Fortifying DNS Resilience and Performance with Hybrid Architecture

Kok-Yong CHEONG
Published June 21, 2024

The domain name system (DNS) is often referred to as the phonebook of the internet, translating human-friendly computer hostnames into IP addresses. This crucial function ensures access to internet applications and digital services, forming an essential foundation for online connectivity.

DNS-based attacks have surged in recent years, continuously evolving to target the availability and stability of DNS services and to exploit their vulnerabilities. According to the F5 Labs' 2023 DDoS Attack Trends Report, cyber attackers are adopting increasingly sophisticated methods, making DNS-based attacks a persistent threat and an assault type favored by cybercriminals. For instance, a significant distributed denial-of-service (DDoS) attack in April 2021 took down multiple Microsoft cloud services, including Xbox Live, Office, SharePoint Online, Teams, and OneDrive, for two hours. Fast forward to April 2023, when a series of DNS non-existent domain (NXDOMAIN) DDoS attacks targeted and overwhelmed U.S. healthcare websites. This assault led to network congestion, rendering servers unable to fulfill valid user requests and highlighting the critical need for robust, redundant DNS systems in a hybrid network.

Given the critical nature of DNS, and the rapid evolution of cloud technologies, organizations need to seek out the best high-availability DNS solutions to address DNS resiliency from every angle.

The cloud is great; pairing it with an on-premises companion solution is even better

Cloud-based DNS outages demonstrate that disruptions in cloud services, particularly DNS, do occur despite redundant systems. These disruptions can arise from various factors such as software bugs, misconfigurations, human errors, or power and network reachability issues. Ensuring that a system remains consistently operational is challenging.

Due to the increase in DNS outages, organizations are exploring how to leverage the agility of cloud services while maintaining control over availability and security, even when cloud services are disrupted.

A companion to DNS services, global server load balancing (GSLB)—a load-balancing mechanism built on the DNS protocol—enables multi-data center and multicloud resiliency. It does so by leveraging service resource insights and DNS to intelligently steer traffic across distributed geographic locations based on business and network policies. To ensure continuous uptime for their operations, organizations are actively exploring optimal resilience designs for these tightly coupled core DNS and intelligent DNS services.
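To make the GSLB mechanism concrete, here is an added Python example; it is not F5 code and not how BIG-IP DNS implements steering. It models what the paragraph describes: a DNS responder that answers an A query by combining a topology policy (which sites a client's source prefix should prefer) with the health and load of each site's members. The pool names, addresses, prefixes, health flags and load numbers are all constructed; the fallback TTL rule is a hypothetical design choice.

```python
"""Minimal DNS-based global server load balancing (GSLB) decision engine.

Added illustration: the pool names, IP addresses, topology prefixes and load
numbers below are constructed, and the selection policy is hypothetical.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Member:
    """One server behind a site; health and load would come from monitors."""
    ip: str
    healthy: bool = True
    load: int = 0  # constructed metric, e.g. current connections


@dataclass
class Pool:
    """A data center or cloud region and the members serving the app there."""
    name: str
    members: list[Member]

    def available(self) -> list[Member]:
        return [m for m in self.members if m.healthy]


class Gslb:
    """Answers an A query with the member that best matches topology policy and
    current health. A fallback answer gets a short TTL so clients re-query soon
    after the preferred site recovers."""

    def __init__(self, pools: list[Pool], topology, ttl: int = 30, ttl_fallback: int = 5):
        self.pools = {p.name: p for p in pools}
        # topology: (client prefix, ordered list of preferred pool names)
        self.topology = [(ipaddress.ip_network(net), prefs) for net, prefs in topology]
        self.ttl = ttl
        self.ttl_fallback = ttl_fallback

    def _preferences(self, client_ip: str) -> list[str]:
        addr = ipaddress.ip_address(client_ip)
        matches = [(net, prefs) for net, prefs in self.topology if addr in net]
        if not matches:
            return []
        # longest-prefix match wins, as in a routing table
        return max(matches, key=lambda m: m[0].prefixlen)[1]

    def resolve(self, client_ip: str) -> tuple[Optional[str], int, Optional[str]]:
        """Return (answer IP, TTL, pool name); (None, short TTL, None) if no site is up."""
        prefs = self._preferences(client_ip)
        ordered = prefs + [n for n in self.pools if n not in prefs]
        for rank, name in enumerate(ordered):
            candidates = self.pools[name].available()
            if candidates:
                best = min(candidates, key=lambda m: m.load)
                ttl = self.ttl if rank == 0 else self.ttl_fallback
                return best.ip, ttl, name
        return None, self.ttl_fallback, None


def build_demo() -> tuple[Gslb, dict[str, Pool]]:
    """Constructed sample: two sites; clients in 10/8 prefer US, 192.168/16 prefer EU."""
    pools = [
        Pool("us-east", [Member("198.51.100.10", load=5), Member("198.51.100.11", load=2)]),
        Pool("eu-west", [Member("203.0.113.10", load=1)]),
    ]
    topology = [
        ("10.0.0.0/8", ["us-east", "eu-west"]),
        ("192.168.0.0/16", ["eu-west", "us-east"]),
    ]
    return Gslb(pools, topology), {p.name: p for p in pools}


if __name__ == "__main__":
    gslb, pools = build_demo()
    print(gslb.resolve("10.1.2.3"))        # least-loaded healthy US member, TTL 30
    pools["eu-west"].members[0].healthy = False
    print(gslb.resolve("192.168.1.1"))     # EU client steered to US with fallback TTL 5
```

The point of the short fallback TTL is operational: when a client is sent to its second-choice site, resolvers cache that answer only briefly, so traffic returns to the preferred site soon after its members pass health checks again, instead of waiting out a long TTL.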

Enhancing DNS resilience and performance with an F5-based hybrid architecture

Adopting a SaaS-based DNS service from F5 Distributed Cloud Services to work in tandem with an on-premises F5 BIG-IP DNS solution provides organizations with enhanced elasticity, agility, and DDoS mitigation, along with global scale, performance, and availability. It’s when these solutions combine—one on-premises, one based in the cloud—that the advantages really start to add up. With BIG-IP DNS, users can leverage automation capabilities to ensure complete security and availability, with additional features such as a hidden primary DNS setup and the authority to activate on-premises DNS services when needed.

This architecture enables organizations to use F5 Distributed Cloud Services for authoritative DNS during normal operations. If needed, they can switch to on-premises DNS services, ensuring they maintain control over their DNS infrastructure.

In the F5 hybrid DNS architecture, Distributed Cloud DNS serves as the public authoritative DNS while acting as a secondary to the hidden on-premises primary, leveraging SaaS-based capacity and capabilities such as:

  • Layers of security: Built-in protection with automatic failover guards against DDoS attacks and manipulation of domain responses.
  • Automatic capacity scaling: Deploy and support applications anywhere. This DNS solution is built on a global data plane that eases deployment and management, and it scales automatically to meet high-volume demand.
  • High availability: Built on a global anycast network, it provides highly available and responsive DNS via points of presence across global markets.
  • Fast deployment and delivery: Configure and provision in minutes, with one set of APIs.

In unforeseen situations where SaaS-based DNS services are unavailable, organizations can automatically activate on-premises BIG-IP DNS to ensure uninterrupted DNS traffic. BIG-IP DNS provides robust features such as:

  • 100 million RPS performance: BIG-IP DNS uses the DNS Express service and Rapid Response Mode to hyperscale authoritative DNS up to 100 million query responses per second (RPS), ensuring that users connect to the best site. The F5 DNS Express service improves standard DNS functions by offloading DNS responses and scaling from hundreds of thousands to more than 50 million RPS.
  • DNS Firewall/DDoS: Can be combined with BIG-IP Advanced Firewall Manager (AFM) to provide extensive security, including shielding DNS from volumetric DDoS attacks such as UDP floods or amplification DDoS attacks.
  • DNSSEC: Protects against cache poisoning and man-in-the-middle attacks with real-time domain name system security extensions (DNSSEC) signing.
  • Cache consolidation: Reduces latency and response time by up to 80%.
  • Failover that ensures availability: Fail over entire data centers or individual applications and servers to ensure users have uninterrupted access to the apps they need.

This architecture addresses the need for continuous DNS services to keep digital businesses online while leveraging cloud benefits. It ensures that organizations maintain control and avoid being stranded if cloud services go offline.
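The switch from SaaS DNS to on-premises DNS described above is only as good as the health monitoring that triggers it. The following added Python example (not F5 code; it does not reflect how BIG-IP DNS or Distributed Cloud DNS monitor each other) shows the decision logic a defender would want in such a monitor: a public nameserver counts as healthy only if it answers and serves a zone serial that is current with the hidden primary, and the switch in either direction requires several consecutive rounds so that one lost probe does not flap the delegation. Nameserver names, serials and thresholds are constructed.

```python
"""Health-driven failover from SaaS (cloud) authoritative DNS to on-premises DNS.

Added illustration of the decision logic only: the nameserver names, serials
and thresholds are constructed, and this is not how BIG-IP DNS or F5
Distributed Cloud DNS implements monitoring.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass
class Probe:
    """Result of one active check against one public nameserver."""
    responded: bool
    serial: Optional[int] = None  # SOA serial the server answered with, if any


class HybridDnsMonitor:
    """Tracks whether the cloud authoritative NS set is fit to serve the zone.

    A nameserver counts as healthy only if it answered AND its SOA serial is no
    further behind the hidden primary than max_serial_lag: a secondary that
    answers with stale data is not really 'available'. Consecutive rounds are
    required before switching in either direction (hysteresis) so a single
    lost packet does not flap the NS delegation back and forth.
    """

    def __init__(self, cloud_ns, failure_threshold=3, recovery_threshold=2,
                 max_serial_lag=0, quorum=1):
        self.cloud_ns = list(cloud_ns)
        self.failure_threshold = failure_threshold
        self.recovery_threshold = recovery_threshold
        self.max_serial_lag = max_serial_lag
        self.quorum = quorum          # healthy cloud servers needed to trust the cloud
        self.bad_rounds = 0
        self.good_rounds = 0
        self.on_prem_active = False

    def _healthy(self, probe: Probe, primary_serial: int) -> bool:
        return (probe.responded and probe.serial is not None
                and primary_serial - probe.serial <= self.max_serial_lag)

    def observe(self, primary_serial: int, probes: dict[str, Probe]) -> str:
        """Feed one monitoring round; return which DNS tier should be active."""
        healthy = [ns for ns in self.cloud_ns
                   if ns in probes and self._healthy(probes[ns], primary_serial)]
        if len(healthy) >= self.quorum:
            self.good_rounds += 1
            self.bad_rounds = 0
        else:
            self.bad_rounds += 1
            self.good_rounds = 0
        if not self.on_prem_active and self.bad_rounds >= self.failure_threshold:
            self.on_prem_active = True      # cloud NS set failed N rounds: activate on-prem
        elif self.on_prem_active and self.good_rounds >= self.recovery_threshold:
            self.on_prem_active = False     # cloud stable again: hand authority back
        return "on-prem" if self.on_prem_active else "cloud"


def run_scenario() -> list[str]:
    """Constructed outage: cloud servers stop answering, come back stale, then fully recover."""
    ns = ["ns1.cloud.example", "ns2.cloud.example"]
    mon = HybridDnsMonitor(ns, failure_threshold=3, recovery_threshold=2)
    serial = 2024062101
    ok = {n: Probe(True, serial) for n in ns}
    down = {n: Probe(False) for n in ns}
    stale = {n: Probe(True, serial) for n in ns}   # answers, but behind a newer primary serial
    fresh = {n: Probe(True, serial + 1) for n in ns}
    rounds = [(serial, ok), (serial, down), (serial, down), (serial, down),
              (serial + 1, stale), (serial + 1, fresh), (serial + 1, fresh)]
    return [mon.observe(s, p) for s, p in rounds]


if __name__ == "__main__":
    print(run_scenario())  # cloud x3, on-prem x3, then back to cloud
```

Checking the serial as well as reachability matters in a hidden-primary design: a public secondary that has lost its transfer path to the primary keeps answering, but with a zone that no longer reflects the records the organization published, which is exactly the condition the on-premises tier should cover.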

Take the next step on your DNS journey

Learn more about the F5 hybrid DNS architecture concept and design by exploring a sample configuration developed by F5 Solution Engineer Michelangelo Dorado.

This step-by-step guide outlines the baseline configuration for designing DNS resiliency into your environment. The configuration guide includes:

  • Primary hidden DNS and authoritative secondary DNS setup
  • DNSSEC configuration
  • DNS resiliency setup with active health monitoring
  • Ease of configuration and integration on Distributed Cloud DNS and BIG-IP DNS, with API-first automation

Discover how F5 Distributed Cloud DNS simplifies DNS delivery across multicloud and modern applications: https://www.f5.com/products/distributed-cloud-services/dns