DNS Architecture in the 21st Century
November 1, 2012
Featured article by Don MacVittie, F5 Networks
DNS is the pervasive glue that holds the Internet together. Without it, organizations would struggle to reach new audiences and deliver quality user experiences. But because it is always there, always on, and “just works” almost all of the time, it is often taken for granted.
A whole collection of external factors is driving the re-emergence of DNS as something you need to look at closely. After years of just adding and removing servers, or using DNS to reroute traffic to new versions, the emergence of potentially catastrophic DNS-specific attacks, the growth of cloud computing, and mergers have caused DNS to feel “behind”.
This makes sense, overall. How many times have you implemented new protections or functionality in DNS? Not very many. Meanwhile the complexity of the average corporate network is constantly growing. Maybe slowly, but it’s a rare network that gets less complex over time. And upcoming changes like IPv6 are driving more substantial changes to DNS, since the addresses it needs to serve are completely different in IPv6 than IPv4.
So what are the necessary steps to make DNS more useful in this increasingly hostile and complex environment?
- DNSSEC – To keep DNS safe from forgery.
- Global DNS – To send users to a cloud provider or a datacenter.
- IPv6 support – Without which IPv6 is harder to use than IPv4.
- And possibly Global Load Balancing – to make the most of cloud-bursting.
Let’s take a look at each in turn, so the reasons they made the list are clear.
DNSSEC
DNS hijacking is a standard tool in the hacker toolbox these days, and yet the vast majority of DNS servers do not yet implement DNSSEC, which uses signing to verify the validity of DNS responses. While the success of DNSSEC depends upon widespread deployment (both sender and receiver have to be configured to use it), the slow adoption rate has hindered its use. But, like shoveling snow out of your driveway, everyone knows it has to be done eventually; most just aren’t in a rush to get started. If your Internet service provider (or whoever has your upstream DNS) supports DNSSEC, implement it. If they do not, urge them to implement it, and then implement it yourself.
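As an added example (not from the article or from F5), here is the link in the DNSSEC chain of trust that a validator checks before it trusts a zone's key: the parent zone publishes a DS record carrying a digest of the child's key-signing DNSKEY, and the child's key is accepted only if the key tag, algorithm and digest all agree. It uses only the Python standard library; the zone name, the 4-byte public key and the resulting DS values are constructed placeholders (a real ECDSA P-256 key is 64 bytes). Verifying the RRSIG signatures over the records themselves is the next step and is not shown, since that needs an asymmetric-crypto library.

```python
import hashlib
import hmac

# DS digest types this check accepts (RFC 4034 s.5.1.3, RFC 6605 s.7).
# SHA-1 (type 1) is left out deliberately: it should no longer be trusted.
DS_DIGEST = {2: hashlib.sha256, 4: hashlib.sha384}
DNSKEY_PROTOCOL = 3       # the only valid Protocol value (RFC 4034 s.2.1.2)
ZONE_KEY_FLAG = 0x0100    # Flags bit 7: the key may sign zone data


def canonical_owner_name(name: str) -> bytes:
    """Owner name in canonical wire form (RFC 4034 s.6.2): lowercase,
    length-prefixed labels, terminated by the empty root label."""
    name = name.rstrip(".").lower()
    out = b""
    for label in (name.split(".") if name else []):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("label length out of range")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA = Flags (2 bytes) | Protocol (1) | Algorithm (1) | Public Key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (valid for every algorithm except the
    obsolete RSA/MD5). It is a checksum, not a security property."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int) -> bytes:
    """DS digest = H(canonical owner name | DNSKEY RDATA) (RFC 4034 s.5.1.4)."""
    return DS_DIGEST[digest_type](canonical_owner_name(owner) + rdata).digest()


def ds_matches_dnskey(ds, owner: str, rdata: bytes) -> bool:
    """ds = (key_tag, algorithm, digest_type, digest_hex), as the parent publishes it.
    True only if this DS vouches for this DNSKEY."""
    tag, alg, dtype, digest_hex = ds
    flags = int.from_bytes(rdata[:2], "big")
    if rdata[2] != DNSKEY_PROTOCOL or not flags & ZONE_KEY_FLAG:
        return False                    # not a usable zone key at all
    if dtype not in DS_DIGEST:
        return False                    # unknown or deprecated digest type
    if tag != key_tag(rdata) or alg != rdata[3]:
        return False                    # cheap rejection before hashing
    return hmac.compare_digest(ds_digest(owner, rdata, dtype), bytes.fromhex(digest_hex))


# Constructed sample chain: the child's KSK and the DS its parent would publish.
# Flags 257 = ZONE | SEP; algorithm 13 = ECDSAP256SHA256; key bytes are a placeholder.
CHILD_KSK = dnskey_rdata(257, 3, 13, b"\x01\x02\x03\x04")
PARENT_DS = (key_tag(CHILD_KSK), 13, 2, ds_digest("example.com.", CHILD_KSK, 2).hex())


def check_chain(ds=PARENT_DS, owner="example.com.", rdata=CHILD_KSK) -> bool:
    """Does the parent's DS vouch for the child's DNSKEY?"""
    return ds_matches_dnskey(ds, owner, rdata)


if __name__ == "__main__":
    print("key tag:", key_tag(CHILD_KSK), "DS matches:", check_chain())
```

A single changed byte in the key, a DS that names a retired digest type, or a key without the zone-key flag all fail the check, which is the point: a forged DNSKEY cannot be made to line up with the DS the parent signed.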
Global DNS
When you move an application to the cloud, you move it into a different realm; moving it to a separate datacenter is much the same. The big difference is that, depending upon your vendor, you may not control the IP address in the cloud. Indeed, in some cases the address in the cloud isn’t even static. Global DNS allows IT to direct traffic to the nearest DNS server (henceforth called the Local DNS server, or LDNS for short), which in turn allows local datacenter or cloud relationship managers to make certain that local DNS (and thus global DNS) is correctly configured. In terms of uptime, this makes a lot more sense than corporate headquarters micro-managing IP addresses at a datacenter in another country.
IPv6 Support
IPv6 is not being adopted in datacenters at the rate you would expect, but inevitably, it is coming. Just as a growing population needs more houses built, so the growing Internet needs more addresses. Correctly configured IPv6 DNS is essential to supporting IPv6, unless you want to direct your users to type something like
to get to your website (example taken from the IETF IPv6 RFC document). This is not the way normal humans think, and it is even harder to use than IPv4, so DNS that can handle IPv6 is even more important than it was for past iterations. While an IPv6 gateway can provide flip-of-a-switch translation from IPv4 to IPv6 and back, it cannot offer DNS for IPv6. So support is coming to your datacenter, sooner or later.
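As an added example (not part of the article), the following Python shows the two halves of "correctly configured IPv6 DNS" that are most often got wrong: the AAAA record that lets users type a name instead of a 128-bit address, and the matching reverse (ip6.arpa) entry, whose nibble-reversed form depends on where the delegated reverse zone boundary falls. The host name, addresses and prefix are constructed documentation values (2001:db8::/32 and the IPv4 TEST-NET ranges).

```python
import ipaddress
from typing import List


def ipv6_reverse_zone(prefix: str) -> str:
    """Name of the ip6.arpa zone that a delegated prefix lives in.
    Reverse delegation works per nibble, so the prefix length must be a multiple of 4."""
    net = ipaddress.IPv6Network(prefix)          # strict: host bits must be zero
    if net.prefixlen % 4:
        raise ValueError("reverse delegation needs a nibble-aligned prefix, e.g. /48 or /56")
    nibbles = net.network_address.exploded.replace(":", "")[: net.prefixlen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


def ipv6_ptr_name(address: str) -> str:
    """Full 32-nibble reverse name of one host, with trailing dot (zone-file style)."""
    nibbles = ipaddress.IPv6Address(address).exploded.replace(":", "")
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


def dual_stack_records(host: str, v4: str, v6: str, v6_zone_prefix: str) -> List[str]:
    """Zone-file lines for a dual-stack host: forward A and AAAA records, plus the
    PTR record written relative to the delegated reverse zone so it can be pasted
    straight into that zone file."""
    addr6 = ipaddress.IPv6Address(v6)
    net = ipaddress.IPv6Network(v6_zone_prefix)
    if addr6 not in net:
        raise ValueError(f"{v6} is not inside {v6_zone_prefix}")
    zone = ipv6_reverse_zone(v6_zone_prefix)
    full = ipv6_ptr_name(v6)
    relative = full[: -len(zone) - 1]            # drop ".<zone>" from the full name
    return [
        f"{host} IN A {ipaddress.IPv4Address(v4)}",
        f"{host} IN AAAA {addr6.compressed}",    # compressed form, never the exploded one
        f"{relative} IN PTR {host}",             # goes into the {zone} zone file
    ]


if __name__ == "__main__":
    print(ipv6_reverse_zone("2001:db8::/48"))
    for line in dual_stack_records("www.example.com.", "192.0.2.10", "2001:db8::1", "2001:db8::/48"):
        print(line)
```

The reverse zone for 2001:db8::/48 is `0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.`; the remaining 20 nibbles of each host address, reversed, form the PTR owner name inside it. Prefix lengths that are not nibble-aligned (a /50, say) cannot be delegated cleanly and are rejected rather than silently rounded.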
Global Load Balancing
When implementing an internal cloud that spans datacenters, or driving traffic to the cloud only at peak times, it is necessary to understand when to serve up address A to incoming connections and when to serve up address B. Just as balancing load between two local servers is handled by a load balancer, balancing load between two datacenters and/or clouds requires a global approach. If your organization has plans for pushing out to the cloud or sharing applications across datacenters, global load balancing is the best of very few options.
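As an added example (not from the article or any F5 product), here is the decision a global load balancer makes for each query from an LDNS, covering both the Global DNS paragraph above (steer the resolver's users to the nearest site) and this one (serve address A or B, and burst to the cloud only when the datacenters are saturated). The region mapping, site addresses, health states, utilisation figures and the 85% burst threshold are all constructed; a real GSLB would take the region from a geo-IP database or EDNS Client Subnet and the health and load from its monitors.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed policy: which LDNS source ranges belong to which region, and the
# order of sites to try for each region. Ranges are the IPv4 documentation nets.
LDNS_REGIONS = {
    ipaddress.ip_network("192.0.2.0/24"): "eu",
    ipaddress.ip_network("198.51.100.0/24"): "us",
}
REGION_PREFERENCE = {"eu": ["dc-eu", "dc-us"], "us": ["dc-us", "dc-eu"]}
BURST_THRESHOLD = 0.85   # utilisation above which a datacenter takes no new traffic
GSLB_TTL = 30            # short TTL so a changed answer takes effect quickly


@dataclass
class Site:
    name: str
    address: str          # record data handed back to the LDNS (A or AAAA)
    healthy: bool         # result of the most recent health check
    load: float           # utilisation 0.0-1.0 reported by the local load balancer
    cloud: bool = False   # burst capacity: used only when datacenters are saturated


def region_for_ldns(ldns_ip: str) -> str:
    """Map the querying resolver's address to a region (constructed lookup)."""
    ip = ipaddress.ip_address(ldns_ip)
    for net, region in LDNS_REGIONS.items():
        if ip in net:
            return region
    return "us"           # default for resolvers outside any known range


def choose_answer(ldns_ip: str, sites: Dict[str, Site]) -> Optional[Tuple[str, int]]:
    """Return (address, ttl) for this LDNS, or None when nothing is usable.
    Answering with nothing (SERVFAIL in a real server) beats returning an address
    the health check says is dead, which resolvers would cache for the full TTL."""
    for name in REGION_PREFERENCE[region_for_ldns(ldns_ip)]:
        site = sites[name]
        if site.healthy and not site.cloud and site.load < BURST_THRESHOLD:
            return site.address, GSLB_TTL
    # Every preferred datacenter is down or saturated: burst to a healthy cloud site.
    for site in sites.values():
        if site.cloud and site.healthy:
            return site.address, GSLB_TTL
    return None


def sample_sites(eu_healthy: bool = True, eu_load: float = 0.4, us_load: float = 0.4,
                 cloud_healthy: bool = True) -> Dict[str, Site]:
    """Constructed state for two datacenters and one cloud burst site."""
    return {
        "dc-eu": Site("dc-eu", "192.0.2.10", eu_healthy, eu_load),
        "dc-us": Site("dc-us", "198.51.100.10", True, us_load),
        "cloud": Site("cloud", "203.0.113.10", cloud_healthy, 0.0, cloud=True),
    }


if __name__ == "__main__":
    print("eu resolver, all well:", choose_answer("192.0.2.53", sample_sites()))
    print("eu resolver, dc-eu down:", choose_answer("192.0.2.53", sample_sites(eu_healthy=False)))
    print("peak load, burst:", choose_answer("192.0.2.53", sample_sites(eu_load=0.95, us_load=0.9)))
```

Two choices matter for uptime here: the TTL is kept short so that failing a site over actually moves users within seconds rather than hours, and the cloud site is only ever chosen when the owned datacenters cannot take the traffic, which is what "cloud-bursting" means in practice.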
DNS has served us well in the past; the growth of the Internet is highly unlikely to have followed the path it did without some reliable and simple mechanism to give people words instead of complex numbers to get to websites. But networking and applications have grown beyond the constraints that DNS has traditionally assumed. It is time to start looking toward the future, and implementing a DNS architecture that will carry you forward, not hold you in the past.
Don MacVittie is a Technical Marketing Manager at F5 Networks. In this role, he supports outbound marketing, education, and evangelism efforts around development, storage, and IT management topics related to F5 solutions. His role includes authoring technical materials, participating in social and community-based forums, and providing guidance for the development of marketing resources. As an industry veteran, MacVittie has extensive programming experience along with project management, IT management, and systems/network administration expertise.
Prior to joining F5, MacVittie was a Senior Technology Editor at Network Computing, where he conducted product research and evaluated storage and server systems, as well as development and outsourcing solutions. He has authored numerous articles on a variety of topics aimed at IT professionals. MacVittie holds a B.S. in Computer Science from Northern Michigan University, and an M.S. in Computer Science from Nova Southeastern University.