Telekom
© F5 Networks, Inc 16
Intelligent DNS that Scales
• Scale and manage DNS and apps globally
• Improve application performance and availability
• Robust, Flexible and Secure DNS Infrastructure
• Mitigate DNS DDoS Attacks
• Support hybrid IP Environments
• Complete DNS Security
© F5 Networks, Inc 17
Intelligent means that your BIG-IP device, based on the context of the
request (like location or reputation), can determine if the query is valid
Scale means that your BIG-IP device will be able to handle any surge of
DNS queries, keeping your applications available for your customers
The F5 Intelligent DNS Scale reference architecture
helps protect your brand and grow your business
© F5 Networks, Inc 18
The F5 Intelligent DNS
Scale Reference
Architecture
f5.com/architectures
Explore
F5 Networks Intelligent DNS Scale


Editor's Notes

  • #2 Imagine how much you’d use the internet if you had to remember dozens of number combinations to do anything. Developed in 1983, the Domain Name System or DNS translates the names people type into a browser into an IP address so the requested service can be found on the internet. It is one of the most important plumbing components for a functioning internet. So welcome to F5’s Intelligent DNS Scale story, I’m Peter Silva.
  • #3 An intelligent and scalable DNS infrastructure improves performance of the web application, directs customers to the best performing data center, protects not only the web properties but also the brand reputation. It also reduces not only data center costs but also the administrator’s stress in dealing with DNS.
  • #4 DNS is the foundation for the internet – akin to air and water for humans. We just expect it to be available, to always work, and we really do not think about it until it doesn’t work…until it breaks…until we can’t resolve a website. DNS is critical for any human/internet interaction. Today, there are more demands than ever on DNS and it’s only going to get worse. With the upcoming Internet of Things or the Internet of Everything – where household items like your refrigerator, toaster, even toilet are connected – all of these will require a DNS entry and DNS will have many more things to resolve. BUT, when DNS breaks, everything breaks.
  • #5 Today’s websites are more complex, requiring many more DNS queries. Every icon, URL, link, image, object and all embedded content on a web page requires a DNS lookup. Loading complex sites may require hundreds of DNS queries, and even simple smartphone apps can require numerous DNS queries just to load. In the last five years, the volume of DNS queries for .com and .net addresses has more than doubled, increasing to an average daily query load of 77 billion in the fourth quarter of 2012*. More than six million domain names were added to the Internet in the fourth quarter of 2012. Future growth is expected to occur at an even faster pace. DNS scale becomes a critical issue when dealing with millions of service names and IP addresses. Also, you might not realize that DNS is the second most attacked protocol after HTTP. Organizations such as Twitter, the NYT, Network Solutions and Comcast have all had DNS attacks and outages over the last year. Notes: TLD numbers are for Verisign’s TLD servers. Traffic has doubled since 2008 (more now in 2013). Especially interesting since this is just for a TLD DNS service: this is the traffic that gets to a TLD after caching by ISPs! The point to make about the 4G/LTE rollout is that there’s little point to having faster data speeds if the DNS latency and throughput aren’t in place to allow the user to experience those new data rates. On DDoS, especially for enterprises or ISPs that host: although you may not need ultra-high performance for “normal” DNS traffic loads, you will need it to absorb attacks. UDP, on which DNS is based, does not have identity; spoofing is common. So mitigation techniques to identify real versus malicious actors actually consume more bandwidth than just answering the query. Of course, F5 performs copious checks on incoming DNS to qualify all requests and only responds to query types or responses that it is responsible for.
