Extending Your Security Infrastructure to Include DNS

For years, F5 has been a key player in DNS with its BIG-IP Global Traffic Manager (GTM). Today, F5 continues the development that has made it an industry leader, focusing on GTM, making it feature-rich, and renaming it BIG-IP DNS. Now, through the BIG-IP DNS product, you can add speed, reliability, and security to your DNS infrastructure, improving both your end-user experience and your company's security posture.

Global availability is still an important feature for BIG-IP DNS, but serving and protecting your DNS infrastructure has also taken center stage within this module.

BIG-IP DNS is a proxy like Local Traffic Manager (LTM), but it services only DNS. It consumes incoming DNS queries and either answers each request from its own configuration or forwards it on to another server. Like LTM, BIG-IP DNS leverages purpose-built hardware to enhance, accelerate, and secure your DNS service. BIG-IP also offers flexibility and scalability for small to large companies, protecting against surges and sudden growth.

On the front line, BIG-IP DNS protects against DNS DDoS by answering queries faster than most traditional DNS installs. Most BIND installs tap out at about 50,000 requests per second (RPS). A good DNS install provides in the neighborhood of 200,000 to 250,000 RPS. A BIG-IP DNS appliance can handle 10,000,000. Add in geolocation and/or IP intelligence, and you can selectively answer queries based on IP, city, state, country, region, etc. Deploy BIG-IP DNS in an active sync group and sleep better at night.

Once BIG-IP DNS sorts through incoming queries, it can safely and efficiently address requests. This is where DNS Cache, DNS Express, and DNSSEC come into play.

DNS caching is the initial level for increased DNS performance. BIG-IP DNS can be a transparent cache for your existing infrastructure, adding a single point of control and reducing administration overhead. Since you won't need to run a cache engine on each individual server, this frees up resources and reduces load on your DNS servers. BIG-IP DNS also decreases lookup times by using purpose-built hardware and serving records from memory. This decreases response times and improves the end-user experience.

In my opinion, DNS Express™ is the highlight feature of BIG-IP DNS. In a nutshell, DNS Express sets up a virtual DNS server in RAM, transfers your DNS zone into it, and provides high speed queries to all of your records. It does this by pulling in new records created in your infrastructure and constantly checking in with the DNS Master just like a secondary server.

DNS Express acts authoritatively for this zone and lets you define how queries it cannot answer are handled. DNS Express also handles zone transfers, which can be secured using TSIG keys. Additionally, it handles both IPv4 and IPv6 traffic. A key benefit is that it runs only a subset of BIND, so it is not susceptible to most BIND vulnerabilities, which makes your install even more secure.
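To make concrete what a TSIG key adds to a zone transfer between a DNS master and a secondary such as DNS Express, here is an added Python example (not F5's or BIND's code) that models the TSIG MAC computation from RFC 8945 over a constructed AXFR request. The key name, shared secret, fudge value, and zone name are assumed sample values. It shows why a transfer request cannot be forged, altered, or replayed outside the time window without the shared secret.

```python
import hashlib
import hmac
import struct

# Constructed sample TSIG parameters (assumptions, not real deployment values).
# A real secret comes from tsig-keygen or the TSIG key object on the appliance.
KEY_NAME = "xfer-key."
SECRET = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0" * 2)
ALGORITHM = "hmac-sha256."
FUDGE = 300  # seconds of clock skew tolerated either side of "time signed"


def encode_name(name: str) -> bytes:
    """Wire-format a DNS name as RFC 1035 labels, lowercased (TSIG canonical form)."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_axfr_query(zone: str, msg_id: int = 0x1234) -> bytes:
    """Construct a minimal AXFR query: 12-byte header plus one question (QTYPE 252, QCLASS IN)."""
    header = struct.pack("!HHHHHH", msg_id, 0, 1, 0, 0, 0)
    return header + encode_name(zone) + struct.pack("!HH", 252, 1)


def tsig_digest_input(message: bytes, time_signed: int, fudge: int) -> bytes:
    """Bytes covered by the MAC (RFC 8945 section 4.3.3): the request followed by the TSIG variables."""
    variables = (
        encode_name(KEY_NAME)
        + struct.pack("!HI", 255, 0)            # CLASS ANY, TTL 0
        + encode_name(ALGORITHM)
        + struct.pack("!Q", time_signed)[2:]    # 48-bit time signed
        + struct.pack("!HHH", fudge, 0, 0)      # fudge, error NOERROR, other-data length 0
    )
    return message + variables


def sign(message: bytes, time_signed: int, fudge: int = FUDGE) -> bytes:
    """Client side: produce the MAC that goes into the TSIG record appended to the request."""
    return hmac.new(SECRET, tsig_digest_input(message, time_signed, fudge), hashlib.sha256).digest()


def verify(message: bytes, mac: bytes, time_signed: int, now: int, fudge: int = FUDGE) -> bool:
    """Server side: reject requests outside the fudge window, then compare MACs in constant time."""
    if abs(now - time_signed) > fudge:
        return False  # stale or replayed request (BADTIME in a real server)
    expected = sign(message, time_signed, fudge)
    return hmac.compare_digest(expected, mac)


if __name__ == "__main__":
    request = build_axfr_query("example.com.")
    t = 1_700_000_000
    mac = sign(request, t)
    print("fresh, untouched request accepted:", verify(request, mac, t, t + 5))
    print("same MAC on a modified request:", verify(build_axfr_query("example.com.", 0x1235), mac, t, t))
    print("replay after the fudge window:", verify(request, mac, t, t + FUDGE + 1))
```

A secondary that holds the key (DNS Express in the scenario above) signs its AXFR request this way; a master configured to allow transfers only for that key name will refuse an unsigned or wrongly signed request, which is what keeps zone contents from being pulled by anyone who can reach TCP/53.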

If more security is requested or required, BIG-IP DNS supports DNSSEC. This nifty little industry standard allows DNS responses to be signed, protecting against things like cache poisoning and phishing. It does this by using zone signing keys and, yes, they can be HSM keys.

The zone signing keys can be set to roll over automatically based on user-defined thresholds, which adds even more security. Both automatic rollover and HSM storage apply to the key-signing keys as well. You can run the HSM locally, in appliances, or offload to a network-based model. Lastly, performance is not an issue here, since purpose-built hardware handles the DNS piece and the keys are stored locally.
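Automatic key rollover only helps if the signatures it produces are actually fresh when resolvers validate them, so a defender will want an independent check on the signed zone. The following added Python example (written for this article, not F5 code) reads a constructed zone fragment, tells the zone-signing key from the key-signing key by the DNSKEY flags field (256 versus 257, the SEP bit), and reports every RRSIG whose expiration falls within a chosen number of days. The record contents and timestamps are sample values.

```python
from datetime import datetime, timezone

# Constructed sample zone fragment (placeholders, not a real zone).
# RRSIG fields: type-covered alg labels orig-ttl expiration inception key-tag signer signature,
# with expiration and inception as YYYYMMDDHHmmSS in UTC.
ZONE_TEXT = """
example.com.     3600 IN DNSKEY 257 3 13 ksk-public-key-placeholder
example.com.     3600 IN DNSKEY 256 3 13 zsk-public-key-placeholder
example.com.     3600 IN RRSIG DNSKEY 13 2 3600 20240401000000 20240301000000 11111 example.com. sig-placeholder
example.com.     3600 IN RRSIG SOA    13 2 3600 20240305000000 20240228000000 22222 example.com. sig-placeholder
www.example.com.  300 IN RRSIG A      13 3  300 20240303120000 20240228000000 22222 example.com. sig-placeholder
"""


def parse_stamp(stamp: str) -> datetime:
    """Parse an RRSIG timestamp (YYYYMMDDHHmmSS) as an aware UTC datetime."""
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def classify_dnskeys(zone_text: str) -> dict:
    """Count ZSKs and KSKs: flag value 257 has the SEP bit (least significant bit) set, 256 does not."""
    roles = {"ZSK": 0, "KSK": 0}
    for line in zone_text.splitlines():
        fields = line.split()
        if len(fields) >= 5 and fields[3] == "DNSKEY":
            flags = int(fields[4])
            roles["KSK" if flags & 0x0001 else "ZSK"] += 1
    return roles


def rrsig_status(zone_text: str, now_stamp: str, threshold_days: float) -> list:
    """Return (owner, type covered, days left, status) for every RRSIG that needs attention.

    status is "expired", "not_yet_valid" or "expiring"; signatures comfortably inside
    their validity window are not reported.
    """
    now = parse_stamp(now_stamp)
    findings = []
    for line in zone_text.splitlines():
        fields = line.split()
        if len(fields) < 13 or fields[3] != "RRSIG":
            continue
        owner, type_covered = fields[0], fields[4]
        expiration, inception = parse_stamp(fields[8]), parse_stamp(fields[9])
        days_left = round((expiration - now).total_seconds() / 86400, 2)
        if now >= expiration:
            status = "expired"
        elif now < inception:
            status = "not_yet_valid"
        elif days_left <= threshold_days:
            status = "expiring"
        else:
            continue
        findings.append((owner, type_covered, days_left, status))
    return findings


if __name__ == "__main__":
    print(classify_dnskeys(ZONE_TEXT))
    for finding in rrsig_status(ZONE_TEXT, "20240301000000", threshold_days=7):
        print(finding)
```

Run against a real zone's output (for example a signed zone file or an AXFR dump), the threshold should sit above the zone's longest TTL plus the signer's re-sign interval, so that a stalled rollover or signing job is noticed before resolvers start returning SERVFAIL.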

Overall, BIG-IP DNS goes a long way toward filling a strong security role in your infrastructure. For those of you using 'Better' or 'Best' licensing models, you should have the needed licensing to utilize these capabilities today. If you have an older SKU for GTM, you may need add-on licenses for these features.

GuidePoint's team of professionals can review your use case and speak to you regarding your solution options. We have several F5 Certified Technology Specialists in GTM to assist you and can help you maximize your install's potential and secure your resources.

If you’re a GuidePoint client and have questions about BIG-IP DNS, please reach out directly to your personal contact or email us at info@guidepointsecurity.com. If your organization is interested in learning more about BIG-IP DNS and if it’s the right tool for you, let us know. You can find out more about GuidePoint and our services at www.guidepointsecurity.com.

About GuidePoint Security

GuidePoint Security LLC provides innovative and valuable cyber security solutions and expertise that enable organizations to successfully achieve their mission. By embracing new technologies, GuidePoint Security helps clients recognize the threats, understand the solutions, and mitigate the risks present in their evolving IT environments. Headquartered in Herndon, Virginia, GuidePoint Security is a small business, and its classification can be found in the System for Award Management (SAM). Learn more at: www.guidepointsecurity.com.