PLNOG 9: Adam Obszyński - DNS Caching
PROIDEA
DNS Caching: critical operator infrastructure and the last piece of the puzzle
1.
© 2011 Infoblox Inc. All Rights Reserved.
DNS Caching: critical operator infrastructure and the last piece of the puzzle
Adam Obszyński, CISSP, CCIE #8557
Regional Sales Engineer Eastern Europe
aobszynski@infoblox.com
2.
Long ago: AD 2000
3.
Two kinds of external DNS servers?
§ Authoritative name servers: hosting company.com (corporate web site: www.company.com)
– Queried by Internet users (> http://www.company.com)
§ Forwarders (aka resolvers, DNS cache): enable web surfing, sending emails, etc.
– Used by internal users and internal applications (> http://www.google.com)
[Diagram labels: Internet users, Ethernet, BIND DNS, Webserver, Mailserver; BIND DNS, Ethernet, internal users, internal applications, Internet]
4.
What are we here for today?
§ Why are we thinking about DNS cache?
§ How can it be done better, or perhaps best?
§ Which piece of the puzzle are we interested in?
§ How did others do it?
5.
What are we here for today?
§ Why are we thinking about DNS cache?
§ How can it be done better, or perhaps best?
§ Which piece of the puzzle are we interested in?
§ How did others do it?
6.
Bandwidth -> Core
[Figure © Cisco.com]
7.
Bandwidth -> Access
[Figure © http://blogs.broughturner.com/]
8.
Serialization -> Access
[Figure © Cisco.com]
§ It was true in 1999 and 2000
§ Not today :-)
9.
DNS: Scale – Number of Queries
[Figure © NTT Information Sharing Platform Laboratories]
§ Cause of Increase
– DNS prefetching function
– 28-times increase in one year
– Firefox -> enabled 06.2009
– .* Auto Update
– Web History YES
10.
What are we here for today?
§ Why are we thinking about DNS cache?
§ How can it be done better, or perhaps best?
§ Which piece of the puzzle are we interested in?
§ How did others do it?
11.
DNS—Not Just Glue . . .
12.
Web Prefetching
[Figure © Srinivas Krishnan and Fabian Monrose, Department of Computer Science, University of North Carolina at Chapel Hill]
13.
Web Delay – Sample
Fast Web Performance Starts with DNS…
[Figure © http://blog.catchpoint.com/]
§ http://techcrunch.com/
– 300 objects++
– 60++ domains
14.
Web Delay – Sample 2
Fast Web Performance Starts with DNS…
§ Two components to DNS latency:
– Latency Client <-> Server
– Caches <-> name servers
• Cache misses
• Under provisioning
• Malicious traffic
[Source © https://developers.google.com/]
15.
DNS Challenges
§ Data traffic explosion drives increasing DNS load
– Rise of applications such as Facebook and mobile devices is causing huge growth in DNS traffic
§ Customer satisfaction is critical
– Unsatisfied mobile customers readily switch providers
§ Distributed DNS approach places caching servers closer to the customer
– Because response time is critical to the customer experience
– But centralized management now becomes a critical requirement
16.
Costs of Maintaining DNS Infrastructure are on the Rise
§ More DNS servers = higher management costs
§ Security vulnerability patching costs are high
§ Securing DNS infrastructure requires additional equipment and skills
§ High availability implementations require significant expenses and skills
TASK: Update the DNS software on 15 name servers
TIME: BIND: 200-330 min.; Infoblox: 5-20 min. (400-1000% faster)
17.
How ISPs Deal with DNS Today*
§ Increase the number of DNS servers
§ Use faster underlying server hardware
§ Use load balancers to handle load and IPSs to handle vulnerabilities
§ Code expensive customized changes into DNS software
18.
What are we here for today?
§ Why are we thinking about DNS cache?
§ How can it be done better, or perhaps best?
§ Which piece of the puzzle are we interested in?
§ How did others do it?
19.
Mitigations of DNS Cache problems
§ Over-provisioning caching DNS resolvers
– demand a lot of network input/output
– highly vulnerable to cache poisoning (cache miss rate)
– Prepare for DoS/DDoS (over-provision with many machines)
§ Load-balancing for shared caching
– Possible backfire -> reduces the cache hit rate (independent caches)
– Load-balance without fragmentation
– Think about 2 levels
• close to the user -> small cache with most popular names
• 2nd level -> distributed per names
§ Distributed clusters for geographical coverage
– Closer to your users -> less latency
– DNS Anycast (details later)
§ BUT, centralized HUGE servers can help with fragmentation!
– Low latency from user to data center needed
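The fragmentation effect named on this slide, as an added example that is not part of the original deck: the same query stream is sent to four independent caches, once spread round-robin and once distributed per name. The workload, backend count, cache size and the use of CRC32 as the per-name hash are assumptions, and TTL expiry is left out to isolate the effect.

```python
"""Added example: hit rate of independent resolver caches behind a load balancer."""
import random
import zlib
from collections import OrderedDict
from itertools import accumulate


class LRUCache:
    """Bounded cache of names (TTL expiry deliberately ignored)."""

    def __init__(self, capacity):
        self.capacity = capacity
        self.entries = OrderedDict()

    def lookup(self, name):
        """Return True on a hit; on a miss, 'resolve' the name and store it."""
        if name in self.entries:
            self.entries.move_to_end(name)
            return True
        self.entries[name] = True
        if len(self.entries) > self.capacity:
            self.entries.popitem(last=False)  # evict the least recently used name
        return False


def make_workload(n_names=2000, n_queries=40000, seed=9):
    """Constructed query stream: popularity of a name falls off as 1/rank."""
    rng = random.Random(seed)
    names = [f"host{i}.example." for i in range(n_names)]
    cum = list(accumulate(1.0 / rank for rank in range(1, n_names + 1)))
    return rng.choices(names, cum_weights=cum, k=n_queries)


def round_robin(i, name, n_backends):
    """Each query goes to the next backend, whatever the name is."""
    return i % n_backends


def name_hash(i, name, n_backends):
    """'Distributed per names': one name always lands on the same backend."""
    return zlib.crc32(name.lower().encode()) % n_backends


def hit_rate(queries, pick_backend, n_backends=4, capacity=200):
    """Fraction of queries answered from cache across all backends."""
    caches = [LRUCache(capacity) for _ in range(n_backends)]
    hits = 0
    for i, name in enumerate(queries):
        hits += caches[pick_backend(i, name, n_backends)].lookup(name)
    return hits / len(queries)


def compare():
    """Hit rate of both policies on the same constructed workload."""
    queries = make_workload()
    return {
        "round_robin": hit_rate(queries, round_robin),
        "name_hash": hit_rate(queries, name_hash),
    }


if __name__ == "__main__":
    for policy, rate in compare().items():
        print(f"{policy:12s} hit rate {rate:.3f}")
```

With round-robin every backend has to learn the same popular names on its own, so each miss is paid up to four times; per-name distribution stores each name once and uses the combined capacity.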
20.
© 2007 Infoblox Inc. All Rights Reserved.
DNS Anycast
[Diagram: two DNS Cache servers, each with anycast address 10.0.0.1 and each sending a routing advertisement; routing advertisements propagate through the network; clients send queries to 10.0.0.1]
21.
DNS Anycast
[Diagram: two DNS Cache servers, each with anycast address 10.0.0.1 and each sending a routing advertisement; routing advertisements propagate through the network; clients send queries to 10.0.0.1]
22.
DNS Anycast
[Diagram: two DNS Cache servers, each with anycast address 10.0.0.1; route removed for one of them; queries to 10.0.0.1 automatically re-routed to the next 'nearest' DNS Cache]
23.
Don’t use risky (or old) DNS software (TCP Case)
[Capture © https://labs.ripe.net/; lines are cut off at both edges as on the slide]
241.53: Flags [S], seq 3070710725, win 65535, options [mss 1460,nop,wscale 4,nop,nop,TS val 172155998 ecr 0,sackOK,eol], length 0
.49744: Flags [S.], seq 3594360937, ack 3070710726, win 65535, options [mss 1460,nop,wscale 3,sackOK,TS val 1909669925 ecr 172155998],
241.53: Flags [.], ack 1, win 8235, options [nop,nop,TS val 172156005 ecr 1909669925], length 0
241.53: Flags [P.], seq 1:20, ack 1, win 8235, options [nop,nop,TS val 172156005 ecr 1909669925], length 19 52227+ SOA? . (17)
.49744: Flags [P.], seq 1:748, ack 20, win 8326, options [nop,nop,TS val 1909669936 ecr 172156005], length 747 52227*- 1/13/22 SOA (745
241.53: Flags [.], ack 748, win 8188, options [nop,nop,TS val 172156016 ecr 1909669936], length 0
241.53: Flags [F.], seq 20, ack 748, win 8192, options [nop,nop,TS val 172156019 ecr 1909669936], length 0
.49744: Flags [.], ack 21, win 8326, options [nop,nop,TS val 1909669946 ecr 172156019], length 0
241.53: Flags [.], ack 748, win 8192, options [nop,nop,TS val 172156025 ecr 1909669946], length 0
.49744: Flags [F.], seq 748, ack 21, win 8326, options [nop,nop,TS val 1909669946 ecr 172156019], length 0
241.53: Flags [.], ack 749, win 8192, options [nop,nop,TS val 172156025 ecr 1909669946], length 0
129.53: Flags [S], seq 2260025309, win 65535, options [mss 1460,nop,wscale 4,nop,nop,TS val 172152327 ecr 0,sackOK,eol], length 0
.49743: Flags [S.], seq 2528398468, ack 2260025310, win 5792, options [mss 1460,sackOK,TS val 2332945284 ecr 172152327,nop,wscale 2],
129.53: Flags [.], ack 1, win 8235, options [nop,nop,TS val 172152328 ecr 2332945284], length 0
129.53: Flags [P.], seq 1:20, ack 1, win 8235, options [nop,nop,TS val 172152328 ecr 2332945284], length 19 14386+ SOA? . (17)
.49743: Flags [.], ack 20, win 1448, options [nop,nop,TS val 2332945285 ecr 172152328], length 0
.49743: Flags [P.], seq 1:3, ack 20, win 1448, options [nop,nop,TS val 2332945286 ecr 172152328], length 2
129.53: Flags [.], ack 3, win 8235, options [nop,nop,TS val 172152329 ecr 2332945286], length 0
.49743: Flags [P.], seq 3:748, ack 20, win 1448, options [nop,nop,TS val 2332945287 ecr 172152329], length 745 34048 [b2&3=0x1] [13a] [
129.53: Flags [.], ack 748, win 8188, options [nop,nop,TS val 172152330 ecr 2332945287], length 0
129.53: Flags [F.], seq 20, ack 748, win 8192, options [nop,nop,TS val 172152332 ecr 2332945287], length 0
.49743: Flags [F.], seq 748, ack 21, win 1448, options [nop,nop,TS val 2332945292 ecr 172152332], length 0
129.53: Flags [.], ack 749, win 8192, options [nop,nop,TS val 172152333 ecr 2332945292], length 0
24.
Cache Poisoning Checklist by Cricket Liu
§ Use dedicated forwarders
§ Run the most robust server code
§ Split external/internal and forwarders
§ Filter traffic to/from your forwarders
25.
Other cases
§ For DNSSEC – size is important :-)
§ TCP – Check your ACLs
§ EDNS/DNSSEC – Check your firewalls
§ Spoofing – check RFC 5452 for security
§ DNS Cache Pollution
– RFC1918 ranges (AS112)
– .local & .localhost domains
– Flood
§ Educate your users!
§ Newest concepts: DNS Cache server per user?
§ Hardened OS
26.
Devices v Solutions. Dedicated vs Self made.
§ Dedicated DNS Cache appliance does not stop answering queries from cache when capacity limits are reached for cache misses
[Chart: Avg. Latency (Seconds), Bind 9.8 vs HW DNS Cache]
27.
Focus. Dedicated vs Self made.
§ Note how the response rate drops off at 35k queries per second. This is a result of the total number of outstanding recursive requests hitting the processing limit.
28.
What are we here for today?
§ Why are we thinking about DNS cache?
§ How can it be done better, or perhaps best?
§ Which piece of the puzzle are we interested in?
§ How did others do it?
29.
/ Servers
30.
Google, OpenDNS and more…
31.
Removed
32.
Removed
33.
Removed
34.
Removed
35.
Removed
36.
Removed
© 2011 Infoblox
Inc. All Rights Reserved. Number of Servers/Appliances Needed to Reach 500K and 1M DNS QPS 37 # of servers/appliances needed to reach 500K DNS QPS # of servers/appliances needed to reach 1M DNS QPS BIND 13 25 HW DNS Appliance 1 1 An Hardware DNS appliance can achieve over 1 M DNS QPS BIND require 13 servers to reach 500K DNS QPS 25 servers to achieve 1M DNS QPS and
38.
DNS Challenges They had…
§ ISPs need reliable, high performance DNS servers
– Limited options for carrier-grade server hardware
– Needs field-replaceable, hot-swappable PSU/Fan/HDD
§ DNS queries/sec performance needs to be high
– Avoid buying and managing a large number of servers
– Reduce support cost
§ Protection against network threats is a growing concern
§ Traditional ISP DNS uses BIND software on generic servers
– Extensive maintenance burden
§ Customers want to move away from software-only solutions
– Need high performance appliance, plus ease of management
– No field software installs to customer units
– SLA
39.
Questions?
aobszynski@infoblox.com
40.
Anti DoS/DDoS Techniques
§ TCP-SYN Flood
– Tracks the number of SYN requests per second. If the number of SYN requests goes above a threshold, the code examines the requests to see if the clients are responding with ACKs; if not, the clients are added to a temporary gray list and any pending connections are torn down.
§ UDP Flood
– If it detects that a high number of packets with a very small payload are being received from a client or pool of clients, the client IP address will be placed on a gray list
– All traffic from addresses on the gray list will be dropped for 60 seconds, then the addresses are removed from the gray list
§ Spoofed Source Addresses
– The attack involves sending a spoofed TCP SYN packet (connection initiation) with the target host's IP address to an open port as both source and destination.
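The UDP flood gray list described on this slide, sketched as an added example; it is not the appliance's code. The 60-second hold comes from the slide, while the 12-byte "very small payload" cut-off (the size of a DNS header), the rate threshold, the counting window and the packet trace are assumptions.

```python
"""Added example: per-source gray list for floods of tiny UDP packets."""
from collections import Counter, defaultdict, deque

GRAY_SECONDS = 60           # from the slide: gray-listed traffic is dropped for 60 s
SMALL_PAYLOAD = 12          # assumption: shorter than a DNS header, so never a valid query
MAX_SMALL_PER_WINDOW = 100  # assumption: tolerated tiny packets per source per window
WINDOW_SECONDS = 1.0        # assumption: sliding window used for counting


class UdpGrayList:
    def __init__(self):
        self.recent = defaultdict(deque)  # source -> timestamps of recent tiny packets
        self.gray_until = {}              # source -> time the gray-list entry expires

    def handle(self, ts, src, payload_len):
        """Return 'drop' or 'pass' for one received packet."""
        expiry = self.gray_until.get(src)
        if expiry is not None:
            if ts < expiry:
                return "drop"             # all traffic from a gray-listed source is dropped
            del self.gray_until[src]      # hold time elapsed: source leaves the gray list
        if payload_len < SMALL_PAYLOAD:
            window = self.recent[src]
            window.append(ts)
            while ts - window[0] >= WINDOW_SECONDS:
                window.popleft()          # forget tiny packets older than the window
            if len(window) > MAX_SMALL_PER_WINDOW:
                self.gray_until[src] = ts + GRAY_SECONDS
                del self.recent[src]
                return "drop"
        return "pass"


FLOODER = "192.0.2.10"      # constructed addresses from documentation ranges
CLIENT = "198.51.100.7"


def constructed_trace():
    """(timestamp, source, payload length) tuples; constructed, not captured."""
    trace = [(i * 0.001, FLOODER, 4) for i in range(150)]  # 150 tiny packets in 150 ms
    trace += [
        (0.05, CLIENT, 40),   # ordinary query during the flood
        (30.0, FLOODER, 40),  # well-formed packet while gray-listed
        (30.0, CLIENT, 40),
        (61.0, FLOODER, 40),  # after the 60 s hold has expired
    ]
    return sorted(trace)


def replay(trace):
    """Run the trace through a fresh gray list and count verdicts per source."""
    gray = UdpGrayList()
    return Counter((src, gray.handle(ts, src, size)) for ts, src, size in trace)


if __name__ == "__main__":
    for (src, verdict), count in sorted(replay(constructed_trace()).items()):
        print(f"{src:14s} {verdict:4s} {count}")
```

Because UDP source addresses can be forged, a gray list keyed on the source address also drops a legitimate client's traffic for the hold time when someone floods in that client's name, so the threshold and hold time are a trade-off.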