The DNS of Things

Peter Silva

Sr. Technical Marketing Manager, @psilvas

Q. WHERE IS WWW.F5.COM?

A. 2001:19b8:101:2::f5f5:1d

“Software defined” everything

Advanced threats

Internet of Things

SDDC/Cloud

HTTP is the new TCP

Mobility

© F5 Networks, Inc

Confidential

Internet Foundation? DNS

DOMAIN NAME SYSTEM (DNS)

Translates a domain name… into an IP address:

• http://www.google.com = 74.125.227.64 (IPv4)
• http://www.f5.com = 2001:19b8:101:2::f5f5:1d (IPv6)

DNS DEMANDS

• More People
• Mobile devices/apps
• Complex sites
• Increased latency
• Cloud implementations
• IPv6 added with IPv4
• DDoS attacks

WHEN DNS BREAKS EVERYTHING BREAKS


Everything: DNS

• Internet of Things needs scalable DNS services*
• Combination = 5 to 10 times Internet revolution**
• 10bil devices in 2014 = 77bil mobile apps**
• 35% Y/Y DNS query increase***
• Ensure really fast connections and responses*

DNS Look Ups

Demand: DNS

AVERAGE DAILY LOAD FOR DNS (.COM/.NET TLDS), QUERIES IN BILLIONS

[Chart: average daily DNS query load, '09 to '13]

TYPICAL FOR A SINGLE WEB PAGE TO CONSUME 100+ DNS QUERIES FROM ACTIVE CONTENT, ADVERTISING, AND ANALYTICS

GLOBAL MOBILE DATA (4G/LTE) IS DRIVING THE NEED FOR FAST, AVAILABLE DNS

• 18X Growth 2011-2016
• 4G LTE vs. Non-4G LTE: 2.4GB/mo vs. 86MB/mo

DNSSEC DEPLOYMENT EXPANDING

SECOND MOST ATTACKED PROTOCOL

• Reflection/amplification DDoS
• Cache poisoning attacks
• Drive for DNSSEC adoption

DISTRIBUTED, AVAILABLE, HIGH-PERFORMANCE GSLB FOR MULTIPLE DATA CENTERS

• Total service availability
• Geographically dispersed DCs
• DNS capacity close to subscribers

Growth of Nouns

2013:80 2014:100 2020:250

152 Million Cars

Growth of Sensors


Critical: DNS

• 76% are willing to wait 10 seconds or less for a single web page to load on a mobile phone before leaving.
• As of December 2013, there were over 184 million active websites, a growth of 157% over the last 5 years.
• Every 100ms delay costs Amazon 1% in sales.
• DNS has grown over 91% in the last 5 years.

DNS Deployments

CONVENTIONAL DNS THINKING

[Diagram: Internet, External Firewall, DNS Load Balancing, Array of DNS Servers, Internal Firewall, Hidden Master DNS; zones: DMZ, Datacenter]

• Performance = Add DNS boxes
• Weak DoS/DDoS Protection
• Firewall is THE bottleneck

PARADIGM SHIFT: DNS DELIVERY REIMAGINED

[Diagram: Internet, BIG-IP, Master DNS Infrastructure]

• DNS Firewall
• DNS DDoS Protection
• Protocol Validation
• Authoritative DNS
• Caching Resolver
• Transparent Caching
• High Performance DNSSEC
• DNSSEC Validation
• Intelligent GSLB

• Massive performance over 10M RPS!
• Best DoS/DDoS protection
• Lower CapEx and OpEx

True DNS Costs

BIND HISTORY

[Chart: number of updates issued per BIND version, 9.0 to 9.9; series: critical patches for vulnerabilities; total updates, including beta, release candidates]

HIGHER OPEX DUE TO MAINTENANCE

BIND by the numbers:

• 340 updates since 2004
• 84 issued patches for vulnerabilities and bugs
• 9 patches a year for DNS

COMPANIES DEPLOY FIREWALLS TO PROTECT DNS

But traditional firewalls don’t process DNS, so a vulnerability can still be exploited on the DNS server.

