Scale your DNS Infrastructure: Ensure App and Service Availability

Nigel Ashworth, Solution Architect EMEA

[email protected]

+44 77 88 436 325

Upload: peter-jones

Post on 21-Dec-2015



F5 Agility 2014 2

Agenda

• DNS and F5
• Use Cases - The top four
• Firewall for DNS or a DNS Firewall?
• DNS Reputational Intelligence
• Competitive Comparisons
• DNS Mitigation Test framework
• Context and DNS

DNS and F5

F5 DNS: GSLB to DNS Delivery

• 10.X: Comprehensive GSLB.
• 11.0: High performance DNS delivery.
• 11.1 / 11.2: High performance caching and resolving.
• 11.3: Visibility and reporting.
• 11.4: Security and elastic scalability.
• 11.5: Ease of use. Ease of deployment. Service provider enhancements.
• 11.6: Security; DoS.

F5 DNS, current release: Secure High Performance DNS

F5 DNS Key Drivers

Performance and Consolidation: Service Providers need scale to support millions of subscribers. F5 DNS products have unprecedented scale in virtual, appliance and chassis versions. F5 DNS integrates an ICSA certified firewall into the same footprint, and integrates with other F5 modules running on the same hardware.

Security: DNS Protocol Validation scrubs the incoming DNS queries to only answer valid clients. Massive scale allows BIG-IP to absorb large attacks. Query type filtering and rate limiting features can further protect DNS resources.

Flexible GSLB Integrated with LTM: GTM provides the best answer for DC availability through Intelligent DNS. Base answers on topology, geo-location, health and more.

Addresses Key Customer Pain Points, reducing OpEx and CapEx: F5 DNS Solutions can scale existing DNS installations without impacting operations. Optimized Service Provider DNS solutions maximize uptime and match core resources with customer demand.

Conventional DNS thinking (diagram): Internet → External Firewall → DNS Load Balancing → Array of DNS Servers → Internal Firewall → Hidden Master DNS, spanning the DMZ and the Datacenter.

F5 paradigm shift (diagram): Internet → BIG-IP Global Traffic Manager (30M RPS) → Master DNS Infrastructure.

Use Cases: The top four

1. Local DNS: Where is www.f5.com?
2. Authoritative DNS: Where is www.bell.co.za?
3. GSLB DNS: Where is the closest service? (Data Center / Data Center)
4. GGSN / PGW in the mobile core: SGW/SGSN, MME and (e)NodeB resolve via the BIG-IP Platform (DNS and GSLB), where the diagram also marks a DNS Firewall.

Firewall for DNS or a DNS Firewall?

Anatomy of a DNS Firewall

• IP Anycast
• Pre filter
• Packet inspection
• Performance
• Scaling resolution
• DNSsec and Validation
• Reporting and Automation
• DNS Reputational Intelligence
• DNS scrubbing
• Hardware sizing
• Certification

Anatomy of a DNS Firewall: Packet path (diagram)

Labels recovered from the diagram, in order from clients to the DNS server pool: Clients (IPv4 / IPv6, TCP / UDP); Protocol Validation + ACL; iRules; DNSSEC; GSLB (6-4); GSLB iRules; DNS Express (6-4); DNSSEC; RPZ / Cache / Resolver (DNS 6-4); DNS LB Pool; DNS Server Pool (iRules, local BIND). Client requests and responses flow through these stages; zone transfers (AXFR request and response) load zones from the server pool.

Anatomy of a DNS Firewall: Performance (chart)

Performance over time on TMOS, single processor versus SMP: 2x, 4x and 8x.


Anatomy of a DNS Firewall: Reporting and Automation

Advanced DNS Analytics:
– Applications
– Virtual Servers
– Query Name
– Query Type
– Client IP

Anatomy of a DNS Firewall: DNS Reputational Intelligence

Three mechanisms: Response Policy Zones, URL Filtering and IP Intelligence. They are compared under DNS IP and Name Reputation Choices in the DNS Reputational Intelligence section.

Anatomy of a DNS Firewall: DNS scrubbing (diagram)

DDoS protection reference architecture, with threat feed intelligence and a multiple ISP strategy (ISP a/b) in front and a cloud scrubbing service as the first line of defence:

• Tier 1 (Network and DNS): strategic point of control; access control and policy enforcement. Handles network attacks (ICMP flood, UDP flood, SYN flood) and DNS attacks (DNS amplification, query flood, dictionary attack, DNS poisoning).
• Tier 2 (Application): handles SSL attacks (SSL renegotiation, SSL flood) and HTTP attacks (Slowloris, slow POST, recursive POST/GET). IPS and a next-generation firewall are also drawn.
• Sources: legitimate users, DDoS attacker, scanner, anonymous proxies, anonymous requests, botnet attackers.
• Protected: corporate users, financial services, e-commerce, subscriber.

Anatomy of a DNS Firewall: Hardware sizing

Platforms: VIPRION 4800, VIPRION 44xx Chassis, VIPRION 2400 Chassis, BIG-IP 10x00, BIG-IP 7x00, BIG-IP 5x00, BIG-IP 4x00.


DNS Reputational Intelligence

Protecting the Client: The internet isn't an altogether safe place

Malicious threats
• BotNets: Inadvertently downloaded and used to mount distributed attacks.
• Viruses: Once installed, causes malicious activity on the end-user device, sometimes for ransom.
• OS Vulnerabilities: Unprotected, unpatched devices are extremely vulnerable.

Duping the user
• Phishing scams and Man in the Middle: Websites which impersonate real websites, often linked from email or a website. Scammers aim to capture credentials.
• Site redirection: DNS traffic is captured and sent to a malicious DNS server serving bad DNS results (such as a compromised CPE).

Undesirable content
• Offensive: Content may violate HR or local rules, violate decency standards, or be age inappropriate.
• Irrelevant: Distractive content incompatible with job function or policy.
• Illegal content: File sharing or sites identified as hosting banned material.

DNS IP and Name Reputation Choices

Response Policy Zones*: Screens a DNS request against domain names with a bad reputation. Mitigates threats by FQDN. Applied on the ingress DNS path.

URL Filtering: Categorize the FQDN from the request and make a decision. Policy control by FQDN. Applied to HTTP, HTTPS and DNS with iRules.

IP Intelligence: Categorize the IP address from the response and make a decision. Mitigates threats by FQDN. Applied to any IP protocol with iRules.

*Response Policy Zones (RPZ) are a form of DNS firewall in which the rule sets are expressed as specially constructed DNS zones. In this case, using RPZ means subscribing to commercial threat feeds that provide the up-to-date RPZ lists of bad domains.

Technical Use Cases

Example requests and the nature of the threat:
• http://www.badsite.com: Protect users from accessing malicious websites. DNS lookup required.
• http://194.71.107.15: Protect users from accessing a malicious website by IP address. No DNS lookup issued.*
• http://www.facebook.com: Social networking, against corp policy.

Limitations noted per mechanism: RPZ has no DNS lookup to filter when the client connects by IP address, and covers malicious content only. IP Intelligence is limited to IP address reputation. URL Filtering has no URL or FQDN to examine when the client connects by IP address.

*IPI blocks both the bad IP address (http://194.71.107.15) AND the domain name (www.badsite.com) mapped to the bad IP address.

Use Case – Client Protection: Prevent subscribers from reaching known bad domains

Prevent malware and sites hosting malicious content from ever communicating with a client. Internet activity starts with a DNS request: inhibit the threat at the earliest opportunity.

Diagram labels (BIG-IP GTM): IPv4/v6 Listener, Protocol Validation, iRules, Cache / Resolver, Reputation Database (updated from the RPZ feed), Special Handling.

Use Case – Parental or Enterprise Behavior Controls: Customized DNS decisions based on domain categories

Diagram: a query for WWW.DOMAIN.COM is classified by DNS iRules into categories (Social, Parked Domain, Games, Business, All Others) and logged; the Cache / Resolver answers, and Subscriber Policy is drawn from Subscriber Datagroups via iControl and iQuery, with categories from the URL Feed.

• Determine subscriber policies and use the iControl API to furnish these into iRules.
• Classify client traffic by source and retrieve their specific policy for categories and permissions.
• Block or provide walled garden responses according to subscriber preferences.
• Provided through the URL Filtering license and DNS iRules.

Use Case – Layered Client Protection

Diagram: a query for WWW.DOMAIN.COM passes through DNS iRules on the request and response paths. RPZ, IP Intelligence and URL Filtering appear on both the ingress (request) and egress (response) DNS paths, with Subscriber Policy via iControl and iQuery and the Cache / Resolver in between. Feeds: RPZ Feed, IPI Feed, URL Feed.

• Response Policy Zones (RPZ) filters out and provides NXDOMAIN / Redirect for known bad domains.
• URL Filtering further provides granular policy controls using categories.
• IP Intelligence blocks based on the resolved IP.
• It can also be used in the data path for other protocols.
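The layered path described on this slide and in the reputation-choices comparison above (RPZ, then URL-filtering categories on the ingress path, then IP Intelligence on the resolved answer), as an added Python example that is not F5's code or an iRule; the RPZ rule set, category feed, subscriber policy, reputation networks and resolver answers are constructed stand-ins for the RPZ, URL and IPI feeds.

```python
"""Layered DNS client protection as drawn on the slide: RPZ, then URL-filtering
categories on the ingress (request) path, then IP Intelligence on the egress
(response) path.  Every feed and answer below is constructed; not F5 code."""
import ipaddress
from typing import Optional

# Constructed RPZ-style rules: owner -> target.  "." follows the RPZ convention
# of CNAME . (answer NXDOMAIN); any other target is a redirect (walled garden).
RPZ_RULES = {"badsite.example": ".", "*.badsite.example": ".",
             "phish.example": "walledgarden.example"}
# Constructed URL-filtering category feed and per-subscriber category policy.
URL_CATEGORIES = {"social.example": "SOCIAL", "games.example": "GAMES",
                  "crm.example": "BUSINESS"}
SUBSCRIBER_POLICY = {"203.0.113.10": {"SOCIAL": "walledgarden.example",
                                      "GAMES": "NXDOMAIN"},
                     "203.0.113.20": {}}      # no category restrictions
# Constructed IP Intelligence feed: address space with a bad reputation.
IPI_BAD_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]
# Constructed stand-in for the upstream resolver's answers.
RESOLVER = {"crm.example": "192.0.2.10", "social.example": "192.0.2.20",
            "cdn.example": "198.51.100.7"}

def rpz_lookup(qname: str) -> Optional[str]:
    """Exact owner match first, then the closest enclosing wildcard rule."""
    labels = qname.rstrip(".").lower().split(".")
    if ".".join(labels) in RPZ_RULES:
        return RPZ_RULES[".".join(labels)]
    for i in range(1, len(labels)):
        hit = RPZ_RULES.get("*." + ".".join(labels[i:]))
        if hit is not None:
            return hit
    return None

def resolve(client_ip: str, qname: str) -> dict:
    """Run one query through the three layers and return the verdict."""
    qname = qname.rstrip(".").lower()
    # Ingress layer 1: RPZ feed of known bad domains -> NXDOMAIN or redirect.
    target = rpz_lookup(qname)
    if target == ".":
        return {"layer": "RPZ", "action": "NXDOMAIN", "answer": None}
    if target is not None:
        return {"layer": "RPZ", "action": "REDIRECT", "answer": target}
    # Ingress layer 2: URL-filtering category against this subscriber's policy.
    policy = SUBSCRIBER_POLICY.get(client_ip, {}).get(URL_CATEGORIES.get(qname))
    if policy == "NXDOMAIN":
        return {"layer": "URL", "action": "NXDOMAIN", "answer": None}
    if policy is not None:
        return {"layer": "URL", "action": "REDIRECT", "answer": policy}
    # Resolve upstream, then egress layer 3: IP Intelligence on the answer.
    answer = RESOLVER.get(qname)
    if answer is None:
        return {"layer": "RESOLVER", "action": "NXDOMAIN", "answer": None}
    if any(ipaddress.ip_address(answer) in net for net in IPI_BAD_NETWORKS):
        return {"layer": "IPI", "action": "NXDOMAIN", "answer": None}
    return {"layer": "RESOLVER", "action": "ANSWER", "answer": answer}
```

The verdict records which layer decided, so the same query from two subscribers can be compared: the first two layers act before any upstream lookup, while the IPI decision needs the resolved address.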

Competitive Comparisons

A word on terminology

DNS Express: A high performance authoritative DNS slave. Zone transfer from an existing DNS server and get scale and security.

DNS Caching: Place the F5 BIG-IP in front of a DNS resolver and massively increase DNS performance by caching responses.

DNS Resolver: Use the high performance DNS resolver in BIG-IP to consolidate all DNS and firewall functions into one platform.

DNS Authoritative on F5 BIG-IP Appliances (DNS Express is utilized for BIG-IP numbers)

Chart: responses per second (axis 0 to 1,800,000) for 2000S, 2200S, 4000S, 5000S, 4200V, 7000S, 10000S, 5200V, 10200V and 7200V; series for 11.4 and 11.5.

DNS Authoritative on F5 VIPRION (DNS Express is utilized for BIG-IP numbers)

Chart: responses per second (axis 0 to 25,000,000) for the B2150, B2100, B2250, B4200 and B4300 blades and for the 2400 w/B2100, 2400 w/B2250, 4480 w/B4300 and 4800 w/B4300 chassis; series for 11.4 and 11.5.

DNS Caching on F5 BIG-IP Appliances

Chart: responses per second (axis 0 to 1,400,000) for 2000S, 2200S, 4000S, 4200V, 10000S, 5000S, 7000S, 10200V, 5200V and 7200V; series for 11.4 and 11.5. Callout: 1.3M RPS.

DNS Caching on F5 VIPRION

Chart: responses per second (axis 0 to 18,000,000) for the B2150, B2100, B4300 and B2250 blades and for the 2400 w/B2100, 4480 chassis, 2400 w/B2250 and 4800 chassis; series for 11.4 and 11.5. Callout: 15.5M RPS.

DNS Caching: Cost per 1K RPS, F5 versus Infoblox

Chart: cost in USD based on list (axis 0 to 1600), by included functions: Enterprise & SP (caching/resolving, authoritative and GSLB included); Enterprise (caching/resolving and authoritative included); SP (caching/resolving and authoritative included); SP (caching/resolving included).

DNS Authoritative: Cost per 1K RPS, F5 versus Infoblox

Chart: cost in USD based on list (axis 0 to 1600), by included functions: Enterprise & SP (caching/resolving, authoritative and GSLB included); Enterprise (caching/resolving and authoritative included); SP (caching/resolving and authoritative included); SP (caching/resolving included).

DNS Cache Performance: Infoblox Platform by Platform Comparison with F5

Chart: RPS (axis 0 to 1,400,000) for platforms grouped by like pricing: 2000S vs Infoblox Trinzic 1420, 2200S vs Trinzic 2210, 4000S vs Trinzic 2220, 7000S vs Trinzic 4010, 7200V vs Trinzic 4030.

DNS Authoritative Performance: Infoblox Platform by Platform Comparison with F5

Chart: RPS (axis 0 to 1,800,000) for platforms grouped by like pricing: 2000S vs Infoblox Trinzic 1420, 2200S vs Trinzic 2210, 4000S vs Trinzic 2220, 7000S vs Trinzic 4010, 7200V vs Trinzic 4030.

DNS Mitigation Test framework

Test Rig – Mid platform 2400

• Three major components:
• Traffic Generation (Internal and External)
• DNS server Caching Resolver (Mid Platform BIG-IP 2400 loaded with 4 blades)
• Traffic Responses (External)

10 / 40 Gb interfaces and network. Traffic Generator: 10M DNS requests. Traffic generator and Responder: 10M DNS requests / responses.

Tests to be performed and Why

• First, what to de-risk? Two areas (they are very different and open to different types of attacks):
• Cache in a DNS server
• Resolver in a DNS server

• Types of attacks – many types:
• Volumetric: bad protocol / floods / amplification / reflective; zero TTL – consuming resources; DNSsec – poisoning
• Functional: malware – internal and external RPZ lists; banned lists – ACLs against a domain list; DNS tunnelling – remove free loaders

Traffic Generation for Caching mitigation

• 10M requests per second as internal user requests, broken down as:
• 50% Malware (50/50 customer list and feed lists)
• 20% bad protocol requests
• 10% Valid users
• 10% DNS tunnelling
• 10% Zero TTL on domains (queue protection for the resolver)

• 10 or 40Gb interfaces for scalability
• Can be split across multiple sources / servers

Traffic Generation for Resolver mitigation

• Internal traffic generation and responder on the external side:
• 200K requests per second as internal user requests, all valid users going to the internet (turn cache off so all requests go to the resolver)

• External traffic generation:
• 10M requests per second as attacker requests, broken down as:
• 10% Bad IP addresses – Webroot addresses
• 40% Reflective attackers
• 40% Amplification attackers
• 10% bad protocol requests – DNS flood

• 10 or 40Gb interfaces for scalability
• Can be split across multiple sources / servers

DNS Test Framework (diagram)

BIG-IP GTM and AFM components shown: IPv4/v6 Listener, Protocol Validation, iRules, Cache, Resolver, Response Policy Zone (RPZ), Reputation Database, Special Handling, ACL on IP from AFM, Response Page, IP Intelligence (with the IP Intelligence Service Feed), Subscriber Rate Management; scanners as the traffic source; Splunk logging.

Outcomes

• Agree measurement for:
• Baseline the users' performance and that the DNS is available, confidential and has integrity, for Cache and Resolver
• Measure that the attacks do not affect the users and that the DNS is available, confidential and has integrity; compare to baseline
• It is about risk management to the business while under DNS attack.

Context and DNS

DNS over UDP doesn't prove Identity

• UDP is the primary transport mechanism for DNS because it's low latency and fast for client resolution
• UDP is stateless and trivial to spoof
• A hacker client often doesn't care about the response
• A hacker client can choose to use the most expensive response
• A hacker client can be a random nobody
• A hacker client can IMPERSONATE legitimate clients
• Techniques to identify clients utilize too much CPU
• Big DNS DDoS problem: no easy way to identify good vs bad clients

Preventing DNS Abuse: DNS Tunneling – Prevent it with iRules

Diagram: Clients A to F plotted against a drop threshold and a suspend threshold, combining query rate scoring and response size scoring.

Classify the traffic: Mobile or fixed. Determine the SLA for RPS and allowed response size.

When a client sends in a query: Is the query for a blocked domain (a tunnel host)? Is the query rate above the allowed rate? Increment score. Was the client previously above the allowed rate? Increment score. Resolve the request and analyze the response:
- Factor the response size into the score.

Take an action: Is the client above the score threshold?
- Drop the request
- Suspend DNS service for a period.

DNS Service Protection: Policing Requests for Fairness and Availability

Service Providers need to ensure availability of DNS services to customers according to their service level.

Intelligent per-client IP rate limiting gives SPs the tools to inhibit bad actors, including DNS tunneling, without adversely affecting performance.

Diagram: the service provider (CSP) serves its primary customers; a malicious actor, a compromised client and a regular client send queries through the DNS rate limiter in front of the Cache / Resolver, which tracks per-client DNS rates against rate limits. Actions: suspend DNS service, rate limit client, log malicious identity.
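The scoring sketched on the DNS Tunneling slide (blocked tunnel hosts, query-rate scoring, a repeat-offender increment, response-size scoring, drop and suspend thresholds) and the per-client policing on the DNS Service Protection slide, as one added Python example that is not F5's code or an iRule. The SLA values, thresholds, suspend period and the blocked domain are constructed.

```python
"""Per-client DNS abuse policer following the slide's scoring sketch:
query-rate scoring, response-size scoring, blocked tunnel hosts, and
drop / suspend thresholds.  All parameters are constructed; not F5 code."""
from collections import defaultdict, deque
from dataclasses import dataclass, field

@dataclass
class Sla:
    max_rps: int              # allowed queries per second (constructed)
    max_response_bytes: int   # allowed response size (constructed)

SLA = {"mobile": Sla(max_rps=20, max_response_bytes=512),
       "fixed": Sla(max_rps=50, max_response_bytes=1232)}
DROP_THRESHOLD = 5        # score at which requests start being dropped
SUSPEND_THRESHOLD = 10    # score at which DNS service is suspended
SUSPEND_SECONDS = 60.0
BLOCKED_DOMAINS = {"tunnel.example"}   # constructed known tunnel host

@dataclass
class ClientState:
    score: int = 0
    over_rate_before: bool = False     # was the client over rate last query?
    suspended_until: float = 0.0
    window: deque = field(default_factory=deque)   # timestamps, last 1 s

def is_blocked(qname: str) -> bool:
    """True if qname is a blocked tunnel host or any name under one."""
    q = qname.rstrip(".").lower()
    return any(q == d or q.endswith("." + d) for d in BLOCKED_DOMAINS)

class DnsPolicer:
    def __init__(self):
        self.clients = defaultdict(ClientState)

    def _rate(self, st: ClientState, now: float) -> int:
        """Sliding one-second query count for this client."""
        st.window.append(now)
        while now - st.window[0] >= 1.0:
            st.window.popleft()
        return len(st.window)

    def check(self, client: str, cls: str, qname: str, now: float,
              response_bytes: int) -> str:
        """Score one query and return ANSWER, DROP or SUSPEND; response_bytes
        is the size of the resolver's answer, so tunnel payloads add score."""
        st, sla = self.clients[client], SLA[cls]
        if now < st.suspended_until:
            return "SUSPEND"
        blocked = is_blocked(qname)              # query for a tunnel host?
        st.score += 3 if blocked else 0
        over = self._rate(st, now) > sla.max_rps  # above the allowed rate?
        st.score += 1 if over else 0
        st.score += 1 if over and st.over_rate_before else 0  # previously over
        st.over_rate_before = over
        st.score += 1 if response_bytes > sla.max_response_bytes else 0
        if st.score >= SUSPEND_THRESHOLD:
            st.suspended_until = now + SUSPEND_SECONDS
            return "SUSPEND"
        return "DROP" if blocked or st.score >= DROP_THRESHOLD else "ANSWER"
```

A client that stays within its class SLA never accumulates score, so the regular client keeps being answered while a burst over the rate or a run of oversize answers walks the same client from ANSWER through DROP to SUSPEND.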

PATENTS: Issued Patents

• US Patent No 8,261,351. Inventors: Lisa Golden; Peter Thornewell. Title: DNS Flood Protection Platform for a Network. Filed January 22, 2008. Issued September 4, 2012.

DNS Reference Architectures

DNS and GSLB in:

CURRENT
1. Cloud Bursting
2. Cloud Migration
3. DDoS Protection
4. Intelligent DNS Scale
5. Network Functions Virt.
6. Security for Service Providers
7. S/GI Network Simplification

FUTURE
8. Intelligent DNS for SPs
9. Multi-Hybrid Data Centers