© 2011 Infoblox Inc. All Rights Reserved.
DNS Caching
The operator's critical infrastructure and the last piece of the puzzle
Adam Obszyński, CISSP, CCIE #8557
Regional Sales Engineer Eastern Europe
aobszynski@infoblox.com
Long ago, AD 2000
Two kinds of external DNS servers?
(diagram) Two BIND DNS servers on the same Ethernet segment, each with a different job:
§  Authoritative name servers hosting company.com (the corporate web site, www.company.com): Internet users requesting http://www.company.com are answered here, next to the webserver and mailserver.
§  Forwarders (aka resolvers, DNS caches): internal users and internal applications requesting http://www.google.com go through these; they enable web surfing, sending e-mail, etc.
What are we talking about today?
§  Why do we think about DNS caches?
§  How can it be done better, or maybe best?
§  Which piece of the puzzle are we interested in?
§  How did others do it?
Bandwidth -> Core
(source: Cisco.com)
Bandwidth -> Access
(source: http://blogs.broughturner.com/)
Serialization -> Access
(source: Cisco.com)
§  It was true in 1999 and 2000
§  Not today :-)
DNS: Scale – Number of Queries
(source: NTT Information Sharing Platform Laboratories)
§  Cause of the increase:
–  DNS prefetching function
–  28-times increase in one year
–  Firefox -> enabled 06.2009
–  .* auto update
–  Web history
DNS—Not Just Glue . . .
Web Prefetching
(source: Srinivas Krishnan and Fabian Monrose, Department of Computer Science, University of North Carolina at Chapel Hill)
Web Delay – Sample
Fast web performance starts with DNS…
(source: http://blog.catchpoint.com/)
§  http://techcrunch.com/
–  300+ objects
–  60+ domains
Web Delay – Sample 2
Fast web performance starts with DNS…
§  Two components to DNS latency:
–  Latency between the client and the resolver
–  Latency between the cache and the authoritative name servers, driven by:
•  Cache misses
•  Under-provisioning
•  Malicious traffic
(source: https://developers.google.com/)
DNS Challenges
§  Data traffic explosion drives increasing DNS load
–  The rise of applications such as Facebook and of mobile devices is causing huge growth in DNS traffic
§  Customer satisfaction is critical
–  Unsatisfied mobile customers readily switch providers
§  A distributed DNS approach places caching servers closer to the customer
–  Because response time is critical to the customer experience
–  But centralized management then becomes a critical requirement
Costs of Maintaining DNS Infrastructure are on the Rise
§  More DNS servers = higher management costs
§  Security vulnerability patching costs are high
§  Securing DNS infrastructure requires additional equipment and skills
§  High availability implementations require significant expenses and skills
TASK: Update the DNS software on 15 name servers
–  BIND: 200-330 min.
–  Infoblox: 5-20 min.
–  400-1000% faster
How ISPs Deal with DNS Today*
§  Increase the number of DNS servers
§  Use faster underlying server hardware
§  Use load balancers to handle load and IPSs to handle vulnerabilities
§  Code expensive customized changes into DNS software
Mitigations of DNS Cache problems
§  Over-provisioning caching DNS resolvers
–  They demand a lot of network input/output
–  A high cache-miss rate also means more outstanding queries, i.e. more windows for cache poisoning
–  Prepare for DoS/DDoS (over-provision with many machines)
§  Load-balancing for shared caching
–  Can backfire: independent caches behind a balancer reduce the cache hit rate (fragmentation)
–  Load-balance without fragmentation (e.g. hash on the query name rather than on the client)
–  Think about 2 levels:
•  close to the user -> small cache with the most popular names
•  2nd level -> distributed per names
§  Distributed clusters for geographical coverage
–  Closer to your users -> less latency
–  DNS Anycast (details later)
§  BUT, centralized HUGE servers can help with fragmentation!
–  Low latency from the user to the data center is needed
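The fragmentation effect behind the load-balancing bullets, as an added example (not code from the original slides): a simulation of a resolver farm behind a load balancer. It compares one shared cache, caches fragmented by hashing the client address, caches sharded by hashing the query name, and the two-level design with a small popular-names cache at the edge. The traffic mix, client count and cache count are constructed assumptions.

```python
"""Hit-rate simulation for a farm of caching resolvers behind a load balancer.
Added example, not code from the original slides: one shared cache vs. caches
fragmented by client hash vs. caches sharded by query name vs. a two-level
design. Query mix, client count and cache count are constructed assumptions."""
import hashlib
import random
from collections import Counter


def make_stream(n_queries=20000, n_names=5000, n_clients=2000, seed=1):
    """Constructed traffic: Zipf-like popularity (a few names dominate, long tail)."""
    rng = random.Random(seed)
    names = [f"host{i}.example" for i in range(n_names)]
    weights = [1.0 / (rank + 1) for rank in range(n_names)]
    qnames = rng.choices(names, weights, k=n_queries)
    clients = [f"10.0.{i // 256}.{i % 256}" for i in range(n_clients)]
    return [(rng.choice(clients), q) for q in qnames]


def shard(key, n):
    """Stable shard choice; a hash-based load balancer does the same thing."""
    return int(hashlib.sha256(key.encode()).hexdigest(), 16) % n


class Cache:
    """Positive cache without TTL expiry: enough for a hit-rate comparison."""

    def __init__(self):
        self.names = set()

    def lookup(self, name):
        hit = name in self.names
        self.names.add(name)  # a miss is resolved upstream and then cached
        return hit


def hit_rate(stream, n_caches, key_fn):
    """Fraction of queries answered from cache when the balancer picks the
    cache by hashing key_fn(client, name)."""
    caches = [Cache() for _ in range(n_caches)]
    hits = sum(caches[shard(key_fn(c, n), n_caches)].lookup(n) for c, n in stream)
    return hits / len(stream)


def two_level(stream, n_edge, top_n, n_backend):
    """Edge caches near the user hold only the top_n most popular names; every
    other name, and every edge miss, goes to a backend tier sharded by name.
    Returns (fraction answered at the edge, fraction answered from any cache).
    top_n is taken from the whole stream, standing in for a known popular list."""
    popular = {n for n, _ in Counter(n for _, n in stream).most_common(top_n)}
    edge = [Cache() for _ in range(n_edge)]
    backend = [Cache() for _ in range(n_backend)]
    edge_hits = total_hits = 0
    for client, name in stream:
        if name in popular and edge[shard(client, n_edge)].lookup(name):
            edge_hits += 1
            total_hits += 1
            continue
        if backend[shard(name, n_backend)].lookup(name):
            total_hits += 1
    return edge_hits / len(stream), total_hits / len(stream)


def compare(n_caches=8):
    """Hit rates of the four designs on the same constructed stream."""
    stream = make_stream()
    edge_rate, two_level_total = two_level(stream, n_caches, 50, n_caches)
    return {
        "shared": hit_rate(stream, 1, lambda c, n: n),
        "by_client": hit_rate(stream, n_caches, lambda c, n: c),
        "by_name": hit_rate(stream, n_caches, lambda c, n: n),
        "two_level_total": two_level_total,
        "two_level_edge": edge_rate,
    }


if __name__ == "__main__":
    for design, rate in compare().items():
        print(f"{design:16s} {rate:.3f}")
```

Sharding by name gives exactly the hit rate of one shared cache, because every name has exactly one home; hashing by client address multiplies the misses for each popular name by the number of caches that see it. The two-level design keeps the same total hit rate but answers a share of the queries at the edge, which is what the latency argument above is about.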
DNS Anycast
(diagram, three frames)
§  Two DNS caches in different locations both answer on the same anycast address, 10.0.0.1, and each injects a routing advertisement for it; the routers propagate the advertisements.
§  A client's query to 10.0.0.1 is delivered to the topologically nearest cache.
§  When a cache fails, its route is removed and queries to 10.0.0.1 are automatically re-routed to the next 'nearest' cache.
Don't use risky (or old) DNS software (TCP Case)
(capture: https://labs.ripe.net/)
241.53: Flags [S], seq 3070710725, win 65535, options [mss 1460,nop,wscale 4,nop,nop,TS val 172155998 ecr 0,sackOK,eol], length 0
.49744: Flags [S.], seq 3594360937, ack 3070710726, win 65535, options [mss 1460,nop,wscale 3,sackOK,TS val 1909669925 ecr 172155998],
241.53: Flags [.], ack 1, win 8235, options [nop,nop,TS val 172156005 ecr 1909669925], length 0
241.53: Flags [P.], seq 1:20, ack 1, win 8235, options [nop,nop,TS val 172156005 ecr 1909669925], length 19: 52227+ SOA? . (17)
.49744: Flags [P.], seq 1:748, ack 20, win 8326, options [nop,nop,TS val 1909669936 ecr 172156005], length 747: 52227*- 1/13/22 SOA (745
241.53: Flags [.], ack 748, win 8188, options [nop,nop,TS val 172156016 ecr 1909669936], length 0
241.53: Flags [F.], seq 20, ack 748, win 8192, options [nop,nop,TS val 172156019 ecr 1909669936], length 0
.49744: Flags [.], ack 21, win 8326, options [nop,nop,TS val 1909669946 ecr 172156019], length 0
241.53: Flags [.], ack 748, win 8192, options [nop,nop,TS val 172156025 ecr 1909669946], length 0
.49744: Flags [F.], seq 748, ack 21, win 8326, options [nop,nop,TS val 1909669946 ecr 172156019], length 0
241.53: Flags [.], ack 749, win 8192, options [nop,nop,TS val 172156025 ecr 1909669946], length 0
129.53: Flags [S], seq 2260025309, win 65535, options [mss 1460,nop,wscale 4,nop,nop,TS val 172152327 ecr 0,sackOK,eol], length 0
.49743: Flags [S.], seq 2528398468, ack 2260025310, win 5792, options [mss 1460,sackOK,TS val 2332945284 ecr 172152327,nop,wscale 2],
129.53: Flags [.], ack 1, win 8235, options [nop,nop,TS val 172152328 ecr 2332945284], length 0
129.53: Flags [P.], seq 1:20, ack 1, win 8235, options [nop,nop,TS val 172152328 ecr 2332945284], length 19: 14386+ SOA? . (17)
.49743: Flags [.], ack 20, win 1448, options [nop,nop,TS val 2332945285 ecr 172152328], length 0
.49743: Flags [P.], seq 1:3, ack 20, win 1448, options [nop,nop,TS val 2332945286 ecr 172152328], length 2
129.53: Flags [.], ack 3, win 8235, options [nop,nop,TS val 172152329 ecr 2332945286], length 0
.49743: Flags [P.], seq 3:748, ack 20, win 1448, options [nop,nop,TS val 2332945287 ecr 172152329], length 745: 34048 [b2&3=0x1] [13a] [
129.53: Flags [.], ack 748, win 8188, options [nop,nop,TS val 172152330 ecr 2332945287], length 0
129.53: Flags [F.], seq 20, ack 748, win 8192, options [nop,nop,TS val 172152332 ecr 2332945287], length 0
.49743: Flags [F.], seq 748, ack 21, win 1448, options [nop,nop,TS val 2332945292 ecr 172152332], length 0
129.53: Flags [.], ack 749, win 8192, options [nop,nop,TS val 172152333 ecr 2332945292], length 0
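The second exchange above is the interesting one. The server sends the 2-byte TCP length prefix as its own segment (seq 1:3, length 2) and the 745-byte DNS message in the next (seq 3:748). tcpdump's decoder, like any client that assumes a whole framed message arrives in one read, parses that message segment as if it started with a length: the query ID 14386 is taken as the length and the flags word 0x8500 is printed as ID 34048. The following is an added example, not code from the slides or from the RIPE Labs article, of how a resolver or client should read the stream; the fake socket and the message bytes are constructed (only the header fields visible in the capture are reproduced).

```python
"""Reading DNS over TCP without assuming one recv() delivers one framed message.
Added example, not code from the slides or the RIPE Labs capture. The fake socket
replays the shape of the capture's second exchange: the 2-byte length prefix in
its own segment, then the 745-byte message. Message bytes are constructed."""
import struct


def recv_exact(sock, n):
    """Read exactly n bytes, looping over partial reads; raise if the peer closes early."""
    buf = bytearray()
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError(f"peer closed after {len(buf)} of {n} bytes")
        buf.extend(chunk)
    return bytes(buf)


def read_dns_tcp_message(sock, expected_id=None):
    """RFC 1035 section 4.2.2 framing: 2-byte big-endian length, then the message.
    Optionally reject a message whose ID does not match the query that was sent."""
    (length,) = struct.unpack("!H", recv_exact(sock, 2))
    if length < 12:
        raise ValueError(f"length {length} is shorter than a DNS header")
    msg = recv_exact(sock, length)
    (msg_id,) = struct.unpack("!H", msg[:2])
    if expected_id is not None and msg_id != expected_id:
        raise ValueError(f"message ID {msg_id} does not match query ID {expected_id}")
    return msg


def naive_read(sock):
    """The fragile pattern: one recv(), then treat everything after byte 2 as the message."""
    data = sock.recv(4096)
    (length,) = struct.unpack("!H", data[:2])
    return length, data[2:]


def misaligned_view(body):
    """What a decoder sees if it treats the body segment as a fresh framed message:
    the real ID becomes the 'length' and the flags become the 'ID'. The capture's
    '34048 [b2&3=0x1] [13a]' line is exactly this misread (flags 0x8500 = 34048)."""
    return struct.unpack("!HHH", body[:6])


class SegmentedSocket:
    """Fake socket that hands out pre-cut segments, one per recv() at most."""

    def __init__(self, segments):
        self.segments = list(segments)

    def recv(self, n):
        if not self.segments:
            return b""
        head, rest = self.segments[0][:n], self.segments[0][n:]
        if rest:
            self.segments[0] = rest
        else:
            self.segments.pop(0)
        return head


def constructed_response(msg_id=14386, size=745):
    """Constructed body matching the capture's visible header: query ID 14386,
    flags 0x8500, counts 1/1/13/22; the record data is zero padding."""
    header = struct.pack("!HHHHHH", msg_id, 0x8500, 1, 1, 13, 22)
    return header + b"\x00" * (size - len(header))


def demo():
    body = constructed_response()
    framed = struct.pack("!H", len(body)) + body
    segments = [framed[:2], framed[2:402], framed[402:]]  # prefix alone, body split in two
    robust = read_dns_tcp_message(SegmentedSocket(segments), expected_id=14386)
    naive_len, naive_body = naive_read(SegmentedSocket(segments))
    return {
        "robust_ok": robust == body,
        "naive_len": naive_len,               # 745: the prefix itself was read fine...
        "naive_body_bytes": len(naive_body),  # ...but zero message bytes came with it
    }
```

The robust reader does not care how the sender cuts the stream: it reads two bytes, then exactly that many more, and only then looks at the header. The ID check is the TCP counterpart of the matching a resolver does on UDP answers; nothing about TCP makes it unnecessary.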
Cache Poisoning Checklist
by Cricket Liu
§  Use dedicated forwarders
§  Run the most robust server code
§  Split external/internal servers and forwarders
§  Filter traffic to/from your forwarders
Other cases
§  For DNSSEC, size matters :-) (signed responses are larger; UDP fragments and TCP fallback must get through)
§  TCP: check your ACLs
§  EDNS/DNSSEC: check your firewalls
§  Spoofing: see RFC 5452 (Measures for Making DNS More Resilient against Forged Answers)
§  DNS cache pollution
–  RFC 1918 reverse ranges (AS112)
–  .local & .localhost domains
–  Floods
§  Educate your users!
§  Newest concept: a DNS cache server per user?
§  Hardened OS
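What "robust server code" and RFC 5452 amount to on the receiving side of a cache miss, as an added example (not code from the slides, from Cricket Liu's checklist or from the RFC): the checks a resolver applies to a response before anything from it enters the cache. It matches the source address and port, the randomized local port, the transaction ID and the question section, and then drops records outside the bailiwick of the server that answered. The query, zone, addresses and response bytes are constructed.

```python
"""Checks a caching resolver applies to a response before caching it: the
anti-spoofing measures of RFC 5452 section 9 (expected source address and port,
randomized local port, transaction ID, matching question section) plus the
in-bailiwick rule that drops records the answering server may not speak for.
Added example, not from the slides or the RFC; all data below is constructed."""
import struct
from collections import Counter, namedtuple

def encode_name(name):
    """Wire-format name without compression."""
    labels = [lab for lab in name.rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode() for lab in labels) + b"\x00"

def decode_name(msg, off):
    """Decode a possibly compressed name; return (lowercased name, next offset)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer
            if end is None:
                end = off + 2  # parsing resumes after the first pointer
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            hops += 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels).lower() + ".", (end if end is not None else off)

def parse_message(msg):
    """Return (id, flags, [(qname, qtype, qclass)], [(section, name, type, rdata)])."""
    msg_id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions, records = 12, [], []
    for _ in range(qd):
        name, off = decode_name(msg, off)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, qtype, qclass))
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            name, off = decode_name(msg, off)
            rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            records.append((section, name, rtype, msg[off:off + rdlen]))
            off += rdlen
    return msg_id, flags, questions, records

# server = (address, port) queried; local_port = randomized source port
# (RFC 5452 section 9.2); zone = the zone the server was asked about (bailiwick)
PendingQuery = namedtuple("PendingQuery", "msg_id qname qtype server local_port zone")

def validate_response(pending, src, dst_port, msg):
    """Return the records safe to cache, or raise ValueError at the first failed
    check. Each check is one more value a blind spoofer has to guess or match."""
    if src != pending.server:
        raise ValueError("response from an address/port we did not query")
    if dst_port != pending.local_port:
        raise ValueError("response to a port we did not send from")
    msg_id, flags, questions, records = parse_message(msg)
    if msg_id != pending.msg_id:
        raise ValueError("transaction ID mismatch")
    if not flags & 0x8000:
        raise ValueError("QR bit clear: this is a query, not a response")
    if questions != [(pending.qname.lower(), pending.qtype, 1)]:
        raise ValueError("question section does not match our query")
    zone = pending.zone.lower()
    return [r for r in records if r[1] == zone or r[1].endswith("." + zone)]

def build_response(msg_id, qname, qtype, rrs):
    """Constructed response; rrs = (section, name, type, ttl, rdata), sections in order."""
    n = Counter(section for section, *_ in rrs)
    out = struct.pack("!HHHHHH", msg_id, 0x8400, 1, n["answer"], n["authority"], n["additional"])
    out += encode_name(qname) + struct.pack("!HH", qtype, 1)
    for _, name, rtype, ttl, rdata in rrs:
        out += encode_name(name) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata
    return out

def demo():
    pending = PendingQuery(0x1234, "www.example.com.", 1, ("192.0.2.53", 53), 40123, "example.com.")
    genuine = build_response(0x1234, "www.example.com.", 1, [
        ("answer", "www.example.com.", 1, 300, bytes([192, 0, 2, 10])),
        ("additional", "www.bank.example.", 1, 86400, bytes([198, 51, 100, 7])),  # out of bailiwick
    ])
    kept = [r[1] for r in validate_response(pending, ("192.0.2.53", 53), 40123, genuine)]
    forged = build_response(0x4321, "www.example.com.", 1,  # spoofer guessed the wrong ID
                            [("answer", "www.example.com.", 1, 300, bytes([198, 51, 100, 7]))])
    try:
        validate_response(pending, ("192.0.2.53", 53), 40123, forged)
        forged_rejected = False
    except ValueError:
        forged_rejected = True
    return kept, forged_rejected
```

The bailiwick filter is what turns a poisoned additional section into a no-op: the example.com server may answer for www.example.com but not for www.bank.example, so that record never reaches the cache even when every other check passes. The ID and port checks only raise the attacker's cost; a fixed source port halves the entropy they rely on.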
Devices vs Solutions: Dedicated vs Self-made
§  A dedicated DNS cache appliance does not stop answering queries from cache when its capacity limit for cache misses is reached
(chart: average latency in seconds, BIND 9.8 vs. hardware DNS cache)
Focus: Dedicated vs Self-made
§  Note how the response rate drops off at 35k queries per second. This is the result of the total number of outstanding recursive requests hitting the processing limit (for BIND, the recursive-clients quota).
Google, OpenDNS and more…
(slides 31-36 removed from the published deck)
Number of Servers/Appliances Needed to Reach 500K and 1M DNS QPS

                      500K DNS QPS    1M DNS QPS
BIND                  13              25
HW DNS Appliance      1               1

§  A hardware DNS appliance can achieve over 1M DNS QPS
§  BIND requires 13 servers to reach 500K DNS QPS and 25 servers to achieve 1M DNS QPS
DNS Challenges They Had…
§  ISPs need reliable, high-performance DNS servers
–  Limited options for carrier-grade server hardware
–  Need field-replaceable, hot-swappable PSU/fan/HDD
§  DNS queries/sec performance needs to be high
–  Avoid buying and managing a large number of servers
–  Reduce support cost
§  Protection against network threats is a growing concern
§  Traditional ISP DNS uses BIND software on generic servers
–  Extensive maintenance burden
§  Customers want to move away from software-only solutions
–  Need a high-performance appliance, plus ease of management
–  No field software installs to customer units
–  SLA
aobszynski@infoblox.com
Questions?
Anti DoS/DDoS Techniques
§  TCP SYN flood
–  Track the number of SYN requests per second; if it goes above a threshold, examine the requests to see whether the clients are responding with ACKs. If not, the clients are added to a temporary gray list and any pending connections are torn down.
§  UDP flood
–  If a high number of packets with a very small payload is being received from a client or pool of clients, the client IP address is placed on a gray list
–  All traffic from addresses on the gray list is dropped for 60 seconds, then the address is removed from the gray list
§  Spoofed source addresses
–  The attack involves sending a spoofed TCP SYN packet (connection initiation) to an open port with the target host's IP address as both source and destination.
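The gray-listing logic described on this slide, as an added example (not vendor code): a detector with a one-second sliding window per source, run over a constructed packet log containing a legitimate client that completes its handshakes, a SYN flooder that never ACKs, and a small-payload UDP flooder. The thresholds, the window and the sample log are assumptions; the 60-second gray-list timeout is the one the slide states.

```python
"""Gray-listing detector for the two flood patterns on the slide: TCP SYNs that
are never followed by an ACK, and bursts of very small UDP payloads from one
source. Added example, not from the slides or any vendor; thresholds, the
one-second window and the sample packet log are constructed assumptions (the
60-second gray-list timeout is the one the slide states)."""
from collections import defaultdict, deque

SYN_RATE_THRESHOLD = 100   # SYNs per second before a source is examined
MIN_ACK_RATIO = 0.5        # share of those SYNs that must be followed by an ACK
TINY_UDP_THRESHOLD = 200   # small-payload UDP packets per second per source
TINY_PAYLOAD_BYTES = 20    # what counts as a "very small payload"
GRAY_SECONDS = 60          # slide: drop everything from the source for 60 s
WINDOW = 1.0               # sliding window for the per-second rates


class GrayList:
    """Source addresses and the time their penalty ends."""

    def __init__(self):
        self.until = {}

    def add(self, ip, now):
        self.until[ip] = now + GRAY_SECONDS

    def contains(self, ip, now):
        end = self.until.get(ip)
        if end is not None and now >= end:
            del self.until[ip]  # penalty over: removed from the gray list
            return False
        return end is not None


class FloodDetector:
    def __init__(self):
        self.gray = GrayList()
        self.syn = defaultdict(deque)   # src -> timestamps of SYNs in the window
        self.ack = defaultdict(deque)   # src -> timestamps of ACKs in the window
        self.tiny = defaultdict(deque)  # src -> timestamps of tiny UDP packets
        self.dropped = 0

    @staticmethod
    def _trim(dq, now):
        while dq and dq[0] <= now - WINDOW:
            dq.popleft()

    def handle(self, pkt):
        """pkt: dict with ts, src, proto ('tcp'/'udp'), flags ('S', 'A', ...), payload_len.
        Returns 'drop' or 'pass' for a filter to act on."""
        now, src = pkt["ts"], pkt["src"]
        if self.gray.contains(src, now):
            self.dropped += 1
            return "drop"
        if pkt["proto"] == "tcp" and "S" in pkt["flags"] and "A" not in pkt["flags"]:
            syn, ack = self.syn[src], self.ack[src]
            syn.append(now)
            self._trim(syn, now)
            self._trim(ack, now)
            if len(syn) > SYN_RATE_THRESHOLD and len(ack) < MIN_ACK_RATIO * len(syn):
                self.gray.add(src, now)  # the stack would also tear down its half-open connections here
        elif pkt["proto"] == "tcp" and "A" in pkt["flags"]:
            self.ack[src].append(now)
            self._trim(self.ack[src], now)
        elif pkt["proto"] == "udp" and pkt["payload_len"] <= TINY_PAYLOAD_BYTES:
            tiny = self.tiny[src]
            tiny.append(now)
            self._trim(tiny, now)
            if len(tiny) > TINY_UDP_THRESHOLD:
                self.gray.add(src, now)
        return "pass"


def sample_traffic():
    """Constructed packet log: a client that completes its handshakes, a SYN flooder
    that never ACKs, a tiny-payload UDP flooder, and that flooder again after its
    penalty has expired."""
    pkts = []
    for i in range(150):
        t = i * 0.005
        pkts.append(dict(ts=t, src="203.0.113.5", proto="tcp", flags="S", payload_len=0))
        pkts.append(dict(ts=t + 0.002, src="203.0.113.5", proto="tcp", flags="A", payload_len=0))
        pkts.append(dict(ts=t, src="198.51.100.9", proto="tcp", flags="S", payload_len=0))
    for i in range(300):
        pkts.append(dict(ts=i * 0.002, src="198.51.100.77", proto="udp", flags="", payload_len=12))
    pkts.append(dict(ts=61.5, src="198.51.100.77", proto="udp", flags="", payload_len=12))
    pkts.sort(key=lambda p: p["ts"])
    return pkts


def run(pkts):
    """Feed packets in time order; return per-source pass/drop counts and the detector."""
    det = FloodDetector()
    verdicts = defaultdict(lambda: {"pass": 0, "drop": 0})
    for p in pkts:
        verdicts[p["src"]][det.handle(p)] += 1
    return dict(verdicts), det
```

The legitimate client also exceeds the SYN-rate threshold; it is the missing ACKs, not the rate alone, that gets a source gray-listed, which is what the slide's "examine the requests" step means. Tearing down half-open connections is left as a comment because it depends on the stack; the verdicts returned are what a filter acts on.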

Re-membering the Bard: Revisiting The Compleat Wrks of Wllm Shkspr (Abridged)...
Re-membering the Bard: Revisiting The Compleat Wrks of Wllm Shkspr (Abridged)...Re-membering the Bard: Revisiting The Compleat Wrks of Wllm Shkspr (Abridged)...
Re-membering the Bard: Revisiting The Compleat Wrks of Wllm Shkspr (Abridged)...
 
ICT role in 21st century education and it's challenges.pdf
ICT role in 21st century education and it's challenges.pdfICT role in 21st century education and it's challenges.pdf
ICT role in 21st century education and it's challenges.pdf
 
BDSM⚡Call Girls in Sector 97 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 97 Noida Escorts >༒8448380779 Escort ServiceBDSM⚡Call Girls in Sector 97 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 97 Noida Escorts >༒8448380779 Escort Service
 
Chiulli_Aurora_Oman_Raffaele_Beowulf.pptx
Chiulli_Aurora_Oman_Raffaele_Beowulf.pptxChiulli_Aurora_Oman_Raffaele_Beowulf.pptx
Chiulli_Aurora_Oman_Raffaele_Beowulf.pptx
 

PLNOG 9: Adam Obszyński - DNS Caching

  • 1. © 2011 Infoblox Inc. All Rights Reserved. DNS Caching: the operator's critical infrastructure and the last piece of the puzzle. Adam Obszyński, CISSP, CCIE #8557, Regional Sales Engineer Eastern Europe, aobszynski@infoblox.com
  • 2. A long time ago, AD 2000
  • 3. Two kinds of external DNS servers? (diagram) Forwarders (aka resolvers, DNS caches) serve internal users and internal applications (e.g. > http://www.google.com) and enable web surfing, sending e-mail, etc. Authoritative name servers host company.com (corporate web site: www.company.com) for Internet users (> http://www.company.com), next to the web server and mail server. Both roles run BIND DNS.
  • 4. What are we talking about today?
    §  Why do we think about DNS caching?
    §  How can it be done better, or maybe best?
    §  Which piece of the puzzle are we interested in?
    §  How did others do it?
  • 5. What are we talking about today? (agenda, as on slide 4)
  • 6. Bandwidth -> Core (chart © Cisco.com)
  • 7. Bandwidth -> Access (chart © http://blogs.broughturner.com/)
  • 8. Serialization -> Access (chart © Cisco.com)
    §  It was true in 1999 and 2000
    §  Not today :-)
  • 9. DNS: Scale – Number of Queries (chart © NTT Information Sharing Platform Laboratories)
    §  Cause of increase
      –  DNS prefetching function
      –  28-times increase in one year
      –  Firefox -> enabled 06.2009
      –  .* auto update
      –  Web history
  • 10. What are we talking about today? (agenda, as on slide 4)
  • 11. DNS—Not Just Glue . . .
  • 12. Web Prefetching (© Srinivas Krishnan and Fabian Monrose, Department of Computer Science, University of North Carolina at Chapel Hill)
  • 13. Web Delay – Sample. Fast web performance starts with DNS… (© http://blog.catchpoint.com/)
    §  http://techcrunch.com/
      –  300+ objects
      –  60+ domains
  • 14. Web Delay – Sample 2. Fast web performance starts with DNS… (© https://developers.google.com/)
    §  Two components to DNS latency:
      –  Latency client <-> server
      –  Caches <-> name servers
        •  Cache misses
        •  Under-provisioning
        •  Malicious traffic
  • 15. DNS Challenges
    §  Data traffic explosion drives increasing DNS load
      –  The rise of applications such as Facebook and of mobile devices is causing huge growth in DNS traffic
    §  Customer satisfaction is critical
      –  Unsatisfied mobile customers readily switch providers
    §  A distributed DNS approach places caching servers closer to the customer
      –  Because response time is critical to the customer experience
      –  But centralized management now becomes a critical requirement
  • 16. Costs of Maintaining DNS Infrastructure are on the Rise
    §  More DNS servers = higher management costs
    §  Security vulnerability patching costs are high
    §  Securing DNS infrastructure requires additional equipment and skills
    §  High-availability implementations require significant expenses and skills
    Task: update the DNS software on 15 name servers. Time: BIND 200-330 min.; Infoblox 5-20 min. (400-1000% faster)
  • 17. How ISPs Deal with DNS Today*
    §  Increase the number of DNS servers
    §  Use faster underlying server hardware
    §  Use load balancers to handle load and IPSs to handle vulnerabilities
    §  Code expensive customized changes into DNS software
  • 18. What are we talking about today? (agenda, as on slide 4)
  • 19. Mitigations of DNS cache problems
    §  Over-provisioning caching DNS resolvers
      –  They demand a lot of network input/output
      –  Highly vulnerable to cache poisoning (cache miss rate)
      –  Prepare for DoS/DDoS (over-provision with many machines)
    §  Load balancing for shared caching
      –  Possible backfire -> reduces the cache hit rate (independent caches)
      –  Load-balance without fragmentation
      –  Think about 2 levels
        •  close to the user -> small cache with the most popular names
        •  2nd level -> distributed per name
    §  Distributed clusters for geographical coverage
      –  Closer to your users -> less latency
      –  DNS anycast (details later)
    §  BUT, centralized HUGE servers can help with fragmentation!
      –  Low latency from user to data center needed
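The cache-fragmentation point on slide 19 (independent caches behind a name-blind load balancer each miss on the same names, while partitioning by name does not) can be measured with a small simulation. This is an added Python example, not code from the slides or from Infoblox; the Zipf-like query mix, the LRU cache sizes and the SHA-256 name partitioning are constructed assumptions.

```python
import hashlib
import random
from collections import OrderedDict


class LruCache:
    """Tiny LRU resolver cache; a miss stands for a recursive lookup upstream."""
    def __init__(self, capacity):
        self.capacity = capacity
        self.entries = OrderedDict()
        self.hits = 0

    def lookup(self, qname):
        """Return True on a cache hit, False on a miss (which fills the cache)."""
        if qname in self.entries:
            self.entries.move_to_end(qname)
            self.hits += 1
            return True
        self.entries[qname] = True
        if len(self.entries) > self.capacity:
            self.entries.popitem(last=False)  # evict the least recently used name
        return False


def round_robin(qname, i, n):
    """Load balancer that ignores the name: the i-th query goes to cache i mod n."""
    return i % n


def name_hash(qname, i, n):
    """Partition by name (assumed scheme): a name always lands on the same cache."""
    return int(hashlib.sha256(qname.encode()).hexdigest(), 16) % n


def hit_rate(queries, n_caches, chooser, capacity):
    """Overall hit rate of n_caches independent caches fed through chooser()."""
    caches = [LruCache(capacity) for _ in range(n_caches)]
    for i, qname in enumerate(queries):
        caches[chooser(qname, i, n_caches)].lookup(qname)
    return sum(c.hits for c in caches) / len(queries)


def zipf_queries(n_queries, n_names, seed=1):
    """Constructed Zipf-like workload: a few names get most of the queries."""
    rng = random.Random(seed)
    names = [f"host{k}.example" for k in range(n_names)]
    weights = [1 / (k + 1) for k in range(n_names)]
    return rng.choices(names, weights=weights, k=n_queries)


if __name__ == "__main__":
    q = zipf_queries(20000, 5000)
    for n in (1, 4, 8):
        print(n, "caches: round-robin", round(hit_rate(q, n, round_robin, 500), 3),
              "name-hash", round(hit_rate(q, n, name_hash, 500), 3))
```

With one cache both strategies are identical; with several caches the round-robin hit rate falls because every cache has to learn the same popular names, which is the fragmentation the slide warns about.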
  • 20. DNS Anycast (diagram: two DNS caches each advertise anycast address 10.0.0.1 through routing advertisements; a query to 10.0.0.1 is routed to one of them)
  • 21. DNS Anycast (same diagram as slide 20)
  • 22. DNS Anycast (diagram: route removed; queries to 10.0.0.1 are automatically re-routed to the next ‘nearest’ DNS cache)
  • 23. Don’t use risky (or old) DNS software (TCP case) © https://labs.ripe.net/ (slide shows a tcpdump capture of SOA queries for “.” over TCP to two name servers)
  • 24. Cache Poisoning Checklist by Cricket Liu
    §  Use dedicated forwarders
    §  Run the most robust server code
    §  Split external/internal and forwarders
    §  Filter traffic to/from your forwarders
  • 25. Other cases
    §  For DNSSEC – size is important :-)
    §  TCP – check your ACLs
    §  EDNS/DNSSEC – check your firewalls
    §  Spoofing – check RFC 5452 for security
    §  DNS cache pollution
      –  RFC 1918 ranges (AS112)
      –  .local & .localhost domains
      –  Flood
    §  Educate your users!
    §  Newest concepts: DNS cache server per user?
    §  Hardened OS
  • 26. Devices vs. Solutions. Dedicated vs. self-made. (chart: average latency in seconds, BIND 9.8 vs. HW DNS cache)
    §  A dedicated DNS cache appliance does not stop answering queries from cache when capacity limits are reached for cache misses
  • 27. Focus. Dedicated vs. self-made.
    §  Note how the response rate drops off at 35k queries per second. This is a result of the total number of outstanding recursive requests hitting the processing limit.
  • 28. What are we talking about today? (agenda, as on slide 4)
  • 29. Servers
  • 30. Google, OpenDNS and more…
  • 31. Removed
  • 32. Removed
  • 33. Removed
  • 34. Removed
  • 35. Removed
  • 36. Removed
  • 37. Number of servers/appliances needed to reach 500K and 1M DNS QPS
      BIND: 13 servers for 500K QPS, 25 servers for 1M QPS
      HW DNS appliance: 1 for 500K QPS, 1 for 1M QPS
    A hardware DNS appliance can achieve over 1M DNS QPS; BIND requires 13 servers to reach 500K DNS QPS and 25 servers to achieve 1M DNS QPS.
  • 38. DNS challenges they had…
    §  ISPs need reliable, high-performance DNS servers
      –  Limited options for carrier-grade server hardware
      –  Need field-replaceable, hot-swappable PSU/fan/HDD
    §  DNS queries/sec performance needs to be high
      –  Avoid buying and managing a large number of servers
      –  Reduce support cost
    §  Protection against network threats is a growing concern
    §  Traditional ISP DNS uses BIND software on generic servers
      –  Extensive maintenance burden
    §  Customers want to move away from software-only solutions
      –  Need a high-performance appliance, plus ease of management
      –  No field software installs on customer units
      –  SLA
  • 39. aobszynski@infoblox.com Questions?
  • 40. Anti DoS/DDoS techniques
    §  TCP SYN flood
      –  Tracks the number of SYN requests per second; if it goes above a threshold, the code examines the requests to see whether the clients are responding with ACKs. If not, the clients are added to a temporary gray list and any pending connections are torn down.
    §  UDP flood
      –  If it detects that a high number of packets with a very small payload are being received from a client or pool of clients, the client IP address is placed on a gray list
      –  All traffic from addresses on the gray list is dropped for 60 seconds; the address is then removed from the gray list
    §  Spoofed source addresses
      –  The attack involves sending a spoofed TCP SYN packet (connection initiation) with the target host's IP address as both source and destination to an open port.
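The UDP-flood gray list on slide 40 can be written as a per-client rate check: tiny payloads are counted in a one-second sliding window, an offender is gray-listed so that everything it sends is dropped for 60 seconds, and it is then removed from the list. Added Python example, not Infoblox's implementation; the 32-byte "small payload" size, the 100-per-second threshold and the packet stream are constructed assumptions.

```python
from collections import defaultdict, deque


class UdpFloodGrayList:
    """Gray list for UDP floods (thresholds are constructed assumptions)."""

    def __init__(self, small_payload=32, max_small_per_sec=100, gray_seconds=60):
        self.small_payload = small_payload        # bytes; below this counts as "tiny"
        self.max_small_per_sec = max_small_per_sec
        self.gray_seconds = gray_seconds
        self.recent = defaultdict(deque)          # src -> timestamps of tiny packets
        self.gray_until = {}                      # src -> time the listing expires

    def is_gray(self, src, now):
        """True while src is gray-listed; an expired entry is removed."""
        until = self.gray_until.get(src)
        if until is None:
            return False
        if now >= until:
            del self.gray_until[src]              # 60 s are over: back to normal
            return False
        return True

    def observe(self, src, payload_len, now):
        """Decide 'accept' or 'drop' for one inbound UDP packet from src."""
        if self.is_gray(src, now):
            return "drop"                         # everything from a listed source
        if payload_len >= self.small_payload:
            return "accept"                       # normal-sized packets never count
        window = self.recent[src]
        window.append(now)
        while window and now - window[0] > 1.0:   # one-second sliding window
            window.popleft()
        if len(window) > self.max_small_per_sec:
            self.gray_until[src] = now + self.gray_seconds
            window.clear()
            return "drop"
        return "accept"


def run_stream(packets, detector=None):
    """Feed (src, payload_len, time) tuples in time order; return drops per source."""
    det = detector or UdpFloodGrayList()
    drops = defaultdict(int)
    for src, size, t in packets:
        if det.observe(src, size, t) == "drop":
            drops[src] += 1
    return dict(drops)


# Constructed sample: 10.0.0.5 fires 300 tiny packets inside one second and one more
# after the gray period; 10.0.0.9 sends ordinary-sized queries at a sane rate.
SAMPLE = sorted([("10.0.0.5", 12, i * 0.003) for i in range(300)]
                + [("10.0.0.9", 45, i * 0.1) for i in range(10)]
                + [("10.0.0.5", 12, 61.5)], key=lambda p: p[2])
```

`run_stream(SAMPLE)` returns `{"10.0.0.5": 200}`: the 101st tiny packet trips the threshold, the remaining 199 in the burst are dropped, and the packet sent after 60 seconds is accepted again because the address has left the gray list.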