1 DNS Caching: critical operator infrastructure and the last piece of the puzzle. Adam Obszyński, CISSP, CCIE #8557, Regional Sales Engineer Eastern Europe
2 A long time ago (AD)
3 Two kinds of external DNS servers? (1) Authoritative name servers hosting company.com (the corporate web site), answering Internet users. (2) Forwarders (aka resolvers, DNS cache), which enable web surfing, sending e-mail, etc. for internal applications and internal users. Diagram: Internet, BIND DNS, web server and mail server on Ethernet; internal BIND DNS on Ethernet.
4 What are we talking about today? Which piece of the puzzle are we interested in? Why do we think about DNS cache? How can it be done better, or even best? How have others done it?
6 Bandwidth -> Core (Cisco.com)
7 Bandwidth -> Access
8 Serialization -> Access. It was true in 1999 and 2000, not today :-) (Cisco.com)
9 DNS: scale. Number of queries: a 28-times increase in one year. Cause of the increase: the DNS prefetching function (Firefox -> enabled), auto update, web history. Source: NTT Information Sharing Platform Laboratories
10 What are we talking about today? Which piece of the puzzle are we interested in? Why do we think about DNS cache? How can it be done better, or even best? How have others done it?
11 DNS Not Just Glue...
12 Web Prefetching Srinivas Krishnan and Fabian Monrose Department of Computer Science University of North Carolina at Chapel Hill
13 Web delay sample: fast web performance starts with DNS (chart of a page loading 300 objects from multiple domains).
14 Web delay sample 2: fast web performance starts with DNS. Two components of DNS latency: (1) latency between client and server; (2) latency between caches and name servers, driven by cache misses, under-provisioning and malicious traffic. Source: https://developers.google.com/
15 DNS challenges
- Data traffic explosion drives increasing DNS load: the rise of applications such as Facebook and of mobile devices is causing huge growth in DNS traffic.
- Customer satisfaction is critical: unsatisfied mobile customers readily switch providers.
- A distributed DNS approach places caching servers closer to the customer, because response time is critical to the customer experience; but centralized management then becomes a critical requirement.
16 Costs of maintaining DNS infrastructure are on the rise
- More DNS servers = higher management costs.
- Security vulnerability patching costs are high.
- Securing DNS infrastructure requires additional equipment and skills.
- High-availability implementations require significant expense and skills.
- Chart: time for the task "update the DNS software on 15 name servers", BIND vs. Infoblox (5-20 min.), shown as percent faster.
17 How ISPs deal with DNS today*
- Increase the number of DNS servers.
- Use faster underlying server hardware.
- Use load balancers to handle load and IPSs to handle vulnerabilities.
- Code expensive customized changes into DNS software.
18 What are we talking about today? Which piece of the puzzle are we interested in? Why do we think about DNS cache? How can it be done better, or even best? How have others done it?
19 Mitigations of DNS cache problems
- Over-provisioning: caching DNS resolvers demand a lot of network input/output and are highly vulnerable to cache poisoning (cache miss rate); prepare for DoS/DDoS by over-provisioning with many machines.
- Load balancing for shared caching: possible backfire -> independent caches reduce the cache hit rate; load-balance without fragmentation. Think about 2 levels: close to the user -> a small cache holding the most popular names; 2nd level -> distributed per name.
- Distributed clusters for geographical coverage: closer to your users -> less latency; DNS Anycast (details later).
- BUT centralized HUGE servers can help with fragmentation! Low latency from the user to the data center is needed.
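The "possible backfire" of load balancing on this slide can be shown numerically. The following is an added simulation, not code from the presentation or from Infoblox: it replays a constructed Zipf-distributed query stream through a pool of LRU caches fed round-robin (each cache independently learning the same popular names), through the same pool sharded by a hash of the query name, and through the two-level design the slide describes (small caches near the users in front of a name-sharded second tier). Cache sizes, the number of names, the Zipf exponent and the example host names are assumptions; TTL expiry is ignored so that only capacity fragmentation is measured.

```python
"""Cache hit-rate simulation: independent load-balanced caches vs. name-sharded and two-level caching (added example)."""
import hashlib
import random
from collections import OrderedDict


class LruCache:
    """Minimal LRU cache of query names. TTL is ignored: only capacity matters for this comparison."""

    def __init__(self, capacity):
        self.capacity = capacity
        self.entries = OrderedDict()
        self.hits = 0
        self.misses = 0

    def lookup(self, qname):
        """Return True on a hit; on a miss, insert the name and evict the least recently used entry."""
        if qname in self.entries:
            self.entries.move_to_end(qname)
            self.hits += 1
            return True
        self.misses += 1
        self.entries[qname] = True
        if len(self.entries) > self.capacity:
            self.entries.popitem(last=False)
        return False


def zipf_queries(n_queries, n_names, seed=7):
    """Constructed query stream: name popularity follows a Zipf(1) law, a common assumption for DNS traffic."""
    rng = random.Random(seed)
    names = [f"host{rank}.example" for rank in range(1, n_names + 1)]   # constructed names
    weights = [1.0 / rank for rank in range(1, n_names + 1)]
    return rng.choices(names, weights=weights, k=n_queries)


def name_shard(qname, n_caches):
    """Stable shard choice by name: the same (case-folded) name always lands on the same cache."""
    digest = hashlib.sha256(qname.lower().encode("ascii")).digest()
    return int.from_bytes(digest[:4], "big") % n_caches


def round_robin_hit_rate(queries, n_caches, capacity):
    """Load balancer that ignores the qname: every cache must learn every popular name on its own."""
    caches = [LruCache(capacity) for _ in range(n_caches)]
    for i, q in enumerate(queries):
        caches[i % n_caches].lookup(q)
    return sum(c.hits for c in caches) / len(queries)


def name_hash_hit_rate(queries, n_caches, capacity):
    """Load balancer that shards by qname: the pool behaves like one cache of n_caches * capacity names."""
    caches = [LruCache(capacity) for _ in range(n_caches)]
    for q in queries:
        caches[name_shard(q, n_caches)].lookup(q)
    return sum(c.hits for c in caches) / len(queries)


def two_level_hit_rates(queries, n_edge, edge_capacity, n_core, core_capacity):
    """Small caches near the users answer the popular names; their misses go to a name-sharded core tier.

    Users are assumed to be spread evenly over the edge caches (round-robin).
    Returns (edge_hit_rate, core_hit_rate, upstream_miss_rate); the three sum to 1.
    """
    edges = [LruCache(edge_capacity) for _ in range(n_edge)]
    cores = [LruCache(core_capacity) for _ in range(n_core)]
    upstream = 0
    for i, q in enumerate(queries):
        if edges[i % n_edge].lookup(q):          # answered close to the user
            continue
        if not cores[name_shard(q, n_core)].lookup(q):
            upstream += 1                        # both tiers missed: a recursive query leaves the network
    n = len(queries)
    return (sum(e.hits for e in edges) / n, sum(c.hits for c in cores) / n, upstream / n)


if __name__ == "__main__":
    qs = zipf_queries(50_000, 5_000)
    print("round-robin pool   hit rate:", round(round_robin_hit_rate(qs, 4, 500), 3))
    print("name-sharded pool  hit rate:", round(name_hash_hit_rate(qs, 4, 500), 3))
    edge, core, upstream = two_level_hit_rates(qs, 4, 100, 4, 500)
    print(f"two-level: edge {edge:.3f}, core {core:.3f}, upstream misses {upstream:.3f}")
```

With the same total cache memory, the round-robin pool stores the same popular names four times over and every cache pays its own cold misses, so its hit rate is well below the name-sharded pool's; the two-level layout keeps the latency benefit of a nearby cache while sending far fewer recursive queries upstream than the fragmented pool.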
20 DNS Anycast (diagram): two DNS cache servers each advertise the same anycast address through routing advertisements; a client's query to the anycast address is delivered to the nearest cache. Infoblox Inc. All Rights Reserved.
22 DNS Anycast (diagram): when one DNS cache's route is removed (its routing advertisement stops), queries to the anycast address are automatically re-routed to the next nearest cache.
24 Cache poisoning checklist by Cricket Liu
- Use dedicated forwarders.
- Run the most robust server code.
- Split external/internal servers and forwarders.
- Filter traffic to/from your forwarders.
25 Other cases
- For DNSSEC, size is important :-) TCP and EDNS/DNSSEC: check your ACLs, check your firewalls.
- Spoofing: check RFC 5452 (Measures for Making DNS More Resilient against Forged Answers) for security.
- DNS cache pollution: RFC 1918 ranges (AS112), the .local and .localhost domains.
- Flood.
- Educate your users!
- Newest concepts: a DNS cache server per user? Hardened OS.
26 Devices vs. solutions: dedicated vs. self-made. A dedicated DNS cache appliance does not stop answering queries from cache when capacity limits are reached for cache misses. Chart: average latency (seconds), BIND 9.8 vs. HW DNS cache.
27 Focus: dedicated vs. self-made. Note how the response rate drops off at 35k queries per second. This is a result of the total number of outstanding recursive requests hitting the processing limit.
28 What are we talking about today? Which piece of the puzzle are we interested in? Why do we think about DNS cache? How can it be done better, or even best? How have others done it?
29 / Servers
30 Google, OpenDNS and more
31 Removed
37 Number of servers/appliances needed to reach 500K and 1M DNS QPS
                      500K DNS QPS    1M DNS QPS
  BIND                13 servers      25 servers
  HW DNS appliance    1               1
A hardware DNS appliance can achieve over 1M DNS QPS; BIND requires 13 servers to reach 500K DNS QPS and 25 servers to achieve 1M DNS QPS.
38 DNS challenges they had
- ISPs need reliable, high-performance DNS servers.
- Limited options for carrier-grade server hardware: needs field-replaceable, hot-swappable PSU/fan/HDD.
- DNS queries/sec performance needs to be high.
- Avoid buying and managing a large number of servers; reduce support cost.
- Protection against network threats is a growing concern.
- Traditional ISP DNS uses BIND software on generic servers: extensive maintenance burden.
- Customers want to move away from software-only solutions: they need a high-performance appliance plus ease of management, no field software installs to customer units, and an SLA.
39 Questions?
40 Anti DoS/DDoS techniques
- TCP SYN flood: tracks the number of SYN requests per second; if the number of SYN requests goes above a threshold, the code examines the requests to see whether the clients are responding with ACKs; if not, the clients are added to a temporary gray list and any pending connections are torn down.
- UDP flood: if it detects that a high number of packets with a very small payload are being received from a client or pool of clients, the client IP address is placed on a gray list. All traffic from addresses on the gray list is dropped for 60 seconds, after which they are removed from the gray list.
- Spoofed source addresses: the attack involves sending a spoofed TCP SYN packet (connection initiation) with the target host's IP address to an open port as both source and destination.
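The gray-listing logic described on this slide, as an added Python model that is not the appliance's code: bare SYNs are tracked as pending half-open connections per client, a per-second SYN threshold triggers an examination that gray-lists clients that never answered with an ACK and tears down their pending connections, small-payload UDP packets are counted per client per second, and gray-listed addresses are dropped for 60 seconds and then released. The numeric thresholds, the one-second ACK grace period and the packet trace are constructed assumptions; the slide itself gives only the 60-second drop interval.

```python
"""Rate-based SYN-flood and UDP-flood gray-listing, modelled on the slide's description (added example)."""
from collections import defaultdict
from dataclasses import dataclass, field

GRAYLIST_SECONDS = 60                 # from the slide: gray-listed traffic is dropped for 60 seconds
SYN_PER_SECOND_THRESHOLD = 50         # assumed; the slide names no value
ACK_GRACE_SECONDS = 1.0               # assumed: time a client gets to complete the handshake with an ACK
UDP_SMALL_PAYLOAD_BYTES = 32          # assumed cut-off for a "very small payload"
UDP_SMALL_PER_SECOND_THRESHOLD = 100  # assumed


@dataclass
class Packet:
    ts: float
    src: str
    proto: str            # "tcp" or "udp"
    flags: str = ""       # TCP flags as letters, e.g. "S" (SYN) or "A" (ACK)
    payload_len: int = 0


@dataclass
class FloodGuard:
    gray_until: dict = field(default_factory=dict)                      # ip -> time the gray-list entry expires
    syn_count: dict = field(default_factory=lambda: defaultdict(int))   # second -> bare SYNs seen
    pending: dict = field(default_factory=dict)                         # ip -> timestamp of oldest unanswered SYN
    udp_small: dict = field(default_factory=lambda: defaultdict(lambda: defaultdict(int)))  # second -> ip -> count
    torn_down: list = field(default_factory=list)                       # ips whose pending connections were dropped

    def is_graylisted(self, ip, now):
        """True while the address is gray-listed; entries older than 60 s are removed on the way."""
        expiry = self.gray_until.get(ip)
        if expiry is None:
            return False
        if now >= expiry:
            del self.gray_until[ip]
            return False
        return True

    def process(self, pkt):
        """Return "drop" for gray-listed sources, otherwise "accept" after updating the counters."""
        if self.is_graylisted(pkt.src, pkt.ts):
            return "drop"
        if pkt.proto == "tcp":
            self._tcp(pkt)
        elif pkt.proto == "udp":
            self._udp(pkt)
        return "accept"

    def _tcp(self, pkt):
        second = int(pkt.ts)
        if "S" in pkt.flags and "A" not in pkt.flags:        # bare SYN: a new half-open connection
            self.pending.setdefault(pkt.src, pkt.ts)
            self.syn_count[second] += 1
            if self.syn_count[second] > SYN_PER_SECOND_THRESHOLD:
                self._examine_pending(pkt.ts)
        elif "A" in pkt.flags:                               # the client answered: handshake completed
            self.pending.pop(pkt.src, None)

    def _examine_pending(self, now):
        """Gray-list every client whose oldest SYN has gone unanswered for longer than the grace period."""
        for ip, first_syn in list(self.pending.items()):
            if now - first_syn >= ACK_GRACE_SECONDS:
                self.gray_until[ip] = now + GRAYLIST_SECONDS
                self.torn_down.append(ip)
                del self.pending[ip]                         # tear down its pending connections

    def _udp(self, pkt):
        if pkt.payload_len > UDP_SMALL_PAYLOAD_BYTES:
            return                                           # normal-sized datagram, e.g. a DNS query
        second = int(pkt.ts)
        self.udp_small[second][pkt.src] += 1
        if self.udp_small[second][pkt.src] > UDP_SMALL_PER_SECOND_THRESHOLD:
            self.gray_until[pkt.src] = pkt.ts + GRAYLIST_SECONDS


def constructed_scenario():
    """Constructed packet trace (documentation addresses): three legitimate clients, one SYN flooder, one UDP flooder."""
    pkts = [
        Packet(0.0, "192.0.2.10", "tcp", "S"), Packet(0.2, "192.0.2.10", "tcp", "A"),    # normal handshake
        Packet(2.1, "192.0.2.11", "tcp", "S"), Packet(2.3, "192.0.2.11", "tcp", "A"),    # handshake during the flood
        Packet(2.48, "192.0.2.12", "tcp", "S"), Packet(2.6, "192.0.2.12", "tcp", "A"),   # ACK arrives inside the grace period
        Packet(5.5, "192.0.2.10", "udp", payload_len=60),                                # normal-sized UDP datagram
    ]
    # 203.0.113.5 sends 200 bare SYNs over two seconds and never completes a handshake
    pkts += [Packet(1.0 + i * 0.0099, "203.0.113.5", "tcp", "S") for i in range(100)]
    pkts += [Packet(2.0 + i * 0.0099, "203.0.113.5", "tcp", "S") for i in range(100)]
    pkts += [Packet(30.0, "203.0.113.5", "tcp", "S"), Packet(70.0, "203.0.113.5", "tcp", "S")]
    # 198.51.100.7 sends 150 tiny UDP datagrams within one second, then one more a little later
    pkts += [Packet(5.0 + i * 0.006, "198.51.100.7", "udp", payload_len=8) for i in range(150)]
    pkts += [Packet(6.0, "198.51.100.7", "udp", payload_len=8)]
    return pkts


def run(pkts):
    """Feed a trace through the guard in timestamp order; return the guard and per-packet decisions."""
    guard = FloodGuard()
    decisions = [(p.ts, p.src, guard.process(p)) for p in sorted(pkts, key=lambda p: p.ts)]
    return guard, decisions


if __name__ == "__main__":
    guard, decisions = run(constructed_scenario())
    dropped = defaultdict(int)
    for _, src, decision in decisions:
        if decision == "drop":
            dropped[src] += 1
    print("pending connections torn down for:", guard.torn_down)
    print("dropped packets per source:", dict(dropped))
```

The SYN flooder is only gray-listed once its oldest SYN has gone unanswered for a full grace period, so the legitimate client whose SYN arrived just before the examination survives because its ACK is still within the window; its packet at 30 s is dropped and its packet at 70 s is accepted again, matching the 60-second lifetime on the slide.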