Robert Nagy - Infoblox: DNS Architecture, DNS Anycast, DNSSEC Validation

Post on 12-Jul-2020


Robert Nagy
CEO – DeepDive Networking
rob@deepdivenetworking.com
www.deepdivenetworking.com

Topics Covered

• Architecture

• DNS Anycast

• DNSSEC Validation

DNS Architecture

DNS Architecture: Overview

DNS Architecture: Goals of today’s DNS

• Efficiency – must handle the needs of the other applications

• Security – DNS must be a part of the solution

• Scalability – growth rates must be addressable

DNS Architecture: Architecture best-practices

DNS Architecture: Design goals

[Diagram: Infoblox grid DNS architecture. Data Centers: Grid Master (IB-1550 HA, no services) with a Master Candidate at the DR site (IB-1550 HA); Grid Member IB-1550 HA as Primary Master DNS; Grid Members IB-1550 HA as Authoritative DNS; Grid Member IB-1550 HA as DHCP FO Peer; optional dedicated cache-only DNS servers; optional dedicated logging member; optional external DNS queries to the hosting site. Remote Sites, small to large: Grid Member IB-xx50 as DHCP FO Peer with cache DNS and limited authoritative DNS, DHCP failover with the data center. Remote Sites, very small: vNIOS Grid Member as DHCP FO Peer, cache DNS only. Links shown: secure (TSIG) zone transfer, Secure Grid Communications, MS Active Directory DNS updates, IPAM feed, PortIQ discovery, forwarders to cache-only, forward to data center and/or cache-only DNS members; outbound queries to the Internet root DNS servers and inbound queries from the Internet.]

DNS Anycast

[Diagram: four DNS servers on the intranet (europe.corp100.com, us.corp100.com, asiapac.corp100.com, australia.corp100.com) all advertise the same anycast addresses 10.128.1.12 and 2001:db8::256:180:c223:214e; a client in europe.corp100.com sends a DNS query (example: nslookup) to that address and routing delivers it to the nearest server.]

Overview – If one is good, more is better

• Nodes share a single IP address

• Routing allows clients to connect to the “nearest” node

• DNS Servers advertise this IP as a route when DNS is available

DNS Anycast: Where to use it

Everywhere!

• Authoritative

  • Internal

  • External

• Recursive/Caching

[Diagram: the same Infoblox grid DNS architecture diagram as in the Design goals section (data centers, DR site, small to large and very small remote sites, cache-only and authoritative DNS members, DHCP failover peers, forwarding to data center and/or cache-only DNS members), shown again to indicate where anycast applies.]

Anycast: Considerations

• Routing protocols in use

• Network complexity

• DNS team’s access to routing information

• Troubleshooting

DNSSEC

DNSSEC: Traditional DNS walkthrough

Client queries for www.infoblox.com

1. Client queries its locally configured DNS Server A

2. Server A queries Root

3. Root name servers reply with NS and A records for .com (delegation)

4. Server A queries .com name servers

5. .com name servers reply with NS and A records for infoblox.com (delegation)

6. Server A queries Infoblox name servers

7. Infoblox name servers reply with the A record for www.infoblox.com

8. Server A caches the answer and returns the record to the Client

[Diagram: the Client asks "How do I connect to www.infoblox.com"; Server A, the local recursive name server, walks the Root (.) name server, the .com name server and the infoblox.com name server, with the steps numbered 1 to 8 as above.]

DNSSEC: DNSSEC validation walkthrough

Client queries for www.infoblox.com

• Steps 1-7 happen as before.

• In 2, 4 and 6, each time the recursive server queries it sets the DO bit to indicate it would like DNSSEC info

• Each response in 3, 5 and 7 includes DNSSEC records, including:

  • DNSKEY, DS and RRSIG

• Once Server A receives an answer it begins the validation

[Diagram: the same walkthrough as before; the Client asks "How do I connect to www.infoblox.com", and Server A, the local recursive name server, queries the Root (.) name server, the .com name server and the infoblox.com name server in steps 1 to 8.]

DNSSEC: Validation is in use today

• Google 8.8.8.8

• Comcast

• Neustar DNS Advantage

• …

• ad flag: shows we have Authenticated Data

DNSSEC: Enabling validation
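As an added example (not part of the presentation), a small standard-library Python script that builds the kind of query the recursive server sends in steps 2, 4 and 6, with the DO bit set in an EDNS0 OPT record, and decodes the AD flag that a validating resolver sets in its response header. The response headers are constructed samples, not captured traffic, and the transaction ID and name are placeholders.

```python
import struct

# Header flag bits (RFC 1035; AD and CD from RFC 4035 sit in the old Z area).
FLAG_QR, FLAG_RD, FLAG_RA = 0x8000, 0x0100, 0x0080
FLAG_AD, FLAG_CD = 0x0020, 0x0010
OPT_TYPE = 41
EDNS_DO = 0x8000  # DO bit: top bit of the OPT RR's 32-bit TTL field (RFC 3225)


def encode_name(name):
    """Encode a dotted name as DNS wire-format labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, qtype=1, txid=0x1234, dnssec_ok=True, udp_size=4096):
    """Recursive query with an EDNS0 OPT RR; DO set asks for RRSIG/DS/DNSKEY in the reply."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 1)  # QDCOUNT=1, ARCOUNT=1 (OPT)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # QCLASS IN
    ttl = EDNS_DO if dnssec_ok else 0
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_size, ttl, 0)  # root name, RDLEN 0
    return header + question + opt


def query_has_do_bit(msg):
    """True if the first additional RR is an OPT RR with DO set (assumes no answer/authority RRs)."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    pos = 12
    for _ in range(qd):                      # skip the question section (uncompressed names)
        while msg[pos] != 0:
            pos += 1 + msg[pos]
        pos += 1 + 4                         # name terminator + QTYPE/QCLASS
    if an or ns or ar == 0 or msg[pos] != 0:
        return False
    rtype, _, ttl = struct.unpack("!HHI", msg[pos + 1:pos + 9])
    return rtype == OPT_TYPE and bool(ttl & EDNS_DO)


def response_flags(msg):
    """Decode the header bits a client of a validating resolver looks at: AD, CD and RCODE."""
    txid, flags = struct.unpack("!HH", msg[:4])
    return {"id": txid, "qr": bool(flags & FLAG_QR), "rcode": flags & 0x000F,
            "ad": bool(flags & FLAG_AD), "cd": bool(flags & FLAG_CD)}


# Constructed sample headers: a validated NOERROR answer with AD set, and the SERVFAIL (RCODE 2)
# a validating resolver returns when the chain of trust cannot be verified.
SAMPLE_VALIDATED = struct.pack("!HHHHHH", 0x1234, FLAG_QR | FLAG_RD | FLAG_RA | FLAG_AD, 1, 1, 0, 1)
SAMPLE_SERVFAIL = struct.pack("!HHHHHH", 0x1234, FLAG_QR | FLAG_RD | FLAG_RA | 2, 1, 0, 0, 1)

if __name__ == "__main__":
    print("DO bit set:", query_has_do_bit(build_query("www.infoblox.com")))
    print("validated:", response_flags(SAMPLE_VALIDATED)["ad"])
    print("servfail:", response_flags(SAMPLE_SERVFAIL)["rcode"] == 2)
```

A resolver that does not validate will answer without AD even when the zone is signed, so the flag only means something when the client trusts the path to that resolver.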

Questions?
