BEST PRACTICES FOR IMPROVING EXTERNAL DNS RESILIENCY AND PERFORMANCE

Similar documents
USING TRANSACTION SIGNATURES (TSIG) FOR SECURE DNS SERVER COMMUNICATION

OVERVIEW OF THE DNS AND GLOSSARY OF TERMS. Protect your business

In the Domain Name System s language, rcode 0 stands for: no error condition.

A Better Way to a Redundant DNS.

DNS SECURITY BEST PRACTICES

THE AUTHORITATIVE GUIDE TO DNS TERMINOLOGY

Cloud DNS. High Performance under any traffic conditions from anywhere in the world. Reliable. Performance

BIG-IP DNS Services: Implementations. Version 12.0

BIG-IP DNS Services: Implementations. Version 12.1

The Interactive Guide to Protecting Your Election Website

Enterprise Overview. Benefits and features of Cloudflare s Enterprise plan FLARE

Etisalat DNS. Internet Core Services. By Mohamed Albanna. Manager/ Internet Core Services

Draft Applicant Guidebook, v3

Running A Highly Scaled Registry DNS Platform. ICANN 55 Tech Day Anycast Panel Chris Griffiths -

Improving DNS Security and Resiliency. Carlos Vicente Network Startup Resource Center

Draft Applicant Guidebook, v4

Re-engineering the DNS One Resolver at a Time. Paul Wilson Director General APNIC channeling Geoff Huston Chief Scientist

DNS/DNSSEC Workshop. In Collaboration with APNIC and HKIRC Hong Kong. Champika Wijayatunga Regional Security Engagement Manager Asia Pacific

The DNS of Things. A. 2001:19b8:10 1:2::f5f5:1d Q. WHERE IS Peter Silva Sr. Technical Marketing

The F5 Intelligent DNS Scale Reference Architecture

DNSSEC DNS SECURITY EXTENSIONS INTRODUCTION TO DNSSEC FOR SECURING DNS QUERIES AND INFORMATION

ICANN SSR Update. Save Vocea PacNOG17 Samoa 13 July 2015

August 14th, 2018 PRESENTED BY:

Root Servers. Root hints file come in many names (db.cache, named.root, named.cache, named.ca) See root-servers.org for more detail

Rock-solid Internet infrastructure. (Yeah, we keep our stuff in bunkers.)

Imperva Incapsula Product Overview

DNS Anycast for High Availability and Performance

Network Security Part 3 Domain Name System

gtld Applicant Guidebook (v ) Module 5

snoc Snoc DDoS Protection Fast Secure Cost effective Introduction Snoc 3.0 Global Scrubbing Centers Web Application DNS Protection

Overview. Last Lecture. This Lecture. Next Lecture. Scheduled tasks and log management. DNS and BIND Reference: DNS and BIND, 4 th Edition, O Reilly

Hoda Rohani Anastasios Poulidis Supervisor: Jeroen Scheerder. System and Network Engineering July 2014

Technical Description: Nixu Registry Server

AKAMAI CLOUD SECURITY SOLUTIONS

The Design and Implementation of a Next Generation Name Service for the Internet (CoDoNS) Presented By: Kamalakar Kambhatla

Tech Day Home Network Registry Idea

.BIZ Agreement Appendix 10 Service Level Agreement (SLA) (22 August 2013)

K-Root Nameserver Operations

A Security Evaluation of DNSSEC with NSEC Review

Domain Name System.

CNT Computer and Network Security: DNS Security

Outline NET 412 NETWORK SECURITY PROTOCOLS. Reference: Lecture 7: DNS Security 3/28/2016

DNS SECURITY BENEFITS OF OUTSOURCING YOUR DNS TO AN IP ANYCAST+ PROVIDER

An ARIN Update. Susan Hamlin Director of Communications and Member Services

An Overview of DNSSEC. Cesar Diaz! lacnic.net!

Running the Setup Web UI

WHITE PAPER. DNS: Key Considerations Before Deploying Your Solution

Neustar Security Solutions Overview

WEBSCALE CONVERGED APPLICATION DELIVERY PLATFORM

Registry Vulnerabilities An Overview

K-Root Name Server Operations

Never Drop a Call With TecInfo SIP Proxy White Paper

DNSSEC Why, how, why now? Olaf Kolkman (NLnet Labs)

The Changing DNS Market: A Technical Perspective

DDoS on DNS: past, present and inevitable. Töma Gavrichenkov

THE UTILITY OF DNS TRAFFIC MANAGEMENT

UPS system failure. Cyber crime (DDoS ) Accidential/human error. Water, heat or CRAC failure. W eather related. Generator failure

Are You Fully Prepared to Withstand DNS Attacks?

