BEST PRACTICES FOR IMPROVING EXTERNAL DNS RESILIENCY AND PERFORMANCE

Similar documents
ANATOMY OF A DDoS ATTACK AGAINST THE DNS INFRASTRUCTURE

USING TRANSACTION SIGNATURES (TSIG) FOR SECURE DNS SERVER COMMUNICATION

OVERVIEW OF THE DNS AND GLOSSARY OF TERMS

The Canadian Internet Registration Authority (CIRA) manages a 100% up time service - the.ca domain name registry for over 2.

THE MASTER LIST OF DNS TERMINOLOGY. First Edition

THE MASTER LIST OF DNS TERMINOLOGY. v 2.0

State of the Cloud DNS Report

State of the Cloud DNS Report

High-Performance DNS Services in BIG-IP Version 11

STATE OF DNS AVAILABILITY REPORT

CDN SERVICE ICSS ROUTE MANAGED DNS DEUTSCHE TELEKOM AG INTERNATIONAL CARRIER SALES AND SOLUTIONS (ICSS)

F5 Intelligent DNS Scale. Philippe Bogaerts Senior Field Systems Engineer mailto: Mob.:

K-Root Name Server Operations

Deploying IP Anycast. Core DNS Services for University of Minnesota Introduction and General discussion

Computer Networks: Domain Name System

Best Practices in DNS Anycast Service-Provision Architecture. Version 1.1 March 2006 Bill Woodcock Gaurab Raj Upadhaya Packet Clearing House

DNS Best Practices. Mike Jager Network Startup Resource Center

5 DNS Security Risks That Keep You Up At Night (And How To Get Back To Sleep)

Strengthening our Ecosystem through Stakeholder Collaboration. Jia-Rong Low, Sr Director, Asia 20 August 2015

DNS Architecture Case Study: Resiliency and Disaster Recovery

Best Practices For Architecting DNS and DHCP Networks. No IP. No Network. No Business.

F5 and Infoblox DNS Integrated Architecture Offering a Complete Scalable, Secure DNS Solution

Top Five DNS Security Attack Risks and How to Avoid Them

SAC 049 SSAC Report on DNS Zone Risk Assessment and Management

Request Routing, Load-Balancing and Fault- Tolerance Solution - MediaDNS

The Domain Name System (DNS) A Brief Overview and Management Guide

The F5 Intelligent DNS Scale Reference Architecture.

TECHNICAL WHITE PAPER. Infoblox and the Relationship between DNS and Active Directory

Securing DNS Infrastructure Using DNSSEC

Lesson 13: DNS Security. Javier Osuna GMV Head of Security and Process Consulting Division

FortiBalancer: Global Server Load Balancing WHITE PAPER

Part 5 DNS Security. SAST01 An Introduction to Information Security Martin Hell Department of Electrical and Information Technology

FAQ (Frequently Asked Questions)

Securing an Internet Name Server

DNS Cache Poisoning Vulnerability Explanation and Remedies Viareggio, Italy October 2008

Where is Hong Kong in the secure Internet infrastructure development. Warren Kwok, CISSP Internet Society Hong Kong 12 August 2011

2012 Infrastructure Security Report. 8th Annual Edition Kleber Carriello Consulting Engineer

DNS Caching Krytyczna infrastruktura operatora i ostatni element układanki

The secret life of a DNS query. Igor Sviridov <sia@nest.org>

The OpenDNS Global Network Delivers a Secure Connection Every Time. Everywhere.

Putting Web Threat Protection and Content Filtering in the Cloud

A Survey of cctld DNS Vulnerabilities. ITU cctld Workshop March 3, 2003

Global Server Load Balancing

DNSSEC and DNS Proxying

Decoding DNS data. Using DNS traffic analysis to identify cyber security threats, server misconfigurations and software bugs

Building Nameserver Clusters with Free Software

DOMAIN NAME SECURITY EXTENSIONS

Array Networks NetContinuum. Netli. Fine Ground. StrangeLoop. Akamai. Barracuda. Aptimize. Inkra. Nortel. Juniper. Cisco. Brocade/Foundry.

