the dns of things - sys-con.com · manageability: enterprises need visibility into dns services...
Peter Silva
Sr. Technical Marketing Manager
@psilvas
The DNS of Things
Q. WHERE IS WWW.F5.COM?
A. 2001:19b8:101:2::f5f5:1d
© F5 Networks, Inc 2 Confidential © F5 Networks, Inc 2
Mobility
SDDC/Cloud
Advanced threats
Internet of Things
“Software defined” everything
HTTP is the new TCP
Internet Foundation? DNS
DNS DEMANDS
WHEN DNS BREAKS EVERYTHING BREAKS
DOMAIN NAME SYSTEM (DNS)
Translates a domain name… http://www.google.com
into an IP address: 74.125.227.64 (IPv4)
http://www.f5.com = 2001:19b8:101:2::f5f5:1d (IPv6)
More People
Mobile devices/apps
Complex sites
Increased latency
Cloud implementations
IPv6 added with IPv4
DDoS attacks
Everything: DNS
• Internet of Things needs scalable DNS services*
• Combination = 5 to 10 times Internet revolution**
• 10bil devices in 2014 = 77bil mobile apps**
• 35% Y/Y DNS query increase***
• Ensure really fast connections and responses*
DNS
Look Ups
Demand: DNS
AVERAGE DAILY LOAD FOR DNS (.COM/.NET TLDS) QUERIES IN BILLIONS
DNSSEC DEPLOYMENT EXPANDING
TYPICAL FOR A SINGLE WEB PAGE TO CONSUME 100+ DNS QUERIES FROM ACTIVE CONTENT, ADVERTISING, AND ANALYTICS
SECOND MOST ATTACKED PROTOCOL
GLOBAL MOBILE DATA (4G/LTE) IS DRIVING THE NEED FOR FAST, AVAILABLE DNS
DISTRIBUTED, AVAILABLE, HIGH-PERFORMANCE GSLB FOR MULTIPLE DATA CENTERS
18X Growth 2011-2016
4G LTE: 2.4GB/mo
Non-4G LTE: 86MB/mo
Reflection/amplification DDoS
Cache poisoning attacks
Drive for DNSSEC adoption
Total service availability
Geographically dispersed DCs
DNS capacity close to subscribers
[Bar chart: years ‘09 to ‘13; bar labels as extracted: 82, 77, 43, 50, 57]
Growth of Nouns
2013:80
2014:100
2020:250
152 Million Cars
Growth of Sensors
Critical: DNS
76% are willing to wait 10 seconds or less for a single web page to load on a mobile phone before leaving.
Every 100ms delay costs Amazon 1% in sales.
DNS has grown over 91% in the last 5 years (2009 to 2013).
As of December 2013, there were over 184 million active websites, a growth of 157% over the last 5 years (2009 to 2013).
DNS Deployments
CONVENTIONAL DNS THINKING
• Performance = Add DNS boxes
• Weak DoS/DDoS Protection
• Firewall is THE bottleneck
DNS DELIVERY REIMAGINED
• Massive performance over 10M RPS!
• Best DoS/DDoS protection
• Lower CapEx and OpEx
Internet External Firewall
DNS Load Balancing
Array of DNS Servers
Internal Firewall
Hidden Master DNS
Authoritative DNS Caching Resolver
Transparent Caching
DNS Firewall
DNS DDoS Protection
Protocol Validation
High Performance DNSSEC DNSSEC Validation
Intelligent GSLB
DMZ Datacenter
PARADIGM SHIFT
Internet Master DNS Infrastructure
BIG-IP
True DNS Costs
HIGHER OPEX DUE TO MAINTENANCE
BIND by the numbers
• 340 updates since 2004
• 84 issued patches for vulnerabilities and bugs
• 9 patches a year for DNS
COMPANIES DEPLOY FIREWALLS TO PROTECT DNS
But traditional firewalls don’t process DNS, so a vulnerability can still be exploited on the DNS server.
[Chart: BIND HISTORY. Y axis: number of updates issued (0 to 60); X axis: BIND version (9.0 to 9.9). Series: total updates, including beta and release candidates; critical patches for vulnerabilities.]