DNS Security. Ch 1: The Importance of DNS Security. Updated

Distributing Applications for Disaster Planning and Availability

Twilio cloud communications SECURITY

SECURITY ON AWS 8/3/17. AWS Security Standards MORE. By Max Ellsberry

A White Paper on VeriSign Managed DNS Services

Less is More Cipher-Suite Negotiation for DNSSEC

How to Choose a CDN. Improve Website Performance and User Experience. Imperva, Inc All Rights Reserved

CS 344/444 Computer Network Fundamentals Final Exam Solutions Spring 2007

Dynamic Registry Updates. John Dickinson Senior Researcher Nominet UK

Protecting DNS Critical Infrastructure Solution Overview. Radware Attack Mitigation System (AMS) - Whitepaper

DNS Security DNSSEC. * zo.net/papers/dnssec/dnss ec.html. IT352 Network Security Najwa AlGhamdi

Protecting Against DNS Cache Poisoning Attacks

A Guide to Ensuring Security and Resiliency

Hands-on Lab. Infoblox Core DDI Infoblox Inc. All rights reserved. Hands-on lab - Infoblox integration with Microsoft Page 1 of 61

Denial of Service Protection Standardize Defense or Loose the War

Running the Setup Web UI

AUTOTASK ENDPOINT BACKUP (AEB) SECURITY ARCHITECTURE GUIDE

CSC 574 Computer and Network Security. DNS Security

SAFECOM SECUREWEB - CUSTOM PRODUCT SPECIFICATION 1. INTRODUCTION 2. SERVICE DEFINITION. 2.1 Service Overview. 2.2 Standard Service Features APPENDIX 2

Document Sub Title. Yotpo. Technical Overview 07/18/ Yotpo

Quad9: A Free, Secure DNS Resolver. Nishal Goburdhan Internet Infrastructure Analyst Packet Clearing House

TOP TEN DNS ATTACKS PROTECTING YOUR ORGANIZATION AGAINST TODAY S FAST-GROWING THREATS

Configuring Network Load Balancing

Comprehensive datacenter protection

VERISIGN DISTRIBUTED DENIAL OF SERVICE TRENDS REPORT

Cloudflare Advanced DDoS Protection

African Domain Name System Market Study 2016

Managing Authoritative DNS Server

Updates: 2535 November 2003 Category: Standards Track

OFF-PATH ATTACKS AGAINST PUBLIC KEY INFRASTRUCTURES. Markus Brandt, Tianxiang Dai, Elias Heftrig, Amit Klein, Haya Shulman, Michael Waidner

DNS Survival Guide. Artyom Gavrichenkov

A custom excerpt from Frost & Sullivan s Global DDoS Mitigation Market Research Report (NDD2-72) July, 2014 NDD2-74

DNS Authentication-as-a-Service Preventing Amplification Attacks

Network Security. Thierry Sans

Cybersecurity. Anna Chan, Marketing Director, Akamai Technologies

Domain Name System Security

F5 and Infoblox DNS Integrated Architecture: Offering a Complete Scalable, Secure DNS Solution

Step into the future. HP Storage Summit Converged storage for the next era of IT

Vulnerability Management & Vulnerability Assessment. Nessus Attack Scripting Language (NASL). CVE databases, NVD database

Cloud DNS Phone: (877)

CIS 5373 Systems Security

Cisco CCIE Security Written.

Transcription:

BEST PRACTICES FOR IMPROVING EXTERNAL DNS RESILIENCY AND PERFORMANCE 12-07-2016

BEST PRACTICES FOR IMPROVING EXTERNAL DNS RESILIENCY AND PERFORMANCE Your external DNS is a mission critical business resource. Without it, no one can reach your website, email, or web applications. Additionally, poor DNS performance translates into slow access to your website and lost customers. The cost of outages or unacceptable latency can range from a few unhappy users to millions of dollars per hour depending on the scale of e-commerce. Recent high-profile attacks leveraging the DNS to take down enterprise websites have raised awareness of DNS outages. DDoS attacks are not the only threat. External name servers operate in a hostile environment and can be brought down in a number of ways, including: server failures, network failures, natural disasters, power outages and security breaches. The following are some best practices to help organizations to improve the performance, resiliency and fault tolerance of their external DNS. Best Practice 1 USE A HIDDEN MASTER A hidden master is a name server that is not advertised and does not appear in any name server records. In other words, it is not known publicly on the Internet and does not answer any queries. The hidden master s purpose is to provide zone transfers to a set of secondary name servers that are known publicly and answer queries. The benefits of a hidden master are:! FAULT TOLERANCE Master can go down without impacting the resolution of your domain. SECURITY IP address of the name server is not published, and is less likely to be hacked. EASY ADMINISTRATION Reloads and restarts of the hidden master do not impact resolution of your domain.

