Source: be.westcon.com/documents/50218/f5_synthesis_dns_gtm_update.pdf
Philippe Bogaerts
Senior Field Systems Engineer
Mob.: +32 473 654 689
F5 Intelligent DNS Scale
© F5 Networks, Inc 2
• LOWERS stress of DNS outages
• REDUCES data center costs
• DIRECTS customers to the best data center or cloud
• PROTECTS web properties and brand reputation
• IMPROVES web application performance and browsing
Intelligent and scalable DNS
Internet foundation: DNS
DNS DEMANDS
WHEN DNS BREAKS, EVERYTHING BREAKS
DOMAIN NAME SYSTEM (DNS)
Translates a domain name, e.g. http://www.google.com, into an IP address: 74.125.227.64 (IPv4)
http://www.f5.com = 2001:19b8:101:2::f5f5:1d (IPv6)
• More people
• Mobile devices/apps
• Complex sites
• Increased latency
• Cloud implementations
• IPv6 added to IPv4
• DDoS attacks
What is driving this demand for DNS? Available and protected
AVERAGE DAILY LOAD FOR DNS (TLD) QUERIES IN BILLIONS
[Chart: average daily TLD DNS query load in billions, 2008 to 2012]
DNSSEC DEPLOYMENT EXPANDING
TYPICAL FOR A SINGLE WEB PAGE TO CONSUME 100+ DNS QUERIES FROM ACTIVE CONTENT, ADVERTISING, AND ANALYTICS
ATTACKS ON DNS BECOMING MORE COMMON; DNS SERVICES MUST BE ROBUST
GLOBAL MOBILE DATA (4G/LTE) IS DRIVING THE NEED FOR FAST, AVAILABLE DNS
18x growth 2011-2016; 4G LTE 2.4 GB/mo vs. non-4G LTE 86 MB/mo
DISTRIBUTED, AVAILABLE, HIGH-PERFORMANCE GSLB FOR MULTIPLE DATA CENTERS
• Reflection/amplification DDoS
• Cache poisoning attacks
• Drive for DNSSEC adoption
• Total service availability
• Geographically dispersed DCs
• DNS capacity close to subscribers
Critical: DNS
5 SECONDS: 74% are willing to wait 5 seconds or less for a single web page to load before leaving the site
Every 100ms delay costs Amazon.com 1% in sales
DNS has grown over 100% in the last 5 years (2007 to 2012)
As of October 2012, there were over 188 million active websites, a growth of 180% over the last 5 years
Traditional DNS
LOAD-BALANCED DNS
• Scale DNS by adding more servers
• Individual servers are not high-performance, so scale with load balancing
• Place firewall in front of DNS infrastructure
ISSUES WITH THIS DEPLOYMENT?
• BIND DNS servers are patched frequently
• Patches are mostly for vulnerabilities
• Under load, firewalls become bottlenecks
[Diagram: legitimate clients and malicious actors on the access network pass through a traditional DNS firewall and local load balancing to the load-balanced DNS servers]
True DNS costs
HIGHER OPEX DUE TO MAINTENANCE
BIND by the numbers
• 340 updates since 2004
• 84 issued patches for vulnerabilities and bugs
• 9 patches a year for DNS
COMPANIES DEPLOY FIREWALLS TO PROTECT DNS
But traditional firewalls don’t process DNS, so a vulnerability can still be exploited on the DNS server
[Chart: BIND HISTORY; number of updates issued per BIND version 9.0 to 9.9 (scale 0 to 60); total updates, including beta and release candidates, vs. critical patches for vulnerabilities]
F5 DNS Authoritative Model: total in year 1 $301,280; total in year 2 onward $1,280
Traditional DNS Authoritative Topology: total in year 1 $373,688; total in year 2 onward $298,688
DNS deployments
Conventional DNS Thinking
[Diagram: Internet, external firewall, DNS load balancing, array of DNS servers, internal firewall, hidden master DNS]
• Performance = Add DNS boxes
• Weak DoS/DDoS protection
• Firewall is THE bottleneck
F5 DNS Delivery Reimagined (F5 PARADIGM SHIFT)
[Diagram: Internet, BIG-IP Global Traffic Manager in the DMZ providing authoritative DNS, caching resolver, transparent caching, DNS firewall, DNS DDoS protection, protocol validation, high-performance DNSSEC, DNSSEC validation and intelligent GSLB; master DNS infrastructure in the datacenter]
• Massive performance over 10M RPS!
• Best DoS/DDoS protection
• Lower CapEx and OpEx
Optimized DNS
• Easy integration into existing DNS infrastructure for high availability and security
• Support over 10 million DNS responses per second (RPS)
• Manageable and predictable data center utilization
[Diagram: Intelligent and Scalable DNS Services as a strategic point of control. Tier 1: DMZ, offload to the edge with IP Intelligence, DNSSEC, IP geolocation and DNS DDoS protection (TCP/UDP port 53); legitimate visitors and DNS attacks arrive via LDNS from the Internet, context based on geographical location. Tier 2: Application Delivery, primary DNS, application health and Application Threat Intelligence (TCP port 80/443); web bot attacker]
Benefits of BIG-IP integration
• Simply and efficiently manage complex networks using one ADC solution
• Route users to available apps and data centers based on business logic
• Constantly monitor health between devices with iQuery
• Use the same geolocation data to reference for all BIG-IP devices
Simplified Business Models: GOOD / BETTER / BEST (BIG-IP Global Traffic Manager, BIG-IP Local Traffic Manager)
Authoritative DNS + DNS Security
[Diagram: Tier 1: DMZ, BIG-IP Platform (GTM) absorbs and mitigates DNS attacks; legitimate visitors and malicious attackers arrive via LDNS from the Internet, context based on geographical location. Tier 2: Application Delivery, BIG-IP Platform (LTM) as primary DNS server plus application availability and health; intelligent delivery based on business logic]
• Same centralized management solution
• Same purpose-built hardware and software designed for performance
• Same iControl for extending management control
Efficient DNS
DNS Express
• Delivers high-speed response and DDoS protection with in-memory DNS
• Provides authoritative DNS serving out of RAM
• Supports configuration size for tens of millions of records
• Scale and consolidate DNS servers
[Diagram: clients on the Internet send DNS queries to DNS Express in BIG-IP GTM, which answers them; the back-end DNS server (OS, admin, auth roles, NIC, dynamic DNS, DHCP) is used to manage DNS records]
Powerful DNS
• Your revenue and your brand are protected
• Use the same IP address for multiple devices
• Geographically separate the DNS request load for all requests
• Scale DNS infrastructure up and out per number of BIG-IP devices
Complete DNS Firewall Solution
F5 DNS FIREWALL SERVICES
• Protocol inspection and validation
• DNS record type ACL
• DNS load balancing
• High-performance DNS cache
• Higher-performance DNS slave
• Stateful—never accepts unsolicited responses
• ICSA Certified
• DMZ deployment, scale across devices—IP Anycast
• Secure responses—DNSSEC
• Complete DNS control—iRules
• DDoS threshold alerting
• DNS logging and reporting
• Hardened F5 DNS code—NOT BIND
[Diagram: clients via LDNS and the Internet reach the DNS Firewall in BIG-IP GTM in the DMZ, in front of the data center DNS servers and apps]
Total Control with DNS iRules
• Inspect and control DNS traffic
• Protect DNS and deliver high performance
• Services with DNS iRules
– Custom Query logging
– DNS filtering
– Rate limiting
– Query/Zone specific LB
– Honeypot Responses
• DNS iRule example: Blackhole*
– Intercept DNS requests for prohibited FQDNs, return a DNS response with an A record to an LTM virtual server, log the request and serve a static page.
[Diagram: DNS iRule event flow. Ingress on the client side: DNS_REQUEST. Processing: DNSX, GTM build, GTM rewrite, DNSSEC sign / DNSSEC answer. Egress: DNS_RESPONSE as the last action]
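The blackhole behaviour described above (intercept queries for prohibited FQDNs, answer with an A record pointing at a server that logs and serves a static page, pass everything else through), reimplemented as an added Python example rather than an iRule; it is not F5 code. The blocklist, the query ID and the sinkhole address 192.0.2.10 are constructed values.

```python
import struct
from datetime import datetime, timezone

# Constructed blocklist: a name matches if it equals a zone or is a subdomain of it.
BLOCKED_ZONES = {"malware.example", "phish.test"}
SINKHOLE_IP = "192.0.2.10"   # constructed: the server that logs and serves the static page
SINKHOLE_TTL = 60            # short TTL so an unblock takes effect quickly

def parse_question(packet: bytes):
    """Return (qname, qtype, qclass, end_offset) for the first question of a DNS query."""
    labels, off = [], 12  # question section starts after the 12-byte header
    while True:
        length = packet[off]
        off += 1
        if length == 0:
            break
        labels.append(packet[off:off + length].decode("ascii"))
        off += length
    qtype, qclass = struct.unpack("!HH", packet[off:off + 4])
    return ".".join(labels).lower(), qtype, qclass, off + 4

def is_blocked(qname: str) -> bool:
    """Label-aligned suffix match: 'evil.malware.example' hits, 'notmalware.example' does not."""
    return any(qname == z or qname.endswith("." + z) for z in BLOCKED_ZONES)

def build_sinkhole_response(packet: bytes, qend: int) -> bytes:
    """Echo ID and question, set QR|AA (keep RD), append one A record for the sinkhole."""
    qid, flags = struct.unpack("!HH", packet[:4])
    header = struct.pack("!HHHHHH", qid, (flags & 0x0100) | 0x8400, 1, 1, 0, 0)
    # 0xC00C is a compression pointer back to the question name at offset 12.
    rr = struct.pack("!HHHIH", 0xC00C, 1, 1, SINKHOLE_TTL, 4)
    rdata = bytes(int(octet) for octet in SINKHOLE_IP.split("."))
    return header + packet[12:qend] + rr + rdata

def handle_query(packet: bytes, log: list):
    """Return ('sinkhole', response) for blocked A queries, ('pass', None) otherwise."""
    qname, qtype, qclass, qend = parse_question(packet)
    if qtype == 1 and qclass == 1 and is_blocked(qname):
        stamp = datetime.now(timezone.utc).isoformat(timespec="seconds")
        log.append(f"{stamp} BLOCKED A {qname} -> {SINKHOLE_IP}")
        return "sinkhole", build_sinkhole_response(packet, qend)
    return "pass", None

def make_query(qname: str, qid: int = 0x1234) -> bytes:
    """Build a plain A/IN query with RD set (constructed test input, not captured traffic)."""
    name = b"".join(bytes([len(l)]) + l.encode("ascii") for l in qname.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0) + name + struct.pack("!HH", 1, 1)
```

Calling handle_query(make_query("evil.malware.example"), []) returns a 54-byte response whose last four bytes are the sinkhole address, while "notmalware.example" passes through untouched.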
Complete DNSSEC Security
“A high-performance DNSSEC validation solution is going to be extremely important as more and more sites deploy DNSSEC.” (Cricket Liu, VP of Architecture at Infoblox)
Secure DNS Query Response
Simple DNSSEC:
• Protection from cache poisoning and reduced management costs
• Ensure trusted DNS queries with dynamically signed responses
• Implement BIG-IP GTM in front of existing DNS servers
• Available as add-on DNSSEC module or included with all new GTM appliances
[Diagram: LDNS queries example.com; BIG-IP in the DMZ returns 123.123.123.123 plus public key on behalf of the data center DNS servers and apps]
Slow Response on DNSSEC validation
• Validating secure site responses requires many steps, which slows response times
• For example: resolving http://example.org with DNSSEC validation takes 15 steps!!
Delivery of Resolver LDNS Services
• DNS Caching / Resolver / DNSSEC Validation
• High Performance LDNS – multicore
• DNS Filtering and Control iRules
• Seamless integration of internal GSLB services
• Lower TCO and consolidation – query per dollar
[Diagram: Internet site, Internet, datacenter]
Optimize DNS Resolving with Cache Zone Forwarding
• DNS Caching passes queries to the Resolver when the response isn’t cached
• Resolver uses root hints to kick off the process
• Requests for specific zones are sent to a specific recursive name server
• If the zone is not listed, the Resolver follows root hints
[Diagram: DNS requests for Zone A, Zone B and Zone C enter the DNS Cache on BIG-IP; on a miss the Resolver sends Zone B to its forward NS, Zone C to its forward NS, and all other zones via root hints. Faster web browsing (cache) and fastest web browsing (zone forwarding)]
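The decision order in this slide, cache lookup first, then the forwarder for the most specific listed zone, and root hints for anything not listed, as an added Python example that is not F5 code. Zone names and forwarder addresses are constructed, and fetch stands in for the real upstream query.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, Tuple

ROOT_HINTS = "root-hints"  # marker: no forwarder configured, resolve from the roots

def _canon(name: str) -> str:
    """Normalise for comparison: drop a trailing dot, fold case."""
    return name.rstrip(".").lower()

@dataclass
class ForwardingResolver:
    # Constructed config: zone -> recursive name server that handles it.
    forwarders: Dict[str, str]
    cache: Dict[str, str] = field(default_factory=dict)

    def pick_upstream(self, qname: str) -> str:
        """Most specific matching zone wins; a zone matches only on a label boundary,
        so 'notzone-b.example' does not match the forwarder for 'zone-b.example'."""
        name, best = _canon(qname), None
        for zone, target in self.forwarders.items():
            z = _canon(zone)
            if (name == z or name.endswith("." + z)) and (best is None or len(z) > len(best[0])):
                best = (z, target)
        return best[1] if best else ROOT_HINTS

    def resolve(self, qname: str, fetch: Callable[[str, str], str]) -> Tuple[str, str]:
        """Return (source, answer): 'cache' on a hit, otherwise the upstream that was asked."""
        name = _canon(qname)
        if name in self.cache:
            return "cache", self.cache[name]
        upstream = self.pick_upstream(name)
        answer = fetch(upstream, name)   # the only network step; cached for next time
        self.cache[name] = answer
        return upstream, answer
```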
F5 DNS Delivery Architecture
[Diagram: GTM on TMM. Components: DNSSEC, BIND zone management, TCP/UDP, iRules, iControl API, IPv4/IPv6, DNS64, DNS Express, DNS LB pool, resolver, cache, protocol validation, packet pre-filter inspection, protocol filter, DNS filtering/customization, last action. Platform: Linux, switch, HSB, FIPS crypto, GUI, TMSH, dynamic routing, high-performance hardware]
DNS Scale and High Performance
Responding to DNS queries with TMM is 2x more efficient than load balancing
Intelligent DNS scale solution diagram
Protect and scale your DNS infrastructure while maintaining availability for applications.
[Diagram: SaaS, device, location, infrastructure, applications; Intelligence, Scale, Centralized Management, Optimized Experience, Intelligent Scale; Intelligent & Scalable DNS Services; Customer Scenarios, Core Functionality, Professional Services and Support; Authoritative DNS, IP Geolocation, Real-Time IP Threat Information, Network Firewall, DNS Attack Mitigation]
DNS Scale, Security for Global App Management with BIG-IP Global Traffic Manager (GTM)
OPTIMIZED APPLICATIONS & DATA
• Dynamic Datacenter Global Load Balancing
• DNS and App Health Monitoring
• Geolocation routing
• Automatic site-to-site failover
• IPv6/IPv4 Translation
• DNS Scalability up to 10x
• DNS Caching and Resolving
SECURE APPLICATIONS & DATA
• Transaction Assurance
• DNS iRules
• Real-time DNSSEC signing
• DNSSEC Validation
• DNS DDoS Mitigation
• DNS Firewall Services
[Diagram: two DMZs reached over the Internet, each with a BIG-IP Global Traffic Manager in front of a BIG-IP Local Traffic Manager, DNS, and active app servers]