  • #6 There are many reasons why DNS requirements are growing. Over the last 5 years, there has been 180% growth of active websites, 230% growth in active users, 22% growth in software applications and 100% growth in DNS queries. Add to that, we are very impatient – 74% are willing to wait 5 seconds, and nearly 60% of web users say they expect a website to load on their mobile phone in 3 seconds or less. 1 mississippi, 2 mississippi, 3 mississippi – that’s it, on to the next site. And if customers can’t get to your content, they’ll go elsewhere because the next app is just a click away. Organizations are experiencing rapid growth in terms of applications and the volume of traffic accessing those applications. DNS failures account for almost half – 41% – of web infrastructure downtime, so organizations must keep their DNS available. According to a survey by the Aberdeen Group, organizations lose an average of $138,000 for every hour their data centers are down*. There are real costs and losses involved when DNS does not respond. Downtime has an impact on visiting customers, can lead to loss of revenue and can also impact employees trying to access their corporate resources. “Nearly 60% of web users say they expect a website to load on their mobile phone in 3 seconds or less and 74% are willing to wait 5 seconds or less for a single web page to load before leaving the site.” – Compuware report, “What Users Want from Mobile,” July 2011. Every 100ms delay costs Amazon 1% in sales. – Greg Linden, Amazon. Sources: DNS growth stats (100%+ growth in last 5 yrs.): https://investor.verisign.com/releaseDetail.cfm?ReleaseID=591560 ; 188M+ active websites (180%+ growth in last 5 yrs.): http://news.netcraft.com/ ; active users = 230% growth in the last 5 years, 566% growth in the last 12 years: http://www.internetworldstats.com/stats.htm and http://slideshow.techworld.com/3363475/ipv6--why-we-need-new-internet-protocol/8/ ; global software spending forecast from 2005 to 2015, Statista: http://www.statista.com/statistics/203964/global-software-spending-forecast/ ; software apps grew at 8.9% in 2011 and 7.7% in 2010: http://www.gartner.com/id=1969315
  • #7 When a visitor requests a website, the request first goes to their local DNS server – typically the DSL or cable modem at the edge of your home network. If your ISP knows where to find the website, maybe because it’s cached, it’ll return the answer and tell the browser where to go. If not, then the query has to go back to the primary DNS server handling the record to get the answer. That’s all fine and dandy and typically works well…until there is a surge in DNS traffic. It could be some media event, a rush of visitors or…it could be malicious activity. Generally, organizations have a set of DNS servers, each one capable of handling up to 150,000 to 200,000 DNS queries per second. If traffic spikes due to normal operations, or if an attacker is sending a lot of DNS query requests by nefarious means, it might be more than what the DNS servers can handle. The DNS server stops responding and sites are unavailable, unreachable, or completely offline. Currently, organizations must add costly DNS infrastructure to address spikes in DNS requests, infrastructure that is not really needed during normal business operations. In addition, DNS servers must also be patched frequently for newfound vulnerabilities. On top of all that, organizations might have firewalls to protect the DNS servers, and those could become a bottleneck depending on the traffic spike. Instead, put BIG-IP in that sweet spot. The F5 Intelligent DNS Scale reference architecture is leaner, faster, and more secure on top of offering massive performance. BIG-IP can handle over 10 million query RPS; that’s 123 requests per day from every person on earth. Additionally, it offers unmatched DNS D/DoS protection, and since BIG-IP is ICSA firewall certified, organizations can collapse multiple firewall tiers in the DMZ. Less equipment to purchase, manage and support. Plus, BIG-IP offers easy DNS management that integrates with your existing infrastructure. Error checking, auto-population of protocols, and importation of zones help eliminate any downtime from DNS errors. The customer benefits from an ultra-high performance solution which incorporates a firewall and DNS services. Unlike the conventional model, it does not suffer from firewall bottlenecks. The F5 solution scales, in a single box, to 20M query RPS. This results in much lower OpEx and CapEx while delivering much higher performance and protection.
  • #8 About 80% of DNS deployments today are done with BIND. BIND is an open-source project maintained by Internet Systems Consortium (ISC) and the software is free. It still needs a server and operating system to run on, however, along with any maintenance, updates, rack space and so forth. ISC is a non-profit organization with a for-profit consulting arm called DNS-CO, which offers five levels of subscription that range from $10,000 to $100,000 annually. Despite its popularity, BIND requires significant maintenance multiple times a year, primarily due to vulnerabilities, patches, and upgrades, averaging about 9 patches a year. Many organizations do not keep current with patching, so their DNS systems could be vulnerable. What’s the risk to the business if DNS is not working? In addition, BIND typically scales to only 50,000 responses per second (RPS), making it vulnerable to both legitimate and malicious DNS surges. You can see the cost savings both initially and ongoing for a very large enterprise. Even though BIND is free, there are certainly personnel, maintenance, datacenter, support, management and other costs that an organization can incur.