Best Practice 2 DISABLE RECURSION ON YOUR EXTERNAL NAMESERVERS CORPORATE NETWORK Zone File Administrator Internal DNS PUBLIC INTERNET Primary DNS Zone File Secondary DNS External DNS Disable recursion on your hidden master and authoritative external nameservers. Turning off recursion reduces the vulnerability to denial of service attacks and cache poisoning, and helps improve performance. Best Practice 3 USE TSIG TO SECURE NAMESERVER TO NAMESERVER COMMUNICATIONS Communication between the hidden master and secondary nameservers should be cryptographically authenticated using Transaction Signatures (TSIG). TSIG is much more secure than source IP address filtering which can be easily spoofed with UDP. Best Practice 4 PLACE NAMESERVERS CLOSE TO USERS The latency of DNS lookups is important for your website. Long latency can translate into lost customers and revenue. Your authoritative nameservers answer queries from other nameservers on the Internet. To ensure a good user experience and fast access to your website, place your nameservers close to, or quickly accessible from the nameservers querying them. Optimally, this would involve placing nameservers in locations with good access to the Internet such as Internet Exchange Points (IXPs). The highly recommended solution is an outsourced secondary anycast DNS service. With anycast, multiple geographically distributed nameservers share a single IP address and queries are routed to the closestnameserver. When selecting an anycast DNS secondary service, make sure the nameservers are located in IXPs that map geographically to your customers.

Best Practice 5 MAKE YOUR DNS RESILIENT TO DDOS ATTACKS DDoS attacks using DNS as the attack vector are on the rise. Increase resiliency to DDoS attacks with the extra query capacity and bandwidth of an anycast DNS cloud. To the world, the anycast cloud appears as a single IP address. In reality it is a network of geographically distributed nameservers. An anycast cloud is much more resilient to a DDoS attack than single unicast servers because it uses geo-location to specify what server answers a query and it has the combined capacity and bandwidth of all the servers. With anycast, the impact of an attack is isolated to the name server closest to the source(s) of the attack. Unicast Anycast Most DDoS attacks originate offshore. When selecting an anycast DNS service ensure there are international nodes that can soak offshore attacks. An international node sinks traffic from an offshore attack while helping domestic name servers to remain unaffected. Best Practice 6 MAKE YOUR DNS DISASTER PROOF Use redundancy to make your external DNS disaster proof. With unicast servers, this means at least two nameservers in different locations. A better alternative is an anycast DNS cloud to provide redundancy. If a nameserver in an anycast cloud goes down, it is automatically removed from the routing tables. In this way, anycast adds redundancy and fault tolerance.

Queries are routed to the nearest instance of the nameserver Automatic failover to another instance of the namesever With anycast, the highest level of redundancy is achieved with two separate clouds. When compared tounicast redundancy, it is like replacing two unicast nameservers with two anycast clouds. Make sure the clouds use independent hardware and transit providers. This protects against a routing problem or transit network outage from bringing down your DNS. Best Practice 7 USE ANYCAST DNS Anycast has been in use for more than 10 years to provide name services for the root server on the Internet as well as many top-level domains including.ca. Anycast DNS is the optimal solution for fault-tolerance, DDoS resiliency and placing name servers close to users. For most organizations, building and managing their own anycast DNS infrastructure is too expensive and not practical. Fortunately, an anycast DNS service like D-Zone Anycast DNS can be easily added to your DNS infrastructure.

D-ZONE ANYCAST DNS SERVICE HELPING YOU TO PROTECT YOUR BUSINESS The D-Zone Anycast DNS Service is a secondary anycast DNS network designed for Canadian organizations or organizations serving the Canadian market. Features at a glance: 100 per cent availability and service level agreement (SLA). 100 times over-provisioned architecture with state-of-the-art equipment and redundancy at every node. Global DNS nodes within Canada and in international Internet hubs. Local DNS nodes geographically close to, and protecting, in-region traffic from malicious activity against the DNS. Strong Canadian presence reduces the latency for Canadian visitors. Two clouds for failover redundancy and protection from DNS DDoS attacks on localnodes. Secondary service is easily added to an existing DNS infrastructure to improve its overall resilience and performance. Support for DNSSEC. Support for IPv6. LEARN MORE For information on ordering, finding a reseller, or becoming a reseller please contact info@d-zone.ca or visit cira.ca/d-zone. ABOUT CIRA The Canadian Internet Registration Authority (CIRA) manages Canada s.ca domain name registry as a 100 per cent up time service for Canadians and Canadian organisations. In addition to stewardship over.ca, CIRA develops and implements policies that support Canada s Internet community and the.ca registry internationally.

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback