Peter Silva Sr. Technical Marketing Manager F5 Intelligent DNS Scale

Intelligent DNS Scale

DESCRIPTION

https://f5.com/solutions/enterprise/reference-architectures/intelligent-dns-scale

DNS is the backbone of the Internet. It allows humans to find domain names like www.f5.com instead of the numerical IP addresses web servers require. It is also one of the most vulnerable points in your network. DNS failures account for 41 percent of web downtime, so keeping your DNS available is essential to your business. F5 can help you manage DNS's rapid growth and avoid outages with end-to-end solutions that increase the speed, availability, scalability, and security of your DNS infrastructure. Plus, our solution enables you to consolidate DNS services onto fewer devices, which are easier to secure and manage than traditional DNS deployments.

Page 1: Intelligent DNS Scale

Peter Silva

Sr. Technical Marketing Manager

F5 Intelligent DNS Scale

Page 2: Intelligent DNS Scale

© F5 Networks, Inc 2

LOWERS

Stress of DNS outages

REDUCES

Data center costs

DIRECTS

Customers to the best data center or cloud

PROTECTS

Web properties and brand reputation

IMPROVES

Web application performance

Intelligent and scalable DNS

Page 3: Intelligent DNS Scale

Internet foundation? DNS

DNS DEMANDS

WHEN DNS BREAKS, EVERYTHING BREAKS

DOMAIN NAME SYSTEM (DNS)

Translates a domain name… http://www.google.com

into an IP address: 74.125.227.64 (IPv4)

http://www.f5.com = 2001:19b8:101:2::f5f5:1d (IPv6)

More people

Mobile devices/apps

Complex sites

Increased latency

Cloud implementations

IPv6 added to IPv4

DDoS attacks

Page 4: Intelligent DNS Scale

DNS demand

Available and protected

AVERAGE DAILY LOAD FOR DNS (TLD) QUERIES IN BILLIONS

DNSSEC DEPLOYMENT EXPANDING

TYPICAL FOR A SINGLE WEB PAGE TO CONSUME 100+ DNS QUERIES FROM ACTIVE CONTENT, ADVERTISING, AND ANALYTICS

ATTACKS ON DNS BECOMING MORE COMMON; DNS SERVICES MUST BE ROBUST

GLOBAL MOBILE DATA (4G/LTE) IS DRIVING THE NEED FOR FAST, AVAILABLE DNS

DISTRIBUTED, AVAILABLE, HIGH-PERFORMANCE GSLB FOR MULTIPLE DATA CENTERS

[Chart: average daily load for DNS (TLD) queries in billions, ’08 to ’12]

[Chart: global mobile data, 18X growth 2011-2016. 4G LTE: 2.4GB/mo; Non-4G LTE: 86MB/mo]

Reflection/amplification DDoS

Cache poisoning attacks

Drive for DNSSEC adoption

Total service availability

Geographically dispersed DCs

DNS capacity close to subscribers

Page 5: Intelligent DNS Scale

Critical: DNS

5 SECONDS

74% are willing to wait 5 seconds or less for a single web page to load before leaving the site

Every 100ms delay costs Amazon.com 1% in sales

DNS has grown over 100% in the last 5 years (chart: 2007 vs. 2012)

As of October 2012, there were over 188 million active websites, a growth of 180% over the last 5 years (chart: 2007 vs. 2012, 180%)

Page 6: Intelligent DNS Scale

DNS Deployments

CONVENTIONAL DNS THINKING

• Performance = Add DNS boxes

• Weak DoS/DDoS Protection

• Firewall is THE bottleneck

F5 DNS DELIVERY REIMAGINED

• Massive performance over 10M RPS!

• Best DoS/DDoS protection

• Lower CapEx and OpEx

Internet

External Firewall

DNS Load Balancing

Array of DNS Servers

Internal Firewall

Hidden Master DNS

Authoritative DNS

Caching Resolver

Transparent Caching

DNS Firewall

DNS DDoS Protection

Protocol Validation

High Performance DNSSEC

DNSSEC Validation

Intelligent GSLB

DMZ Datacenter

F5 PARADIGM SHIFT

Internet

Master DNS Infrastructure

BIG-IP Global Traffic Manager

Page 7: Intelligent DNS Scale

True DNS Costs

HIGHER OPEX DUE TO MAINTENANCE

BIND by the numbers

• 340 updates since 2004

• 84 issued patches for vulnerabilities and bugs

• 9 patches a year for DNS

COMPANIES DEPLOY FIREWALLS TO PROTECT DNS

But traditional firewalls don’t process DNS, so a vulnerability can still be exploited on the DNS server.

