On Designing a Secured DNS Architecture (InfoBlox)
Introduction:
DNS is an essential part of any modern-day organization. DNS, or Domain Name System, is the protocol
used for converting fully qualified domain names (FQDNs) like www.google.com into machine-usable IP
addresses that computers use to communicate with each other.
In today's networking landscape, it is no longer adequate to have a DNS infrastructure that simply responds
to queries. What is needed is an integrated, self-protecting DNS architecture that also enables smart growth.
Architecting DNS:
As an organization's services grow, so does the load on its DNS servers. At some point, whether it is due
to legitimate traffic or a malicious distributed denial of service (DDoS) attack, the load on the DNS server
exceeds the capacity of the server. At this point every organization looks for ways to increase DNS queries-per-second (QPS) capacity.
One approach is to deploy a secondary DNS server, but two separate servers can introduce
interoperability issues in basic features like backup and restore, reporting, and management in general.
Another solution is to deploy several DNS servers behind a load balancer with a unique identifier. This
approach works best if the DNS servers are unified, to ensure ease of management and deployment
consistency across all servers.
Securing a DNS Platform:
Hacking of DNS servers is becoming more prevalent every day. Conventional DNS servers have multiple
attack surfaces and extraneous ports, such as port 80 and port 25, that are open for attack. If our DNS servers
don't support tiered security privileges, any user could potentially gain access to OS-level account privileges
and cause configuration changes that could make your servers vulnerable to hacks.
Defending against DNS Attacks:
DNS servers are vulnerable to attacks such as DNS floods and amplification, which can effectively stop our
DNS servers from responding. It is also important to prevent these servers from becoming a tool to attack
other servers (DNS reflection attack).
Even though our DNS server sits behind a firewall, most of these attacks cannot be mitigated by typical
firewalls. Load balancers offer some basic level of protection against DNS floods like NXDOMAIN DDoS
attacks. However, there is a whole suite of DNS-based attacks that can target our authoritative DNS servers,
and the mitigation capabilities of load balancers fall short when it comes to addressing all of them.
Our DNS infrastructure should protect itself against the inevitable DNS attacks on the organization. These
attacks can take one of two major forms: volumetric attacks and DNS-specific attacks.
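The two DNS-specific attack patterns named above, the NXDOMAIN (random-subdomain) flood and reflection abuse of an authoritative server, both leave a per-client signature in the query log that a defender can pick out before reaching for rate limiting. The following detector is an added example, not code from the Infoblox paper or product; it assumes a constructed, hypothetical log format ("timestamp client qtype qname rcode"), constructed sample lines, and illustrative thresholds (nx_min, nx_ratio, any_min).

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed log format (not a real product's): "<timestamp> <client ip> <qtype> <qname> <rcode>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d{1,3}(?:\.\d{1,3}){3}) (?P<qtype>[A-Z]+) "
    r"(?P<qname>\S+) (?P<rcode>NOERROR|NXDOMAIN|SERVFAIL|REFUSED)$"
)

@dataclass
class SourceStats:
    total: int = 0
    nxdomain_names: set = field(default_factory=set)  # distinct names answered NXDOMAIN
    any_queries: int = 0                              # QTYPE=ANY queries (largest answers)

def parse(lines):
    """Aggregate per-client counters; malformed lines are skipped, not fatal."""
    stats = defaultdict(SourceStats)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        s = stats[m["src"]]
        s.total += 1
        if m["rcode"] == "NXDOMAIN":
            s.nxdomain_names.add(m["qname"].lower())
        if m["qtype"] == "ANY":
            s.any_queries += 1
    return stats

def classify(stats, nx_min=5, nx_ratio=0.6, any_min=5):
    findings = {}  # client ip -> finding; thresholds are illustrative, not tuned values
    for src, s in stats.items():
        nx = len(s.nxdomain_names)
        # Random-subdomain flood: distinct nonexistent names defeat caching, so every query hits us.
        if nx >= nx_min and nx / s.total >= nx_ratio:
            findings[src] = "NXDOMAIN flood (random subdomains)"
        # Reflection: an ANY burst 'from' one address usually marks a spoofed victim of our big answers.
        elif s.any_queries >= any_min:
            findings[src] = "possible reflection victim (ANY burst)"
    return findings

# Constructed sample log: a normal resolver, a flood source and a spoofed victim.
SAMPLE_LOG = (
    ["2024-05-01T10:00:00 192.0.2.10 A www.example.com NOERROR",
     "2024-05-01T10:00:01 192.0.2.10 A typo.example.com NXDOMAIN"]
    + [f"2024-05-01T10:00:0{i} 198.51.100.7 A x{i:04x}.example.com NXDOMAIN" for i in range(8)]
    + [f"2024-05-01T10:00:0{i} 203.0.113.9 ANY example.com NOERROR" for i in range(6)]
)
```

Because the reflection case flags the spoofed victim's address rather than the real attacker, its output should feed response rate limiting for that destination, not a blocklist.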
Conclusion:
Designing a scalable and secure DNS architecture requires more than increased bandwidth and QPS. What
looks simple in a small test lab tends to become very complex in a larger deployment. Infoblox Secure DNS
Architecture, combined with Infoblox Grid technology, provides a comprehensive, secured, and scalable
DNS solution that not only provides low latency and high throughput but also ensures the availability of
essential infrastructure, enabling your organization to both grow and protect itself without the need for
frequent infrastructure upgrades.