
Field Call Dynamic DNS Infrastructure v11.2 (Slides)

The document discusses Dynamic DNS infrastructure and services provided by F5 Networks. It covers improving web performance through faster DNS resolution, protecting domains from DDoS attacks, and directing traffic to appropriate data centers. The presentation highlights new capabilities in BIG-IP GTM version 11.2 for high-performance DNS caching and resolving and complete DNS security validation. It also provides an overview of DNS/HTTP growth drivers and the value of a complete DNS and web solution.


CONFIDENTIAL

Dynamic DNS Infrastructure

Jonathan George, PMM – DNS/GSLB Services / App. Security


Nathan Meyer, PM – DNS/GSLB Services

Dynamic DNS Infrastructure

• Improve web performance and browsing

• Protect your site and reputation

• Direct customers to right data center and clouds

• Reduce data center costs

© F5 Networks, Inc.

Agenda

Demand and Complexity


Current Use Cases and Services
New BIG-IP GTM v11.2 Use Cases and Services
• High performance DNS Caching and Resolving
• Complete DNS Security with Validation
DNS iRules Update
DNS Caching and Resolving Deployment
• Including DNS Monitor in LTM/GTM
Who, how and what to target
Resources and Next Steps


Driving Demand for DNS/HTTP

Increase DNS/HTTP due to query growth

Clients

• Last 5 years, volume of DNS queries 2x+* (.com/.net)


• Average daily query load of 57 billion in the first quarter of 2011*
• Future growth is expected to occur at an even faster pace*

Larger, More Complex Web = More DNS/HTTP


• Fundamental change in the way apps. are used
• Site requests spawn subsequent DNS requests slowing page loads
• Every image, add button, widget, link, etc. has a potential IP address lookup

Video by https://www.dnssec-tools.org/

1 Webpage = Multiple Name Resolutions

https://www.dnssec-tools.org/ Sponsored by: DHS S&T

7/20/11

Distributing Requests Across Clouds


Cloud-balancing with DNS and GSLB Services

Simple and Robust Cloud DNS Management:


• Ensure DNS queries routed efficiently to best DC or cloud
• Extend query management and caching to cloud deployments
• Increase productivity with fast app. responses
Complete DNS and HTTP Services and Protection

[Diagram: BIG-IP Global Traffic Manager (GTM) on TMOS. Labels: Fast, Scalable, Secure, Available; High Performance DNS; Scalable DNS; Secure DNS; DNSSEC; IP Geolocation; DNS DDoS Protection; DNS IPv6 to IPv4; Complete DNS Control; Global Availability; iRules, iControl, iApps]

The Value of Complete DNS / Web Solution

Scalable 10x; 70% Denial of Service Mitigation

Support client requests


Complete DNS control and consolidates IT

Access Denied:
IPv6 to IPv4

Route based on geolocation Secure DNS Query Responses

http://f5.com

Dynamic Site Response and App. Delivery


DNS Caching and Resolving in BIG-IP GTM.

DNS response time:
• 300ms = Mobile
• 100ms = PCs

400ms = blink of an eye

[Diagram: Internal Clients, BIG-IP Global Traffic Manager, Data Center, Cloud (Private, Public); latency labels 100ms, 15ms, 15ms]

• Faster Web browsing from reduced DNS latency
─ 80% reduction in DNS latency delivering faster web
• Reduced DNS infrastructure costs
─ 80% reduction of outbound DNS queries

Response Time after DNS Caching Implemented


• DNS Benchmark caching response visual
– BIG-IP GTM DNS Caching/Resolving
– 80% reduction in latency

Secure DNS Query Response

Simple DNSSEC:
• Protection from cache poisoning and reduce management costs
• Ensure trusted DNS queries with dynamically signed responses
• Implement BIG-IP GTM in front of existing DNS servers

Slow Response on DNSSEC validation


• Validating secure site responses requires lots of steps that slow response times
• For example, http://isc.org: 15 steps!!

1. A record for www.isc.org is signed by
2. RRSIG record covering www.isc.org/A is verified by
3. (ZSK) DNSKEY record for isc.org is signed by
4. RRSIG record covering isc.org/DNSKEY is verified by
5. (KSK) DNSKEY record for isc.org is verified by
6. DS record for isc.org is signed by
7. RRSIG record covering isc.org/DS is verified by
8. (ZSK) DNSKEY record for org is signed by
9. RRSIG record covering org/DNSKEY is verified by
10. (KSK) DNSKEY record for org is verified by
11. DS record for org is signed by
12. RRSIG record covering org/DS is verified by
13. (ZSK) DNSKEY record for . is signed by
14. RRSIG record covering ./DNSKEY is verified by
15. (KSK) DNSKEY record for .
Example provided by infoblox.com
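
The 15-step chain above, generalized as an added example (not from the F5 or Infoblox material): a structural walk that lists every record a validator touches for any name and reports where a chain breaks. It checks record presence only, not signatures; the function names and the sample record sets are constructed, and the list of enclosing zones is assumed known.

```python
def chain_steps(qname, qtype, zones):
    """Records a validator must touch, from the answer up to the root KSK.

    zones: enclosing signed zones, child first, ending with "." (assumed known).
    """
    steps = [f"{qtype} record for {qname}",
             f"RRSIG record covering {qname}/{qtype}"]
    for i, zone in enumerate(zones):
        steps += [f"(ZSK) DNSKEY record for {zone}",
                  f"RRSIG record covering {zone}/DNSKEY",
                  f"(KSK) DNSKEY record for {zone}"]
        if i < len(zones) - 1:
            # Every zone except the root is vouched for by a signed DS in its
            # parent; the root KSK is the configured trust anchor.
            steps += [f"DS record for {zone}",
                      f"RRSIG record covering {zone}/DS"]
    return steps


def validation_state(steps, available):
    """Classify a constructed record set as secure, insecure or bogus.

    Structural check only. A missing DS is treated as an unsigned delegation
    ("insecure"), which assumes the parent gave authenticated proof that no DS
    exists. Any other missing link breaks the chain ("bogus").
    """
    for step in steps:
        if step not in available:
            state = "insecure" if step.startswith("DS record") else "bogus"
            return state, step
    return "secure", None


if __name__ == "__main__":
    steps = chain_steps("www.isc.org", "A", ["isc.org", "org", "."])
    for n, step in enumerate(steps, 1):
        print(f"{n:2d}. {step}")
    # Constructed failure: the org zone's DNSKEY signature was stripped in transit.
    tampered = set(steps) - {"RRSIG record covering org/DNSKEY"}
    print(validation_state(steps, tampered))
```

Each additional signed delegation adds five records to the walk, which is why caching validated DNSKEY and DS sets matters for response time.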

Complete DNS Security


High performance DNSSEC validations

• Rapid validation of DNSSEC responses


• Offload DNSSEC computations
• Consolidate DNS Infrastructure

http://f5.com

Data Center

BIG-IP
Global Traffic Manager

Internal Clients


DNS is Vulnerable to Attacks

Data Center

DNS Servers
www.company.com

Clients LDNS

• Multiple DNS attacks: DDoS, Cache Poisoning, Man-in-the-middle


• Application timeouts (401 errors)
• Lost customers, lost productivity
• Loss of Revenue and Brand Equity

Complete DNS Protection


BIG-IP Global Traffic Manager
Data Center

company.com

[Diagram: Clients, LDNS, DNS Firewall; icons X, A, Q, i]

F5 DNS Firewall Services

• High Performance DNS – Multicore GTM
X • Scalable DNS - DNS Express
A • Spread the load across devices - IP Anycast
• Secure DNS Queries - DNSSEC
Q • Route based on nearest Datacenter - Geolocation
i • Complete DNS control with – DNS iRules

DNS iRules Update


F5 DNS Delivery Architecture

[Diagram: Clients; WHEN DNS_REQUEST, WHEN DNS_RESPONSE, DNS::RETURN; TMOS (TMM, Linux); IPv4 / IPv6, TCP / UDP; Load Balancing, DNS Express, DNSSEC, DNS Caching, DNS Resolver, DNS 64, iRules, GTM iRules, GTM, BIND; Dynamic Routing, iRules, TMSH, GUI, iControl API; High Performance Hardware: Switch, HSB, Crypto, FIPS]

Detailed DNS Statistics


iRule


DNS Caching / Resolving Deployment in 11.2


DNS Profile
11.0 and 11.1 11.2


DNS Transparent Caching


F5 DNS Services
• GTM & Delegation Internet Site
LB • Recursive DNS LB & Screening
X • DNS Express
64 • DNS 64
CR • DNS Caching + Resolver

Datacenter

LB X 64 CR

Clients

11.2 – MAY 2012

DNS Cache Profile – Transparent Cache


DNS Monitor in LTM /GTM


DNS Caching Resolver in TMOS


F5 DNS Services
• GTM & Delegation Internet Site
LB • Recursive DNS LB & Screening
X • DNS Express
64 • DNS 64
CR • DNS Caching + Resolver

Datacenter

LB X 64 CR

Clients

11.2 – MAY 2012

DNS Cache Profile – Resolver Cache


DNSSEC Validation
F5 DNS Services
• GTM & Delegation Internet Site
LB • Recursive DNS LB & Screening
X • DNS Express
64 • DNS 64
CR • DNS Caching + Resolver
V • DNSSEC Validation
Datacenter V
LB X 64 CR

Clients

11.2 – MAY 2012

DNS Cache Profile – Validating Resolver


DNS Cache Statistics


F5 DNS Services are Crucial


Where are the opportunities?

Who to Target?
• DNS Admins
• Network Eng.
• Network Adm.
• Network Arch.
• Dir. of IT
• CIO/VP of IT

What to Target?
• Enterprise w/High volume of DNS, Apps.
• Federal/Gov’t.
• eCommerce
• DNS DDoS
• Service Providers

How to Target?
• How do they scale?
• How do they manage DNSSEC?
• How do they support DNS?

Resources and Upcoming Calls

Mark your calendar for these upcoming Field Calls


May 22 5pm PST
Fast: Application Delivery Optimization
May 23 8am PST

Manageable: Strong Enterprise Management Week of May 29

• EDGE: Solutions and Strategies


– Product Overviews
– Datasheets
– Whitepapers
– Videos
– Presentations
– Recordings
– Competitive


Education and Events

GTM v11.2 Education Location: http://university.f5.com. Search for ‘Resolver’

• Web based training


1. DNS Caching/Resolving
2. DNSSEC Validation

Events
• Interop, May 7 – 10, Vegas
• Agility – July 23 – 26, NYC
• Blackhat – July 21 – 26, Vegas
• RSA – Feb. 2012, was a huge
success in leads and awareness


Dynamic DNS Infrastructure for Rapid Growth


with BIG-IP Global Traffic Manager (GTM)

•Robust, Flexible and Secure DNS Infrastructure


•Easily mitigate DNS DDoS Attacks
•Support hybrid IP Environments
•Complete DNS Security
•Scale and manage DNS and apps globally


Questions?
To ask a question:
• Press *1 -or-
• Enter your question in the Q&A pod in the top of the LiveMeeting
screen


Frequently Asked Questions

Questions:
• How do I obtain DNS Caching?
• What happens with DNS Vendors relationships related
to DNS Caching?
• How does DNSSEC validation affect performance?
• How do I scale the DNS infrastructure?
• When will we see stats and logging for DNS?


© 2011 F5 Networks, Inc. All rights reserved. F5, F5 Networks, the F5 logo, BIG-IP, ARX, FirePass, iControl, iRules, TMOS,
and VIPRION are registered trademarks of F5 Networks, Inc. in the U.S. and in certain other countries
