DNS Does the Job
Imagine how much you'd use the internet if you had to remember dozens of number combinations to do anything. DNS is arguably the primary technology enabling the Internet – translating the domain names people type into a browser into an IP address so the requested service can be found on the internet. We always expect DNS to work and no one thinks about it until it breaks. Every icon, URL, and all embedded content on a web page requires a DNS look up. Loading complex sites may require hundreds of DNS queries and even simple smart phone apps can require numerous DNS queries just to load. In the last five years, the volume of DNS queries on for .com and .net addresses has more than doubled, increasing to an average daily query load of 77 billion in the fourth quarter of 2012. More than six million domain names were added to the Internet in the fourth quarter of 2012. Future growth is expected to occur at an even faster pace as more cloud implementations are deployed and practically everything connected to the internet, including your future fridge, coffee machine and toilet will need a DNS entry Over the last 5 years, there has been a 180% growth of active websites, 230% growth in active users, a 22% growth in software applications and 100% growth in DNS queries. Add to that, nearly 60% of web users say they expect a website to load on their mobile phone in 3 seconds or less. Organizations are experiencing rapid growth in terms of applications and the volume of traffic accessing those applications. When a user requests a web page, the requests access local DNS services and these in turn communicate with the main DNS servers. This is not a problem until a traffic surge or a hacker floods the server with DNS query requests since it might be more than what the DNS servers can handle which in turn, can disable the main DNS server. The DNS server then stops responding and sites are unavailable, unreachable or even offline. Generally organizations have a set of DNS servers, each one capable of handling up to 150,000 DNS queries per second. High performance DNS servers are capable of handling around 200,000 queries per second. The bad guys can easily exceed that as exemplified by the recent DNS outages affecting NY Times, LinkedIn, Network Solutions and Twitter. DNS failures account for 41% of web infrastructure downtime so organizations must keep their DNS available. According to a survey by the Aberdeen Group, organizations lose an average of $138,000 for every hour their data centers are down. Downtime has an impact on visiting customers, can lead to loss of revenue and can also impact employees trying to access their corporate resources. To address DNS surges, companies add more DNS servers which are not really needed during normal business operations. Instead of worrying about DNS outages and purchasing additional DNS infrastructure to combat surges, simply place BIG-IP in front of your primary DNS server. It’s a full DNS server and handles requests on behalf of your main DNS server. BIG-IP can respond much faster to a DNS query request up to millions of queries per second. Whether it is a legitimate request or an attack, BIG-IP responds. The BIG-IP engine handles application requests at very high levels and it is that same engine that responds to DNS queries. So high, in fact, that even large surges of DNS requests (including the malicious ones) will not cripple your critical content. DNS is always available which is important to having good services for your users. Administrators enjoy the peace of mind that their site will respond to all DNS queries, keeping the site available. If you have high volume DNS coming into your data center, it is more advantageous to respond to those queries from the DMZ rather than from deep within the infrastructure, potentially affecting the back end primary DNS servers along with other critical servers. Instead of responding from deep within the infrastructure, respond using BIG-IP from the DMZ so that no request touches the back end which greatly increases the primary server’s ability can scale. Offload DNS to BIG-IP. With these large scale capabilities, even if a site is flooded due to some unexpected event, DNS can respond to all queries, good or bad. This keeps all your critical web, application and database services available. Organizations can secure DNS while achieving high scale. There is less equipment to purchase, manage and support. Plus, BIG-IP offers easy DNS management that integrates with your existing infrastructure. Error checking, auto population of protocols and importation of zones help eliminate any downtime from DNS errors. Organizations can make their applications fast, available and secure but if DNS is not responding, it doesn’t really matter since no one can get to it anyway. ps Related: f5 Synthesis F5 Introduces Synthesis Architecture Intelligent DNS Scale Video DNS Solutions Scaling DNS Services with BIG-IP Devices So That DNS DDoS Thing Happened DNS Doldrums RSA2013: BIG-IP DNS Services (Video) F5 DNS Express: DNS Die Another Day (Video) Technorati Tags: dns,dns attack,availability,synthesis,dns express,big-ip,f5,silva,reference architecture Connect with Peter: Connect with F5:DNS Doldrums
DNS is one of the primary technologies enabling the Internet – translating the names people type into a browser into an IP address so the requested service can be found on the internet. It is one of the key elements in the network that delivers content and applications to the user. If DNS goes down, most web applications will fail to function properly so it is critical to have a strong, secure and scalable DNS infrastructure. A bunch of recent DNS outages show that while protecting the application from the typical SQLi, XSS and other OWASP Top 10 related risks is important, if DNS is not answering, those application hacks do not really matter since no one can get to the site anyway. This month, 3 Dutch web hosting companies had their name servers altered by attackers. They, according to articles, changed the various company's name servers to malicious servers hosted by the crooks. They apparently managed to break into the national domain registrar, SIDN, to make the malicious change along with setting the Time to Live value to 24 hours. This meant that any ISP that cached the bad information would continue to deliver the wrong address for the next day. Among others, a large Dutch electronic retailer had to take down a bunch of servers that were delivering malware due to the breach but thousands of domains were affected. This past June, the popular business social network LinkedIn was offline for at least a half a day due to a DNS issue. The company claims that this was not due to criminal behavior but internal human error. Somehow the main home page was redirected to a domain parking page which indicated the name was up for sale. Also in June, DNSimple detected a DNS Amplification Attack on their network. This is where an attacker attempts to use additional servers to 'amplify' the attack - small queries that turn into huge responses. Instead of allowing the bounce, DNSimple tried to absorb the attack by blocking some IP addresses but ultimately at some point, all the name servers were no longer responding. All hands to respond. In their incident report, they noted that their current DNS server implementation allowed ANY queries on UDP to pass through and attempted to respond to them, albeit with the TC (truncation) bit set. In addition, the overhead created by their ALIAS resolution system was also a factor, especially with ALIAS records pointing to other records within DNSimple. With some adjustments they hope to mitigate this from happening again. There were a few others of note, In June, Network Solutions had its DNS servers hijacked and reconfigured to a malicious website after it botched efforts to thwart a DDoS attack. The Spamhaus Project was nailed by a DNS DDoS attack. And last week, a reported vulnerability in the BIND DNS software could give an attacker the ability to easily and reliably control queried name servers. We rely on DNS for almost every interaction we have with web applications. It helps us find our favorite e-tailer, social network, travel, news, gaming or entertainment site along with potentially finding our work related resources when we are mobile. For organizations, it helps direct and bring people to your content. Without it, our letter managed mind would have to start remembering a bunch of numbers. Imagine how much you'd use the internet if you had to remember dozens of number combinations to do anything. I bet the growth, the internet of everything, would come to a screeching halt. ps Related: BIND Vulnerability Enables DNS Cache Poisoning Attack DNS impairment redirects thousands of websites to malware How Spamhaus’ attackers turned DNS into a weapon of mass destruction LinkedIn hit by outage from 'DNS issue' Incident Report: DNS Outage due to DDoS Attack DDoS Attack Behind Latest Network Solutions Outage How whitehats stopped the DDoS attack that knocked Spamhaus offline The Domino Effect of LinkedIn’s DNS Outage RSA2013: BIG-IP DNS Services (video) F5 DNS Express: DNS Die Another Day (video) F5 DNS Series (videos) Technorati Tags: dns,f5,outage,dns attack,ddos,security,bind,cache poisoning,big-ip,silva Connect with Peter: Connect with F5:
