Robert Nagy – Infoblox (slide transcript)
Robert Nagy, CEO – DeepDive, [email protected]
Topics Covered
• Architecture
• DNS Anycast
• DNSSEC Validation
DNS Architecture
DNS Architecture – Overview
DNS Architecture – Goals of today’s DNS
• Efficiency: must handle the needs of the other applications
• Security: DNS must be a part of the solution
• Scalability: growth rates must be addressable
DNS Architecture – Architecture best-practices
DNS Architecture – Design goals
[Reference architecture diagram; labels recovered from the slide:]
• Data Centers: A1 Grid Master (IB-1550 HA, no services); Ax Master Candidate at the DR site (IB-1550 HA); B1 Grid Member (IB-1550 HA) – Primary Master DNS; Bx Grid Members (IB-1550 HA) – Authoritative DNS; C Grid Member (IB-1550 HA) – DHCP FO Peer; Optional: Dedicated Logging Member
• Remote Sites, very small: Dx Grid Member (vNIOS) – DHCP FO Peer, Cache DNS Only
• Remote Sites, small to large: D1 Grid Member (IB-xx50) – DHCP FO Peer, Cache DNS, Limited Auth DNS; DHCP Failover to the data center
• Optional: Dedicated Cache-Only DNS Servers (F); forwarders to cache-only; remote sites forward to Data Center and/or Cache-Only DNS Members
• Flows: Secure Grid Communications; Secure (TSIG) Zone Transfer (E); MS Active Directory DNS Updates; IPAM Feed; PortIQ Discovery (P); Outbound Query to Internet Root DNS Servers; Inbound Query; Optional: External DNS queries to Hosting Site (L)
Anycast
DNS Anycast
[Diagram: four DNS servers (europe.corp100.com, us.corp100.com, asiapac.corp100.com, australia.corp100.com) all configured with the same addresses 10.128.1.12 and 2001:db8::256:180:c223:214e; a client in europe.corp100.com sends a DNS query (example: nslookup) across the intranet to that shared address.]
Overview – If one is good, more is better
• Nodes share a single IP address
• Routing allows clients to connect to the “nearest” node
• DNS Servers advertise this IP as a route when DNS is available
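The third bullet is the operational heart of DNS anycast: a node must stop advertising the shared address the moment its DNS service is unhealthy, otherwise routing keeps sending the "nearest" clients to a dead node. The controller below is an added example, not code from the slides or from Infoblox; it assumes a local probe callable (here replaced by constructed results), hypothetical thresholds of 3 failures to withdraw and 2 successes to re-announce, and leaves the actual route injection (a BGP/OSPF daemon call) to the reader's routing stack. The hysteresis is deliberate: one lost probe must not flap the route.

```python
"""Anycast DNS health controller with hysteresis (added example, not Infoblox code)."""
from dataclasses import dataclass, field
from typing import Callable, List

ANNOUNCE = "announce"
WITHDRAW = "withdraw"


@dataclass
class AnycastController:
    """Decide whether this node should advertise the shared anycast address."""
    fail_threshold: int = 3       # consecutive failed probes before withdrawing (hypothetical)
    recover_threshold: int = 2    # consecutive good probes before re-announcing (hypothetical)
    announced: bool = False       # start withdrawn: advertise only once the service is proven healthy
    fails: int = 0
    oks: int = 0
    transitions: List[str] = field(default_factory=list)   # route changes we would push to the router

    def observe(self, probe_ok: bool) -> bool:
        """Feed one probe result; returns the desired route state (True = announced)."""
        if probe_ok:
            self.oks += 1
            self.fails = 0
            if not self.announced and self.oks >= self.recover_threshold:
                self.announced = True
                self.transitions.append(ANNOUNCE)
        else:
            self.fails += 1
            self.oks = 0
            if self.announced and self.fails >= self.fail_threshold:
                self.announced = False
                self.transitions.append(WITHDRAW)
        return self.announced


def run_probes(controller: AnycastController, probe: Callable[[], bool], rounds: int) -> List[bool]:
    """Run `rounds` probes against the local DNS service and return the route state after each."""
    return [controller.observe(probe()) for _ in range(rounds)]


# Constructed probe results standing in for real queries to the node's own resolver:
# healthy, one transient failure, healthy, a sustained outage, then recovery.
SAMPLE_RESULTS = [True, True, False, True, False, False, False, True, True]


def demo() -> List[str]:
    ctl = AnycastController()
    results = iter(SAMPLE_RESULTS)
    run_probes(ctl, lambda: next(results), len(SAMPLE_RESULTS))
    return ctl.transitions


if __name__ == "__main__":
    print(demo())   # ['announce', 'withdraw', 'announce']
```

The single failure in the sample does not withdraw the route; only the three consecutive failures do, and the node is re-announced only after two clean probes. That is the behaviour to aim for before handing the route decision to the routing protocol the "Considerations" slide warns about.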
DNS Anycast – Where to use it
Everywhere!
• Authoritative
  • Internal
  • External
• Recursive/Caching
[Diagram: the reference architecture from the Design goals slide, repeated here and annotated with Anycast.]
DNS Anycast – Considerations
• Routing protocols in use
• Network complexity
• DNS team’s access to routing information
• Troubleshooting
DNSSEC
DNSSEC – Traditional DNS walkthrough
Client queries for www.infoblox.com:
1. Client queries its locally configured DNS server (Server A)
2. Server A queries the root
3. Root name servers reply with NS and A records for .com (delegation)
4. Server A queries the .com name servers
5. .com name servers reply with NS and A records for infoblox.com (delegation)
6. Server A queries the Infoblox name servers
7. Infoblox name servers reply with the A record for www.infoblox.com
8. Server A caches the answer and returns the record to the client
[Diagram: Client → Server A (local recursive name server) → Root (.) name server, .com name server, infoblox.com name server, with the exchanges numbered 1–8 as above. Caption: "How do I connect to www.infoblox.com"]
DNSSEC
DNSSEC – DNSSEC validation walkthrough
Client queries for www.infoblox.com:
• Steps 1–7 happen as before.
• In 2, 4 and 6, each time the recursive server queries it sets the DO bit to indicate that it wants DNSSEC information
• Each response in 3, 5 and 7 includes DNSSEC records, including:
  • DNSKEY, DS and RRSIG
• Once Server A receives an answer it begins the validation
[Diagram: same as the traditional walkthrough, with the exchanges numbered 1–8. Caption: "How do I connect to www.infoblox.com"]
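The validation that Server A starts after step 7 begins with the chain of trust: the DS record received from the parent (.com, step 5) must authenticate the DNSKEY received from the child (Infoblox, step 7) before any RRSIG made with that key means anything. The code below is an added example, not Infoblox code and not taken from the slides; it implements the DS digest and key-tag checks of RFC 4034 (section 5.1.4 and Appendix B) over a constructed zone (example.com) with constructed, non-functional key bytes. Verifying the RRSIG signatures themselves is the following step and is not shown.

```python
"""DNSSEC chain-of-trust step: does the parent's DS authenticate the child's DNSKEY?
Added example (not Infoblox code); zone and key bytes are constructed, not real keys."""
import hashlib
import hmac
import struct
from dataclasses import dataclass

DS_DIGEST_SHA256 = 2   # DS digest type 2 = SHA-256 (RFC 4509)


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root label."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


@dataclass(frozen=True)
class DNSKEY:
    owner: str
    flags: int        # 257 = KSK (zone key + SEP bit), 256 = ZSK
    protocol: int     # always 3 for DNSSEC
    algorithm: int    # e.g. 8 = RSA/SHA-256, 13 = ECDSA P-256/SHA-256
    public_key: bytes

    def rdata(self) -> bytes:
        return struct.pack("!HBB", self.flags, self.protocol, self.algorithm) + self.public_key

    def key_tag(self) -> int:
        """RFC 4034 Appendix B key tag (valid for every algorithm except 1, RSA/MD5)."""
        ac = 0
        for i, b in enumerate(self.rdata()):
            ac += b if i & 1 else b << 8
        ac += (ac >> 16) & 0xFFFF
        return ac & 0xFFFF


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: bytes


def make_ds(key: DNSKEY) -> DS:
    """What the parent zone publishes for a child KSK: SHA-256(owner name | DNSKEY RDATA)."""
    digest = hashlib.sha256(name_to_wire(key.owner) + key.rdata()).digest()
    return DS(key.key_tag(), key.algorithm, DS_DIGEST_SHA256, digest)


def ds_matches(ds: DS, key: DNSKEY) -> bool:
    """Validator check: the DS from the parent must match the DNSKEY offered by the child."""
    if ds.digest_type != DS_DIGEST_SHA256:
        return False   # this example only handles SHA-256 digests
    if ds.key_tag != key.key_tag() or ds.algorithm != key.algorithm:
        return False   # cheap pre-check before hashing
    expected = hashlib.sha256(name_to_wire(key.owner) + key.rdata()).digest()
    return hmac.compare_digest(expected, ds.digest)


# Constructed KSK for a constructed zone: the 4 key bytes are arbitrary, not a usable key.
EXAMPLE_KSK = DNSKEY("example.com.", 257, 3, 8, b"\x01\x02\x03\x04")


def demo() -> dict:
    parent_ds = make_ds(EXAMPLE_KSK)
    # A substituted key whose bytes were chosen to give the *same* key tag as the genuine one;
    # only the digest comparison rejects it, which is why the tag alone is never trusted.
    rogue = DNSKEY(EXAMPLE_KSK.owner, 257, 3, 8, b"\x01\x03\x03\x03")
    return {"key_tag": EXAMPLE_KSK.key_tag(),
            "rogue_key_tag": rogue.key_tag(),
            "genuine_matches": ds_matches(parent_ds, EXAMPLE_KSK),
            "rogue_matches": ds_matches(parent_ds, rogue)}


if __name__ == "__main__":
    print(demo())
```

The key tag is only a 16-bit selector for picking the right DNSKEY out of an RRset; the digest comparison is what binds the child's key to the parent's delegation, so a validator must never short-circuit on a matching tag.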
DNSSEC – Validation is in use today
• Google 8.8.8.8
• Comcast
• Neustar DNS Advantage
• …
• ad flag: shows we have Authenticated Data
DNSSEC – Enabling validation
Questions?