F5 Friday: No DNS? No … Anything.
#v11 DNS remains one of the most critical – and necessarily public – services within the data center. Neglect its security at your own peril….
DNS is still like your mom. Too often underappreciated and taken for granted, DNS – like many network and infrastructure services – is largely ignored until there’s a problem. Unfortunately for critical services like DNS, firewall, and load balancing, by the time there’s a problem there’s a PROBLEM.
It’s important to not only actively manage DNS today, but actively protect it, too. After all, it is the primary means by which people find your site/application/revenue-generating-content and thus it’s pretty important to not only the technical side of your organization, but the business itself.
The cost of ignoring DNS, or not being active enough in its protection, can be devastatingly high.
And there are a multitude of attack types with which you must be concerned. There’s the general DNS DDoS, highly disruptive to all services if successful. The less often seen but potentially embarrassing and dangerous DNS cache poisoning, in which your services can end up resolving to sites of ill-repute or that carry malicious infections designed to turn your would-be customers’ devices into just another node in their ever growing network of zombie-bots.
Then there are even less frequently seen but also harrowing attacks – vulnerabilities in DNS servers themselves as well as a man-in-the-middle and end-user host file hacking that can disrupt services and essentially take them off the map.
None of these outcomes are desirable but none of them are necessarily unavoidable, either. Proactive protection against these attacks can provide insurance against the potential hijacking and disruption of services resulting from a successful attack.
PREVENTING DNS ATTACKS
So how do you mitigate these attacks? General solutions for preventing negative impacts from attacks generally involve scaling the infrastructure. That’s because DNS simply must be public; it’s designed to be public, and the Internet as a whole relies upon it being public. So you can’t lock it away and there are, aside from DNSSEC, no native authentication protocols that could be layered atop the service. We’re already seeing the difficulties inherent in deploying DNSSEC – and the time it’s taking – so layering an access control mechanism atop DNS is likely a non-solution due to logistical and topological constraints.
Thus, addressing the potential attacks means scaling DNS – one way or another.
- Horizontal Scalability
Scale out by adding more DNS servers to handle more queries. This includes DNS load balancing-based solutions which also require more servers to handle increasing load. The load-balancing solution often combines horizontal scalability with DNS caching to significantly increase capacity.
- Vertical Scalability
Scale up by procuring bigger, faster name servers.
- DNS Caching
A more recent mitigation has been the use of DNS caching; that is, using bigger, faster hardware solutions (handling a significant multiplier more queries per second) to cache DNS responses. But We (the corporate We) have discovered that DNS caching is itself vulnerable to DDoS attacks, making it a less optimal solution than some might believe.
A more comprehensive solution is required; one that isn’t solely based on the premise that throwing more hardware (even if that “hardware” is really “virtual”) at the problem will effectively prevent the success of an attack. What’s needed is an architecture; a holistic, collaborative-based architecture that provides real protection while simultaneously supporting multiple sites as well as DNSSEC deployment (which is not as simple as you might think).
We’ve previously talked about DNS Express, our new high-speed DNS delivery services available in BIG-IP GTM/LTM v11. DNS Express is a part of our new, architectural-based DNS scalability solution that combines global, multi-site resiliency with the ability to withstand concerted DDoS attacks as well as fend off hijacking and poisoning attempts. It’s important to distinguish DNS Express from DNS caching solutions because the requirement that a DNS caching solution query the authoritative server for each new name encountered is part of what makes a DNS caching solution vulnerable to attack. DNS Express transfers a copy of the zone to itself and is authoritative for that zone, so it’s more like a high-speed slave server than a cache. Because it is deployed atop F5’s core TMOS technology, it gains native protections against typical denial of service attacks as well as many more advanced protection techniques, making it ultimately more secure than DNS caching solutions. Also, DNS Express along with GTM built inside the Traffic Management Microkernel or TMM means that we can scale dramatically and support up to 6 million DNS queries per second. Since most high-end DNS Servers only support up to approx. 120 to 130 DNS queries per second, F5 GTM enables a massive increase in response effectively absorbing and eliminating DNS DDoS attacks and continuing to support legitimate customer requests.
The second piece of the DNS architectural puzzle is improvements to IP Anycast support in BIG-IP GTM. This enables geographically disparate pairs of BIG-IP GTM to route to the best available data center. So times the scalability of DNS queries per second in the prior paragraph per device by the number of devices implemented for a truly exponential increase in DNS queries per second response. At the same time IP Anycast allows one IP address to be attacked while the load of attacks is distributed amongst all devices in a pool with attacks for one IP address being directed to the nearest available GTM in a pool.Combined with improved integration across BIG-IP GTM deployments monitoring virtual server statuses via RHI (Route Health Injection), such routes can be updated dynamically as necessary. The use of IP Anycast further protects DNS infrastructure from DDoS by making it difficult to attackers to target any single device and obscuring the actual number of servers and devices answering DNS queries.
BIG-IP GTM with IP Anycast support also enables better scalability of DNS services themselves, and lends itself well to a hybrid cloud computing -based architecture in which cheaper compute from cloud providers may be leveraged to assist in scaling out DNS services under heavy attack, if necessary. You can’t, after all, stop the actual attack – you can only prevent deleterious impacts from occurring by keeping DNS services available and responsive long enough that the attackers give up and go home.
An F5 DNS services architecture leverages collaboration between BIG-GTM as well as with BIG-IP LTM to provide a more holistic, strategic DNS services architecture capable of scaling out on-demand and mitigating the threat of disruption to DNS through DoS attacks or common vulnerabilities in software and/or at the protocol layers.
Table 1 SOURCE: High-Performance DNS Services in BIG-IP Version 11
- BIG-IP v11 Information
- High-Performance DNS Services in BIG-IP Version 11
- DNSSEC (BIG-IP GTM)
- Attacks Cannot Be Prevented
- DNS is Like Your Mom
- F5 Friday: Multi-Layer Security for Multi-Layer Attacks
- The Many Faces of DDoS: Variations on a Theme or Two
- F5 Friday: When the Solution to a Vulnerability is Vulnerable You Need a New Solution
- F5 Friday: Eliminating the Blind Spot in Your Data Center Security Strategy