posted on Tuesday, December 08, 2009 9:23 AM
The Domain Name System (DNS) was created in 1983 to enable humans to identify all the computers, services, and resources connected to the Internet by name. Security was not part of the original DNS design: at the time, scalability, rather than malicious behavior, was the primary concern. Many feel that securing DNS would go a long way toward securing the Internet at large. Just this year, the main DNS registrar in Puerto Rico was compromised in a DNS attack in which the local versions of Microsoft, Google, Yahoo, PayPal and other sites were redirected to defaced or blank pages. Also in 2009, one of Brazil’s largest banks was hit, and a redirect sent unsuspecting users to a malicious site that attempted to install malware and steal passwords.
With the release of BIG-IP v10.1, F5’s BIG-IP Global Traffic Manager (GTM) can provide real-time DNS security with the DNSSEC add-on feature, protecting organizations from a host of DNS attacks. DNSSEC lets a resolver verify that the answer it receives for a name was signed with the zone’s key, so the answer comes from a trusted name server and was not altered on the way. Since DNSSEC is still far from being globally deployed and many resolvers either haven’t been updated or don’t support DNSSEC, implementing the BIG‑IP GTM DNSSEC feature can greatly enhance your DNS security right away. It can help you comply with federal DNSSEC mandates and help protect your valuable domain name and web properties from rogue servers sending invalid responses.
F5’s unique, patent-pending solution to the GSLB DNSSEC problem signs each answer at the moment the GTM device decides what the DNS response should be. A GSLB answer is chosen per query, so the full set of possible responses is not known ahead of time; signing the answer when it is chosen makes this a real-time DNSSEC solution, and, with it, F5 is the only GSLB provider to have a true DNSSEC solution that works. Others have proposed systems in which every possible response is pre-signed, but most have concluded that this is not a feasible approach.
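To make the real-time signing idea concrete, here is an added Go illustration (not F5’s code and not how GTM is implemented): a constructed topology rule picks the A record for each client at query time, the chosen RRset is signed over its RFC 4034 canonical form with an Ed25519 zone key (DNSSEC algorithm 15), and the resolver side rebuilds the same bytes to validate it. The zone name, addresses, TTL, key tag and signature times are all constructed values.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"net"
	"strings"
)

// Constructed zone: one name served from two data centres, chosen per client at query time.
const zone, name, ttl = "example.com.", "www.example.com.", uint32(30)
// Zone signing key, generated at start-up (DNSSEC algorithm 15 = Ed25519, RFC 8080).
var pub, priv, _ = ed25519.GenerateKey(rand.Reader)
func u16(b []byte, v uint16) []byte { return append(b, byte(v>>8), byte(v)) }
func u32(b []byte, v uint32) []byte { return append(b, byte(v>>24), byte(v>>16), byte(v>>8), byte(v)) }
// wireName is the RFC 4034 §6.2 canonical owner-name form: lowercase, uncompressed labels.
func wireName(n string) []byte {
	var out []byte
	for _, l := range strings.Split(strings.TrimSuffix(strings.ToLower(n), "."), ".") {
		out = append(append(out, byte(len(l))), l...)
	}
	return append(out, 0)
}
// PickAnswer is the GSLB decision: a constructed topology rule, 10.0.0.0/8 goes to the EU site, all else to the US site.
func PickAnswer(client net.IP) net.IP {
	if _, eu, _ := net.ParseCIDR("10.0.0.0/8"); eu.Contains(client) {
		return net.IPv4(192, 0, 2, 20).To4()
	}
	return net.IPv4(198, 51, 100, 10).To4()
}
// rrsigData is the RRSIG RDATA before the signature (RFC 4034 §3.1): type covered, algorithm, labels, original TTL, expiration, inception, key tag (constructed), signer's name.
func rrsigData() []byte {
	d := u32(append(u16(nil, 1), 15, byte(strings.Count(name, "."))), ttl)
	return append(u16(u32(u32(d, 1262304000), 1259280000), 4321), wireName(zone)...)
}
// ResolveSigned answers one query in real time: decide the A record for this client, then sign RRSIG_RDATA || canonical RRset, exactly what a validating resolver reconstructs.
func ResolveSigned(client net.IP) (rrset, sig []byte) {
	rrset = u32(u16(u16(wireName(name), 1), 1), ttl)     // TYPE A, CLASS IN, TTL
	rrset = append(u16(rrset, 4), PickAnswer(client)...) // RDLENGTH, RDATA
	return rrset, ed25519.Sign(priv, append(rrsigData(), rrset...))
}
// VerifyAnswer is the resolver side: rebuild the signed data and check it with the zone's public key.
func VerifyAnswer(rrset, sig []byte) bool {
	return ed25519.Verify(pub, append(rrsigData(), rrset...), sig)
}
func main() {
	rr, sig := ResolveSigned(net.ParseIP("10.1.2.3"))
	fmt.Printf("answer %v valid=%v\n", net.IP(rr[len(rr)-4:]), VerifyAnswer(rr, sig))
}
```

Because each client may get a different answer, the signature can only be produced once the decision is made; a signature copied from another answer, or an answer whose address was altered in transit, fails validation.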
From the press release:
Key DNSSEC features for BIG-IP GTM enable organizations to:
- Meet compliance mandates for DNSSEC by the 2009 federal deadline
- Sign DNS responses in real time and provide the means to deploy DNSSEC quickly and easily in an existing environment
- Determine accurately where a user is based on their IP address
- Provide the capability to sign the DNS responses to protect against rogue DNS servers
- Ensure that end-users receive correct web responses
The combination of BIG‑IP Local Traffic Manager + BIG‑IP GTM + DNSSEC on one box provides a drop-in DNSSEC solution for any existing DNS deployment, instantly giving you greater control and security over your DNS infrastructure while meeting U.S. Government mandates for DNSSEC compliance. Rather than ripping and replacing your current DNS infrastructure, you can simply drop BIG‑IP GTM in front of your existing DNS servers and reduce your management costs with implementation and maintenance all on the same appliance.
Resources
- It's DNSSEC Not DNSSUX
- Configuring GTM Version 10.1's DNS Security Extensions
- Accelerating Your (Secure) Ride to the Cloud: Fasten Your Seatbelts
- Audio Tech Brief - DNSSEC: The Antidote to DNS Cache Poisoning and Other DNS Attacks
- BIG-IP GTM v10.1 DNSSEC In Five Easy Steps
Reference: Portions of this entry are excerpted from the white paper "DNSSEC: The Antidote to DNS Cache Poisoning and other DNS Attacks".