Use Domain Name System and IP Version 6

Public-Root Name Server Operational Requirements

The Domain Name System from a security point of view

WAN Traffic Management with PowerLink Pro100

Enterprise Buyer Guide

Introduction to the Domain Name System

Network Infrastructure Under Siege

Measures to Protect (University) Domain Registrations and DNS Against Attacks. Dave Piscitello, ICANN

Submission of the.au Domain Administration Ltd (auda) to the Australian Government's Cyber Security Review

Infoblox Inc. All Rights Reserved. Talks about DNS: architectures & security

DNS security: poisoning, attacks and mitigation

The Environment Surrounding DNS. 3.1 The Latest DNS Trends. 3. Technology Trends

Solutions as a Service N.Konstantinidis Technical Director - MNG

Datacenter Transformation

Scale your DNS Infrastructure Ensure App and Service Availability. Nigel Ashworth Solution Architect EMEA

Recommended IP Telephony Architecture

Neustar UltraDNS Managed DNS

MOC 6435A Designing a Windows Server 2008 Network Infrastructure

DNSSEC. Introduction. Domain Name System Security Extensions. AFNIC s Issue Papers. 1 - Organisation and operation of the DNS

NET0183 Networks and Communications

Acquia Cloud Edge Protect Powered by CloudFlare

Global Server Load Balancing

DNSSEC: A Vision. Anil Sagar. Additional Director Indian Computer Emergency Response Team (CERT-In)

How to Evaluate DDoS Mitigation Providers:

Telecom Business Continuity Solutions FOR INTERNAL USE ONLY

Domain Name Service (DNS) Training Division, NIC New Delhi

The Continuing Denial of Service Threat Posed by DNS Recursion (v2.0)

Harness Your Internet Activity!

Presented by Greg Lindsay Technical Writer Windows Server Information Experience. Presented at: Seattle Windows Networking User Group April 7, 2010

Optimize Application Delivery Across Your Globally Distributed Data Centers

Protecting DNS Critical Infrastructure Solution Overview. Radware Attack Mitigation System (AMS) - Whitepaper

Transcription:

BEST PRACTICES FOR IMPROVING EXTERNAL DNS RESILIENCY AND PERFORMANCE

BEST PRACTICES FOR IMPROVING EXTERNAL DNS RESILIENCY AND PERFORMANCE Your external DNS is a mission critical business resource. Without it, no one can reach your website, email, or web applications. Additionally, poor DNS performance translates into slow access to your website and lost customers. The cost of outages or unacceptable latency can range from a few unhappy users to millions of dollars per hour depending on the scale of e-commerce. Recent high-profile attacks leveraging the DNS to take down enterprise websites have raised awareness of DNS outages. DDoS attacks are not the only threat. External name servers operate in a hostile environment and can be brought down in a number of ways, including: server failures, network failures, natural disasters, power outages and security breaches. The following are some best practices to help organizations to improve the performance, resiliency and fault tolerance of their external DNS. Best Practice 1 USE A HIDDEN MASTER A hidden master is a name server that is not advertised and does not appear in any name server records. In other words, it is not known publicly on the Internet and does not answer any queries. The hidden master s purpose is to provide zone transfers to a set of secondary name servers that are known publicly and answer queries. The benefits of a hidden master are: Fault tolerance Master can go down without impacting the resolution of your domain. Security IP address of the name server is not published, and is less likely to be hacked. Easy administration Reloads and restarts of the hidden master do not impact resolution of your domain. Best Practice 2 DISABLE RECURSION ON YOUR EXTERNAL NAMESERVERS Disable recursion on your hidden master and authoritative external nameservers. Turning off recursion reduces the vulnerability to denial of service attacks and cache poisoning, and helps improve performance. 2