  • #9 The F5 Intelligent DNS Scale reference architecture also helps keep your content and applications available by responding to DNS queries from the edge of the network in the DMZ, rather than from deep within your critical infrastructure. When you offload DNS responses to the BIG-IP platform, no request reaches the back end of your network, which greatly increases your ability to scale and respond to DNS surges along with protecting your DNS infrastructure. There is less risk to those back-end applications and much higher performance. Organizations can add DNSSEC to secure their domain name along with IP Intelligence to automatically block known malicious networks. Built-in protocol validation also helps ensure proper DNS requests are made. It’s not just public websites that need DNS; it’s also internal systems like Exchange that need name resolution. DNS is required on a network in order to find basic services such as fileservers and clients and to identify assets by name. By increasing the speed, availability, scalability, and security of your DNS infrastructure, the F5 Intelligent DNS Scale reference architecture ensures that your customers—and your employees—can access your critical web, application, and database services whenever they need them. Instead of worrying about DNS outages and purchasing additional DNS infrastructure to combat surges, simply place BIG-IP in front of your primary DNS server. It’s a full DNS server and handles requests on behalf of your main DNS server.
  • #10 The architecture of the F5 Intelligent and Scalable DNS services is optimized by the specifically designed DNS Express query response module. DNS Express manages authoritative DNS queries by transferring zones to its own RAM. The primary DNS server tells BIG-IP, ‘You are authoritative and you answer the query.’ In this architecture, F5 DNS Services only has to open the DNS query packet once, as long as the request is for an address that is in the zone that was transferred to DNS Express. Since it is served out of RAM, it is instantaneous. DNS Express simplifies a single processing instance of the DNS query to significantly improve the performance of an organization’s DNS infrastructure. With DNS Express, each individual core of each BIG-IP device can answer approximately 125,000 to 200,000 requests per second, scaling up to 10 million query RPS. This can be over 12X the capacity of what a typical primary DNS server can handle. This gives F5 customers a unique opportunity to scale DNS query responses dramatically. BIG-IP GTM is a full DNS server and handles requests on behalf of the main DNS server.
  • #12 Just under half of the internet (47 percent) remains insecure insofar as many top level domains (TLDs) have failed to sign up to use domain name system security extensions (DNSSEC), including intensive internet using countries such as Italy (.it), Spain (.es) and South Africa (.za), leaving millions of internet users open to malicious redirect to fake websites, reports Ultra Electronics AEP.  
  • #13 BIG-IP GTM can be configured as a full proxy for global load balancing applications and DNS across architectures—and across the globe. For greater flexibility, you can use BIG-IP GTM Virtual Edition (VE) to extend DNS services and global app availability to cloud or virtual environments and maintain centralized control within the data center. Your revenue and your brand are protected. Use the same IP address for multiple devices. Geographically separate the DNS request load for all requests. Scale DNS infrastructure up and out per number of BIG-IP devices.
  • #14 DNS is the internet’s phonebook and essential for every web property on the internet. It helps people find your web presence. It helps websites deliver the content you want visitors to see. If DNS is slow, then your entire infrastructure is slow and your bounce rate jumps. If your website takes longer than 3 seconds to load, you are losing revenue. If your DNS is attacked, then your web presence is severely limited. If your DNS cannot scale, then you cannot accommodate additional visitors. If your DNS is compromised, then your brand suffers. If DNS doesn’t work, you lose revenue. If you have an antiquated DNS infrastructure, you’re spending too much money and putting the business at risk. If people cannot find you, they will go somewhere else.
  • #15 If your DNS is resilient, people will find you. If people can find you, they will engage. If they engage, your brand gets exposure. If your web properties respond quickly, people are more likely to stay. If people stay, business will grow. F5 Intelligent and Scalable DNS Services can help protect your brand and grow your business.
  • #16 F5 DNS Services are crucial http://www.f5.com/about/news/press/2012/20120625b/
  • #18 Read slide