
Scale your DNS Infrastructure: Ensure App and Service Availability

Nigel Ashworth
Solution Architect EMEA
n.ashworth@f5.com
+44 77 88 436 325

Agenda
DNS and F5
Use Cases: the top four
Firewall for DNS or a DNS Firewall?
DNS Reputational Intelligence
Competitive Comparisons
DNS Mitigation Test Framework
Context and DNS
F5 Agility 2014

DNS and F5

F5 DNS roadmap: from GSLB to DNS delivery, then to secure high-performance DNS

10.X to 11.3: comprehensive GSLB; high-performance DNS delivery; high-performance caching and resolving; visibility and reporting.
11.4: security and elastic scalability.
11.5: ease of use, ease of deployment, service provider enhancements.
11.6 (current release): security and DoS protection.

F5 DNS Key Drivers

Conventional DNS thinking: performance and consolidation

Service providers need scale to support millions of subscribers. The conventional design chains an external firewall, a DNS load balancer and an array of DNS servers in the DMZ, with an internal firewall in front of a hidden master DNS in the datacenter.

F5 paradigm shift: BIG-IP Global Traffic Manager (30M RPS) between the Internet and the master DNS infrastructure

F5 DNS products have unprecedented scale in virtual, appliance and chassis versions.
F5 DNS integrates an ICSA-certified firewall into the same footprint.
Integrate with other F5 modules running on the same hardware.
DNS protocol validation scrubs incoming DNS queries so that only valid clients are answered.
Massive scale allows BIG-IP to absorb large attacks.
Query-type filtering and rate limiting can further protect DNS resources.

Flexible GSLB integrated with LTM

GTM provides the best answer for data center availability through intelligent DNS.
Base answers on topology, geo-location, health and more.

Addresses key customer pain points, reducing OpEx and CapEx

F5 DNS solutions can scale existing DNS installations without impacting operations.
Optimized service provider DNS solutions maximize uptime and match core resources with customer demand.

Use Cases
The top four

Local DNS (caching resolver): "Where is www.f5.com?"
Authoritative DNS: "Where is www.bell.co.za?"
GSLB DNS across data centers: "Where is the closest service?"
Mobile core DNS and GSLB on the BIG-IP platform: serving the GGSN/PGW, MME and SGW/SGSN for subscribers attached via (e)NodeB.

Protecting all four: the DNS Firewall.

Firewall for DNS or a DNS Firewall?

Anatomy of a DNS Firewall

IP Anycast
Pre-filter
Packet inspection
Performance
Scaling resolution
DNSSEC and validation
Reporting and automation
DNS reputational intelligence
DNS scrubbing
Hardware sizing
Certification

Anatomy of a DNS Firewall: the data path

[Diagram: clients send requests and receive responses over TCP or UDP, IPv4 or IPv6 (DNS64 where needed). In path order on BIG-IP: protocol validation and ACL; iRules; GSLB; DNSSEC; the RPZ, cache and resolver; DNS Express, kept current by zone transfer (AXFR request and response) from the local BIND or from the DNS server pool; and finally the DNS load-balancing pool of back-end DNS servers.]

Anatomy of a DNS Firewall: performance

[Chart: TMOS performance over time; symmetric multiprocessing (SMP) scales from a single processor to 2x, 4x and 8x.]


Anatomy of a DNS Firewall: reporting and automation

Advanced DNS analytics: statistics per application, per virtual server, per query name, per query type and per client IP.

Anatomy of a DNS Firewall: DNS reputational intelligence

Three reputation mechanisms:
Response Policy Zones (ingress DNS path): screen a DNS request against domain names with a bad reputation; mitigate threats by FQDN.
IP Intelligence (any IP protocol, with iRules): categorize the IP address in the response and make a decision; mitigate threats by IP address.
URL Filtering (HTTP, HTTPS and DNS, with iRules): categorize the FQDN in the request and make a decision; policy control by FQDN.

Anatomy of a DNS Firewall: DNS scrubbing within the DDoS reference architecture

[Diagram: traffic from corporate users, subscribers, anonymous proxies and anonymous requests, botnets, attackers and scanners arrives over a multiple-ISP strategy (ISP a/b), optionally through a cloud scrubbing service, into a two-tier on-premises design. Tier 1 (network and DNS, the strategic point of control) mitigates network attacks (ICMP flood, UDP flood, SYN flood) and DNS attacks (DNS amplification, query flood, dictionary attack, DNS poisoning). Tier 2 protects the applications (e-commerce, financial services) against SSL attacks (SSL renegotiation, SSL flood) and HTTP attacks (Slowloris, slow POST, recursive POST/GET), applying access control and policy enforcement for legitimate users, alongside a next-generation firewall and IPS, all informed by threat feed intelligence.]

Anatomy of a DNS Firewall: hardware sizing

Platforms: VIPRION 4800; VIPRION 44xx chassis; VIPRION 2400 chassis; BIG-IP 10x00; BIG-IP 7x00; BIG-IP 5x00; BIG-IP 4x00.



DNS Reputational Intelligence

Protecting the client: the internet isn't an altogether safe place

Malicious threats
BotNets: inadvertently downloaded and used to mount distributed attacks.
Viruses: once installed, cause malicious activity on the end-user device, sometimes for ransom.
OS vulnerabilities: unprotected, unpatched devices are extremely vulnerable.

Duping the user
Phishing scams and man in the middle: websites which impersonate real websites, often linked from email or another website; scammers aim to capture credentials.
Site redirection: DNS traffic is captured and sent to a malicious DNS server serving bad DNS results (for example from a compromised CPE).

Undesirable content
Offensive: content may violate HR or local rules, violate decency standards, or be age inappropriate.
Irrelevant: distracting content incompatible with job function or policy.
Illegal content: file sharing, or sites identified as hosting banned material.

DNS IP and Name Reputation Choices

Response Policy Zones* (ingress DNS path): screen a DNS request against domain names with a bad reputation. Mitigate threats by FQDN.
IP Intelligence (any IP protocol, with iRules): categorize the IP address in the response and make a decision. Mitigate threats by IP address.
URL Filtering (HTTP, HTTPS and DNS, with iRules): categorize the FQDN in the request and make a decision. Policy control by FQDN.

*Response Policy Zones (RPZ) are a form of DNS firewall in which the rule sets are expressed as specially constructed DNS zones. In this case, using RPZ means subscribing to commercial threat feeds that provide the up-to-date RPZ lists of bad domains.

Technical Use Cases

Nature of threat: http://www.badsite.com (malicious website; a DNS lookup is required to reach it)
RPZ: protects users from accessing malicious websites.
IP Intelligence: limited to IP address reputation.

Nature of threat: http://194.71.107.15 (malicious website reached directly by IP address; no DNS lookup is issued)
RPZ: no DNS lookup to filter.
IP Intelligence: protects users from accessing a malicious website by IP address.*
URL Filtering: no URL or FQDN to examine.

Nature of threat: http://www.facebook.com (social networking, against corporate policy)
RPZ: covers malicious content only.
IP Intelligence: limited to IP address reputation.

*IPI blocks both the bad IP address (http://194.71.107.15) AND the domain name (www.badsite.com) mapped to the bad IP address.

Use Case: Client Protection

Prevent subscribers from reaching known bad domains. Prevent malware and sites hosting malicious content from ever communicating with a client. Internet activity starts with a DNS request: inhibit the threat at the earliest opportunity.

Data path on BIG-IP GTM: IPv4/v6 listener, protocol validation, iRules, cache, resolver. RPZ feed updates populate a reputation database; matching queries receive special handling.

Use Case: Parental or Enterprise Behavior Controls

Customized DNS decisions based on domain categories:
Determine subscriber policies and use the iControl API to furnish them into iRules.
Classify client traffic by source and retrieve that client's specific policy for categories and permissions.
Block, or provide walled-garden responses, according to subscriber preferences.
Provided through the URL Filtering license and DNS iRules.

Data path: a query for WWW.DOMAIN.COM is matched by DNS iRules against the categories in the URL feed (for example parked domain, games, social, business) and against the subscriber datagroups populated over iControl; all other queries pass to the cache and resolver and are logged.

Use Case: Layered Client Protection

Response Policy Zones (RPZ) filter out known bad domains and return NXDOMAIN or a redirect.
URL Filtering further provides granular policy controls using categories.
IP Intelligence blocks based on the resolved IP, and can also be used in the data path for other protocols.

Request path (ingress DNS path): RPZ, then the URL Filtering iRule, then DNS iRules (request), cache and resolver; fed by the RPZ feed, the URL feed and the subscriber policy pushed over iControl.
Response path (egress DNS path): IP Intelligence against the IPI feed, then DNS iRules (response).
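The three layers above (RPZ on the request path, per-subscriber category policy, IP Intelligence on the response path) modelled end to end, as an added Python example. This is not F5 or BIG-IP code and uses no iRules; the RPZ zone, URL-category feed, IPI address ranges, subscriber policies and resolver answers are constructed stand-ins. RPZ actions follow the RPZ convention: a CNAME target of `.` means NXDOMAIN, `*.` means NODATA, `rpz-passthru.` whitelists the name, and any other target is a redirect (walled garden).

```python
"""Layered DNS client protection (added example, not F5 or BIG-IP code).

Order matches the request's path: RPZ (ingress), per-subscriber category
policy (URL filtering via DNS), then IP Intelligence on the resolved answer
(egress). All feeds, policies and resolver answers below are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed RPZ zone: owner name -> CNAME target, using RPZ encoding.
RPZ_ZONE = {
    "badsite.com": ".",                               # NXDOMAIN
    "*.badsite.com": ".",                             # NXDOMAIN for subdomains
    "good.badsite.com": "rpz-passthru.",              # exact match whitelists
    "tracker.example": "*.",                          # NODATA
    "malware.example.net": "walled-garden.isp.example",  # redirect
}

# Constructed URL-category feed (FQDN -> category).
URL_CATEGORIES = {
    "www.facebook.com": "social",
    "play.example.org": "games",
    "parked.example": "parked_domain",
    "www.f5.com": "business",
}

# Constructed IP Intelligence feed: address ranges with a bad reputation.
IPI_FEED = [ip_network("194.71.107.0/24")]

# Constructed per-subscriber policies (what an iControl push would populate).
SUBSCRIBER_POLICY = {
    "10.0.0.5": {"blocked": {"games", "social"}, "garden": "walled-garden.isp.example"},
    "10.0.0.9": {"blocked": set(), "garden": None},
}

# Constructed stand-in for the resolver: name -> address.
RESOLVED = {
    "badsite.com": "203.0.113.10",
    "good.badsite.com": "203.0.113.11",
    "www.facebook.com": "198.51.100.20",
    "evil-by-ip.example": "194.71.107.15",
    "www.f5.com": "198.51.100.1",
    "malware.example.net": "203.0.113.99",
    "tracker.example": "203.0.113.50",
}


@dataclass
class Verdict:
    action: str   # "answer", "nxdomain", "nodata", "redirect" or "drop"
    stage: str    # which layer decided
    data: str = ""  # answer address or redirect target


def rpz_lookup(qname: str):
    """Exact owner name beats a wildcard; the closest wildcard wins otherwise."""
    name = qname.rstrip(".").lower()
    if name in RPZ_ZONE:
        return RPZ_ZONE[name]
    labels = name.split(".")
    for i in range(1, len(labels)):
        wild = "*." + ".".join(labels[i:])
        if wild in RPZ_ZONE:
            return RPZ_ZONE[wild]
    return None


def resolve_with_policy(client_ip: str, qname: str) -> Verdict:
    name = qname.rstrip(".").lower()
    # 1. Ingress path: RPZ on the queried name.
    target = rpz_lookup(name)
    if target == ".":
        return Verdict("nxdomain", "rpz")
    if target == "*.":
        return Verdict("nodata", "rpz")
    if target is not None and target != "rpz-passthru.":
        return Verdict("redirect", "rpz", target)
    # 2. Subscriber category policy (URL filtering applied to DNS).
    policy = SUBSCRIBER_POLICY.get(client_ip, {"blocked": set(), "garden": None})
    category = URL_CATEGORIES.get(name, "uncategorized")
    if category in policy["blocked"]:
        if policy["garden"]:
            return Verdict("redirect", "url_filter", policy["garden"])
        return Verdict("nxdomain", "url_filter")
    # 3. Egress path: resolve, then check the answer against IP Intelligence.
    addr = RESOLVED.get(name)
    if addr is None:
        return Verdict("nxdomain", "resolver")
    if any(ip_address(addr) in net for net in IPI_FEED):
        return Verdict("drop", "ip_intelligence", addr)
    return Verdict("answer", "resolver", addr)
```

A real RPZ also carries `rpz-drop.` and `rpz-tcp-only.` targets and matches on the resolved address and nameserver as well as the QNAME; the block keeps to the QNAME trigger the slide describes.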

Competitive Comparisons

A word on terminology

DNS Express: a high-performance authoritative DNS secondary (slave). Zone-transfer from an existing DNS server and get scale and security.
DNS Caching: place the F5 BIG-IP in front of a DNS resolver and massively increase DNS performance by caching responses.
DNS Resolver: use the high-performance DNS resolver in BIG-IP to consolidate all DNS and firewall functions into one platform.

DNS Authoritative on F5 BIG-IP Appliances

[Chart: responses per second (0 to 1.8M), using DNS Express for the BIG-IP numbers. Platforms: 2000S, 2200S, 4000S, 5000S, 4200V, 7000S, 10000S, 5200V, 10200V, 7200V; results shown for 11.4 and 11.5.]

DNS Authoritative on F5 VIPRION

[Chart: responses per second (0 to 25M), using DNS Express for the BIG-IP numbers. Blades: B2150, B2100, B2250, B4200, B4300; chassis: 2400 w/B2100, 2400 w/B2250, 4480 w/B4300, 4800 w/B4300; results shown for 11.4 and 11.5.]

DNS Caching on F5 BIG-IP Appliances

[Chart: responses per second (0 to 1.4M), peaking at 1.3M RPS. Platforms: 2000S, 2200S, 4000S, 4200V, 10000S, 5000S, 7000S, 10200V, 5200V, 7200V; results shown for 11.4 and 11.5.]

DNS Caching on F5 VIPRION

[Chart: responses per second (0 to 18M), peaking at 15.5M RPS. Blades: B2150, B2100, B4300, B2250; chassis: 2400 w/B2100, 4480, 2400 w/B2250, 4800; results shown for 11.4 and 11.5.]

DNS Caching: Cost per 1K RPS, F5 versus Infoblox

[Chart: cost in USD based on list price (0 to 1600 per 1K RPS). Bars are annotated with the included functions (caching/resolving, authoritative, GSLB) for enterprise and service provider (SP) configurations.]

DNS Authoritative: Cost per 1K RPS, F5 versus Infoblox

[Chart: cost in USD based on list price (0 to 1600 per 1K RPS). Bars are annotated with the included functions (caching/resolving, authoritative, GSLB) for enterprise and service provider (SP) configurations.]

DNS Cache Performance

Infoblox platform-by-platform comparison with F5

[Chart: RPS (0 to 1.4M). Platforms are grouped by like pricing: F5 2000S vs Infoblox Trinzic 1420; 2200S vs Trinzic 2210; 4000S vs Trinzic 2220; 7000S vs Trinzic 4010; 7200V vs Trinzic 4030.]

DNS Authoritative Performance

Infoblox platform-by-platform comparison with F5

[Chart: RPS (0 to 1.8M). Platforms are grouped by like pricing: F5 2000S vs Infoblox Trinzic 1420; 2200S vs Trinzic 2210; 4000S vs Trinzic 2220; 7000S vs Trinzic 4010; 7200V vs Trinzic 4030.]

DNS Mitigation Test Framework

Test rig: mid-range platform, VIPRION 2400

Three major components:
Traffic generation (internal and external): a traffic generator producing 10M DNS requests per second.
DNS server, caching resolver: mid-range BIG-IP VIPRION 2400 loaded with 4 blades.
Traffic responses (external): a traffic generator and responder handling 10M DNS requests/responses per second.

10/40 Gb interfaces and network.

Tests to be performed, and why

First, what to de-risk? Two areas, which are very different and open to different types of attack:
The cache in a DNS server.
The resolver in a DNS server.

Types of attack (many):
Volumetric: bad protocol, floods, amplification, reflection; zero-TTL records that consume resources; DNSSEC and poisoning.
Functional: malware (internal and external RPZ lists); banned lists (ACLs against a domain list); DNS tunnelling (remove free-loaders).

Traffic Generation for Caching Mitigation

10M requests per second as internal user requests, broken down as:
50% malware (50/50 customer list and feed lists)
20% bad protocol requests
10% valid users
10% DNS tunnelling
10% zero TTL on domains (queue protection for the resolver)

10 or 40 Gb interfaces for scalability; can be split across multiple sources/servers.

Traffic Generation for Resolver Mitigation

Internal traffic generation, with the responder on the external side:
200K requests per second as internal user requests, all valid users going to the internet (cache turned off so that every request reaches the resolver).

External traffic generation:
10M requests per second as attacker requests, broken down as:
10% bad IP addresses (Webroot addresses)
40% reflection attackers
40% amplification attackers
10% bad protocol requests (DNS flood)

10 or 40 Gb interfaces for scalability; can be split across multiple sources/servers.

DNS Test Framework

[Diagram: BIG-IP GTM and AFM, in path order: IPv4/v6 listener; ACL on IP from AFM; protocol validation; subscriber rate management; iRules; IP Intelligence, fed by the IP Intelligence service feed; cache; resolver; Response Policy Zone (RPZ) backed by the reputation database, with special handling and a response page for blocked names. Scanners represent the external attack sources. All events go to Splunk logging.]

Outcomes

Agree measurements for:
Baseline the users' performance, and that the DNS is available, confidential and has integrity, for both cache and resolver.
Measure that the attacks do not affect the users, and that the DNS remains available, confidential and has integrity; compare to the baseline.

It is about risk management to the business while under DNS attack.

Context and DNS

DNS over UDP doesn't prove identity

UDP is the primary transport for DNS because it is low latency and fast for client resolution.
UDP is stateless and trivial to spoof.
An attacker's client often doesn't care about the response.
An attacker's client can choose to trigger the most expensive response.
An attacker's client can be a random nobody.
An attacker's client can IMPERSONATE legitimate clients.
Techniques to identify clients utilize too much CPU.
The big DNS DDoS problem: there is no easy way to identify good vs bad clients.

Preventing DNS Abuse

DNS tunnelling: prevent it with iRules

Classify the traffic: mobile or fixed. Determine the SLA for RPS and allowed response size.

When a client sends in a query:
Is the query for a blocked domain (a tunnel host)?
Is the query rate above the allowed rate? Increment the score.
Was the client previously above the allowed rate? Increment the score.
Resolve the request and analyze the response; factor the response size into the score.

Take an action: is the client above the score threshold?
Drop the request (drop threshold).
Suspend DNS service for a period (suspend threshold).

[Chart: query-rate scoring and response-size scoring per client (clients A to F) against the drop and suspend thresholds.]

Service Provider DNS Service Protection

Policing requests for fairness and availability

Service providers need to ensure availability of DNS services to customers according to their service level. Intelligent per-client-IP rate limiting gives SPs the tools to inhibit bad actors, including DNS tunnelling, without adversely affecting performance.

[Diagram: per-client DNS rates feed a DNS rate limiter in front of the resolver and cache. CSP primary customers, regular clients, compromised clients and malicious actors each receive their own rate limits. Actions: rate-limit the client, log the malicious identity, suspend DNS service.]
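The scoring flow from the DNS tunnelling slide and the per-client rate limiting just described, as an added Python example. It is not F5 or BIG-IP code and not an iRule; the SLA values, the drop and suspend thresholds, the suspend period, the tunnel host list and the two sample clients are constructed assumptions.

```python
"""Per-client query-rate and response-size scoring (added example, not F5 code).

Classify the client, look up its SLA (allowed queries per second and allowed
response size), score each query and response, then drop or suspend once the
score crosses a threshold. SLA values, thresholds and traffic are constructed.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field

SLA = {  # constructed: client class -> (allowed qps, allowed response bytes)
    "mobile": (20, 512),
    "fixed": (100, 1232),
}
DROP_THRESHOLD = 5          # constructed
SUSPEND_THRESHOLD = 12      # constructed
SUSPEND_SECONDS = 60        # constructed
TUNNEL_HOSTS = {"t.example.com"}  # constructed blocked tunnel endpoints


@dataclass
class ClientState:
    window: deque = field(default_factory=deque)  # timestamps in the last second
    score: float = 0.0
    over_rate_last: bool = False
    suspended_until: float = 0.0


class DnsRateScorer:
    def __init__(self, classify):
        self.classify = classify  # client_ip -> "mobile" | "fixed"
        self.clients = defaultdict(ClientState)

    def _qps(self, st: ClientState, now: float) -> int:
        """Sliding one-second window of this client's queries."""
        while st.window and now - st.window[0] >= 1.0:
            st.window.popleft()
        st.window.append(now)
        return len(st.window)

    @staticmethod
    def _is_tunnel_host(qname: str) -> bool:
        labels = qname.rstrip(".").lower().split(".")
        return any(".".join(labels[i:]) in TUNNEL_HOSTS for i in range(len(labels)))

    def on_query(self, client_ip: str, qname: str, now: float) -> str:
        """Pre-resolution step. Returns 'suspended', 'drop' or 'resolve'."""
        st = self.clients[client_ip]
        if now < st.suspended_until:
            return "suspended"
        allowed_qps, _ = SLA[self.classify(client_ip)]
        if self._is_tunnel_host(qname):
            st.score += 3                        # blocked domain: heavy penalty
        over = self._qps(st, now) > allowed_qps
        if over:
            st.score += 1                        # above allowed rate now
        if over and st.over_rate_last:
            st.score += 1                        # and was above it before
        st.over_rate_last = over
        return self._decide(st, now)

    def on_response(self, client_ip: str, response_bytes: int, now: float) -> str:
        """Post-resolution step: answers larger than the SLA push the score up."""
        st = self.clients[client_ip]
        _, allowed_size = SLA[self.classify(client_ip)]
        if response_bytes > allowed_size:
            st.score += response_bytes / allowed_size
        return self._decide(st, now)

    def _decide(self, st: ClientState, now: float) -> str:
        if st.score >= SUSPEND_THRESHOLD:
            st.suspended_until = now + SUSPEND_SECONDS
            st.score = 0.0
            st.window.clear()
            return "suspended"
        if st.score >= DROP_THRESHOLD:
            return "drop"
        return "resolve"


def run_constructed_scenario() -> dict:
    """Constructed traffic: one regular mobile client, one tunnelling client."""
    scorer = DnsRateScorer(lambda ip: "mobile" if ip.startswith("10.") else "fixed")
    outcomes = {}
    for i in range(5):                      # a few small lookups per second
        scorer.on_query("10.0.0.5", "www.f5.com", 0.1 * i)
        outcomes["regular"] = scorer.on_response("10.0.0.5", 120, 0.1 * i)
    for i in range(40):                     # rapid tunnel queries, large TXT answers
        t = 0.01 * i
        verdict = scorer.on_query("192.0.2.7", f"{i:08x}.t.example.com", t)
        if verdict == "resolve":
            verdict = scorer.on_response("192.0.2.7", 1400, t)
        outcomes["tunnel"] = verdict
    return outcomes
```

The tunnel client is dropped on its second query (score 3 plus 1400/1232 from the oversized answer, then another 3) and suspended on its fourth; a client that merely exceeds its query rate accrues points more slowly, one per over-rate query plus one more for each consecutive over-rate query, so bursts from a legitimate client are throttled before they are suspended.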

Patents: Issued Patents

US Patent No 8,261,351
Inventors: Lisa Golden; Peter Thornewell
Title: DNS Flood Protection Platform for a Network
Filed January 22, 2008
Issued September 4, 2012

DNS Reference Architectures

DNS and GSLB in

Current:
1. Cloud Bursting
2. Cloud Migration
3. DDoS Protection
4. Intelligent DNS Scale
5. Network Functions Virtualization
6. Security for Service Providers
7. S/Gi Network Simplification

Future:
8. Intelligent DNS for SPs
9. Multi-Hybrid Data Centers