[Chart: BIND HISTORY. Y axis: Number of updates issued (0 to 60). X axis: BIND Version (9.0 to 9.9). Series: Total updates, including beta, release candidates; Critical patches for vulnerabilities]

F5 DNS Authoritative Model

Traditional DNS Authoritative Topology

Total in year 1: $355,280

Total in year 2 onwards: $55,280

Total in year 1: $799,200

Total in year 2 onwards: $439,200

Page 8: Intelligent DNS Scale

Optimized DNS

Easy integration into existing DNS infrastructure for high availability and security

Support over 10 million DNS responses per second (RPS)

Manageable and predictable data center utilization

Authoritative Zone Transfer

Legitimate Visitors

Context based on geographical location

Tier 1: DMZ

Cache Poisoning

DNS DDoS Attacks

Web Bot

Attacker

Tier 2: Application Delivery

Application

SaaS

Cloud Providers

Distributed DNS

IP Intelligence

Threat Intelligence

DNSSEC

IP Geolocation

DNS DDoS Protection

PaaS

IaaS

Application Health

Authoritative DNS

TCP Port 80/443

Strategic Point of Control

Intelligent and Scalable DNS Services

Primary DNS

TCP/UDP Port 53

LDNS

Page 9: Intelligent DNS Scale

[Diagram: DNS Query / Answer exchange, shown five times]

Efficient DNS

DNS Express

• Delivers High-speed response & DDoS protection with in-memory DNS.

• Authoritative DNS served out of RAM.

• Configuration size for tens of millions of records.

• Scale and consolidate DNS servers.

Clients

Internet

DNS Express in BIG-IP GTM

DNS Server

OS

Admin Auth Roles

NIC

Dynamic DNS

DHCP

Manage DNS Records

Page 10: Intelligent DNS Scale

Benefits of BIG-IP Integration

Simply and efficiently manage complex networks using one ADC solution.

Route users to available apps and data centers based on business logic.

Use the same geolocation data to reference for all BIG-IP devices.

Constantly monitor health between devices.

Page 11: Intelligent DNS Scale

Replicate High Performance DNS

• Cloud DNS service with signed DNSSEC zones

— Replicate DNSSEC to non-DNSSEC environments

• Cloud DNS for disaster recovery / business continuity

• DNS replication service to BIG-IPs or other DNS servers in DCs/Clouds closest to users

BIG-IP

Unsigned Zone(s)

Traditional DNS Server

Signed Zone(s)

Cloud DNS (BIG-IP VE)

Enhanced AXFR Support for DNS Express

• Zone transfer from DNS Express to any DNS service

• Replicate DNS in physical, virtual, and cloud

• NOTIFY is supported, as is TSIG key for each zone

Cloud DNS Service

High Performance DNS and DNSSEC

Scenario Solution

Replicate Zones

DNS Express

Page 12: Intelligent DNS Scale

Complete DNS

• Protocol inspection and validation

• DNS record type ACL

• DNS load balancing

• High-performance DNS cache

• Higher-performance DNS slave

• Stateful – never accepts unsolicited responses

• ICSA Certified – DMZ deployment

• Scale across devices – IP Anycast

• Secure responses – DNSSEC

• Complete DNS control – iRules

• DDoS threshold alerting

• DNS logging and reporting

• Hardened F5 DNS code – NOT BIND

F5 DNS FIREWALL SERVICES

DMZ

Clients

LDNS

Internet

DNS Firewall in BIG-IP GTM

Data Center

DNS Servers

Apps

Page 13: Intelligent DNS Scale

The DNS value

Scalable up to 20x

[Chart: Low Query, Query Growth, Query Spike, Query Decline, Max DNS]

Complete DNS control

Access Denied:

Denial-of-service mitigation

Page 14: Intelligent DNS Scale

The DNS value

Support client requests and consolidate IT

IPv6 to IPv4

Secure DNS query responses

http://f5.com

Route based on geolocation

Page 15: Intelligent DNS Scale

DNS services are a primary reason we went with F5 for our infrastructure…

With BIG-IP products, we were able to deploy leading functionality with an exceptional reduction in latency from the new DNS caching and resolving capabilities.

— Oktay Yavuz Bora

Senior Network Engineer, Turk Telekom

Page 16: Intelligent DNS Scale

Intelligent DNS that Scales

• Scale and manage DNS and apps globally

• Improve application performance and availability

• Robust, Flexible and Secure DNS Infrastructure

• Mitigate DNS DDoS Attacks

• Support hybrid IP Environments

• Complete DNS Security

Page 17: Intelligent DNS Scale

Intelligent means that your BIG-IP device, based on the context of the request (like location or reputation), can determine if the query is valid.

Scale means that your BIG-IP device will be able to handle any surge of DNS queries, keeping your applications available for your customers.

The F5 Intelligent DNS Scale reference architecture helps protect your brand and grow your business.

Page 18: Intelligent DNS Scale

The F5 Intelligent DNS Scale Reference Architecture

f5.com/architectures

Explore

Page 19: Intelligent DNS Scale