DNS Authoritative Model

Traditional DNS Authoritative Topology

Total in year 1: $355,280. Total in year 2 onwards: $55,280.

Total in year 1: $799,200. Total in year 2 onwards: $439,200.

Efficient DNS

• Delivers high-speed response & DDoS protection with in-memory DNS.
• Authoritative DNS served out of RAM.
• Configuration size for tens of millions of records.
• Scale and consolidate DNS servers.

[Diagram: Clients, Internet, DNS in DMZ, DNS Server; DNS Server components: Answer DNS Query, Manage DNS Records, OS, Admin Auth Roles, NIC, Dynamic DNS DHCP]

Optimized DNS

• Manageable and predictable data center utilization
• Easy integration into existing DNS infrastructure for high availability and security
• Support over 10 million DNS responses per second (RPS)

The DNS Value

• SCALABLE UP TO 20X
• DENIAL OF SERVICE MITIGATION
• COMPLETE DNS CONTROL
• SUPPORT CLIENT REQUESTS AND CONSOLIDATE IT
• Access Denied: IPv6 to IPv4
• ROUTE BASED ON GEOLOCATION
• SECURE DNS QUERY RESPONSES

[Chart: Max DNS capacity across phases: Low Query, Query Growth, Query Spike, Query Decline]

http://f5.com

Deal with DNS

Who

• Enterprises w/High volume of DNS, Apps.
• Federal/Gov’t.
• eCommerce
• Service Providers

What

• DNS DDoS
• DNS Scale and Security

Questions

• How do you scale DNS/Apps.?
• How do you manage DNS Security?
• How do you support DNS?

Market Pulse Research: Managing DNS Capacity

Key Findings

• Respondents most frequently cite improved application availability and application performance (speed) as highly important benefits of DNS.
• A majority (63%) report that their organizations’ DNS volume has increased over the past year.
  • Contributing factors: rollout of new services, applications. Cloud migration and traffic spikes.
• Most often, organizations manage DNS capacity by adding more servers (53%) and/or adding more bandwidth (36%). Average of 24 DNS servers in use.
• With regard to current DNS implementations, outages are the top concern (70% highly concerned).
  • Most concerning consequences: loss of productivity and a poor customer experience.
• Nearly one-third of respondents (29%) report their organizations have experienced DNS outages in the past 12 months. Culprit? One-quarter of these (25%) report a traffic surge.
• Among those who indicate their organizations are planning to expand DNS services to the cloud, increasing capacity is the most common driver. On-premise DNS primary case over the next year. Use of public cloud DNS slight increase in next 12 months.

Story Arch

deviantart.net

admissions.tufts.edu

DNS Story Arc

[Diagram: story arc with stages Introduction, Complication, Body, Climax, Denouement; labels: Market Conditions, DNS Traffic, Add Infrastructure, ADC, Peace of Mind]

Intelligent & Secure DNS that Scales

• Scale and manage DNS and apps globally
• Improve application performance and availability
• Robust, Flexible and Secure DNS Infrastructure
• Mitigate DNS DDoS Attacks
• Support hybrid IP Environments
• Complete DNS Security

Intelligent DNS Scale

• IMPROVES Web application performance.
• PROTECTS Web Properties and Brand Reputation.
• DIRECTS Customers to the best data center or cloud.
• LOWERS Stress of DNS Outages.
• REDUCES Data center costs.

The Five Takeaways

Scalability: In times of high traffic, enterprises’ DNS servers must be able to handle shifting volumes of traffic.

Security: Denial-of-service attacks frequently target IP addresses that cause DNS server outages.

Intelligence: To be protective, IT must be proactive. That means being able to pinpoint application or service delivery accuracy, based on location of users, with geolocation services.

Manageability: Enterprises need visibility into DNS services across cloud and on-premises networks, in order to ensure uptime and performance. IT also needs to be able to identify unusual activity that may indicate probing for vulnerabilities.

Reliability: With more customers accessing corporate web sites, DNS server performance has the potential to impact user experience and employee productivity. Given these trends, DNS servers must be extremely reliable.


Explore

The F5 DNS Reference Architecture

f5.com/architectures @f5networks