DNS Authoritative Model
Total in year 1: $355,280
Total in year 2 onwards: $55,280
Traditional DNS Authoritative Topology
Total in year 1: $799,200
Total in year 2 onwards: $439,200
Answer DNS
Query
Efficient DNS
• Delivers High-speed response & DDoS protection with in-memory DNS.
• Authoritative DNS served out of RAM.
• Configuration size for tens of millions of records.
• Scale and consolidate DNS servers.
Clients
Internet
DNS in DMZ
DNS Server
OS Admin Auth Roles
NIC Dynamic
DNS DHCP
Manage DNS
Records
Optimized DNS
• Easy integration into existing DNS infrastructure for high availability and security
• Support over 10 million DNS responses per second (RPS)
• Manageable and predictable data center utilization
The DNS Value
SCALABLE UP TO 20X
[Chart: phases Low Query, Query Growth, Query Spike, Query Decline; line labelled Max DNS]
DENIAL OF SERVICE MITIGATION
SUPPORT CLIENT REQUESTS AND CONSOLIDATE IT
IPv6 to IPv4
ROUTE BASED ON GEOLOCATION
COMPLETE DNS CONTROL
Access Denied:
SECURE DNS QUERY RESPONSES
http://f5.com
Deal with DNS
Who
• Enterprises w/High volume of DNS, Apps.
• Federal/Gov’t.
• eCommerce
• Service Providers
What
• DNS DDoS
• DNS Scale and Security
Questions
• How do you scale DNS/Apps.?
• How do you manage DNS Security?
• How do you support DNS?
Market Pulse Research: Managing DNS Capacity Key Findings
• Respondents most frequently cite improved application availability and application performance (speed) as highly important benefits of DNS.
• A majority (63%) report that their organizations’ DNS volume has increased over the past year.
  • Contributing factors: rollout of new services, applications. Cloud migration and traffic spikes.
• Most often, organizations manage DNS capacity by adding more servers (53%) and/or adding more bandwidth (36%). Average of 24 DNS servers in use.
• With regard to current DNS implementations, outages are the top concern (70% highly concerned).
  • Most concerning consequences: loss of productivity and a poor customer experience.
• Nearly one-third of respondents (29%) report their organizations have experienced DNS outages in the past 12 months. Culprit? One-quarter of these (25%) report a traffic surge.
• Among those who indicate their organizations are planning to expand DNS services to the cloud, increasing capacity is the most common driver. On-premise DNS primary case over the next year. Use of public cloud DNS slight increase in next 12 months.
Story Arc
deviantart.net
admissions.tufts.edu
DNS Story Arc
Introduction
Complication
Denouement
Climax
Body
Market Conditions
DNS Traffic
Add Infrastructure
ADC
Peace of Mind
Intelligent & Secure DNS that Scales
• Scale and manage DNS and apps globally
• Improve application performance and availability
• Robust, Flexible and Secure DNS Infrastructure
• Mitigate DNS DDoS Attacks
• Support hybrid IP Environments
• Complete DNS Security
Intelligent DNS Scale
• LOWERS: Stress of DNS Outages.
• REDUCES: Data center costs.
• DIRECTS: Customers to the best data center or cloud.
• PROTECTS: Web Properties and Brand Reputation.
• IMPROVES: Web application performance.
The Five Takeaways
Scalability: In times of high traffic, enterprises’ DNS servers must be able to handle shifting volumes of traffic.
Security: Denial-of-service attacks frequently target IP addresses that cause DNS server outages.
Intelligence: To be protective, IT must be proactive. That means being able to pinpoint application or service delivery accuracy, based on location of users, with geolocation services.
Manageability: Enterprises need visibility into DNS services across cloud and on-premises networks, in order to ensure uptime and performance. IT also needs to be able to identify unusual activity that may indicate probing for vulnerabilities.
Reliability: With more customers accessing corporate web sites, DNS server performance has the potential to impact user experience and employee productivity. Given these trends, DNS servers must be extremely reliable.
The F5 DNS Reference Architecture
f5.com/architectures
@f5networks
Explore