f5 intelligent dns scalebe.westcon.com/documents/50218/f5_synthesis_dns_gtm_update.pdf · •...


Upload: trinhtu

Post on 23-May-2018


TRANSCRIPT

Page 1: F5 Intelligent DNS Scalebe.westcon.com/documents/50218/F5_Synthesis_DNS_GTM_update.pdf · • Secure responses—DNSSEC • Complete DNS control ... Cricket Liu, VP of Architecture

Philippe Bogaerts

Senior Field Systems Engineer

mailto: [email protected]

Mob.: +32 473 654 689

F5 Intelligent DNS Scale

Page 2:

© F5 Networks, Inc 2

Intelligent and scalable DNS

• LOWERS stress of DNS outages

• REDUCES data center costs

• DIRECTS customers to the best data center or cloud

• PROTECTS web properties and brand reputation

• IMPROVES web application performance and browsing

Page 3:

Internet foundation: DNS

DNS DEMANDS

WHEN DNS BREAKS, EVERYTHING BREAKS

DOMAIN NAME SYSTEM (DNS)

Translates a domain name (the host part of a URL such as http://www.google.com) into an IP address: 74.125.227.64 (IPv4)

http://www.f5.com = 2001:19b8:101:2::f5f5:1d (IPv6)

What is driving DNS demand:

• More people

• Mobile devices/apps

• Complex sites

• Increased latency

• Cloud implementations

• IPv6 added to IPv4

• DDoS attacks

Page 4:

What is driving this demand for DNS? Available and protected

AVERAGE DAILY LOAD FOR DNS (TLD) QUERIES IN BILLIONS

[Chart: average daily TLD DNS query load in billions, 2008 to 2012]

DNSSEC DEPLOYMENT EXPANDING

• Reflection/amplification DDoS

• Cache poisoning attacks

• Drive for DNSSEC adoption

TYPICAL FOR A SINGLE WEB PAGE TO CONSUME 100+ DNS QUERIES FROM ACTIVE CONTENT, ADVERTISING, AND ANALYTICS

ATTACKS ON DNS BECOMING MORE COMMON; DNS SERVICES MUST BE ROBUST

• Total service availability

GLOBAL MOBILE DATA (4G/LTE) IS DRIVING THE NEED FOR FAST, AVAILABLE DNS

[Chart: 18X growth in mobile data 2011-2016; 4G LTE 2.4GB/mo versus non-4G LTE 86MB/mo]

• DNS capacity close to subscribers

DISTRIBUTED, AVAILABLE, HIGH-PERFORMANCE GSLB FOR MULTIPLE DATA CENTERS

• Geographically dispersed DCs

Page 5:

Critical: DNS

5 SECONDS: 74% are willing to wait 5 seconds or less for a single web page to load before leaving the site

Every 100ms delay costs Amazon.com 1% in sales

DNS has grown over 100% in the last 5 years (2007 to 2012)

As of October 2012, there were over 188 million active websites, a growth of 180% over the last 5 years (2007 to 2012)

Page 6:

Traditional DNS

LOAD–BALANCED DNS

• Scale DNS by adding more servers

• Individual servers are not high–performance, so scale with load balancing

• Place firewall in front of DNS infrastructure

ISSUES WITH THIS DEPLOYMENT?

• BIND DNS servers are patched frequently

• Patches are mostly for vulnerabilities

• Under load, firewalls become bottlenecks

[Diagram: legitimate clients and malicious actors on the access network reach a traditional firewall, then local load balancing in front of the load-balanced DNS servers]

Page 7:

True DNS costs

HIGHER OPEX DUE TO MAINTENANCE

BIND by the numbers

• 340 updates since 2004

• 84 issued patches for vulnerabilities and bugs

• 9 patches a year for DNS

COMPANIES DEPLOY FIREWALLS TO PROTECT DNS

But a traditional firewall only permits or blocks port 53; it does not parse the DNS protocol, so a vulnerability in the DNS server can still be exploited through the port the firewall allows

[Chart: BIND HISTORY by version 9.0 to 9.9, number of updates issued (total updates, including beta and release candidates) versus critical patches for vulnerabilities]

Cost comparison as presented in the deck:

F5 DNS Authoritative Model: total in year 1: $301,280; total in year 2 onward: $1,280

Traditional DNS Authoritative Topology: total in year 1: $373,688; total in year 2 onward: $298,688

Page 8:

DNS deployments

Conventional DNS Thinking

[Diagram: Internet, External Firewall, DNS Load Balancing, Array of DNS Servers, Internal Firewall, Hidden Master DNS]

• Performance = Add DNS boxes

• Weak DoS/DDoS protection

• Firewall is THE bottleneck

F5 DNS Delivery Reimagined (F5 PARADIGM SHIFT)

[Diagram: Internet, then BIG-IP Global Traffic Manager in the DMZ providing Authoritative DNS, Caching Resolver, Transparent Caching, DNS Firewall, DNS DDoS Protection, Protocol Validation, High Performance DNSSEC, DNSSEC Validation and Intelligent GSLB, in front of the Master DNS Infrastructure in the Datacenter]

• Massive performance over 10M RPS!

• Best DoS/DDoS protection

• Lower CapEx and OpEx

Page 9:

Optimized DNS

• Easy integration into existing DNS infrastructure for high availability and security

• Support over 10 million DNS responses per second (RPS)

• Manageable and predictable data center utilization

• Offload to the edge

[Diagram: Intelligent and Scalable DNS Services as a Strategic Point of Control. Tier 1: DMZ: legitimate visitors and malicious attackers (web bots, DNS attacks) arrive from the Internet via LDNS; BIG-IP applies IP Intelligence, DNSSEC, IP geolocation and DNS DDoS protection so that only legitimate queries pass, with context based on geographical location, over TCP/UDP port 53 and TCP port 80/443. Tier 2: Application Delivery: Primary DNS, application health and Application Threat Intelligence]

Page 10:

Benefits of BIG-IP integration

• Simply and efficiently manage complex networks using one ADC solution

• Route users to available apps and data centers based on business logic

• Constantly monitor health between devices with iQuery

• Use the same geolocation data to reference for all BIG-IP devices

Simplified Business Models: GOOD / BETTER / BEST, BIG-IP Global Traffic Manager (GTM) and BIG-IP Local Traffic Manager (LTM)

[Diagram: Authoritative DNS + DNS Security. Tier 1: DMZ: the BIG-IP Platform (GTM) absorbs and mitigates DNS attacks from malicious attackers and answers legitimate visitors arriving from the Internet via LDNS, with context based on geographical location; Primary DNS Server + Application Availability and Health. Tier 2: Application Delivery: the BIG-IP Platform (LTM) provides intelligent delivery based on business logic]

GTM and LTM share:

• Same centralized management solution

• Same purpose-built hardware and software designed for performance

• Same iControl for extending management control

Page 11:

Efficient DNS

DNS Express

• Delivers high-speed response and DDoS protection with in-memory DNS

• Provides authoritative DNS serving out of RAM

• Supports configuration size for tens of millions of records

• Scale and consolidate DNS servers

[Diagram: clients on the Internet send DNS queries to DNS Express in BIG-IP GTM, which answers them from memory; the existing DNS server (OS, admin/auth roles, NIC, dynamic DNS, DHCP) remains the place where DNS records are managed]

DNS Express takes its in-memory copy of each zone from the existing DNS server by zone transfer (AXFR/IXFR) and refreshes it on NOTIFY, so records are still managed on that server. The zone transfer from that server should be restricted to the BIG-IP (for example with a TSIG key) so that nothing else can seed or read the zone.

Page 12:

Powerful DNS

• Your revenue and your brand are protected

• Use the same IP address for multiple devices (IP Anycast)

• Distribute the DNS query load geographically across sites

• Scale DNS infrastructure up and out with the number of BIG-IP devices

Page 13:

Complete DNS Firewall Solution

• Protocol inspection and validation

• DNS record type ACL

• DNS load balancing

• High-performance DNS cache

• Higher-performance DNS slave (secondary)

• Stateful—never accepts unsolicited responses

• ICSA Certified–DMZ deployment

• Scale across devices—IP Anycast

• Secure responses—DNSSEC

• Complete DNS control—iRules

• DDoS threshold alerting

• DNS logging and reporting

• Hardened F5 DNS code—NOT BIND

F5 DNS FIREWALL SERVICES

[Diagram: clients query via LDNS over the Internet; the DNS Firewall in BIG-IP GTM sits in the DMZ in front of the data center DNS servers and apps]

Page 14:

Total Control with DNS iRules

• Inspect and control DNS traffic

• Protect DNS and deliver high performance

• Services with DNS iRules

– Custom Query logging

– DNS filtering

– Rate limiting

– Query/Zone specific LB

– Honeypot Responses

• DNS iRule example: Blackhole*

– Intercept DNS requests for prohibited FQDNs, return a DNS response with an A record to an LTM virtual server, log the request and serve a static page.

[Diagram: DNS iRule event flow from client-side ingress to egress: the DNS_REQUEST event, DNS Express (DNSX) lookup or GTM answer build, DNSSEC signing of the answer, the DNS_RESPONSE event, GTM rewrite, and the last action before egress]
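The blackhole behaviour described above, together with the protocol validation and record-type ACL from the DNS firewall slide, as an added example in stand-alone Python rather than iRule Tcl. This is not F5 code and not the deck's iRule: the sinkhole address 203.0.113.10 (standing in for the LTM virtual server), the blocked names and the allowed record-type list are assumptions, and the sample query is constructed by the block itself.

```python
"""DNS firewall policy with a blackhole answer, in stand-alone Python.

Added example, not F5 code: it does what the deck's DNS_REQUEST iRule
describes (intercept prohibited FQDNs, answer with an A record that points
at a sinkhole virtual server, log it) after the protocol validation and
record-type ACL checks from the DNS firewall slide. Wire format per RFC 1035.
The sinkhole address, blocked names and allowed type list are assumptions.
"""
import struct

SINKHOLE_VIP = "203.0.113.10"  # assumed LTM virtual server that serves the static block page
BLOCKED_FQDNS = {"malware.example.net", "phish.example.org"}  # assumed prohibited names
# Assumed record-type ACL: A NS CNAME SOA PTR MX TXT AAAA SRV DS RRSIG NSEC DNSKEY; ANY (255) is refused
ALLOWED_QTYPES = {1, 2, 5, 6, 12, 15, 16, 28, 33, 43, 46, 47, 48}

def parse_name(msg, off):
    """Decode a DNS name (compression pointers allowed) at msg[off] -> (name, next_offset)."""
    labels, end, hops = [], None, 0
    while True:
        if off >= len(msg):
            raise ValueError("truncated name")
        ln = msg[off]
        if ln & 0xC0 == 0xC0:  # compression pointer: note where we left off, then jump
            if off + 1 >= len(msg):
                raise ValueError("truncated pointer")
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            hops += 1
            if hops > 16:
                raise ValueError("pointer loop")
            continue
        if ln > 63:
            raise ValueError("bad label length")
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii").lower())
        off += ln
    return ".".join(labels), (end if end is not None else off)

def parse_query(msg):
    """Protocol validation: sane header, QR=0, opcode QUERY, exactly one IN question."""
    if len(msg) < 12:
        raise ValueError("short header")
    txid, flags, qd, an, ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x8000:
        raise ValueError("QR bit set: a response, not a query")
    if (flags >> 11) & 0xF != 0:
        raise ValueError("unsupported opcode")
    if qd != 1 or an != 0 or ns != 0:
        raise ValueError("malformed section counts")
    name, off = parse_name(msg, 12)
    if off + 4 > len(msg):
        raise ValueError("truncated question")
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    if qclass != 1:
        raise ValueError("non-IN class")
    return {"id": txid, "flags": flags, "qname": name, "qtype": qtype, "question": msg[12:off + 4]}

def is_blocked(qname):
    """True if the name or any parent domain is on the blocklist."""
    labels = qname.split(".")
    return any(".".join(labels[i:]) in BLOCKED_FQDNS for i in range(len(labels)))

def build_a_response(query, addr, ttl=60):
    """Authoritative answer: echo the question, add one A record (name = pointer to offset 12)."""
    flags = 0x8000 | 0x0400 | (query["flags"] & 0x0100)  # QR, AA, copy RD
    hdr = struct.pack("!HHHHHH", query["id"], flags, 1, 1, 0, 0)
    rr = struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + bytes(int(o) for o in addr.split("."))
    return hdr + query["question"] + rr

def build_refused(query):
    """Empty answer with RCODE=5 (REFUSED) for record types outside the ACL."""
    flags = 0x8000 | (query["flags"] & 0x0100) | 5
    return struct.pack("!HHHHHH", query["id"], flags, 1, 0, 0, 0) + query["question"]

def apply_policy(msg, log):
    """Run the policy on one query; returns (action, response_bytes_or_None) and appends a log line."""
    try:
        q = parse_query(msg)
    except ValueError as err:
        log.append(f"DROP malformed query: {err}")
        return "drop", None
    if q["qtype"] not in ALLOWED_QTYPES:
        log.append(f"REFUSE {q['qname']} qtype={q['qtype']} (record type ACL)")
        return "refused", build_refused(q)
    if is_blocked(q["qname"]):
        log.append(f"BLACKHOLE {q['qname']} -> {SINKHOLE_VIP}")
        return "blackhole", build_a_response(q, SINKHOLE_VIP)
    return "forward", None  # hand the query on to DNS Express / the real DNS servers

def encode_query(qname, qtype, txid=0x1234):
    """Build a standard recursive query; used only to construct sample traffic."""
    name = b"".join(bytes([len(l)]) + l.encode() for l in qname.strip(".").split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + name + struct.pack("!HH", qtype, 1)
```

A call such as `apply_policy(encode_query("cdn.malware.example.net", 1), log)` returns the action "blackhole" plus a 57-byte wire response whose single A record carries the sinkhole address; the subdomain matches because `is_blocked` walks parent domains, which is what a prohibited-FQDN policy normally needs. Everything that is not blocked and passes validation is handed on unchanged, so the policy never rewrites legitimate answers.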

Page 15:

Complete DNSSEC Security

“A high-performance DNSSEC validation solution is going to be extremely important as more and more sites

deploy DNSSEC.” Cricket Liu, VP of Architecture at Infoblox

[Diagram: a client resolving http://example.org: the Internet site, the Internet and the data center]

Page 16:

Secure DNS Query Response

Simple DNSSEC:

• Protects against cache poisoning and reduces management costs

• Ensures DNS answers can be trusted by signing responses dynamically, in real time

• Implement BIG-IP GTM in front of existing DNS servers

• Available as add-on DNSSEC module or included with all new GTM appliances

[Diagram: the LDNS queries example.com; BIG-IP GTM in the DMZ, in front of the data center DNS servers and apps, answers 123.123.123.123 with the DNSSEC signature and public key material attached]

Page 17:

Slow Response on DNSSEC validation

• Validating signed responses requires many extra steps (fetching and checking the DNSKEY, DS and RRSIG records at each level of the chain of trust), which slows response times

• For example: resolving http://example.org with full validation takes 15 steps!!
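One of those validation steps, the check that the DS record in a parent zone authenticates the child zone's DNSKEY, as an added Python example so the work behind the step count is concrete. This is not F5 code: the key bytes are made up, and RRSIG signature verification, the other half of each step, is left out because it needs the signing algorithm's public-key cryptography.

```python
"""DNSSEC chain-of-trust link: does the parent's DS authenticate the child's DNSKEY?

Added example, not F5 code. Implements the key tag (RFC 4034 Appendix B)
and the DS digest (RFC 4034 section 5.1.4; SHA-256 per RFC 4509) so one of
the validation steps counted above can be run on real bytes. Key material
here is made up. RRSIG signature checking, the other half of each step,
needs the signing algorithm's public-key crypto and is not included.
"""
import hashlib
import hmac
import struct

# DS digest types (RFC 4509, RFC 6605). SHA-1 (type 1) is legacy and left out.
DIGESTS = {2: hashlib.sha256, 4: hashlib.sha384}

def wire_name(name):
    """Canonical wire form of an owner name: lowercase, uncompressed (RFC 4034 section 6.2)."""
    name = name.strip(".").lower()
    if not name:
        return b"\x00"
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """DNSKEY RDATA: flags(2) protocol(1) algorithm(1) public key (RFC 4034 section 2)."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata):
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (all algorithms except 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_digest(owner, rdata, digest_type=2):
    """DS digest = hash(owner name in wire form || DNSKEY RDATA)."""
    return DIGESTS[digest_type](wire_name(owner) + rdata).digest()

def make_ds(owner, rdata, digest_type=2):
    """DS fields as the parent zone publishes them: (key tag, algorithm, digest type, digest)."""
    return key_tag(rdata), rdata[3], digest_type, ds_digest(owner, rdata, digest_type)

def ds_matches_dnskey(owner, ds, rdata):
    """The validator's check: the key must be a zone key with protocol 3, and key tag,
    algorithm and digest must all agree with the DS. Constant-time digest compare."""
    if ds is None:
        return False
    tag, alg, dtype, digest = ds
    flags = struct.unpack("!H", rdata[:2])[0]
    if not flags & 0x0100 or rdata[2] != 3:  # ZONE bit clear or bad protocol: unusable key
        return False
    if dtype not in DIGESTS or tag != key_tag(rdata) or alg != rdata[3]:
        return False
    return hmac.compare_digest(digest, ds_digest(owner, rdata, dtype))

def walk_chain(trust_anchor_ds, zones):
    """Walk the delegation chain from the trust anchor down. zones is a list of
    (owner, dnskey_rdata, ds_this_zone_publishes_for_its_child_or_None), root first.
    Returns ([(owner, matched), ...], chain_ok); stops at the first broken link."""
    ds, steps = trust_anchor_ds, []
    for owner, rdata, child_ds in zones:
        ok = ds_matches_dnskey(owner, ds, rdata)
        steps.append((owner, ok))
        if not ok:
            return steps, False
        ds = child_ds
    return steps, True
```

`make_ds` produces what a registrar or parent operator publishes and `ds_matches_dnskey` is what a validating resolver does with it at each delegation; changing a single byte of the key, or presenting the key under a different owner name, breaks the link. A real validator repeats this for every label in the chain and additionally verifies an RRSIG over the DNSKEY RRset and over the final answer, which is where most of the 15 steps come from.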

Page 18:

Delivery of Resolver LDNS Services

• DNS Caching / Resolver / DNSSEC Validation

• High Performance LDNS – multicore

• DNS Filtering and Control iRules

• Seamless integration of internal GSLB services

• Lower TCO and consolidation – query per dollar

[Diagram: BIG-IP in the datacenter acting as the LDNS resolver between internal clients and Internet sites]

Page 19:

Optimize DNS Resolving with Cache Zone Forwarding

• DNS Caching passes queries to the Resolver when the response isn’t cached

• The Resolver uses root hints to kick off the process

• Requests for specific zones are sent to a specific recursive name server (forward NS)

• If the zone is not listed, the Resolver follows root hints

[Diagram: DNS requests for Zone A, Zone B and Zone C hit the DNS Cache on BIG-IP (faster web browsing); on a cache miss the Resolver sends Zone B to the Zone B forward NS, Zone C to the Zone C forward NS, and all other zones via root hints (fastest web browsing)]
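The cache, per-zone forwarding and root-hints decision described above, together with the stateful response matching listed on the DNS firewall slide, as an added Python model. This is not F5 code: the zone names, forwarder addresses and the dict-based message shape are assumptions, and the upstream servers are simulated by whoever calls `accept_response`.

```python
"""Caching resolver with per-zone forwarding and strict response matching.

Added example, not F5 code. Models the slide's flow: answer from cache when
possible; on a miss pick the forwarder configured for the longest matching
zone suffix, or fall back to root hints; accept an answer only if it matches
an outstanding query (the "stateful, never accepts unsolicited responses"
property from the DNS firewall slide). Upstream servers are simulated by the
caller; zone names, addresses and the dict message shape are assumptions.
"""
import random
import time

ROOT_HINTS = "root-hints"  # marker: no forwarder configured, iterate from the root servers

class Resolver:
    def __init__(self, forwarders):
        # forwarders: {"corp.example": "10.0.0.53"}; keys are zone apexes, values the forward NS
        self.forwarders = {z.strip(".").lower(): s for z, s in forwarders.items()}
        self.cache = {}    # (qname, qtype) -> (rdata, expires_at)
        self.pending = {}  # (txid, src_port) -> (qname, qtype, upstream)
        self.rng = random.SystemRandom()  # unpredictable IDs/ports make forged answers hard to land
        self.log = []

    def choose_upstream(self, qname):
        """Longest-suffix match against the forward zones; unmatched names go to root hints."""
        labels = qname.strip(".").lower().split(".")
        for i in range(len(labels)):
            zone = ".".join(labels[i:])
            if zone in self.forwarders:
                return self.forwarders[zone]
        return ROOT_HINTS

    def resolve(self, qname, qtype, now=None):
        """("hit", rdata, ttl_left) from cache, or ("miss", outstanding) where outstanding
        describes the upstream query whose answer must come back via accept_response()."""
        now = time.time() if now is None else now
        qname = qname.strip(".").lower()
        entry = self.cache.get((qname, qtype))
        if entry and entry[1] > now:
            return "hit", entry[0], int(entry[1] - now)
        self.cache.pop((qname, qtype), None)  # stale entry: drop it
        txid, port = self.rng.randrange(1 << 16), self.rng.randrange(1024, 65536)
        upstream = self.choose_upstream(qname)
        self.pending[(txid, port)] = (qname, qtype, upstream)
        return "miss", {"txid": txid, "src_port": port, "qname": qname, "qtype": qtype, "upstream": upstream}

    def accept_response(self, resp, now=None):
        """Stateful check: a response is taken only if txid, destination port, question and
        (for a forwarder) source server all match an outstanding query; otherwise it is dropped."""
        now = time.time() if now is None else now
        key = (resp["txid"], resp["dst_port"])
        outstanding = self.pending.get(key)
        if outstanding is None:
            self.log.append(f"drop unsolicited response txid={resp['txid']:#06x}")
            return False
        qname, qtype, upstream = outstanding
        question_ok = (resp["qname"].strip(".").lower(), resp["qtype"]) == (qname, qtype)
        server_ok = upstream == ROOT_HINTS or resp["from_server"] == upstream
        if not (question_ok and server_ok):
            self.log.append(f"drop mismatched response for {qname}")
            return False
        del self.pending[key]  # one answer per query; a replay of the same answer is unsolicited
        self.cache[(qname, qtype)] = (resp["rdata"], now + resp["ttl"])
        return True
```

The forwarding table is matched on whole labels, so `notcorp.example` does not match a `corp.example` forwarder, and the most specific configured zone wins. The pending table is what makes the resolver stateful: a response whose transaction ID, port, question or source server does not match an outstanding query is logged and discarded, which is the property that blunts blind cache-poisoning attempts.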

Page 20:

F5 DNS Delivery Architecture

[Diagram: BIG-IP GTM DNS delivery architecture. Platform layer: High Performance Hardware, Switch, HSB, FIPS Crypto, Linux, GUI, TMSH, Dynamic Routing. TMM layer: TCP/UDP, IPv4/IPv6, Packet Pre-filter inspection, Protocol Filter, Protocol Validation, DNS filtering/customization via iRules, Cache, Resolver, DNS64, DNS Express, DNS LB Pool, DNSSEC, Last Action. GTM layer: BIND Zone Management, GTM iRules, DNSSEC, iRules and iControl API]

DNS Scale and High Performance: Responding to DNS queries with TMM is 2x more efficient than load balancing

Page 21:

Intelligent DNS scale solution diagram

Protect and scale your DNS infrastructure while maintaining availability for applications.

[Diagram: SaaS, Device, Location, Infrastructure and Applications served by Intelligent & Scalable DNS Services. Pillars: Intelligence, Scale, Centralized Management, Optimized Experience, Intelligent Scale. Rows: Customer Scenarios; Core Functionality: Authoritative DNS, IP Geolocation, Real-Time IP Threat Information, Network Firewall, DNS Attack Mitigation; Professional Services and Support]

Page 22:

DNS Scale, Security for Global App Management with BIG-IP Global Traffic Manager (GTM)

OPTIMIZED APPLICATIONS & DATA

• Dynamic Datacenter Global Load Balancing

• DNS and App Health Monitoring

• Geolocation routing

• Automatic site-to-site failover

• IPv6/IPv4 Translation

• DNS Scalability up to 10x

• DNS Caching and Resolving

SECURE APPLICATIONS & DATA

• Transaction Assurance

• DNS iRules

• Real-time DNSSEC signing

• DNSSEC Validation

• DNS DDoS Mitigation

• DNS Firewall Services

BIG-IP

Global Traffic Manager

BIG-IP

Global Traffic Manager

BIG-IP

Local Traffic Manager

BIG-IP

Local Traffic Manager

App Svr.

DNS DNS

Active

App Svr.

Active

Internet

Page 23: F5 Intelligent DNS Scalebe.westcon.com/documents/50218/F5_Synthesis_DNS_GTM_update.pdf · • Secure responses—DNSSEC • Complete DNS control ... Cricket Liu, VP of Architecture