F5 Scenario Spotlight Smart DNS Security Practice Guide

Mondo Technology Updated on 2024-01-31

F5 Smart DNS Security

DNS is an old protocol that was designed without security in mind, yet it remains indispensable. From the beginning it has mapped domain names to IP addresses, and it has become a fundamental network resource: it is what connects clients to the applications they access.

Because of this, DNS controls the entry point of network access and decouples clients from the applications they reach, which makes it the most effective place for traffic steering and failure detection. DNS is the most basic and critical component of a secure, flexible, and highly available network architecture.

DNS also faces many challenges. The huge number of clients brought by the mobile Internet and IoT terminals strains DNS performance; hybrid-cloud deployments test its failure-detection and traffic-scheduling capabilities; the many microservices and domain names of modern applications test its capacity; a wide range of DNS attacks test its security; DNS information leakage and hijacking are a constant risk; and interference from carriers and intermediary devices makes fast DNS switching harder.

Harden the security of DNS on the Internet

Architecturally, the F5 solution for Internet-facing authoritative DNS consists of a DNS security control unit, a DNS resolution management unit, a DNS data analysis unit, an escape channel, and a DNS scrubbing center.

The DNS security control unit load-balances all DNS traffic and performs DNS security filtering in front of the resolvers. Its capabilities include:

DNS protocol compliance check.

DNSSEC signing.

DNS DDoS protection.

DNS blacklist and whitelist control.

DoH/DoT (DNS over HTTPS / DNS over TLS) service gateway.

IP reputation services.

Programmable security policies.

DNS performance at the scale of tens of millions of queries.

Export of DNS access information (query logs).

The DNS data analysis unit can be built on a big-data platform that records every DNS request and response, models the DNS data according to the user's needs, analyzes requests along multiple dimensions, and counts DNS queries per hour, day, and month.

It can also count domain name resolution errors, analyze their causes, and detect failures of backend DNS service nodes promptly. Based on the resolution results, users can tune the DNS configuration and improve the accuracy of the topology algorithm. For key domain names, it can compare current traffic against historical trends and configured thresholds and raise real-time alarms to confirm an attack.
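The counting and alerting described above is ordinary log analytics. The following is an added example (not F5 code and not taken from this page) that runs those checks over constructed query-log lines: queries per hour, server-error ratio per domain, per-node failure detection, and a threshold alert for key domains against a historical baseline. The log field layout, domain names, node names and thresholds are all assumptions made for the demonstration.

```python
"""Offline analysis of exported DNS query logs.

Added example, not F5 code: it models the counting and threshold alerting
described above over constructed log lines of the form
    <epoch> <client> <qname> <qtype> <rcode> <answering-node>
The field layout, domain names and thresholds are assumptions.
"""
from collections import Counter
from datetime import datetime, timezone

# Constructed sample: a 09:00 UTC hour in which backend node dns-b fails
# queries for api.shop.example, then a 10:00 UTC burst against www.shop.example.
LOG = """\
1706691600 10.1.1.10 www.shop.example A NOERROR dns-a
1706691605 10.1.1.11 api.shop.example A NOERROR dns-b
1706691630 10.1.1.12 api.shop.example A SERVFAIL dns-b
1706691631 10.1.1.12 api.shop.example AAAA SERVFAIL dns-b
1706692000 10.1.1.13 www.shop.example A NOERROR dns-a
1706692100 10.1.1.14 nope.shop.example A NXDOMAIN dns-a
1706695200 10.1.1.10 www.shop.example A NOERROR dns-a
1706695201 10.1.1.15 www.shop.example A NOERROR dns-b
1706695202 10.1.1.16 www.shop.example A NOERROR dns-a
1706695203 10.1.1.17 www.shop.example A NOERROR dns-b
1706695204 10.1.1.18 www.shop.example A NOERROR dns-a
1706695205 10.1.1.19 www.shop.example A NOERROR dns-b
"""

SERVER_ERRORS = {"SERVFAIL", "REFUSED"}   # NXDOMAIN is a valid answer, not a fault


def parse(text):
    """Return (ts, client, qname, qtype, rcode, node) tuples, skipping blank lines."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, qtype, rcode, node = line.split()
        records.append((int(ts), client, qname.lower().rstrip("."), qtype, rcode, node))
    return records


def queries_per_hour(records):
    """Query volume bucketed by UTC hour (the same idea extends to day and month)."""
    buckets = Counter()
    for ts, *_ in records:
        buckets[datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%dT%H")] += 1
    return dict(buckets)


def error_rate_by_domain(records):
    """Per domain: (total queries, server-error responses, error ratio)."""
    totals, errors = Counter(), Counter()
    for _, _, qname, _, rcode, _ in records:
        totals[qname] += 1
        if rcode in SERVER_ERRORS:
            errors[qname] += 1
    return {d: (totals[d], errors[d], errors[d] / totals[d]) for d in totals}


def failing_nodes(records, max_error_ratio=0.25):
    """Backend nodes whose share of server-error responses exceeds the limit."""
    totals, errors = Counter(), Counter()
    for *_, rcode, node in records:
        totals[node] += 1
        if rcode in SERVER_ERRORS:
            errors[node] += 1
    return sorted(n for n in totals if errors[n] / totals[n] > max_error_ratio)


def threshold_alerts(records, baseline, key_domains, factor=3.0):
    """Flag key domains whose query count exceeds factor x the historical baseline
    for the same window; baseline is {domain: expected_count}."""
    current = Counter(q for _, _, q, _, _, _ in records)
    alerts = []
    for d in key_domains:
        expected = max(baseline.get(d, 0.0), 1.0)   # no divide-by-zero on new names
        if current[d] > factor * expected:
            alerts.append(f"{d}: {current[d]} queries vs baseline {expected:.0f} "
                          f"({current[d] / expected:.1f}x)")
    return alerts


RECORDS = parse(LOG)

if __name__ == "__main__":
    print(queries_per_hour(RECORDS))
    print(error_rate_by_domain(RECORDS))
    print("failing nodes:", failing_nodes(RECORDS))
    print(threshold_alerts(RECORDS, {"www.shop.example": 2.0, "api.shop.example": 3.0},
                           ("www.shop.example", "api.shop.example")))
```

On the sample, dns-b is flagged because a third of its answers are SERVFAIL while dns-a has none, and www.shop.example trips the alert because its 8 queries are four times the assumed baseline of 2 for that window; NXDOMAIN is deliberately not counted as a server error, since a resolver returning "no such name" is usually working correctly.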

The DNS resolution management unit provides very high performance and capacity through DNS Express and follows a read/write-split design: a hidden master node handles all DNS changes and writes and synchronizes them in real time to the slave (secondary) DNS nodes, and the slave nodes answer the DNS queries.

F5's resolution management unit is built on F5's own DNS implementation rather than on a common open-source DNS server, so zero-day vulnerabilities in those servers do not apply to it directly. In addition, if backup centers exist in other regions, the unit can set up probe pools that monitor Internet reachability across centers and carriers, masking the service-unavailability risk caused by carrier line problems.
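The hidden-master / secondary split described above is a general DNS pattern, not something specific to F5. As an added illustration (not configuration from the F5 product or from this page), the following BIND-style named.conf fragments show the two roles: the hidden primary accepts zone changes but is never queried by clients, notifies the secondaries and allows only TSIG-signed zone transfers, and the secondaries answer all client queries. The zone name, IP addresses and TSIG secret are constructed placeholders.

```conf
# ===== /etc/named.conf on the hidden primary (192.0.2.10) =====
# Constructed example. BIND releases before 9.16 spell the zone types
# "master"/"slave" and the option "masters" instead of "primaries".
key "xfer-key" {
    algorithm hmac-sha256;
    secret "c2VjcmV0LXJlcGxhY2UtbWU=";   # placeholder; generate a real one with tsig-keygen
};

options {
    listen-on { 192.0.2.10; };
    recursion no;
    # Only the secondaries may query (they need SOA lookups for refresh checks);
    # no client ever talks to this node, so it is "hidden".
    allow-query { 192.0.2.20; 192.0.2.21; };
    notify explicit;
    also-notify { 192.0.2.20; 192.0.2.21; };
    allow-transfer { key xfer-key; };    # AXFR/IXFR only with the TSIG key
};

zone "corp.example" {
    type primary;
    file "/var/named/corp.example.zone";  # the only place edits are made
};

# ===== /etc/named.conf on a secondary (192.0.2.20) =====
key "xfer-key" {
    algorithm hmac-sha256;
    secret "c2VjcmV0LXJlcGxhY2UtbWU=";   # same key as the primary
};

server 192.0.2.10 { keys { xfer-key; }; };   # sign transfer requests to the primary

options {
    listen-on { 192.0.2.20; };
    recursion no;
    allow-query { any; };                # read side: answers all clients
    allow-transfer { none; };            # no onward copies of the zone
};

zone "corp.example" {
    type secondary;
    primaries { 192.0.2.10; };
    file "/var/named/secondary/corp.example.zone";
};
```

The point of the split is the same one the text makes: the write path (the hidden primary) is reachable only by the secondaries, so an attacker who can reach the query-facing servers has no path to the node where the zone is edited, and a secondary that is overwhelmed or compromised can be replaced without touching the zone source.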

The escape channel is architecturally independent of the existing DNS system but provides the same service capability, and it exists to isolate the risk of the production DNS. In extreme cases, when the production DNS system fails, the DNS security control unit redirects traffic to the escape-channel environment for emergency response, so that the service can fail over quickly.

This external DNS security architecture protects the Internet-facing authoritative DNS and helps users build a secure, stable, reliable, and scalable external DNS.

Harden the security of the internal DNS

For intranet DNS, the F5 solution consists of a DNS security control unit, a DNS resolution management unit (the authoritative servers for the root/primary domain and for subdomains), a local DNS security unit, a DNS data analysis unit, and a hidden master node.

Authoritative DNS is divided into the primary (root) domain authority and subdomain authorities. A separate subdomain with its own authoritative servers is recommended when a domain has a very large number of hosts and names, when it receives a high request rate with frequent automated changes, or when it is managed across platforms and departments.

The local DNS security unit, built on F5 DNS, provides the following capabilities:

Service reliability: DNS health checks monitor whether key domain names resolve correctly.

Forwarder reliability: F5 DNS health-checks the different forwarders (the other local DNS servers, or LDNS) and steers queries to the ones that are healthy, guaranteeing the service capacity of the local DNS.

High security: F5 DNS provides the following security capabilities:

Per-source-IP query rate limiting (single-IP high-frequency protection).

DNS protocol security (compliance checks).

Cache poisoning protection.

Isolation from BIND zero-day vulnerabilities.

DNS tunnel protection.

DNS domain name blacklist and whitelist.

Reputation-based protection.

Programmability: F5 DNS is highly programmable. For example, NXDOMAIN responses for specified domain names can be overridden so that an administrator's misconfiguration is not negatively cached by downstream resolvers.

The DNS security control unit load-balances all DNS traffic and applies the preconfigured DNS security capabilities. Besides the capabilities it shares with the external DNS architecture, it can also protect the user's own local DNS, which exists only in the internal scenario.

Examples include domain-reputation filtering, IP-reputation filtering, cache poisoning protection, and DNS tunnel protection, together with APIs that integrate with the user's SOAR and similar platforms.

For instance, when a network traffic analysis (NTA) product identifies a high-risk domain, such as a command-and-control (C2) domain, the automation platform can push a domain blocking policy to the F5 DNS security control unit through the API, so that queries for that domain are blocked by blacklist.
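To make the local DNS security capabilities listed above and the SOAR-driven blocking described here concrete, the following added example (not F5 code, and not an F5 API) models an inline DNS policy filter: per-source-IP rate limiting, domain whitelist/blacklist with a block_domain() hook of the kind an automation platform would call, DNS tunnel heuristics (label length, label count, entropy of the leftmost label on TXT/NULL queries), and an NXDOMAIN override for protected names. All thresholds, domain names and addresses are constructed for the demonstration.

```python
"""Inline local-DNS security policy.

Added example, not F5 code: it models several of the local DNS security
capabilities listed above (single-IP rate limiting, DNS tunnel heuristics,
domain blacklist/whitelist, NXDOMAIN override) plus a block_domain() hook of
the kind a SOAR platform would drive over an API. Thresholds, names and
addresses are constructed for the demonstration.
"""
from __future__ import annotations

import math
from collections import Counter, defaultdict, deque
from dataclasses import dataclass, field


@dataclass
class Query:
    src_ip: str
    qname: str
    qtype: str
    ts: float                                 # seconds


@dataclass
class Policy:
    max_qps_per_ip: int = 50                  # single-IP high-frequency limit
    max_label_len: int = 40                   # tunnel heuristic: label length
    max_labels: int = 6                       # tunnel heuristic: label count
    entropy_limit: float = 3.8                # bits/char of the leftmost label
    blacklist: set[str] = field(default_factory=set)
    whitelist: set[str] = field(default_factory=set)
    nxdomain_override: dict[str, str] = field(default_factory=dict)


class DnsFilter:
    def __init__(self, policy: Policy):
        self.policy = policy
        self._recent: dict[str, deque[float]] = defaultdict(deque)

    def block_domain(self, domain: str) -> None:
        """What the automation/SOAR platform calls once NTA flags a C2 domain."""
        self.policy.blacklist.add(domain.lower().rstrip("."))

    @staticmethod
    def _in_zones(name: str, zones: set[str]) -> bool:
        """True if name equals, or is a subdomain of, any listed zone."""
        labels = name.split(".")
        return any(".".join(labels[i:]) in zones for i in range(len(labels)))

    @staticmethod
    def _entropy(s: str) -> float:
        n = len(s)
        return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

    def _over_rate(self, q: Query) -> bool:
        """Sliding one-second window of query timestamps per source IP."""
        window = self._recent[q.src_ip]
        window.append(q.ts)
        while window and q.ts - window[0] >= 1.0:
            window.popleft()
        return len(window) > self.policy.max_qps_per_ip

    def _looks_like_tunnel(self, name: str, qtype: str) -> bool:
        labels = name.split(".")
        first = labels[0]
        return (len(first) > self.policy.max_label_len
                or len(labels) > self.policy.max_labels
                or (qtype in {"TXT", "NULL"}
                    and self._entropy(first) > self.policy.entropy_limit))

    def decide(self, q: Query) -> tuple[str, str]:
        """Return (action, reason). Order: cheapest test first, whitelist beats
        blacklist, heuristics last."""
        name = q.qname.lower().rstrip(".")
        if self._over_rate(q):
            return "DROP", "rate-limit"
        if self._in_zones(name, self.policy.whitelist):
            return "ALLOW", "whitelist"
        if self._in_zones(name, self.policy.blacklist):
            return "BLOCK", "blacklist"
        if self._looks_like_tunnel(name, q.qtype):
            return "BLOCK", "tunnel-heuristic"
        return "ALLOW", "default"

    def rewrite_response(self, qname: str, rcode: str) -> tuple[str, str | None]:
        """NXDOMAIN override: for a protected name, replace an unexpected NXDOMAIN
        (typically an administrator's misconfiguration) with a known-good answer
        so downstream resolvers do not negatively cache the name."""
        name = qname.lower().rstrip(".")
        if rcode == "NXDOMAIN" and name in self.policy.nxdomain_override:
            return "NOERROR", self.policy.nxdomain_override[name]
        return rcode, None


def demo() -> DnsFilter:
    """Filter with a constructed policy; the SOAR hook adds one C2 domain."""
    f = DnsFilter(Policy(whitelist={"corp.example"},
                         nxdomain_override={"app.corp.example": "10.20.30.40"}))
    f.block_domain("evil-c2.test")            # as pushed by an automation playbook
    return f


if __name__ == "__main__":
    f = demo()
    for q in (Query("10.0.0.5", "www.example.com.", "A", 0.0),
              Query("10.0.0.5", "cc.evil-c2.test.", "A", 0.1),
              Query("10.0.0.6", "k3j9x2m7q1w8e5r4t6y0u2i9o3p5a7s1.t.example.net.", "TXT", 0.2)):
        print(q.qname, f.decide(q))
    print(f.rewrite_response("app.corp.example.", "NXDOMAIN"))
```

Two design points worth noting: the rate limiter runs before any name matching, so a flood from one source costs the filter almost nothing per packet, and the whitelist is checked before the blacklist and the tunnel heuristics, so legitimate high-entropy names under a trusted zone (for example DKIM or DMARC TXT records) cannot be blocked by a reputation feed or a heuristic. The NXDOMAIN override is deliberately an exact-name match: rewriting every negative answer under a zone would hide real deletions.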

Summary

F5's intelligent DNS is well known for its health checking and traffic scheduling, and it is widely used in active-active and multi-active data centers and in hybrid-cloud scenarios.

F5 DNS is not only intelligent DNS, however: F5 provides a highly secure, high-performance, scalable, and highly available DNS solution designed to help users build a complete and secure DNS system.

Whether public or private DNS, authoritative or local DNS, at the edge or in the center, the F5 DNS solution helps users harden security and build a secure, fast, stable, high-capacity, high-performance, and scalable DNS system.

The vision of F5's intelligent DNS security solution is to be the North Star for secure modern applications.
