Dyn.com | @dyninc | DNS 103: DNS Performance and Security | Tom Daly, Chief Scientist, Dyn Labs | @tomdyninc

DNS 103: DNS Performance And Security


Page 1: DNS 103: DNS Performance And Security

Dyn.com | @dyninc

DNS 103: DNS Performance and Security

Tom Daly, Chief Scientist, Dyn Labs | @tomdyninc

Page 2: DNS 103: DNS Performance And Security

DNS 103: Performance and Security | Tom Daly @tomdyninc | #dnschat | Dyn.com | @dyninc

Agenda

• Welcome and Introduction
• Quick Review: DNS Basics
• DNS Performance
• DNS Security and DNSSEC
• Q&A

Page 3: DNS 103: DNS Performance And Security

Quick Review: DNS Basics

[Image: http://www.poslovnipuls.com/wp-content/uploads/2011/05/statistika_v.jpg]

Page 4: DNS 103: DNS Performance And Security

The Domain Name System (DNS)

• Fundamentally, the DNS is a multi-level database distributed throughout the world.
• DNS maps domain names to network resources, such as the IP address of a web server, FTP server, or e-mail server.
• This is accomplished through a variety of DNS record types. Record types give you a hint about the type of remote server you’re contacting.

Page 5: DNS 103: DNS Performance And Security

Working Together: The Lifecycle of a DNS Request

[Diagram: Recursive DNS; Root DNS Servers (<root>); .com Servers (.com); dyn.com Servers (dyn.com); server1.www.dyn.com. and 204.13.248.106]

Page 6: DNS 103: DNS Performance And Security

DNS Performance

[Image: http://www.flickr.com/photos/kryptos5/3281740790/sizes/z/in/photostream/]

Page 7: DNS 103: DNS Performance And Security
Page 8: DNS 103: DNS Performance And Security

The first DNS query blocks EVERYTHING your browser can possibly do.

Page 9: DNS 103: DNS Performance And Security

Performance Before the Byte

Bad DNS accounts for ½ of this webpage response time!

Page 10: DNS 103: DNS Performance And Security

Two Major Strategies

• Reduce DNS Round Trips:
  – Eliminate excessive points of delegation from base domain to load balancing devices and CDNs.
  – Optimal balancing between browser parallel download capacity and number of distinct DNS hostnames.
• Reduce DNS Round Trip Latency:
  – Place DNS servers close to your client base to decrease response time.
  – Awareness of DNS RTT banding and nameserver selection.
  – Use IP Anycast as the ultimate latency reduction tool.

Page 11: DNS 103: DNS Performance And Security

Minimize DNS Round Trips

• Most DNS-based load balancing systems rely on multiple DNS round trips:
  – Delegate a subdomain to the GSLB system.
  – Set up a CNAME to an external system.
• More round trips means more lookup latency, more entries to cache, more configuration to manage.
• DynECT uniquely combines Managed DNS and Traffic Management in a single platform, a single query response every time.

Page 12: DNS 103: DNS Performance And Security

Example: Unicast Domain Pointing to CDN

www.sport.com.                  300     IN  CNAME  www.sport.com.edgesuite.net.
sport.com.                      172800  IN  NS     ns40.sport.com.
sport.com.                      172800  IN  NS     ns50.sport.com.
sport.com.                      172800  IN  NS     ns60.sport.com.
;; Received 276 bytes from 209.133.83.36#53(ns60.sport.com) in 45 ms

www.sport.com.dynect-demo.com.  300     IN  CNAME  www.sport.com.edgesuite.net.
dynect-demo.com.                172800  IN  NS     ns1.p13.dynect.net.
dynect-demo.com.                172800  IN  NS     ns3.p13.dynect.net.
dynect-demo.com.                172800  IN  NS     ns2.p13.dynect.net.
dynect-demo.com.                172800  IN  NS     ns4.p13.dynect.net.
;; Received 292 bytes from 204.13.250.13#53(ns2.p13.dynect.net) in 18 ms

Page 13: DNS 103: DNS Performance And Security

~75ms of page load decrease, and more stability!

~62ms of DNS latency decrease!

Page 14: DNS 103: DNS Performance And Security

Example: Extra Lookups on GSLB Servers

bank.com.       172800  IN  NS     ns1.bank.com.
bank.com.       172800  IN  NS     ns2.bank.com.
bank.com.       172800  IN  NS     ns05.bank.com.
bank.com.       172800  IN  NS     ns06.bank.com.
;; Received 183 bytes from 192.5.6.30#53(a.gtld-servers.net) in 188 ms

www.bank.com.   600     IN  CNAME  wwwbc.gslb.bank.com.
gslb.bank.com.  3600    IN  NS     dbes1gbx01.bank.com.
gslb.bank.com.  3600    IN  NS     dcss1gbx01.bank.com.
gslb.bank.com.  3600    IN  NS     dbes1gbx02.bank.com.
gslb.bank.com.  3600    IN  NS     dbws1gbx01.bank.com.
gslb.bank.com.  3600    IN  NS     drds1gbx01.bank.com.
gslb.bank.com.  3600    IN  NS     dbws1gbx02.bank.com.
gslb.bank.com.  3600    IN  NS     drds1gbx02.bank.com.
;; Received 370 bytes from 159.53.110.152#53(ns05.bank.com) in 90 ms

Page 15: DNS 103: DNS Performance And Security

~3s of page load decrease!

~140ms of DNS latency decrease plus 2 round trips!

Page 16: DNS 103: DNS Performance And Security

Minimize DNS Latency

• IP Anycast: A globally distributed IP Anycast network of 17 worldwide Points of Presence (POPs).
• Customers are given 4 nameservers to delegate to:
  – 4 discrete anycast IP prefixes
  – 6 worldwide backbone providers
  – Nearly 70 independent network paths.
• Queries are answered by geographically local sites

Page 17: DNS 103: DNS Performance And Security

The Enemy: DNS Protocol Resiliency

• DNS was designed with crazy protocol level redundancy techniques due to lossy networks of the 1980s – lots of retry mechanisms.
• Resolvers (in your Windows, Mac, and Linux machines) implement 2-10 second timeouts on a failed query.
• An offline NS causes 2-10 seconds of latency in non-cached lookups.
• DNS RTT banding requires all nameservers in a delegation to be contacted.

Page 18: DNS 103: DNS Performance And Security

RTT Banding through the Delegation

[Diagram: Recursive DNS with the queries www.dyn.com? cdn.dyn.com? pixel.dyn.com? gns.dyn.com? mail.dyn.com? smtp.dyn.com? and the nameservers ns1.dyn.com (150ms), ns2.dyn.com (65ms), ns3.dyn.com (20ms), ns4.dyn.com (10ms)]

While the Recursive DNS server warms up, it needs to contact every server in the delegation. Average initial response time: 62ms.

Page 19: DNS 103: DNS Performance And Security

Unicast Experience

[Map labels: ns1: Seattle; ns2: Palo Alto; ns3: Los Angeles; ns4: New York; ns5: Ashburn; ns6: Miami]

Page 20: DNS 103: DNS Performance And Security

Latency in Fiber Optics

• Photons of light travel at 50% the speed of light in fiber optic cable
• This means 1ms of latency for every 50km of fiber cable traversed
• Worst-case scenarios: complete world traversal @ 430ms per round trip.

[Image: http://www.flickr.com/photos/36368604@N07/3391695435/sizes/l/in/photostream/]

Page 21: DNS 103: DNS Performance And Security

The Sheer Gains of the Network

Page 22: DNS 103: DNS Performance And Security

Anycast Experience

[Map labels: ns1: Seattle; ns2: Palo Alto; ns3: Los Angeles; ns1: New York; ns2: Ashburn; ns3: Miami]

Page 23: DNS 103: DNS Performance And Security

Lying to the Internet

• Anycast allows us to break the fundamental rule that IP addresses are supposed to be “unique” on the Internet.
• We “inject” the same IP address multiple times from multiple locations around the backbone.
• Hot Potato routing usually off-ramps the traffic to us in the closest location.
• DNS is generally stateless (UDP) or short-lived (TCP) so we don’t “crowbar” flows apart.

Page 24: DNS 103: DNS Performance And Security

Internet Scale Routing

[Diagram: AS 1, AS 2, AS 3, AS 4; ns1: New York]

A network is defined as an ASN. BGP exchanges “best” routes between networks. OSPF floods “all” routes inside a network.

Page 25: DNS 103: DNS Performance And Security

BGP Routing

[Diagram: AS 1, AS 2, AS 3, AS 4; ns1: New York]

With BGP, the shortest AS path is selected as the best path.

Page 26: DNS 103: DNS Performance And Security

OSPF Routing in AS4

[Diagram: AS 1, AS 2, AS 3, AS 4; ns1: New York]

Within the ASN, OSPF picks paths based upon metric preferences

Page 27: DNS 103: DNS Performance And Security

Putting it All Together

[Diagram: AS 1, AS 2, AS 3, AS 4; ns1: New York; ns1: Los Angeles]

Page 28: DNS 103: DNS Performance And Security

Unicast vs. Anycast DNS

www.domain.com.                  1800   IN  A   X.Y.162.26
domain.com.                      1800   IN  NS  ns1-auth.sprintlink.net.
domain.com.                      1800   IN  NS  ns2-auth.sprintlink.net.
domain.com.                      1800   IN  NS  ns3-auth.sprintlink.net.
domain.com.                      1800   IN  NS  ns-XXX-01.lXXig.com.
domain.com.                      1800   IN  NS  ns-XXX-02.lXXig.com.
;; Received 199 bytes from 144.228.255.10#53(ns3-auth.sprintlink.net) in 99 ms

www.domain.com.dynect-demo.com.  1800   IN  A   X.Y.162.26
dynect-demo.com.                 86400  IN  NS  ns4.p13.dynect.net.
dynect-demo.com.                 86400  IN  NS  ns2.p13.dynect.net.
dynect-demo.com.                 86400  IN  NS  ns1.p13.dynect.net.
dynect-demo.com.                 86400  IN  NS  ns3.p13.dynect.net.
;; Received 157 bytes from 204.13.251.13#53(ns4.p13.dynect.net) in 11 ms

Page 29: DNS 103: DNS Performance And Security

~100ms of page load decrease!

~60ms of DNS latency decrease!

Page 30: DNS 103: DNS Performance And Security

DNS Security and DNSSEC

[Image: http://upload.wikimedia.org/wikipedia/commons/4/43/Queuing_z01.jpg]

Page 31: DNS 103: DNS Performance And Security

DNS Security Concerns

• Ensuring a secure DNS system is critical to the continued success and growth of the Internet.
  – Global Communications
  – Business
  – E-Commerce
• The use of layered defenses is crucial:
  – System Overprovisioning
  – DNS Security Extensions (DNSSEC)
  – Business Process and Practice

Page 32: DNS 103: DNS Performance And Security

Threats Against the DNS

• Availability – does dyn.com resolve?
  – (Distributed) Denial of Service Attacks
• Integrity – when dyn.com resolves, does it take you to the right IP address?
  – Pharming Attacks
  – Registry / Registrar Data Hacking

Page 33: DNS 103: DNS Performance And Security

DDoS as a Way of Life

• Brawn of Your Network
  – Can you withstand multiple 10Gb/sec flows against DNS servers?
  – Inbound network capacity, filtering capacity, DNS resolution capacity.
• Brains of Your Network
  – Intelligent filtering of DNS queries at line rate
  – Strategic deployment of IP anycast
  – Use of pooling strategies to distribute risk

Page 34: DNS 103: DNS Performance And Security

The Unicast DDoS

Page 35: DNS 103: DNS Performance And Security

The Anycast DDoS

Page 36: DNS 103: DNS Performance And Security

Pharming Attacks

• DNS Pharming attacks attempt to insert malicious DNS data into recursive DNS servers.
• A targeted recursive DNS server will ultimately redirect unsuspecting users to phishing websites.
• In DNS, the first response received by a resolver with the right transaction ID and source port will be accepted.
• Ultimately, every DNS query is a race!

Page 37: DNS 103: DNS Performance And Security

Typical DNS Interaction

[Diagram: Home User; ISP DNS; Bank.com DNS Server; Web Server #1 (192.168.54.87)]

DNS Query for www.bank.com returns with 192.168.54.87

HTTP Connection to 192.168.54.87

Page 38: DNS 103: DNS Performance And Security

Pharming DNS Interaction

[Diagram: Home User; ISP DNS; Bank.com DNS Server; Web Server #1 (192.168.54.87); Evil DNS Server; Evil Web Server (192.168.87.87)]

DNS Query for www.bank.com returns with 192.168.87.87

HTTP Connection to 192.168.87.87

Page 39: DNS 103: DNS Performance And Security

Dealing with Pharming

• Exploits a widely known design flaw in the stateless, UDP-based communication protocol on which DNS is implemented by default.
• Major patch effort in 2008, after the flaw was exposed by Dan Kaminsky, to push for DNS source port randomization.
• A low latency IP Anycast DNS network also provides a layer of protection – a faster network to win the race with.
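
The acceptance rule from the pharming slides (a reply is taken only if it matches the outstanding query's transaction ID and source port), written out with a counter of mismatched replies as a poisoning signal. This is an added example, not code from the presentation; the class and field names, the alert threshold, the sender-address check and the 192.0.2.53 address are assumptions, and the events are constructed.

```python
from collections import Counter, namedtuple

# Hypothetical record shapes for this example.
Query = namedtuple("Query", "qname server src_port txid")
Reply = namedtuple("Reply", "qname from_addr dst_port txid answer")


class PendingQueries:
    """Outstanding-query table of a recursive resolver (simplified)."""

    def __init__(self, alert_threshold=3):
        self.pending = {}            # qname -> Query still awaiting a reply
        self.cache = {}              # qname -> accepted answer
        self.unwanted = Counter()    # qname -> replies that matched nothing
        self.alert_threshold = alert_threshold

    def sent(self, query):
        self.pending[query.qname] = query

    def receive(self, reply):
        q = self.pending.get(reply.qname)
        if q and (reply.from_addr, reply.dst_port, reply.txid) == (
            q.server, q.src_port, q.txid
        ):
            # First matching reply wins the race; the query is closed.
            del self.pending[reply.qname]
            self.cache[reply.qname] = reply.answer
            return "accepted"
        # Wrong ID, wrong port, wrong sender, or no query outstanding.
        self.unwanted[reply.qname] += 1
        if self.unwanted[reply.qname] >= self.alert_threshold:
            return "alert"
        return "dropped"


def replay(events, alert_threshold=3):
    """Feed constructed events through the table; return verdicts and cache."""
    table = PendingQueries(alert_threshold)
    verdicts = []
    for ev in events:
        if isinstance(ev, Query):
            table.sent(ev)
        else:
            verdicts.append(table.receive(ev))
    return verdicts, table.cache


# Constructed events: one query, replies that do not match it (answer taken
# from the "evil" slide), the genuine reply, then a late duplicate.
AUTH = "192.0.2.53"  # documentation address standing in for bank.com's server
EVENTS = [
    Query("www.bank.com.", AUTH, 40211, 0x1A2B),
    Reply("www.bank.com.", AUTH, 53, 0x0001, "192.168.87.87"),
    Reply("www.bank.com.", AUTH, 40211, 0x0002, "192.168.87.87"),
    Reply("www.bank.com.", AUTH, 40211, 0x1A2B, "192.168.54.87"),
    Reply("www.bank.com.", AUTH, 40211, 0x1A2B, "192.168.87.87"),
]

if __name__ == "__main__":
    print(replay(EVENTS))
```

A rising count of unwanted replies for one name is the observable side of the race the slides describe, which is why it is worth exporting as a resolver metric.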

Page 40: DNS 103: DNS Performance And Security

Registry / Registrar Data Hacking

• Attacking domain registration data is another attempt to invalidate the integrity of the DNS.
• Attacker simply changes the delegation of the domain and registration details of the domain to their own evil servers.
• Attack vectors include social engineering, SQL injection, EPP hacking, etc.

Page 41: DNS 103: DNS Performance And Security

DNS Security Extensions (DNSSEC)

• An answer to DNS integrity threats, including DNS pharming and registry / registrar data hacking.
• DNSSEC brings cryptographic signature support into the DNS.
• Cryptographic signing of DNS data permits validation of response data by recursive DNS servers and end users.
• Ensures integrity of DNS responses at every layer of delegation.

Page 42: DNS 103: DNS Performance And Security

Design Concepts for Authoritative Servers

• Sign your zone with DNSSEC records:
  – RRSIG – Crypto signatures for A, AAAA, NS, MX, etc. Tracks the type and number at each “node.”
  – NSEC or NSEC3 – Confirms the NXDOMAIN response.
  – DNSKEY – Public keys for the entire zone. Private side is used to generate RRSIGs.
  – DS Record – Handed up to the parent zone to authenticate the NS records up there.

Page 43: DNS 103: DNS Performance And Security

Zone Signing

• Two crypto key-pairs are used in DNSSEC:
• Zone Signing Key (ZSK)
  – Signs the zone records, and itself
  – Public part becomes the DNSKEY at zone apex.
• Key Signing Key (KSK)
  – Signs the keys at the apex of the zone
  – Public part also becomes a DNSKEY at zone apex.
  – Can be exported as SEP / DS for that zone!

Page 44: DNS 103: DNS Performance And Security

Rollover

• RRSIGs have the lifetime they are good for encoded in them, i.e. valid for 30 days.
• DNSKEYs also have a lifetime encoded in them.
• Per NIST SP800-01:
  – KSK – Rollover every 12 months (1 year)
  – ZSK – Rollover every 1 month (30 days)
• Current and future keys get published simultaneously to help support this.
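
The signature lifetime mentioned on this slide can be audited directly from RRSIG records, since each one carries its inception and expiration times. The following is an added example, not part of the presentation; the records, names, key tag, signature text and the 7-day warning window are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed records in RRSIG presentation format (RFC 4034 section 3.2):
# owner TTL class RRSIG covered alg labels orig-ttl expiration inception
# key-tag signer signature. Names, key tag and signature are placeholders.
SAMPLE = """\
www.example.com.  300  IN RRSIG A      13 3 300  20240131000000 20240101000000 2098 example.com. c2lnbmF0dXJl
example.com.      3600 IN RRSIG NS     13 2 3600 20240110000000 20231211000000 2098 example.com. c2lnbmF0dXJl
example.com.      3600 IN RRSIG DNSKEY 13 2 3600 20240301000000 20240115000000 2098 example.com. c2lnbmF0dXJl
mail.example.com. 300  IN RRSIG A      13 3 300  1704412800     1701820800     2098 example.com. c2lnbmF0dXJl
"""


def parse_time(field):
    """RRSIG times are YYYYMMDDHHmmSS (UTC) or seconds since the epoch."""
    if len(field) == 14:
        return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return datetime.fromtimestamp(int(field), tz=timezone.utc)


def parse_rrsig(line):
    f = line.split()
    if len(f) < 13 or f[3].upper() != "RRSIG":
        raise ValueError(f"not an RRSIG record: {line!r}")
    return {
        "owner": f[0], "covered": f[4], "key_tag": int(f[10]),
        "expiration": parse_time(f[8]), "inception": parse_time(f[9]),
    }


def status(sig, now, warn=timedelta(days=7)):
    """Classify one signature against the validity window it encodes."""
    if now < sig["inception"]:
        return "not-yet-valid"
    if now > sig["expiration"]:
        return "expired"
    if sig["expiration"] - now <= warn:
        return "expiring-soon"   # re-sign before validators start failing
    return "valid"


def audit(text, now, warn=timedelta(days=7)):
    """Return (owner, covered type, lifetime in days, status) per record."""
    report = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(";"):
            continue
        sig = parse_rrsig(line)
        lifetime = (sig["expiration"] - sig["inception"]).days
        report.append((sig["owner"], sig["covered"], lifetime, status(sig, now, warn)))
    return report


NOW = datetime(2024, 1, 8, tzinfo=timezone.utc)  # fixed clock for the example

if __name__ == "__main__":
    for row in audit(SAMPLE, NOW):
        print(row)
```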

Page 45: DNS 103: DNS Performance And Security

Zone Signing Record Relationships

[Diagram: DS (for Parent); DNSKEY KSK; DNSKEY ZSK; SOA; NS; A; KSK Private Key Used for Signing (RRSIG by KSK); ZSK Private Key Used for Signing (RRSIG by ZSK)]

Page 46: DNS 103: DNS Performance And Security

Resolver - Trust Anchors

• Trust anchors are the records used to validate apex RRSIGs for DNSKEY (usually KSK).
• Come in forms of:
  – Manually obtained trusted keys or ITAR
  – DS records at parent
  – DNS Lookaside Validation
  – Root Signed SEP
• Root needs to be signed to create a full chain of trust.

 

Page 47: DNS 103: DNS Performance And Security

Resolver - Validation

• Formulate DNS query, with DNSSEC enabled, and await response.
• Along with the response (A record), an RRSIG will be delivered back.
• Use DNSKEY from the zone (public part of ZSK) to validate the RRSIG.
• Validate that DNSKEY with corresponding RRSIG.
• Validate that RRSIG using a public key from KSK. Use the trust anchor here.
• If you don't have a trust anchor, traverse upwards for a DS, then validate. Repeat as needed.
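
The DS step of this procedure, and the KSK-to-DS export from the zone signing slide, come down to one computation: a key tag and a digest over the owner name plus the DNSKEY RDATA (RFC 4034, RFC 4509). This is an added example, not code from the presentation; the function names are hypothetical and the key bytes are constructed placeholders, not real public keys.

```python
import hashlib
import struct


def name_to_wire(name):
    """Canonical (lowercase) wire form of a domain name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, public_key):
    """DNSKEY RDATA: flags(2) | protocol(1) | algorithm(1) | public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata):
    """Key tag from RFC 4034 Appendix B: a 16-bit checksum of the RDATA."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def make_ds(owner, rdata):
    """DS fields for digest type 2 (SHA-256): (key tag, alg, type, digest)."""
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), rdata[3], 2, digest


def ds_matches(ds, owner, rdata):
    """The comparison a validator makes between the parent's DS and a DNSKEY."""
    return ds == make_ds(owner, rdata)


# Constructed keys: 64 placeholder bytes each, not real ECDSA public keys.
KSK = dnskey_rdata(257, 3, 13, bytes(range(1, 65)))     # flags 257: SEP bit set
ZSK = dnskey_rdata(256, 3, 13, bytes(range(65, 129)))   # flags 256: zone key

if __name__ == "__main__":
    ds = make_ds("example.com.", KSK)
    print("example.com. IN DS {} {} {} {}".format(*ds))
    print("KSK matches DS:", ds_matches(ds, "example.com", KSK))
    print("ZSK matches DS:", ds_matches(ds, "example.com", ZSK))
```

Because the digest covers the owner name as well as the key, a DS published for one zone cannot vouch for the same key served under a different name.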

Page 48: DNS 103: DNS Performance And Security

DNSSEC Validation Process

[Diagram: Recursive DNS; Root DNS Servers (<root>); .com Servers (.com); dyn.com Servers (dyn.com); server1.www.dyn.com. and 204.13.248.106; Root DNSSEC Key]

Page 49: DNS 103: DNS Performance And Security

DynECT Managed DNS Solutions

[Image: http://www.flickr.com/photos/nhuisman/3168683736/sizes/l/in/photostream/]

Page 50: DNS 103: DNS Performance And Security

Today’s Sales Pitch

• Integrated global server load balancing and CDN routing services to reduce DNS round trips.
• Global IP anycast DNS network for low latency DNS responses and resistance to DNS pharming attacks.
• Excessive overprovisioning and intelligent systems to handle DNS DDoS attacks.
• Finally, full support for DNSSEC zone signing, key management, and rollover in a simple Web UI.

Page 51: DNS 103: DNS Performance And Security

Stay Tuned! Learn More!

Intro to DynECT Email Delivery

Date and Time TBD!

Thanks for listening!

Page 52: DNS 103: DNS Performance And Security

Thank You!

Hit us on Twitter: @tomdyninc #dnschat

Thanks for listening!