CORPORATE NETWORK PUBLIC INTERNET Zone File Administrator Primary DNS Zone File Secondary DNS Internal DNS Best Practice 3 USE TSIG TO SECURE NAMESERVER TO NAMESERVER COMMUNICATIONS Communication between the hidden master and secondary nameservers should be cryptographically authenticated using Transaction Signatures (TSIG). TSIG is much more secure than source IP address filtering which can be easily spoofed with UDP. Best Practice 4 PLACE NAMESERVERS CLOSE TO USERS The latency of DNS lookups is important for your website. Long latency can translate into lost customers and revenue. Your authoritative nameservers answer queries from other nameservers on the Internet. To ensure a good user experience and fast access to your website, place your nameservers close to, or quickly accessible from the nameservers querying them. Optimally, this would involve placing nameservers in locations with good access to the Internet such as Internet Exchange Points (IXPs). The highly recommended solution is an outsourced secondary anycast DNS service. With anycast, multiple geographically distributed nameservers share a single IP address and queries are routed to the closest nameserver. When selecting an anycast DNS secondary service, make sure the nameservers are located in IXPs that map geographically to your customers. Best Practice 5 MAKE YOUR DNS RESILIENT TO DDOS ATTACKS. DDoS attacks using DNS as the attack vector are on the rise. Increase resiliency to DDoS attacks with the extra query capacity and bandwidth of an anycast DNS cloud. To the world, the anycast cloud appears as a single IP address. In reality it is a network of geographically distributed nameservers. An anycast cloud is much more resilient to a DDoS attack than single unicast servers because it uses geo-location to specify what server answers a query and it has the combined capacity and bandwidth of all the servers. With anycast, the impact of an attack is isolated to the name server closest to the source(s) of the attack. 3

Most DDoS attacks originate offshore. When selecting an anycast DNS service ensure there are international nodes that can soak offshore attacks. An international node sinks traffic from an offshore attack while helping domestic name servers to remain unaffected. UNICAST ANYCAST Best Practice 6 MAKE YOUR DNS DISASTER PROOF Use redundancy to make your external DNS disaster proof. With unicast servers, this means at least two nameservers in different locations. A better alternative is an anycast DNS cloud to provide redundancy. If a nameserver in an anycast cloud goes down, it is automatically removed from the routing tables. In this way, anycast adds redundancy and fault tolerance. With anycast, the highest level of redundancy is achieved with two separate clouds. When compared to unicast redundancy, it is like replacing two unicast nameservers with two anycast clouds. Make sure the clouds use independent hardware and transit providers. This protects against a routing problem or transit network outage from bringing down your DNS. Queries are routed to the nearest instance of the nameserver Automatic failover to another instance of the namesever Best Practice 7 USE ANYCAST DNS Anycast has been in use for more than 10 years to provide name services for the root server on the Internet as well as many top-level domains including.ca. Anycast DNS is the optimal solution for fault-tolerance, DDoS resiliency and placing name servers close to users. For most organizations, building and managing their own anycast DNS infrastructure is too expensive and not practical. Fortunately, an anycast DNS service like D-Zone Anycast DNS can be easily added to your DNS infrastructure. 4

D-ZONE ANYCAST DNS SERVICE HELPING YOU TO PROTECT YOUR BUSINESS The D-Zone Anycast DNS Service is a secondary anycast DNS network designed for Canadian organizations or organizations serving the Canadian market. Features at a glance: 100 per cent availability and service level agreement (SLA). 100 times over-provisioned architecture with state-of-the-art equipment and redundancy at every node. Global DNS nodes within Canada and in international Internet hubs. Local DNS nodes geographically close to, and protecting, in-region traffic from malicious activity against the DNS. Strong Canadian presence reduces the latency for Canadian visitors. Two clouds for failover redundancy and protection from DNS DDoS attacks on local nodes. Secondary service is easily added to an existing DNS infrastructure to improve its overall resilience and performance. Support for DNSSEC. Support for IPv6. LEARN MORE For information on ordering, finding a reseller, or becoming a reseller please contact info@d-zone.ca or visit cira.ca/d-zone. ABOUT CIRA The Canadian Internet Registration Authority (CIRA) manages Canada s.ca domain name registry as a 100 per cent up time service for Canadians and Canadian organisations. In addition to stewardship over.ca, CIRA develops and implements policies that support Canada s Internet community and the.ca registry internationally. 5

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information