

Carrier Grade DNS: Performance and Security

Enterprise and service provider networks are facing challenges that are continually being addressed by core IP network elements

With the increasing use of laptops, cell phones and tablets, people's access to the Internet, social media, multimedia applications, and data applications is on the rise. These devices have made it easier for users to reach multimedia and applications, whether for work or for personal entertainment. However, the resulting increase in traffic, subscriber demands, and security issues requires networks to be built to scale and perform to meet these demands while still minimizing costs. Core IP networks are the key to delivering on this demand. Critical core IP infrastructure elements include IP allocation, the Domain Name System (DNS), network and subscriber security, and optimized IP access. DNS is the key system used to provide subscribers with the content and applications they demand.

DNS has been a crucial part of the Internet architecture for several years. It is essential for the delivery of content and applications to users both on the Internet and on private networks. Performance and security concerns, however, have complicated the DNS expansion needed to handle the growing demand from subscribers.

DNS is typically deployed in one of two ways: as an authoritative DNS server that answers resolution queries for a domain's web content, or as a resolver that answers user queries to locate content on networks. Each deployment has its own challenges in security, scaling and performance.

Authoritative DNS
Authoritative DNS servers are crucial to delivering web content and, more specifically, e-commerce applications. Since the initial DNS request is the first step a user takes in requesting web and Internet content, responses from authoritative DNS are crucial to a quality user experience. However, these DNS servers are prime targets for attacks. To deploy an authoritative DNS architecture that delivers performance and scaling as well as security, distributed and geographically dispersed authoritative DNS servers are required, both to meet performance demands and to mitigate the impact of attacks.

DNS deployments must include economical scaling and intelligent management of DNS responses. Technologies such as global server load balancing (GSLB) and IP anycast are good tools for meeting this performance and scaling demand. GSLB selects the destination address based on the geographic location of the requester and the destination address of the content. IP anycast allows the same IP address to be announced from multiple systems, so the number of systems serving specific web content can grow while downtime is minimized.

There are two basic types of attacks against an authoritative DNS server: 1) DoS or DDoS, and 2) DNS session hijacking. In a DoS or DDoS attack, a DNS server is flooded with requests to the point that it can no longer respond to legitimate DNS requests. There is no way to prevent an attacker from launching a DoS or DDoS attack across the Internet; however, the impact of such attacks can be mitigated. The goal is to continue to provide a quality user experience even while your DNS architecture is under attack. Distributing the DNS systems and using tools such as GSLB can mitigate DoS and DDoS attacks against DNS.
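As an added illustration (not code from the article or from F5), the following toy GSLB decision engine in Python sends each requester to the nearest authoritative site whose health probe passes and whose observed query rate is below a flood threshold, so a site absorbing a DoS/DDoS flood drops out of rotation and traffic fails over to the next closest site. The site names, coordinates, addresses and the qps threshold are constructed for the example.

```python
import math

# Constructed example data, not from the article: three geographically dispersed
# authoritative DNS sites (hypothetical names, documentation addresses from RFC 5737).
SITES = {
    "us-east":  {"lat": 39.0, "lon": -77.5, "addr": "192.0.2.1"},
    "eu-west":  {"lat": 53.3, "lon": -6.3,  "addr": "198.51.100.1"},
    "ap-south": {"lat": 1.3,  "lon": 103.8, "addr": "203.0.113.1"},
}


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two points on Earth."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


class Gslb:
    """Hypothetical GSLB decision engine: the nearest healthy, non-saturated site wins."""

    def __init__(self, sites, max_qps):
        self.sites = sites
        self.max_qps = max_qps                          # query rate above which a site counts as flooded
        self.qps = {name: 0 for name in sites}          # latest observed queries/second per site
        self.healthy = {name: True for name in sites}   # latest health-probe result per site

    def report(self, site, qps, healthy=True):
        """Feed one monitoring sample for a site (probe result and observed query rate)."""
        self.qps[site] = qps
        self.healthy[site] = healthy

    def available(self, site):
        # A site under a DoS/DDoS flood exceeds max_qps and leaves the candidate set.
        return self.healthy[site] and self.qps[site] < self.max_qps

    def pick(self, client_lat, client_lon):
        """Return (site name, address) of the closest available site, or None if all are down."""
        candidates = [s for s in self.sites if self.available(s)]
        if not candidates:
            return None
        best = min(candidates, key=lambda s: haversine_km(
            client_lat, client_lon, self.sites[s]["lat"], self.sites[s]["lon"]))
        return best, self.sites[best]["addr"]
```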

DNS session hijacking is where a user sends a request for DNS resolution and receives an answer presented as authoritative from a DNS server that is not the authoritative server for that URL. In an e-commerce environment, this could mean that the subscriber receives a false address and ends up at the wrong location on the Internet, that subscriber information is lost, or that an e-commerce transaction is prevented. DNSSEC was designed to prevent this type of attack by having authoritative DNS responses signed by the proper authoritative server. The signature lets the recipient verify that a known authoritative DNS server is providing the DNS response.

Resolver DNS
DNS architecture deployed as a resolver is used to provide DNS responses for subscribers looking for applications and content. When a subscriber connects to a network, the first transaction on the network after the initial IP allocation is a DNS request and resolution. If this DNS request and response is delayed, the first element of the user experience is impacted. Traditionally, DNS resolver architectures have addressed this problem through the use of a DNS cache. DNS caching is where the DNS server stores the IP resolution for a URL in cache memory and uses that address to build a non-authoritative DNS response. As data transactions on the Internet increase, these DNS caching servers must grow in size to meet the performance demands. To avoid constantly scaling DNS caching servers, future DNS servers will need a more intelligent method of handling these resolutions.
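An added example, not from the article: a minimal caching resolver in Python that stores an authoritative answer for its TTL and serves it as a non-authoritative response with the remaining TTL until expiry, so repeat lookups never reach the authoritative server. The zone data, names, TTLs and the injectable clock are constructed for illustration.

```python
import time
from dataclasses import dataclass


@dataclass
class DnsAnswer:
    name: str
    address: str
    ttl: int             # seconds the record may still be cached
    authoritative: bool  # True only when served by the zone's authoritative server


# Constructed sample zone, not from the article: hypothetical names, RFC 5737 addresses.
ZONE = {
    "shop.example.com.": ("192.0.2.10", 300),  # (address, TTL in seconds)
    "api.example.com.":  ("192.0.2.20", 60),
}


class AuthoritativeServer:
    """Stand-in for the authoritative server; counts how many queries actually reach it."""
    def __init__(self, zone):
        self.zone = zone
        self.queries = 0

    def query(self, name):
        self.queries += 1
        if name not in self.zone:
            return None
        address, ttl = self.zone[name]
        return DnsAnswer(name, address, ttl, authoritative=True)


class CachingResolver:
    """Caches authoritative answers and serves them, marked non-authoritative, until the TTL expires."""
    def __init__(self, upstream, clock=time.monotonic):
        self.upstream = upstream
        self.clock = clock   # injectable clock so TTL expiry can be tested deterministically
        self.cache = {}      # name -> (address, absolute expiry time)

    def resolve(self, name):
        now = self.clock()
        entry = self.cache.get(name)
        if entry and entry[1] > now:
            address, expires_at = entry
            # Cache hit: report the remaining TTL and flag the answer as non-authoritative.
            return DnsAnswer(name, address, int(expires_at - now), authoritative=False)
        answer = self.upstream.query(name)  # miss or expired entry: ask the authoritative server
        if answer is None:
            return None                     # negative answers are not cached in this toy
        self.cache[name] = (answer.address, now + answer.ttl)
        return answer
```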

Historically, DNS resolvers have been used to resolve names for subscribers going to the Internet. However, there is a growing trend of using DNS resolvers on internal networks to direct traffic to user applications and content located in enterprise or service provider networks. This internal use of resolution provides a traffic management system that delivers high availability and distribution of systems across geographically separated data centers. This innovative use of DNS to implement and enforce high availability and scalability increases the importance of, and the need for, a more intelligent DNS architecture.

Enterprise and service provider networks are facing challenges that are continually being addressed by core IP network elements, such as DNS. For communication service providers, carrier-grade DNS is required to handle the millions of transactions per second, along with providing security for subscribers and DNS transactions. The methods that service providers are using to deploy these DNS systems and provide for this demand are addressing issues that enterprises will be facing in the future. As new devices, phones, and tablets are developed, along with the applications and content supporting these new devices, DNS will become an even more crucial element for the success of networks.

More Stories By Ray Vinson

Ray Vinson is a Senior Technical Marketing Manager at F5 Networks focused on the Service Provider Market. He has over 15 years of experience in developing products for the Wireless Service Provider Market.

At LogicaCMG, he was a Product Manager for wireless internet products that included Wireless Application Protocol (WAP) and Multi-Media Messaging (MMS). While at LogicaCMG, he participated and authored standards for the WAP Forum’s WAP 2.0 specification and 3GPP’s MMS standards. Vinson also held Product Management and Product Marketing positions at Bridgewater Systems, focusing on the development of Policy Products for wireless networks. His career has included software development, consulting, network operations, product management, product marketing and technical marketing, along with serving in the U.S. Army as a Signal Intelligence Analyst.
