F5_Synthesis_DNS_GTM_update

Transcript F5_Synthesis_DNS_GTM_update

F5 Intelligent DNS Scale
Philippe Bogaerts
Senior Field Systems Engineer
mailto: [email protected]
Mob.: +32 473 654 689
Intelligent and scalable DNS
• PROTECTS web properties and brand reputation
• IMPROVES web application performance and browsing
• DIRECTS customers to the best data center or cloud
• REDUCES stress of DNS outages
• LOWERS data center costs
© F5 Networks, Inc
Internet foundation? DNS

DOMAIN NAME SYSTEM (DNS) translates a domain name into an IP address:
http://www.google.com = 74.125.227.64 (IPv4)
http://www.f5.com = 2001:19b8:101:2::f5f5:1d (IPv6)

DNS DEMANDS: more people, mobile devices/apps, complex sites, increased latency, cloud implementations, IPv6 added to IPv4, DDoS attacks

WHEN DNS BREAKS, EVERYTHING BREAKS
What is driving this demand for DNS?

Available and protected:
• Typical for a single web page to consume 100+ DNS queries from active content, advertising, and analytics
• Average daily load for DNS (TLD) queries in billions, '08 to '12 (chart; values shown: 39, 43, 50, 57, 77)
• Global mobile data (4G/LTE) is driving the need for fast, available DNS: 18x growth 2011-2016; 4G LTE 2.4 GB/mo vs. non-4G LTE 86 MB/mo
• DNSSEC deployment expanding: drive for DNSSEC adoption
• Attacks on DNS becoming more common; DNS services must be robust: reflection/amplification DDoS, cache poisoning attacks
• Distributed, available, high-performance GSLB for multiple data centers: total service availability, geographically dispersed DCs, DNS capacity close to subscribers
Critical: DNS
• 74% are willing to wait 5 seconds or less for a single web page to load before leaving the site
• DNS has grown over 100% in the last 5 years (2007 to 2012)
• Every 100 ms delay costs Amazon.com 1% in sales
• As of October 2012, there were over 188 million active websites, a growth of 180% over the last 5 years (2007 to 2012)
Traditional DNS
LOAD-BALANCED DNS
(diagram: Legitimate Clients and Malicious Actors → Access Network → Traditional DNS Firewall → Local Load Balancing → Load Balanced DNS Servers)

ISSUES WITH THIS DEPLOYMENT?
• Scale DNS by adding more servers
• Individual servers are not high-performance, so scale with load balancing
• BIND DNS servers are patched frequently
• Patches are mostly for vulnerabilities
• Place firewall in front of DNS infrastructure
• Under load, firewalls become bottlenecks
True DNS costs
BIND HISTORY: HIGHER OPEX DUE TO MAINTENANCE
(chart: number of updates issued per BIND version, 9.0 through 9.9; series: critical patches for vulnerabilities, and total updates including beta and release candidates)

BIND by the numbers
• 340 updates since 2004
• 84 issued patches for vulnerabilities and bugs
• 9 patches a year for DNS

COMPANIES DEPLOY FIREWALLS TO PROTECT DNS
But traditional firewalls don't process DNS, so a vulnerability can still be exploited on the DNS server.

Cost comparison
                         F5 DNS Authoritative Model   Traditional DNS Authoritative Topology
Total in year 1:         $301,280                     $373,688
Total in year 2 onward:  $1,280                       $298,688
DNS deployments

Conventional DNS Thinking
(diagram: Internet → External Firewall → DNS Load Balancing → Array of DNS Servers in the DMZ → Internal Firewall → Hidden Master DNS in the Datacenter)
• Performance = Add DNS boxes
• Weak DoS/DDoS protection
• Firewall is THE bottleneck

F5 PARADIGM SHIFT: F5 DNS Delivery Reimagined
(diagram: Internet → BIG-IP Global Traffic Manager → Master DNS Infrastructure)
BIG-IP GTM services: DNS Firewall, DNS DDoS Protection, Protocol Validation, Authoritative DNS, Caching Resolver, Transparent Caching, High Performance DNSSEC, DNSSEC Validation, Intelligent GSLB
• Massive performance, over 10M RPS!
• Best DoS/DDoS protection
• Lower CapEx and OpEx
Optimized DNS
Offload to the edge

Tier 1: DMZ: intelligent and scalable DNS services (DNSSEC, IP geolocation, DNS DDoS protection, threat intelligence, IP Intelligence)
Tier 2: Application Delivery: primary DNS, application health, web bot detection
(diagram: legitimate visitors' LDNS sends legitimate queries over TCP/UDP port 53 and application traffic over TCP port 80/443; malicious attackers send DNS attacks; context based on geographical location)
• Strategic point of control
• Easy integration into existing DNS infrastructure for high availability and security
• Support over 10 million DNS responses per second (RPS)
• Manageable and predictable data center utilization
Benefits of BIG-IP integration
• Simply and efficiently manage complex networks using one ADC solution
• Route users to available apps and data centers based on business logic
• Constantly monitor health between devices with iQuery
• Use the same geolocation data to reference for all BIG-IP devices

(diagram: Tier 1: DMZ, BIG-IP platform with GTM: authoritative DNS + DNS security, absorb and mitigate DNS attacks; Tier 2: Application Delivery, BIG-IP platform with LTM: primary DNS server + application availability and health, intelligent delivery based on business logic; legitimate visitors via LDNS and malicious attackers arrive from the Internet; context based on geographical location)

Simplified Business Models: GOOD / BETTER / BEST
BIG-IP Global Traffic Manager and BIG-IP Local Traffic Manager share:
• Same purpose-built hardware and software designed for performance
• Same iControl for extending management control
• Same centralized management solution
Efficient DNS
DNS Express
• Delivers high-speed response and DDoS protection with in-memory DNS
• Provides authoritative DNS serving out of RAM
• Supports configuration size for tens of millions of records
• Scale and consolidate DNS servers
(diagram: clients on the Internet send DNS queries to, and receive answers from, DNS Express in BIG-IP GTM; the DNS server behind it only manages DNS records, with OS, admin, auth roles, NIC, dynamic DNS and DHCP)
Powerful DNS
• Your revenue and your brand are protected
• Use the same IP address for multiple devices
• Geographically separate the DNS request load for all requests
• Scale DNS infrastructure up and out per number of BIG-IP devices
Complete DNS Firewall Solution
(diagram: clients' LDNS on the Internet → DNS Firewall in BIG-IP GTM in the DMZ → DNS servers and apps in the Data Center)

F5 DNS FIREWALL SERVICES
• Protocol inspection and validation
• DNS record type ACL
• DNS load balancing
• High-performance DNS cache
• Higher-performance DNS slave
• Stateful—never accepts unsolicited responses
• ICSA Certified–DMZ deployment scale across devices—IP Anycast
• Secure responses—DNSSEC
• Complete DNS control—iRules
• DDoS threshold alerting
• DNS logging and reporting
• Hardened F5 DNS code—NOT BIND
Total Control with DNS iRules
• Inspect and control DNS traffic
• Protect DNS and deliver high performance
• Services with DNS iRules
  – Custom query logging
  – DNS filtering
  – Rate limiting
  – Query/zone specific LB
  – Honeypot responses
(diagram: BIG-IP DNS processing stages between ingress on the client side and egress, with the DNS_REQUEST and DNS_RESPONSE iRule events around DNSX, GTM build, GTM rewrite, DNSSEC answer, DNSSEC sign and last action)
• DNS iRule example: Blackhole*
  – Intercept DNS requests for prohibited FQDNs, return a DNS response with an A record to an LTM virtual server, log the request and serve a static page.
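The firewall services listed two slides up (protocol inspection and validation, record type ACL, stateful handling of responses) and the Blackhole iRule example above can be modelled end to end on the DNS wire format. The block below is an added illustration in Python, not an iRule and not F5 code: a real deployment expresses the same policy as an iRule on DNS_REQUEST / DNS_RESPONSE. The sinkhole address, the prohibited-FQDN list, the allowed record types and the sample queries are assumptions.

```python
import struct
import time

# Record-type ACL (assumed policy): everything else, notably ANY (type 255), is refused.
ALLOWED_QTYPES = {1, 2, 5, 6, 12, 15, 16, 28, 33}   # A NS CNAME SOA PTR MX TXT AAAA SRV
SINKHOLE_VIP = "192.0.2.10"                         # assumed LTM virtual server serving the static page
BLOCKED_SUFFIXES = ("prohibited.example",)          # assumed prohibited-FQDN list
RCODE_REFUSED = 5


def read_name(msg, off):
    """Decode a (possibly compressed) name; return (lower-case name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        if off >= len(msg):
            raise ValueError("name runs past end of message")
        n = msg[off]
        if n & 0xC0 == 0xC0:                         # compression pointer
            if off + 1 >= len(msg):
                raise ValueError("truncated pointer")
            end = end if end is not None else off + 2
            off = ((n & 0x3F) << 8) | msg[off + 1]
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if n == 0:
            return ".".join(labels), (end if end is not None else off)
        labels.append(msg[off:off + n].decode("ascii").lower())
        off += n


def parse_query(msg):
    """Protocol validation: one IN-class question in a standard query, nothing else."""
    if len(msg) < 12:
        raise ValueError("short header")
    txid, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    if flags & 0x8000:
        raise ValueError("QR set: a response, not a query")
    if (flags >> 11) & 0xF:
        raise ValueError("unsupported opcode")
    if (qd, an, ns) != (1, 0, 0):
        raise ValueError("unexpected section counts")
    qname, off = read_name(msg, 12)
    if off + 4 > len(msg):
        raise ValueError("truncated question")
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    if qclass != 1:
        raise ValueError("non-IN class")
    return {"id": txid, "rd": bool(flags & 0x0100), "qname": qname,
            "qtype": qtype, "question": msg[12:off + 4]}


def encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"


def build_response(q, rcode=0, a_record=None, ttl=300):
    """Echo the question; optionally add one A record via a pointer (0xC00C) to the QNAME."""
    flags = 0x8000 | 0x0400 | (0x0100 if q["rd"] else 0) | rcode     # QR, AA, RD, RCODE
    out = struct.pack("!6H", q["id"], flags, 1, 1 if a_record else 0, 0, 0) + q["question"]
    if a_record:
        rdata = bytes(int(o) for o in a_record.split("."))
        out += b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, ttl, 4) + rdata
    return out


def make_query(txid, name, qtype, rd=True):
    """Constructed sample query (not captured traffic)."""
    return (struct.pack("!6H", txid, 0x0100 if rd else 0, 1, 0, 0, 0)
            + encode_name(name) + struct.pack("!HH", qtype, 1))


class DnsFirewall:
    def __init__(self):
        self.pending = {}   # (client, txid, qname, qtype) -> deadline: the firewall's state table
        self.log = []

    def handle_query(self, client, msg, now=None):
        """Return (verdict, response or None); verdict is drop, refuse, blackhole or forward."""
        now = time.monotonic() if now is None else now
        try:
            q = parse_query(msg)
        except ValueError as e:
            self.log.append(f"drop {client}: {e}")
            return "drop", None
        if q["qtype"] not in ALLOWED_QTYPES:
            self.log.append(f"refuse {client}: {q['qname']} type {q['qtype']}")
            return "refuse", build_response(q, rcode=RCODE_REFUSED)
        if any(q["qname"] == s or q["qname"].endswith("." + s) for s in BLOCKED_SUFFIXES):
            self.log.append(f"blackhole {client}: {q['qname']} -> {SINKHOLE_VIP}")
            return "blackhole", build_response(q, a_record=SINKHOLE_VIP)
        self.pending[(client, q["id"], q["qname"], q["qtype"])] = now + 5.0
        return "forward", None

    def accept_response(self, client, msg, now=None):
        """Stateful check: a response is accepted once, and only for an outstanding query."""
        now = time.monotonic() if now is None else now
        if len(msg) < 12 or not msg[2] & 0x80:
            return False
        try:
            qname, off = read_name(msg, 12)
            qtype = struct.unpack("!H", msg[off:off + 2])[0]
        except (ValueError, struct.error):
            return False
        key = (client, struct.unpack("!H", msg[:2])[0], qname, qtype)
        deadline = self.pending.pop(key, None)
        return deadline is not None and deadline >= now
```

Two design points worth noting. A refused ANY query gets a definitive REFUSED answer rather than silence, so legitimate resolvers stop retrying while the amplification value of the query is gone. And accept_response is what "never accepts unsolicited responses" means in practice: a response that does not match an outstanding (client, transaction ID, name, type) tuple is discarded, and a matching one is accepted only once, which is the property that off-path spoofed answers have to defeat.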
Complete DNSSEC Security
(diagram: resolution of http://example.org from a data center Internet site across the Internet, starting at the root)
"A high-performance DNSSEC validation solution is going to be extremely important as more and more sites deploy DNSSEC."
Cricket Liu, VP of Architecture at Infoblox
Secure DNS Query Response
(diagram: an LDNS on the Internet queries example.com; BIG-IP GTM in the DMZ answers 123.123.123.123 + public key in front of the data center DNS servers and apps)

Simple DNSSEC:
• Protection from cache poisoning and reduced management costs
• Ensure trusted DNS queries with dynamically signed responses
• Implement BIG-IP GTM in front of existing DNS servers
• Available as add-on DNSSEC module or included with all new GTM appliances
Slow Response on DNSSEC validation
• Validating secure site responses requires many steps, which slows response times
• For example, resolving http://example.org with validation: 15 steps!!
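DNSSEC protects against cache poisoning because every DNSKEY a validator trusts must be vouched for by a DS record in the parent zone, all the way up to a trust anchor, and that walk is why validation costs extra lookups. The block below is an added illustration in Python, not F5 code: it computes the RFC 4034 key tag and SHA-256 DS digest for a DNSKEY and walks a constructed root, org, example.org chain, counting the DNSKEY and DS RRsets a validator has to fetch. The keys are made-up bytes, and RRSIG verification (the signature check, which needs a crypto library) is not part of it; the step count therefore covers only the DS/DNSKEY fetches, a subset of the 15 steps on the slide.

```python
import hashlib
import struct


def dnskey_rdata(flags, algorithm, pubkey, protocol=3):
    """DNSKEY RDATA: flags, protocol (always 3), algorithm, public key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata):
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def wire_name(name):
    """Canonical (lower-case) wire form of an owner name; '.' is the root."""
    name = name.rstrip(".").lower()
    labels = name.split(".") if name else []
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def ds_from_dnskey(owner, rdata):
    """DS tuple (key tag, algorithm, digest type 2, SHA-256 digest) a parent would publish."""
    digest = hashlib.sha256(wire_name(owner) + rdata).digest()
    return key_tag(rdata), rdata[3], 2, digest


def validate_chain(chain):
    """chain: [(zone, ds_set, dnskey_rdatas)] from the root downwards, where ds_set is the
    DS set the parent publishes for that zone (for the root, the DS of the trust anchor).
    Returns (valid, steps); steps counts the DNSKEY and DS RRsets the validator fetched.
    A zone whose DNSKEYs match none of the trusted DS records breaks the chain: that is
    how a forged key injected by a poisoning attempt is rejected."""
    steps = 0
    for zone, ds_set, dnskeys in chain:
        steps += 1                       # fetch the zone's DNSKEY RRset
        if zone != ".":
            steps += 1                   # fetch the DS RRset from the parent
        if not any(ds_from_dnskey(zone, k) in ds_set for k in dnskeys):
            return False, steps
    return True, steps


def demo():
    """Constructed three-level chain (root -> org -> example.org) and a forged leaf key."""
    root_ksk = dnskey_rdata(257, 13, b"\x01\x02\x03\x04")        # flag 257: zone key + SEP
    org_ksk = dnskey_rdata(257, 13, b"org-key-bytes")
    leaf_ksk = dnskey_rdata(257, 13, b"example-org-key-bytes")
    forged = dnskey_rdata(257, 13, b"attacker-key-bytes")
    chain = [
        (".", {ds_from_dnskey(".", root_ksk)}, [root_ksk]),               # trust anchor
        ("org", {ds_from_dnskey("org", org_ksk)}, [org_ksk]),             # DS in the root zone
        ("example.org", {ds_from_dnskey("example.org", leaf_ksk)}, [leaf_ksk]),  # DS in org
    ]
    poisoned = chain[:2] + [("example.org", chain[2][1], [forged])]
    return validate_chain(chain), validate_chain(poisoned)
```

The genuine chain validates after five RRset fetches (one DNSKEY set for the root, then a DS set and a DNSKEY set for each of org and example.org); the forged key costs the same five fetches and is then rejected, because no DS in the org zone hashes to it. Real resolvers also fetch and verify the RRSIG over each of those RRsets, which is where the remaining round trips and CPU time go.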
Delivery of Resolver LDNS Services
(diagram: Internet site in the datacenter resolving across the Internet)
• DNS Caching / Resolver / DNSSEC Validation
• High Performance LDNS – multicore
• DNS Filtering and Control iRules
• Seamless integration of internal GSLB services
• Lower TCO and consolidation – query per dollar
Optimize DNS Resolving with Cache Zone Forwarding
Faster Web Browsing / Fastest Web Browsing
• DNS Caching passes queries to the Resolver when the response isn't cached
• Resolver uses root hints to kick off the process
• Requests for specific zones are sent to specific recursive name servers
• Zone not listed, then the Resolver follows root hints
(diagram: on BIG-IP, DNS requests for Zone A, Zone B and Zone C reach the DNS Cache; when not cached they go to the Resolver, which forwards Zone B to the Zone B Forward NS, Zone C to the Zone C Forward NS, and all other zones via Root Hints)
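The cache-then-forward behaviour described above, as an added example in Python rather than BIG-IP configuration: a TTL-bounded cache answers first; on a miss the query goes to the forwarder of the longest matching configured zone, or to the root hints when no zone matches. Zone names, forwarder addresses and the fetch stand-in are constructed.

```python
import time

ROOT_HINTS = "root-hints"   # sentinel: no forwarder matched, recurse from the root


class ForwardingResolver:
    def __init__(self, forwarders, now=time.monotonic):
        # forwarders: {"zone": "upstream"}; zones are normalised to lower case, no trailing dot
        self.forwarders = {z.lower().rstrip("."): up for z, up in forwarders.items()}
        self.cache = {}          # (qname, qtype) -> (expiry, answer)
        self.now = now           # injectable clock so expiry can be tested
        self.upstream_calls = []

    def select_upstream(self, qname):
        """Longest-suffix match, so 'corp.zoneb.test' beats 'zoneb.test' for its own names."""
        name = qname.lower().rstrip(".")
        best = None
        for zone in self.forwarders:
            if name == zone or name.endswith("." + zone):
                if best is None or len(zone) > len(best):
                    best = zone
        return self.forwarders[best] if best else ROOT_HINTS

    def resolve(self, qname, qtype, fetch):
        """fetch(upstream, qname, qtype) -> (ttl, answer) stands in for the network step.
        Returns (answer, source) where source is 'cache' or the upstream that was asked."""
        key = (qname.lower().rstrip("."), qtype)
        hit = self.cache.get(key)
        if hit and hit[0] > self.now():
            return hit[1], "cache"
        upstream = self.select_upstream(qname)
        ttl, answer = fetch(upstream, qname, qtype)
        self.upstream_calls.append(upstream)
        self.cache[key] = (self.now() + ttl, answer)    # honour the TTL the upstream gave
        return answer, upstream


def demo_fetch(upstream, qname, qtype):
    """Constructed stand-in for the network: a 60 s answer that records which upstream served it."""
    return 60, f"{qname.lower().rstrip('.')} {qtype} via {upstream}"
```

Cache keys are normalised (case-folded, trailing dot removed) so that WWW.zoneb.test. and www.zoneb.test share one entry, and the expiry uses the TTL the upstream returned, so a stale answer is never handed back after it lapses.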
F5 DNS Delivery Architecture
DNS Scale and High Performance: responding to DNS queries with TMM is 2x more efficient than load balancing
(diagram: BIG-IP stack on high performance hardware: switch, packet pre-filter inspection, protocol filter, HSB, crypto, FIPS; TMM over TCP/UDP and IPv4/IPv6 with protocol validation, DNS filtering/customization via iRules, DNS Express, DNS cache, resolver, DNS64, DNS LB pool, GTM, GTM iRules, DNSSEC and last action; management on Linux via TMSH, GUI, BIND zone management, iControl API and dynamic routing)
Intelligent DNS scale solution diagram
(diagram: Intelligent & Scalable DNS Services; core functionality: authoritative DNS, IP geolocation, real-time IP threat information, network firewall, DNS attack mitigation; layers: device, applications, centralized management, infrastructure, SaaS, location, professional services and support; outcomes: intelligence, scale, optimized experience, customer scenarios)
Protect and scale your DNS infrastructure while maintaining availability for applications.
DNS Scale, Security for Global App Management with BIG-IP Global Traffic Manager (GTM)

OPTIMIZED APPLICATIONS & DATA
• Dynamic Datacenter Global Load Balancing
• DNS and App Health Monitoring
• Geolocation routing
• Automatic site-to-site failover
• IPv6/IPv4 Translation
• DNS Scalability up to 10x
• DNS Caching and Resolving

SECURE APPLICATIONS & DATA
• Transaction Assurance
• DNS iRules
• Real-time DNSSEC signing
• DNSSEC Validation
• DNS DDoS Mitigation
• DNS Firewall Services

(diagram: two data centers, each with a BIG-IP Global Traffic Manager in the DMZ and an active BIG-IP Local Traffic Manager in front of DNS and app servers, connected across the Internet)
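Geolocation routing with health-based site-to-site failover, as described on this slide and on the "Benefits of BIG-IP integration" slide, as an added example in Python (not F5 code and not the GTM topology configuration): the client's region is looked up from an address table, data centers are tried in the region's configured preference order, and a data center whose monitor reports it down is skipped. Regions, prefixes, VIPs and the topology are constructed.

```python
from dataclasses import dataclass
import ipaddress


@dataclass
class DataCenter:
    name: str
    vip: str
    healthy: bool = True    # what the health monitor (iQuery between BIG-IPs on the slide) reports
    served: int = 0         # answers handed out, for checking the failover actually moved traffic


# Constructed geolocation table: client prefix -> region (documentation prefixes, not real data).
GEO = [(ipaddress.ip_network("203.0.113.0/24"), "EU"),
       (ipaddress.ip_network("198.51.100.0/24"), "US")]

# Constructed topology: ordered data-center preference per region, with a default for unknown clients.
TOPOLOGY = {"EU": ["ams", "fra", "nyc"],
            "US": ["nyc", "ams", "fra"],
            "default": ["ams", "nyc", "fra"]}


def client_region(ip):
    addr = ipaddress.ip_address(ip)
    for net, region in GEO:
        if addr in net:
            return region
    return "default"


class Gslb:
    def __init__(self, dcs):
        self.dcs = {d.name: d for d in dcs}

    def choose(self, client_ip):
        """Return (data center, vip) for the first healthy preference; None when every site is down,
        so the resolver gets no answer rather than a VIP that is known to be dead."""
        region = client_region(client_ip)
        for name in TOPOLOGY.get(region, TOPOLOGY["default"]):
            dc = self.dcs[name]
            if dc.healthy:
                dc.served += 1
                return dc.name, dc.vip
        return None

    def set_health(self, name, healthy):
        """Monitor result for a data center; flipping it is what triggers site-to-site failover."""
        self.dcs[name].healthy = healthy
```

Because the choice is recomputed per query from current monitor state, a data center that goes down stops being answered as soon as the monitor flips, and it returns to the front of its region's preference list the moment the monitor recovers; no cached routing decision has to be invalidated.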