Dyn.com | @dyninc
DNS 103: DNS Performance and Security
Tom Daly, Chief Scientist, Dyn Labs | [email protected] | @tomdyninc
DNS 103: Performance and Security Tom Daly @tomdyninc #dnschat Dyn.com | @dyninc
Agenda
• Welcome and Introduction
• Quick Review: DNS Basics
• DNS Performance
• DNS Security and DNSSEC
• Q&A
Quick Review: DNS Basics
http://www.poslovnipuls.com/wp-content/uploads/2011/05/statistika_v.jpg
The Domain Name System (DNS)
• Fundamentally, the DNS is a multi-level database distributed throughout the world.
• DNS maps domain names to network resources, such as the IP address of a web server, FTP server, or e-mail server.
• This is accomplished through a variety of DNS record types. Record types give you the hint about the type of remote server you're contacting.
Working Together: The Lifecycle of a DNS Request
[Diagram: a Recursive DNS server resolving server1.www.dyn.com. (204.13.248.106) walks the delegation chain: <root> → Root DNS Servers, .com → .com Servers, dyn.com → dyn.com Servers]
DNS Performance
http://www.flickr.com/photos/kryptos5/3281740790/sizes/z/in/photostream/
The first DNS Query blocks EVERYTHING your browser can possibly do.
Performance Before the Byte
Bad DNS accounts for ½ of this webpage response time!
Two Major Strategies
• Reduce DNS Round Trips:
– Eliminate excessive points of delegation from the base domain to load balancing devices and CDNs.
– Optimal balancing between browser parallel download capacity and the number of distinct DNS hostnames.
• Reduce DNS Round Trip Latency:
– Place DNS servers close to your client base to decrease response time.
– Awareness of DNS RTT banding and nameserver selection.
– Use IP Anycast as the ultimate latency reduction tool.
Minimize DNS Round Trips
• Most DNS-based load balancing systems rely on multiple DNS round trips:
– Delegate a subdomain to the GSLB system.
– Set up a CNAME to an external system.
• More round trips means more lookup latency, more entries to cache, more configuration to manage.
• DynECT uniquely combines Managed DNS and Traffic Management in a single platform, a single query response every time.
Example: Unicast Domain Pointing to CDN
Unicast:
www.sport.com.          300     IN  CNAME  www.sport.com.edgesuite.net.
sport.com.              172800  IN  NS     ns40.sport.com.
sport.com.              172800  IN  NS     ns50.sport.com.
sport.com.              172800  IN  NS     ns60.sport.com.
;; Received 276 bytes from 209.133.83.36#53(ns60.sport.com) in 45 ms

Anycast (DynECT demo):
www.sport.com.dynect-demo.com.  300  IN  CNAME  www.sport.com.edgesuite.net.
dynect-demo.com.        172800  IN  NS     ns1.p13.dynect.net.
dynect-demo.com.        172800  IN  NS     ns3.p13.dynect.net.
dynect-demo.com.        172800  IN  NS     ns2.p13.dynect.net.
dynect-demo.com.        172800  IN  NS     ns4.p13.dynect.net.
;; Received 292 bytes from 204.13.250.13#53(ns2.p13.dynect.net) in 18 ms

~75ms of page load decrease, and more stability!
~62ms of DNS latency decrease!
Example: Extra Lookups on GSLB Servers
bank.com.        172800  IN  NS     ns1.bank.com.
bank.com.        172800  IN  NS     ns2.bank.com.
bank.com.        172800  IN  NS     ns05.bank.com.
bank.com.        172800  IN  NS     ns06.bank.com.
;; Received 183 bytes from 192.5.6.30#53(a.gtld-servers.net) in 188 ms

www.bank.com.    600     IN  CNAME  wwwbc.gslb.bank.com.
gslb.bank.com.   3600    IN  NS     dbes1gbx01.bank.com.
gslb.bank.com.   3600    IN  NS     dcss1gbx01.bank.com.
gslb.bank.com.   3600    IN  NS     dbes1gbx02.bank.com.
gslb.bank.com.   3600    IN  NS     dbws1gbx01.bank.com.
gslb.bank.com.   3600    IN  NS     drds1gbx01.bank.com.
gslb.bank.com.   3600    IN  NS     dbws1gbx02.bank.com.
gslb.bank.com.   3600    IN  NS     drds1gbx02.bank.com.
;; Received 370 bytes from 159.53.110.152#53(ns05.bank.com) in 90 ms
~3s of page load decrease!
~140ms of DNS latency decrease plus 2 round trips!
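As an added example (not from the slides), here is the round-trip accounting behind the two dig traces above, run as a tiny iterative resolver over a constructed in-memory delegation tree. The zone names follow the traces; flat.com., the 203.0.113.x addresses and the one-round-trip-per-zone rule (no glue, no authority-section hints) are assumptions of the model.

```python
# Constructed zone data modelled on the dig traces above. Each zone maps an
# owner name to (type, value): NS delegates to a child zone, CNAME redirects,
# A answers. flat.com. and the 203.0.113.x addresses are made up for contrast.
ZONES = {
    ".": {"com.": ("NS", "com."), "net.": ("NS", "net.")},
    "com.": {"sport.com.": ("NS", "sport.com."),
             "bank.com.": ("NS", "bank.com."),
             "flat.com.": ("NS", "flat.com.")},
    "net.": {"edgesuite.net.": ("NS", "edgesuite.net.")},
    # CNAME out to an external CDN (the sport.com example)
    "sport.com.": {"www.sport.com.": ("CNAME", "www.sport.com.edgesuite.net.")},
    "edgesuite.net.": {"www.sport.com.edgesuite.net.": ("A", "203.0.113.10")},
    # CNAME into a delegated GSLB subdomain (the bank.com example)
    "bank.com.": {"www.bank.com.": ("CNAME", "wwwbc.gslb.bank.com."),
                  "gslb.bank.com.": ("NS", "gslb.bank.com.")},
    "gslb.bank.com.": {"wwwbc.gslb.bank.com.": ("A", "203.0.113.20")},
    # Single query response: the A record lives in the base zone itself
    "flat.com.": {"www.flat.com.": ("A", "203.0.113.30")},
}

def suffixes(name):
    """Ancestor names of a fully qualified name, longest first, ending at the root."""
    labels = name.rstrip(".").split(".")
    return [".".join(labels[i:]) + "." for i in range(len(labels))] + ["."]

def resolve(name, known=None, trips=0):
    """Iteratively resolve name; return (ip or None, authoritative round trips).

    known holds zones whose nameservers the resolver has already learned
    (only the root on a cold start). Each zone queried costs one round trip;
    glue and authority-section hints are ignored to keep the model small.
    """
    known = known if known is not None else {"."}
    zone = next(s for s in suffixes(name) if s in known)   # closest known zone
    while True:
        trips += 1
        match = next((s for s in suffixes(name) if s in ZONES[zone]), None)
        if match is None:
            return None, trips                               # NXDOMAIN
        rtype, value = ZONES[zone][match]
        if rtype == "NS":                                    # referral: descend
            known.add(value)
            zone = value
        elif rtype == "CNAME" and match == name:             # alias: start over
            return resolve(value, known, trips)
        elif rtype == "A" and match == name:
            return value, trips
        else:
            return None, trips
```

In this model the flat zone answers in 3 round trips, the GSLB chain in 5 and the CDN CNAME in 6; a real resolver may save one hop where the authority section carries the delegation.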
Minimize DNS Latency
• IP Anycast: A globally distributed IP Anycast network of 17 worldwide Points of Presence (POPs).
• Customers are given 4 nameservers to delegate to:
– 4 discrete anycast IP prefixes
– 6 worldwide backbone providers
– Nearly 70 independent network paths.
• Queries are answered by geographically local sites.
The Enemy: DNS Protocol Resiliency
• DNS was designed with crazy protocol-level redundancy techniques due to the lossy networks of the 1980s – lots of retry mechanisms.
• Resolvers (in your Windows, Mac, and Linux machines) implement 2-10 second timeouts on a failed query.
• An offline NS causes 2-10 seconds of latency in non-cached lookups.
• DNS RTT banding requires all nameservers in a delegation to be contacted.
RTT Banding through the Delegation
[Diagram: a Recursive DNS server issuing queries for www.dyn.com, cdn.dyn.com, pixel.dyn.com, gns.dyn.com, mail.dyn.com and smtp.dyn.com across the delegation: ns1.dyn.com (150ms), ns2.dyn.com (65ms), ns3.dyn.com (20ms), ns4.dyn.com (10ms)]
While the Recursive DNS server warms up, it needs to contact every server in the delegation. Average initial response time: 62ms.
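An added example (not from the slides) of the warm-up behaviour just described: a simplified resolver that tries every nameserver in a delegation once, then prefers the lowest learned RTT, and pays a timeout when one server is offline. The four RTTs come from the diagram; the warm-up rule and the 2000 ms timeout are assumptions.

```python
TIMEOUT_MS = 2000   # assumed per-query timeout for an unresponsive nameserver

class Delegation:
    """Tracks what a resolver has learned about one zone's nameservers."""
    def __init__(self, servers):
        # servers: {nameserver: true RTT in ms, or None if the server is offline}
        self.servers = servers
        self.learned = {}   # nameserver -> last observed latency (its RTT "band")

    def pick(self):
        """Warm-up: try every server once; afterwards prefer the fastest band."""
        untried = [ns for ns in self.servers if ns not in self.learned]
        if untried:
            return untried[0]
        best = min(self.learned, key=self.learned.get)
        if self.learned[best] >= TIMEOUT_MS:
            raise RuntimeError("SERVFAIL: every nameserver in the delegation timed out")
        return best

    def query(self):
        """One lookup; returns (answering server, latency the client observed)."""
        ns = self.pick()
        if self.servers[ns] is None:          # no reply: time out, then retry elsewhere
            self.learned[ns] = TIMEOUT_MS
            answered_by, latency = self.query()
            return answered_by, TIMEOUT_MS + latency
        self.learned[ns] = self.servers[ns]
        return ns, self.servers[ns]

def simulate(servers, n):
    """Latencies a client sees for the first n non-cached lookups after a cold start."""
    d = Delegation(servers)
    return [d.query() for _ in range(n)]

# Constructed delegation matching the diagram above.
HEALTHY = {"ns1.dyn.com": 150, "ns2.dyn.com": 65, "ns3.dyn.com": 20, "ns4.dyn.com": 10}
```

With HEALTHY the first four lookups average 61.25 ms (the ~62 ms quoted above) before the resolver settles on ns4; mark ns1 as None and the very first lookup costs 2065 ms.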
Unicast Experience
[Map: six unicast nameservers, each at a single location: ns1 Seattle, ns2 Palo Alto, ns3 Los Angeles, ns4 New York, ns5 Ashburn, ns6 Miami]
Latency in Fiber Optics
• Photons of light travel at 50% the speed of light in fiber optic cable
• This means 1ms of latency for every 50km of fiber cable traversed
• Worst-case scenarios: complete world traversal @ 430ms per round trip.
http://www.flickr.com/photos/36368604@N07/3391695435/sizes/l/in/photostream/
The Sheer Gains of the Network
Anycast Experience
[Map: three anycast nameserver addresses, each announced from two locations: ns1 Seattle and New York, ns2 Palo Alto and Ashburn, ns3 Los Angeles and Miami]
Lying to the Internet
• Anycast allows us to break the fundamental rule that IP addresses are supposed to be "unique" on the Internet.
• We "inject" the same IP address multiple times from multiple locations around the backbone.
• Hot Potato routing usually off-ramps the traffic to us in the closest location.
• DNS is generally stateless (UDP) or short-lived (TCP) so we don't "crowbar" flows apart.
Internet Scale Routing
[Diagram: four networks, AS 1 through AS 4, with ns1: New York inside AS 4]
A network is defined as an ASN. BGP exchanges "best" routes between networks. OSPF floods "all" routes inside a network.
BGP Routing
[Diagram: AS 1 through AS 4, with ns1: New York inside AS 4]
With BGP, the shortest AS path is selected as the best path.
OSPF Routing in AS4
[Diagram: AS 1 through AS 4, with ns1: New York inside AS 4]
Within the ASN, OSPF picks paths based upon metric preferences.
Putting it All Together
[Diagram: AS 1 through AS 4; the same ns1 address is announced from both New York and Los Angeles]
Unicast vs. Anycast DNS
Unicast:
www.domain.com.     1800   IN  A   X.Y.162.26
domain.com.         1800   IN  NS  ns1-auth.sprintlink.net.
domain.com.         1800   IN  NS  ns2-auth.sprintlink.net.
domain.com.         1800   IN  NS  ns3-auth.sprintlink.net.
domain.com.         1800   IN  NS  ns-XXX-01.lXXig.com.
domain.com.         1800   IN  NS  ns-XXX-02.lXXig.com.
;; Received 199 bytes from 144.228.255.10#53(ns3-auth.sprintlink.net) in 99 ms

Anycast (DynECT demo):
www.domain.com.dynect-demo.com.  1800  IN  A   X.Y.162.26
dynect-demo.com.    86400  IN  NS  ns4.p13.dynect.net.
dynect-demo.com.    86400  IN  NS  ns2.p13.dynect.net.
dynect-demo.com.    86400  IN  NS  ns1.p13.dynect.net.
dynect-demo.com.    86400  IN  NS  ns3.p13.dynect.net.
;; Received 157 bytes from 204.13.251.13#53(ns4.p13.dynect.net) in 11 ms
~100ms of page load decrease!
~60ms of DNS latency decrease!
DNS Security and DNSSEC
http://upload.wikimedia.org/wikipedia/commons/4/43/Queuing_z01.jpg
DNS Security Concerns
• Ensuring a secure DNS system is critical to the continued success and growth of the Internet.
– Global Communications
– Business
– E-Commerce
• The use of layered defenses is crucial:
– System Overprovisioning
– DNS Security Extensions (DNSSEC)
– Business Process and Practice
Threats Against the DNS
• Availability – does dyn.com resolve?
– (Distributed) Denial of Service Attacks
• Integrity – when dyn.com resolves, does it take you to the right IP address?
– Pharming Attacks
– Registry / Registrar Data Hacking
DDoS as a Way of Life
• Brawn of Your Network
– Can you withstand multiple 10Gb/sec flows against DNS servers?
– Inbound network capacity, filtering capacity, DNS resolution capacity.
• Brains of Your Network
– Intelligent filtering of DNS queries at line rate
– Strategic deployment of IP anycast
– Use of pooling strategies to distribute risk
The Unicast DDoS
The Anycast DDoS
Pharming Attacks
• DNS Pharming attacks attempt to insert malicious DNS data into recursive DNS servers.
• A targeted recursive DNS server will ultimately redirect unsuspecting users to phishing websites.
• In DNS, the first response received by a resolver with the right transaction ID and source port will be accepted.
• Ultimately, every DNS query is a race!
Typical DNS Interaction
[Diagram: Home User → ISP DNS → Bank.com DNS Server; the DNS Query for www.bank.com returns 192.168.54.87, and the Home User opens an HTTP Connection to Web Server #1 (192.168.54.87)]
Pharming DNS Interaction
[Diagram: the same exchange, but an Evil DNS Server's answer reaches the ISP DNS first: the DNS Query for www.bank.com returns 192.168.87.87, so the Home User opens an HTTP Connection to the Evil Web Server (192.168.87.87) instead of Web Server #1 (192.168.54.87)]
Dealing with Pharming
• Exploits a widely known design flaw in the stateless, UDP-based communication protocol that DNS is implemented upon by default.
• Major patch effort in 2008, after exposure by Dan Kaminsky, to push for DNS source port randomization.
• A low latency IP Anycast DNS network also provides a layer of protection – a faster network to win the race with.
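As an added example (not from the slides), here is the acceptance check on the resolver side of the race described above, together with the size of the guess space a blind, off-path forger faces before and after source port randomization. The packets are constructed dictionaries rather than DNS wire format, and the fixed port 53 stands in for the old single-port behaviour.

```python
import secrets
from dataclasses import dataclass

@dataclass(frozen=True)
class Pending:
    """State a resolver keeps for one outstanding query."""
    txid: int          # 16-bit transaction ID
    sport: int         # UDP source port the query left from
    qname: str         # question, stored lower-case (DNS names are case-insensitive)
    qtype: str
    server_ip: str     # authoritative server the query went to

def new_query(qname, qtype, server_ip, randomize_port=True):
    """Create pending state. Pre-2008 resolvers often reused one fixed port."""
    txid = secrets.randbelow(1 << 16)
    sport = 1024 + secrets.randbelow(64512) if randomize_port else 53
    return Pending(txid, sport, qname.lower(), qtype, server_ip)

def accept(pending, answer):
    """Use a reply only if every field the resolver can check matches.

    answer: dict with txid, dport, src_ip, qname, qtype (constructed here).
    The first matching reply wins the race; non-matching ones are dropped.
    """
    return (answer["txid"] == pending.txid
            and answer["dport"] == pending.sport
            and answer["src_ip"] == pending.server_ip
            and answer["qname"].lower() == pending.qname
            and answer["qtype"] == pending.qtype)

def guess_space(randomize_port):
    """(txid, port) combinations a forged reply must hit for one blind attempt."""
    return (1 << 16) * (64512 if randomize_port else 1)
```

Port randomization raises the guess space from 2^16 to roughly 2^32, which is why the 2008 patch effort mattered; the question-section and source-address checks are what a resolver can verify without DNSSEC.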
Registry / Registrar Data Hacking
• Attacking domain registration data is another attempt to invalidate the integrity of the DNS.
• The attacker simply changes the delegation of the domain and the registration details of the domain to their own evil servers.
• Attack vectors include social engineering, SQL injection, EPP hacking, etc.
DNS Security Extensions (DNSSEC)
• An answer to DNS integrity threats, including DNS pharming and registry / registrar data hacking.
• DNSSEC brings cryptographic signature support into the DNS.
• Cryptographic signing of DNS data permits validation of response data by recursive DNS servers and end users.
• Ensures integrity of DNS responses at every layer of delegation.
Design Concepts for Authoritative Servers
• Sign your zone with DNSSEC records:
– RRSIG – Crypto signatures for A, AAAA, NS, MX, etc. Tracks the type and number at each "node."
– NSEC or NSEC3 – Confirms the NXDOMAIN response.
– DNSKEY – Public keys for the entire zone. Private side is used to generate RRSIGs.
– DS Record – Handed up to the parent zone to authenticate the NS records up there.
Zone Signing
• Two crypto key-pairs are used in DNSSEC:
• Zone Signing Key (ZSK)
– Signs the zone records, and itself
– Public part becomes the DNSKEY at zone apex.
• Key Signing Key (KSK)
– Signs the keys at the apex of the zone
– Public part also becomes a DNSKEY at zone apex.
– Can be exported as SEP / DS for that zone!
Rollover
• RRSIGs have a lifetime they are good for encoded in them, e.g. valid for 30 days.
• DNSKEYs also have a lifetime encoded in them.
• Per NIST SP800-01:
– KSK – Rollover every 12 months (1 year)
– ZSK – Rollover every 1 month (30 days)
• Current and future keys get published simultaneously to help support this.
Zone Signing Record Relationships
[Diagram: the KSK private key signs the apex DNSKEY RRset (DNSKEY KSK and DNSKEY ZSK; RRSIG by KSK) and the KSK is published upward as the DS (for Parent); the ZSK private key signs the DNSKEY RRset itself and the SOA, NS and A records (four RRSIGs by ZSK)]
Resolver - Trust Anchors
• Trust anchors are the records used to validate apex RRSIGs for DNSKEY (usually the KSK).
• They come in the form of:
– Manually obtained trusted keys or ITAR
– DS records at the parent
– DNS Lookaside Validation
– Root Signed SEP
• The root needs to be signed to create a full chain of trust.
Resolver - Validation
• Formulate a DNS query, with DNSSEC enabled, and await the response.
• Along with the response (A record), an RRSIG will be delivered back.
• Use the DNSKEY from the zone (public part of the ZSK) to validate the RRSIG.
• Validate that DNSKEY with its corresponding RRSIG.
• Validate that RRSIG using the public key from the KSK. Use the trust anchor here.
• If you don't have a trust anchor, traverse upwards for a DS, then validate. Repeat as needed.
DNSSEC Validation Process
[Diagram: the same delegation walk as the request lifecycle (Root DNS Servers → .com Servers → dyn.com Servers) for server1.www.dyn.com. (204.13.248.106), with the Recursive DNS server anchored on the Root DNSSEC Key]
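As an added example (not from the slides), the two bookkeeping computations behind the "DS Record handed up to the parent" design point and the "traverse upwards for a DS, then validate" step: the DNSKEY key tag (RFC 4034, Appendix B) and the SHA-256 DS digest over the owner name and DNSKEY RDATA (RFC 4509), checked the way a validator matches a parent's DS against a child's DNSKEY. The four-byte public key for dyn.com. is a constructed placeholder, not a real RSA key.

```python
import hashlib

def wire_name(name):
    """Owner name in canonical (lower-case) DNS wire format, e.g. \\x03dyn\\x03com\\x00."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def dnskey_rdata(flags, algorithm, public_key):
    """DNSKEY RDATA: 16-bit flags, protocol (always 3), algorithm, public key bytes."""
    return flags.to_bytes(2, "big") + b"\x03" + bytes([algorithm]) + public_key

def key_tag(rdata):
    """RFC 4034 Appendix B checksum (all algorithms except obsolete RSAMD5)."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def make_ds(owner, rdata):
    """DS fields the child hands up to its parent (digest type 2 = SHA-256)."""
    digest = hashlib.sha256(wire_name(owner) + rdata).hexdigest()
    return {"key_tag": key_tag(rdata), "algorithm": rdata[3],
            "digest_type": 2, "digest": digest}

def ds_matches(ds, owner, rdata):
    """Validator side: does the DNSKEY we fetched correspond to the parent's DS?

    Any change to the flags, algorithm or key bytes changes the digest, so a
    substituted apex key cannot be chained to the parent's signed DS.
    """
    return make_ds(owner, rdata) == ds

# Constructed KSK: flags 257 = ZONE + SEP, algorithm 8 = RSASHA256, placeholder key.
KSK_RDATA = dnskey_rdata(257, 8, b"\x01\x02\x03\x04")
```

The RRSIG verification itself needs the zone's real public-key algorithm and is left to a DNS library; what is shown is the link between one layer of delegation and the next.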
DynECT Managed DNS Solutions
http://www.flickr.com/photos/nhuisman/3168683736/sizes/l/in/photostream/
Today's Sales Pitch
• Integrated global server load balancing and CDN routing services to reduce DNS round trips.
• Global IP anycast DNS network for low latency DNS responses and resistance to DNS pharming attacks.
• Excessive overprovisioning and intelligent systems to handle DNS DDoS attacks.
• Finally, full support for DNSSEC zone signing, key management, and rollover in a simple Web UI.
Stay Tuned! Learn More!
Intro to DynECT Email Delivery
Date and Time TBD!
Thanks for listening!
Thank You!
Hit us on Twitter:
@tomdyninc
#dnschat