BIG-IP DNS License
HYPERSCALE AND PROTECT YOUR DNS WHILE OPTIMIZING GLOBAL APP DELIVERY
Scaling and securing every environment helps protect your business from site outages and improves DNS and application performance. Securing DNS infrastructures from the latest distributed denial-of-service (DDoS) attacks and protecting DNS query responses from cache-poisoning redirects will help keep your business online and viable. To fully achieve these goals, you need efficient ways to monitor DNS infrastructure and application health, and to scale on demand. F5® BIG-IP® DNS distributes DNS and user application requests based on business policies, data center and cloud service conditions, user location, and application performance. The BIG-IP platform delivers F5’s high-performance DNS services with visibility, reporting, and analysis; hyperscales and secures DNS responses geographically to survive DDoS attacks; delivers a real-time DNSSEC solution; and ensures high availability of global applications in all cloud environments.
- Hyperscale DNS up to 100 million RPS with a fully loaded chassis
BIG-IP DNS hyperscales authoritative DNS up to 100 million query responses per second (RPS) and controls DNS traffic. It ensures that users are connected to the best site and delivers on-demand scaling for DNS and global apps.
- Protect against DNS attacks and ensure availability
Ensure DNS and application availability and protection during DNS DDoS attacks or volume spikes. Mitigate DNS threats by blocking access to malicious IP domains.
- Improve global application performance
Send app users to the cloud or on-premises site with the best performance based on application, geolocation, business, and network conditions.
- Deploy flexibly, scale as you grow, and manage efficiently
BIG-IP DNS delivers flexible global application management in virtual and multi-cloud environments. The web-based UI provides easy DNS configuration with centralized menus, plus advanced logging, statistics, and reporting, along with export to third-party analytics.
UNMATCHED DNS PERFORMANCE
BIG-IP DNS delivers hyperscale performance that can handle even the busiest apps and websites. When apps have a volume spike in DNS queries due to legitimate requests or DDoS attacks, BIG-IP DNS manages requests with multicore processing and F5 DNS Express, dramatically increasing authoritative DNS performance up to 50 million RPS to quickly respond to all queries.
This scalability helps your organization provide the best quality of service (QoS) for your users while eliminating poor application performance. DNS Express improves standard DNS server functions by offloading DNS responses as an authoritative DNS server. BIG-IP DNS accepts zone transfers of DNS records from the primary DNS server and answers DNS queries authoritatively.
Benefits and features of multicore processing and DNS Express include:
- High-speed response and DDoS attack protection with in-memory DNS
- Authoritative DNS replication in multiple BIG-IP or DNS service deployments for faster responses
- Authoritative DNS and DNSSEC in multi-clouds for disaster recovery and fast, secure responses
- Scalable DNS performance for quality of app and service experience
- The ability to consolidate DNS servers and increase ROI
In cases of very high volumes for apps and services or a DNS DDoS attack, BIG-IP DNS with DNS Express enabled plus in Rapid Response Mode (RRM) hyperscales up to 100 million RPS. It extends availability with unmatched performance and security absorbing and responding to queries up to 200 percent of the normal limits. See page 17 for performance metrics and details.
DNS CACHING AND RESOLVING
DNS latency can be reduced by enabling a DNS cache on BIG-IP DNS and having it respond immediately to client requests. BIG-IP DNS can consolidate the cache and increase the cache hit rate. This reduces DNS latency by up to 80 percent, with F5 DNS Caching reducing the number of DNS queries for the same site. When used in hardware on the F5 VIPRION platform, DNS caching hyperscales for ultimate query response performance and delivers linear scalability across multi-bladed chassis. In addition to caching, BIG-IP DNS allows the device to do its own DNS resolving without requiring the use of an upstream DNS resolver.
Caching profiles available to select for multiple caches include:
- Transparent cache—BIG-IP DNS sits between the client and internal/external DNS
- Hot cache
- Caching resolver—no cache response: BIG-IP DNS sends out requests, with responses returned for resolving and caching
- Validating caching resolver
BIG-IP DNS reduces the average DNS response time and latency for mobile and desktop devices from an average of 300 milliseconds (ms) and 100 ms respectively to as little as 15 ms, depending on workloads.
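The latency and hit-rate figures above come from one mechanism: answering repeat queries from memory for as long as the record's TTL allows. The following is an added example, not F5 code and not how BIG-IP DNS is implemented internally, showing the two details a caching layer has to get right to be safe and correct: the remaining TTL handed to the client must be decremented by the time the record has already sat in the cache, and an upstream TTL should be clamped to a maximum so that a stale or poisoned record cannot persist for days. The upstream answer table and the `max_ttl` value are constructed for the example.

```python
"""TTL-aware DNS cache (constructed example, not F5 code)."""
import time
from dataclasses import dataclass, field

# Constructed "upstream" answers: (qname, qtype) -> (rdata, ttl_seconds)
UPSTREAM = {
    ("www.example.com.", "A"): ("192.0.2.10", 300),
    ("api.example.com.", "A"): ("192.0.2.20", 60),
    ("long.example.com.", "A"): ("192.0.2.30", 604800),   # one-week TTL from upstream
}


@dataclass
class CacheEntry:
    rdata: str
    expires_at: float   # absolute time at which the record must be discarded
    original_ttl: int


@dataclass
class DnsCache:
    max_ttl: int = 86400          # assumed cap: never trust an upstream TTL beyond one day
    entries: dict = field(default_factory=dict)
    hits: int = 0
    misses: int = 0
    upstream_queries: int = 0

    def _fetch_upstream(self, qname, qtype):
        """Stand-in for a real upstream query; reads the constructed table."""
        self.upstream_queries += 1
        return UPSTREAM.get((qname, qtype))

    def resolve(self, qname, qtype, now=None):
        """Return (rdata, remaining_ttl) or None if the name is unknown upstream.

        `now` is injectable so the expiry behaviour can be exercised without sleeping."""
        now = time.time() if now is None else now
        key = (qname.lower(), qtype)          # DNS names compare case-insensitively
        entry = self.entries.get(key)
        if entry is not None and entry.expires_at > now:
            self.hits += 1
            # Hand back the TTL that is actually left, not the original one
            return entry.rdata, int(entry.expires_at - now)

        # Absent or expired: evict the stale entry and go upstream
        self.entries.pop(key, None)
        self.misses += 1
        answer = self._fetch_upstream(key[0], qtype)
        if answer is None:
            return None
        rdata, ttl = answer
        ttl = min(ttl, self.max_ttl)           # clamp oversized TTLs
        self.entries[key] = CacheEntry(rdata, now + ttl, ttl)
        return rdata, ttl

    def hit_rate(self):
        total = self.hits + self.misses
        return self.hits / total if total else 0.0


if __name__ == "__main__":
    cache = DnsCache()
    print(cache.resolve("www.example.com.", "A", now=1000.0))   # miss, full TTL
    print(cache.resolve("WWW.example.com.", "A", now=1100.0))   # hit, 200 s left
    print(cache.resolve("www.example.com.", "A", now=1301.0))   # expired, refetched
    print("hit rate:", cache.hit_rate())
```

Clients downstream of a cache rely on the decremented TTL to expire their own copies on time; returning the original TTL on every hit silently extends a record's lifetime at each caching tier.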
DNS denial-of-service attacks, cache poisoning, and DNS hijacking threaten the availability and security of your applications. BIG-IP DNS protects against DNS attacks and enables you to create policies that provide an added layer of protection for your applications and data. DNS attack protection features include:
- Hardened device—BIG-IP DNS is ICSA Labs Certified as a network firewall, and resists common teardrop, ICMP, and daemon attacks.
- DNS attack protection—BIG-IP DNS offers built-in protocol validation in software to automatically drop high-volume UDP, DNS query, NXDOMAIN floods, and malformed packets. You can use BIG-IP DNS in hardware to mitigate these high-volume attacks.
- DNS load balancing—The BIG-IP platform can be used to front-end static DNS servers. If the DNS request is for a name controlled by the BIG-IP platform, F5 DNS services will answer the request.
- Security control—F5 iRules for DNS can help you create policies that block requests from rogue sites.
- Packet filtering—BIG-IP DNS uses packet filtering to limit or deny websites’ access based on source, destination, or port.
DNS DDoS, cache poisoning of LDNS, and other unwanted DNS attacks and volume spikes can cause DNS outage and lost productivity. These attacks and traffic spikes increase volume dramatically and can take down DNS servers. BIG-IP DNS, with security, scale, performance, and control functionality, provides DNS firewall benefits. It shields DNS from attacks such as reflection or amplification DDoS attacks and other undesired DNS queries and responses that reduce DNS performance.
In addition, you can mitigate complex DNS security threats by blocking access to malicious IP domains with Response Policy Zones. With BIG-IP DNS, you can install a third-party domain filtering service such as SURBL or Spamhaus and prevent client infection or intercept infected responses to known sources of malware and viruses. F5 DNS firewall services reduce the costs of infection resolution and increase user productivity.
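A Response Policy Zone is a feed of trigger names, each carrying an action the resolver applies before answering. The following is an added example, not F5 code and not the SURBL or Spamhaus data format, showing how a QNAME-triggered policy lookup behaves: the exact query name is checked first, then the wildcard triggers of each parent domain, so that an exact-name exception (PASSTHRU) can carve a legitimate host out of a blocked parent. The policy table, the walled-garden name and the upstream stub are constructed for the example.

```python
"""RPZ-style QNAME policy lookup (constructed example, not F5's implementation)."""
from enum import Enum


class Action(Enum):
    NXDOMAIN = "nxdomain"    # answer NXDOMAIN (RPZ encodes this as CNAME .)
    NODATA = "nodata"        # answer NOERROR with an empty answer section (CNAME *.)
    PASSTHRU = "passthru"    # explicit exception: resolve normally
    DROP = "drop"            # send no response at all
    REDIRECT = "redirect"    # CNAME the client to a walled-garden name


# Constructed policy zone. A trigger beginning with "*." matches subdomains only,
# the bare name matches the name itself, mirroring RPZ QNAME trigger semantics.
POLICY = {
    "malware.example": (Action.NXDOMAIN, None),
    "*.malware.example": (Action.NXDOMAIN, None),
    "*.phish.example": (Action.REDIRECT, "walledgarden.internal.example"),
    "cdn.phish.example": (Action.PASSTHRU, None),   # exact name wins over the wildcard
    "*.botnet.example": (Action.DROP, None),
}


def normalize(name):
    """Strip the trailing dot and fold case; DNS names compare case-insensitively."""
    return name.rstrip(".").lower()


def lookup_policy(qname, policy=POLICY):
    """Return (action, data, matched_trigger), or (None, None, None) if unlisted.

    Most specific match first: the exact query name, then "*." wildcards walking
    from the nearest parent toward the root."""
    name = normalize(qname)
    if name in policy:
        return policy[name] + (name,)
    labels = name.split(".")
    for i in range(1, len(labels)):
        trigger = "*." + ".".join(labels[i:])
        if trigger in policy:
            return policy[trigger] + (trigger,)
    return (None, None, None)


def answer_query(qname, resolve_upstream, policy=POLICY):
    """Apply the policy and return (rcode, answer_rdata), or None when the
    action is DROP. resolve_upstream(qname) supplies the unfiltered answer."""
    action, data, _trigger = lookup_policy(qname, policy)
    if action is Action.NXDOMAIN:
        return "NXDOMAIN", []
    if action is Action.NODATA:
        return "NOERROR", []
    if action is Action.DROP:
        return None
    if action is Action.REDIRECT:
        return "NOERROR", [f"CNAME {data}"]
    # PASSTHRU or no matching trigger: normal resolution
    return "NOERROR", resolve_upstream(qname)


def constructed_upstream(qname):
    """Stub standing in for a real upstream lookup; always returns one address."""
    return ["192.0.2.1"]


if __name__ == "__main__":
    for q in ("evil.malware.example", "login.phish.example",
              "cdn.phish.example", "c2.botnet.example", "www.example.com"):
        print(q, "->", lookup_policy(q)[2], answer_query(q, constructed_upstream))
```

Logging the matched trigger alongside the client address, as the loop above prints it, is what turns a block into a detection: a burst of NXDOMAIN policy hits from one host is the first signal of an infected client attempting to reach its command infrastructure.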
Figure 3: Lower your risk of malware and virus communication and mitigate DNS threats by blocking access to malicious IP domains with a domain reputation service such as SURBL or Spamhaus.
Figure 4: BIG-IP DNS keeps apps available with firewall services protecting DNS infrastructure from high-volume attacks and malformed packets.
Complete DNSSEC signing
With BIG-IP DNSSEC support, you can digitally sign and encrypt your DNS query responses. This enables the resolver to determine the authenticity of the response, preventing DNS hijacking and cache poisoning. In addition, receive all the benefits of global server load balancing while also securing your DNS query responses. Alternatively, if a zone has already been signed, BIG-IP DNS manages static DNSSEC responses for higher performance.
Centralized DNSSEC key management
Many IT organizations have or want to standardize on FIPS-compliant devices and secure DNSSEC keys. You can use BIG-IP DNS with FIPS cards that provide FIPS 140-2 support for securing your keys. In addition, BIG-IP DNS integrates with and uses hardware security modules (HSMs) from Thales for implementation, centralized management, and secure handling of DNSSEC keys, reducing OpEx and delivering consolidation and FIPS compliance.