The Men & Mice Blog

The RIPE-javik logs: Day 2

Posted by Carsten Strotmann on 5/22/19 8:31 AM


carsten@menandmice:~$ cat ~/ripe/ripejavik-day2.txt | blog-publish

The second day of RIPE 78 started with the plenary, and three presentations on the topic of Distributed Denial of Service (DDoS).

DDoS

DDoS attacks are an increasing risk on the Internet. Mattijs Jonker from the University of Twente explained how DDoS attacks work. His research has revealed that many businesses have all their Internet services (website, mailserver, etc.) in a single network. In case of a DDoS attack, all services are impacted. He counted 31 thousand websites, 3.5 thousand mailservers, and 323 DNS servers that are on a single network and would suffer in case of an attack. An alternative IP address from a different network (autonomous system/AS) would make the services more resilient.

Matthias Wichtlhuber from the German Internet Exchange DE-CIX found that DDoS attackers only use certain protocols for their amplification attacks:

  • unspecified (Port 0)
  • NTP (Port 123)
  • LDAP (Port 389)
  • DNS (Port 53)
  • Chargen (Port 19)
  • Memcache (Port 11211)

Filtering these ports (in transport networks) will stop most DDoS attacks. The problem is that most ISPs cannot do fine-grained filtering. Most can only filter on networks or IP addresses, which blocks all traffic from or to a certain machine. DE-CIX has developed a new fine-grained black-holing system for DDoS attacks that is currently in beta testing.
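As an added example (not part of the DE-CIX talk or this post), the port list above turned into a small flow-record triage: it aggregates constructed UDP flow records per destination and reflector port and flags destinations that receive large volumes of big packets from those ports, the pattern a transport network would want to confirm before filtering. The flow lines and thresholds are constructed assumptions.

```python
"""Flow-record triage for the amplification source ports listed above.

Added example, not from the DE-CIX talk or this post. Parses constructed
flow records, aggregates UDP traffic per destination and reflector port,
and flags targets receiving amplification-sized replies. Thresholds are
illustrative assumptions, not values from the talk.
"""
from collections import defaultdict
from typing import Dict, List

# Reflector source ports from the DE-CIX talk and the services behind them.
AMPLIFICATION_PORTS = {0: "unspecified", 19: "Chargen", 53: "DNS",
                       123: "NTP", 389: "LDAP", 11211: "Memcache"}

# Constructed sample records: protocol, source port, destination, packets, bytes.
SAMPLE_FLOWS = """\
udp 123 198.51.100.7 4000 1840000
udp 53 198.51.100.7 1500 4500000
udp 11211 198.51.100.7 200000 280000000
udp 443 198.51.100.9 300 45000
tcp 53 198.51.100.9 40 12000
udp 123 198.51.100.9 12 1056
"""


def parse_flows(text: str) -> List[dict]:
    """Parse whitespace-separated flow lines into dicts; blank lines are skipped."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        proto, sport, dst, pkts, nbytes = line.split()
        flows.append({"proto": proto, "sport": int(sport), "dst": dst,
                      "pkts": int(pkts), "bytes": int(nbytes)})
    return flows


def triage(flows: List[dict], min_bytes: int = 1_000_000, min_avg_pkt: int = 400) -> List[dict]:
    """Return destinations receiving at least `min_bytes` of UDP traffic from one
    reflector port with an average packet size of at least `min_avg_pkt` bytes.
    Large average packets distinguish amplified replies from ordinary requests."""
    totals: Dict[str, Dict[int, List[int]]] = defaultdict(lambda: defaultdict(lambda: [0, 0]))
    for f in flows:
        if f["proto"] != "udp" or f["sport"] not in AMPLIFICATION_PORTS:
            continue
        acc = totals[f["dst"]][f["sport"]]
        acc[0] += f["pkts"]
        acc[1] += f["bytes"]
    findings = []
    for dst, ports in totals.items():
        for sport, (pkts, nbytes) in ports.items():
            avg = nbytes // pkts if pkts else 0
            if nbytes >= min_bytes and avg >= min_avg_pkt:
                findings.append({"dst": dst, "sport": sport, "service": AMPLIFICATION_PORTS[sport],
                                 "bytes": nbytes, "avg_pkt": avg})
    findings.sort(key=lambda x: -x["bytes"])   # biggest volume first
    return findings


if __name__ == "__main__":
    for hit in triage(parse_flows(SAMPLE_FLOWS)):
        print(f"{hit['dst']:<14} {hit['service']:<11} port {hit['sport']:<6} "
              f"{hit['bytes']:>12} bytes, avg {hit['avg_pkt']} B/pkt")
```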

Koen van Hove, also from the University of Twente, presented the DDoS Clearinghouse: a project to collect data on DDoS attacks in a central place. The aim is to be able to research DDoS attacks and develop fast responses to them. The DDoS Clearinghouse collects network measurements, identifies DDoS attacks across networks by their unique fingerprints, and stores this data in a database (DDoSDB). From the database, attack information and metadata can be retrieved to help users feed fingerprint signatures into their network systems to stop DDoS attacks.

DNS

After the morning break, the main topic was DNS. David Huberman from ICANN discussed the root server system. After talking about the history of the DNS root server system, he explained that there has been no process so far for selecting new root server operators.

With over 1,120 root server instances in the world, 340 of which are in the RIPE region, the root server system is stable and there is currently no need to add additional root server operators beyond the 12 that run the 13 logical root-server addresses. ICANN is not working on a defined governance model for the root server system.

OpenINTEL

Next on the stage was Roland van Rijswijk (NLnet Labs) presenting the OpenINTEL project he has contributed to. OpenINTEL is a massive active measurement system that sends 218 million DNS queries per day from several vantage points on the Internet, resolving a defined set of DNS names. The results are collected in a big database (Big Data helps to get research funds these days), which so far contains 3.1 trillion results since the start of the project in 2015.

The OpenINTEL system allows researchers to search for various kinds of interesting data: parent-child TTL mismatches, the distribution of authoritative DNS servers across AS networks, or even silly things stored in DNS TXT records (like funny IPv6 addresses or private cryptographic keys). The project can be found at https://openintel.nl.

KSK roll

Like always, Geoff Huston (APNIC) delivered a highly entertaining talk, this time about the KSK roll in October 2018.

Officially, there was no impact seen for the DNSSEC validating resolvers. But some operators, like EIR in Ireland, missed all notices about the roll in the two years leading up to it and failed to change the trust anchor of their DNS resolvers, which led to a full-day outage of their DNS resolver services. Other smaller operators were affected as well, some of which fixed the issue by disabling DNSSEC. All except two have re-enabled DNSSEC after fixing their DNS resolver configurations. Geoff also noted that DNSSEC trust state signaling (RFC 6975 and RFC 8145) does not work reliably for detecting broken KSK rolls in the root zone.

Migration from IPv4 to IPv6

In "Get Ready for Mixed World: Economic Factors Affecting IPv6 Deployment", Brenden Kürbis and Milton Mueller from the Georgia Institute of Technology talked about the economics behind network migration from IPv4 to IPv6.

The problem with IPv6 is that it is not possible to switch off IPv4 right away. Instead, IPv4 must be kept enabled for some amount of time (dual stack deployment). The cost generated by IPv4 depletion will stay, and the cost of introducing IPv6 comes on top. Only after some years will the cost benefits be visible. Depending on the growth pattern of the company and its networks, the first cost savings can appear within 4 to 10 years. Larger companies will benefit more from IPv6, while smaller companies will not see economic benefits. In the following Q&A session, people from the audience challenged some of the assumptions in the research that generated this report.

DNS flag day

In the last DNS talk of the day, Petr Špaček from CZ.NIC and Ondřej Surý from ISC gave some insight into the DNS flag day in February 2019.

DNS vendors (BIND 9, Knot, PowerDNS, Unbound, and others) and large DNS resolver operators (Google, Cloudflare, Quad9, etc.) disabled workarounds for broken EDNS implementations. The workarounds were developed to cope with DNS servers on the internet that had faulty implementations of the DNS protocol. However, because the workarounds existed, the operators of these faulty servers had no motivation to fix their systems, and the cost of developing and maintaining the workarounds fell to the vendors of the DNS products.

For the February 2019 flag day, there was an estimated breakage of 5.68% of all DNS servers. Two large DNS operators were responsible for 66% of this breakage. The flag day was considered a success, as the pressure generated compelled the operators to fix their systems, and no other significant breakage was reported on that day.

Motivated by the success of this first flag day, the DNS server vendors plan another in 2020. No exact date has been set at the moment. On the next flag day, new DNS software releases will change the default settings for EDNS buffer size from today's 4096 bytes to a value around 1220 bytes. The goal is to prevent fragmentation of IP packets, which is known to be broken in some networks and can be a security risk. For this change, authoritative servers and DNS resolvers must be able to operate over TCP in addition to UDP. The main problem is misconfigured firewalls that block DNS over port 53/TCP.
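The two requirements described above, a smaller advertised EDNS buffer size and a working TCP fallback, shown in a small Python example. This is added here and is not code from the talk or the blog: it builds a query carrying an OPT record, reads the advertised size back out of a message, and decides from the TC bit of a constructed (not captured) truncated response that the retry must go over TCP/53. Nothing is sent on the network.

```python
"""EDNS0 query construction and TC-bit fallback check for the flag-day change.

Added example, not from the talk or this post. Builds a DNS query with an OPT
pseudo-RR advertising a UDP payload size, parses the header and OPT record of a
message, and picks the transport for a retry. Works offline on a constructed
truncated response, so no server address or network access is assumed.
"""
import struct
from typing import Optional

FLAG_DAY_BUFSIZE = 1220   # the buffer size the 2020 flag day moves towards
LEGACY_BUFSIZE = 4096     # the long-standing default mentioned above
TYPE_OPT = 41             # OPT pseudo-RR type (RFC 6891)
FLAG_QR, FLAG_TC, FLAG_RD = 0x8000, 0x0200, 0x0100


def encode_name(name: str) -> bytes:
    """Wire-format a dotted name as length-prefixed labels plus the root label."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name: str, qtype: int, txid: int, bufsize: int = FLAG_DAY_BUFSIZE) -> bytes:
    """Build a recursive query with one OPT RR advertising `bufsize` bytes."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 1)   # ARCOUNT=1 for the OPT RR
    question = encode_name(name) + struct.pack("!HH", qtype, 1)   # class IN
    # OPT RR: root name, TYPE=41, CLASS=UDP payload size, TTL=ext-RCODE/version/flags, RDLEN=0
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, bufsize, 0, 0)
    return header + question + opt


def skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a wire-format name (handles compression pointers)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # two-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte header into the fields relevant for fallback decisions."""
    if len(msg) < 12:
        raise ValueError("DNS header needs 12 bytes")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & FLAG_QR), "tc": bool(flags & FLAG_TC),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def advertised_bufsize(msg: bytes) -> Optional[int]:
    """UDP payload size carried in the message's OPT RR, or None if there is no OPT."""
    h = parse_header(msg)
    off = 12
    for _ in range(h["qdcount"]):
        off = skip_name(msg, off) + 4                  # skip QTYPE + QCLASS
    for _ in range(h["ancount"] + h["nscount"] + h["arcount"]):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == TYPE_OPT:
            return rclass                              # the CLASS field holds the size
        off += 10 + rdlen
    return None


def next_transport(response: bytes) -> str:
    """A truncated UDP reply must be retried over TCP/53; a firewall that blocks
    53/TCP therefore breaks resolution once answers exceed the buffer size."""
    return "tcp" if parse_header(response)["tc"] else "udp"


def build_truncated_response(query: bytes) -> bytes:
    """Constructed sample: echo the query with QR and TC set and no answers,
    as a server does when its answer exceeds the advertised UDP payload size."""
    txid, flags, qd, _an, _ns, ar = struct.unpack("!HHHHHH", query[:12])
    return struct.pack("!HHHHHH", txid, flags | FLAG_QR | FLAG_TC, qd, 0, 0, ar) + query[12:]


if __name__ == "__main__":
    q = build_query("example.com", 48, 0x1234)   # DNSKEY: signed answers can exceed 1220 bytes
    r = build_truncated_response(q)
    print("advertised", advertised_bufsize(q), "bytes; retry over", next_transport(r))
```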

The flag day website will be updated with detailed information about the date and will include online tests so that DNS administrators can test their systems.

More tomorrow!

RIPE 78 is a busy event, with much more going on than we were able to report here. Do visit the session archives to check the other presentations - there are plenty more good talks to dig into. We’ll be back with more RIPE coverage tomorrow!

Topics: IPv6, IPv4, DNS, DDoS, RIPE 78, OpenINTEL, KSK roll

How to explain Network Management to relatives and friends over the holiday (GIFs)

Posted by Greg Fazekas on 4/18/19 8:15 AM


Life isn’t always easy for network managers and architects. The C-suite is constantly demanding more efficiency and smoother operations, at low cost. Your colleagues are asking for more user-friendly policies and services. And you have to keep up with an ever-changing landscape of technology (infrastructure sprawl) and its ripples into your domain. (Pun absolutely intended.) Uptime and security are everything. Then, you constantly have to explain to people what you actually do for a living.

Over the holiday weekend, there’s a good chance, in addition to being asked to fix someone’s computer, phone or tablet, you’ll be asked “what is it you do again?”

How do you illustrate what you do? Maybe it’d be a lot easier to explain being a fireman, astronaut, or brain surgeon? We've pulled together some helpful GIFs to make this conversation more efficient.

Enter Ralph Breaks the Internet. (holiday movie idea!)

If ever there was an indicator that networking has permeated our everyday lives it’s an animated family movie centered around it. Some concepts are so fundamental to modern life that we aren’t even consciously thinking about them anymore.

ICYMI: Released in the fall of 2018, Ralph Breaks the Internet provided the subtext and pop culture references we all needed, while depicting basically your everyday.

From the moment Ralph and Vanellope slide down the wire, to the hilarious popup advertisers and the wonderfully subtle depiction of DNS, almost every aspect of your job, and of the complexities of networking in a network-driven world, comes to life in a tangible, easy-to-explain-to-relatives way.

DNS isn’t specifically named in the movie, but there are plenty of references. KnowsMore, although depicted as a search engine, certainly has his business rooted (see what we did there?) in being a DNS server of sorts. For instance, when Vanellope and Ralph decide to go to eBay, they are automatically routed to their destination.

Ralph Also Teaches us DDoS

But if you had to showcase just one thing about your work, it could be how you have to prevent DDoS attacks against your company’s network — essentially how you have to be the hero against a million or billion Ralphs.

Explaining DNS to anyone, particularly to people not in networking (and let’s face it, even some people IN networking don’t really get DNS), is easier when you can point to the colorful transport GIFs from an animated movie. Grasping the concept of a botnet or a crippling DDoS attack is more memorable when it’s an ever-replicating bunch of clones of a funny character like Ralph. And you do get malware by clicking unscrupulous links.


DDoS is essentially the towering Ralphzilla: a mass of mindless objects with a single goal. Exploiting vulnerabilities in web servers, they overwhelm the system by repeating a single query. This is not only meant to disrupt the user experience; more sinister objectives may be in play, such as bringing down firewalls.

We’ve talked a lot on this blog about DNS education. Education for both professionals — training, if you will — and for everyone, in order to understand new technologies and challenges affecting our businesses. Knowing why and how insecure networks are a liability and how important it is to defend against malicious attacks that can wreck the internet is useful for everyone.

The movie exaggerates concepts to either serve the plot or get a laugh. But the foundation for showcasing how networks and the internet work (or occasionally don’t work) is solid.


Come this holiday (provided you don’t have to work because of some real-world Ralph threatening your company’s network) sit down at the family dinner, armed with GIFs and your favorite streaming service, to explain what you do and why.

And since it is a holiday weekend, here's a blog about all of the Ralph Breaks the Internet Easter Eggs. 

Image credits: Not a Real Company Productions and Disney via Giphy and Blogberth

Topics: DDoS, Disney

Men & Mice at VMworld 2018, Las Vegas Part 1: DATA CENTER AND CLOUD

Posted by Greg Fazekas on 7/30/18 6:30 AM


We’re returning to VMworld in Las Vegas, August 26-30 (Booth #2124, come say hi!) — and excited to not only see how our industry is evolving to virtualization and automation, but to also contribute our two cents to the dialog (Or 9.1 cents, as it were).

The newly released Men & Mice Suite v9.1 offers highly scalable and efficient APIs that act as an abstraction layer for managing an organization’s whole DNS, DHCP and IP address infrastructure, across multiple vendors and cloud platforms. We’re therefore focusing on two main tracks from the VMworld agenda: Data Center and Cloud, and Networking and Security. The first is discussed in this post; the latter will appear in the next post.

DATA CENTER AND CLOUD

VMworld’s focus on integrated IT strategy plays nicely with the Men & Mice Suite v9.1 release (and our larger objectives as well).

Men & Mice has been providing compatibility with VMware’s vRealize Orchestrator and vRealize Automation for years now. As the industry turns toward virtualization and cloud technology to build its next-generation, hyper-converged infrastructure in hybrid cloud environments, running cloud-native applications to cut costs and increase efficiency, so too have we adapted our Men & Mice Suite of DNS, DHCP and IPAM solutions to help organizations manage networks effectively and at scale.

The Men & Mice Suite v9.1 supports Unix/Linux, Windows, and Cisco IOS and stretches into the cloud with functionality across Azure DNS, Amazon Route 53, Dyn, NS1 and Akamai Fast DNS, as well as IPAM in AWS, Azure and OpenStack. It can be dropped on top of an organization’s existing infrastructure to manage, sync and automate network changes and authorizations, and to provide comprehensive insight into large-scale networks through one unified dashboard.

The Men & Mice Suite v9.1 supports thousands of concurrent users and API connections, with millions of managed IPs and DNS records, for automation and provisioning.

Virtualized Infrastructure and Applications

We favor virtualization over physical appliances and platform-specific, custom hardware allocation. Turns out, our customers do too. We want our customers to be able to make the right choices for their network infrastructure (DDI) needs. Then, we offer our environment- and platform-agnostic Men & Mice Suite to help them manage it.

Virtualized infrastructure is both cost and performance efficient. Men & Mice Suite gives organizations the flexibility and adaptability they need as every area of business operations goes digital, providing the manageability and visibility needed for high-availability networks to be, well, highly available.

Our new Men & Mice Suite v9.1, an overlay network management solution, offers many advantages for virtualizing and automating, as well as increasing visibility and ease-of-management of an enterprise organization’s network infrastructure, including its new web-based management application, which takes the “daunt” out of day-to-day operations and reporting.

Another way we’re making virtualization easier is through the Men & Mice virtual appliances, the DNS software for which we’ve upgraded to BIND 9.11, supporting various new features as well as DNSTAP. For example, details on DNS queries received and DNS replies sent by the Men & Mice virtual appliances can now be logged for further processing by enabling and utilizing the powerful DNSTAP feature with minimal performance impact on the appliances. They can also function as NTP (Network Time Protocol) servers and be served by the same network infrastructure as DNS and DHCP.

Private, Hybrid, and Public Clouds

Every cloud vendor is different. Different platforms and configurations offer different advantages (and drawbacks) for customers, and their APIs are often very different and incompatible. Men & Mice Suite v9.1 serves complex enterprise networks that use multiple cloud vendors (cloud native) or a combination of on-prem and cloud (hybrid), providing single-pane-of-glass visibility and cross-platform functionality for DNS, DHCP and IPAM (DDI) operations.

With the ability to bulk-migrate DNS zones and DHCP scopes, to implement role-based authorizations, and to work through three management interfaces (the Windows-based management console, the web-based management application, and the REST, SOAP and JSON-RPC APIs), the Men & Mice Suite v9.1 overlay software solution eliminates many of the complexities of today's large-scale networks while mitigating DNS failures such as configuration errors and DDoS attacks.

Further, Men & Mice Suite's xDNS Redundancy provides a level of abstraction that builds automation, provides centralized views, eliminates human error and removes conflicting DNS service provider platform complexities (e.g. incompatible APIs).

The Men & Mice Suite v9.1 also allows organizations to add Active Directory zones to xDNS groups. This, tied with the read-only members of xDNS groups, makes it easy for organizations to bring their internal, on-premises DNS into their virtual private clouds, and vice versa.

Cloud operations monitoring, a topic we look forward to discussing at VMworld, is transparent and easy in the Men & Mice Suite v9.1. Not only have we integrated true cloud DNS into the Men & Mice Suite, we have also paid attention to the cloud-specific challenges it brings with it.

Can’t make it? No worries!

You can book an appointment to meet our team onsite at VMworld (Booth #2124).

Or, if you’re missing the event, book a walk-through any time by clicking the button below.

We’re always happy to showcase the benefits of deploying our best-in-class overlay management solution on top of your network.


Topics: DDI, Men & Mice, DNS, DHCP, API, VMware, Redundant DNS, DNS redundancy, DDoS, networking best practices, IP address management, hybrid cloud, hybrid network, "cloud dns"

Men & Mice Suite 9.1: cloud-ready network management for DNS, DHCP and IPAM

Posted by Men & Mice on 7/11/18 7:47 AM


Our commitment to efficient network management has a new number! The Men & Mice Suite 9.1 is a feature release with a host of cloud-ready enhancements plus the usual suspects (bug fixes and improvements).

Network Management just got easier

Transparency, responsiveness, and ease-of-use are all core principles of Men & Mice for keeping networks healthy and safe from DDoS attacks and other DNS network failures.

The 9.1 release continues our mission to simplify network management without sacrificing features. Included in Men & Mice Suite v9.1:

  • A new web-based Men & Mice Suite management application
  • Optimized and enhanced cloud support
  • Improved xDNS Redundancy read-only zones for hybrid and multi-cloud networks
  • DNS software on appliances upgraded to BIND 9.11 with DNSTAP support
  • NTP functionality for virtual appliances
  • Various improvements and bug fixes

5 Things You’ll Love About Men & Mice Suite v9.1

Men & Mice Suite v9.1 focuses on features and refinements gleaned from customer feedback and engagement, as well as refinements of previously introduced functionality. Here's what you will find in the new release:

Web-based management application

The new web-based management application serves as an alternative to the Men & Mice Suite Windows-based management console. It’s designed to make performing day-to-day tasks, management functions and generating reports related to DNS and DHCP operations easier. The application features three sections: DNS, Networks and Reporting.

  • The DNS section makes all your DNS zones accessible from a single place.
  • The Networks section gives you instant access and overview of your networks.
  • Reporting lets you quickly find and run existing reports.


Its Quick Command functionality cuts down time on common tasks such as finding and working with DNS zones or records, IP address ranges, DHCP scopes and IP addresses.

Read-only zones in xDNS Redundancy groups

xDNS Redundancy, which can be used to synchronize DNS zones hosted with multiple cloud providers, now includes support for Active Directory-hosted zones. Zones in a redundancy group can be assigned to read-only mode, so that changes made to a DNS zone outside of the Men & Mice Suite will not be replicated to all other zone instances.

Optimized and enhanced Cloud support


Version 9.1 streamlines the migration and management of a large number of DNS zones with Azure DNS and Amazon Route 53 by utilizing cloud-native features to monitor changes to DNS made outside of the Men & Mice Suite, greatly improving synchronization of DNS data from the cloud providers.

Men & Mice virtual appliances upgraded to BIND 9.11 with DNSTAP support

DNS software on Men & Mice virtual appliances has been upgraded to BIND 9.11, which supports various new features as well as DNSTAP. Details on DNS queries received and DNS replies sent by the Men & Mice virtual appliances can now be logged for further processing by enabling and utilizing the powerful DNSTAP feature with minimal performance impact on the appliances.

NTP functionality for virtual appliances

The virtual appliances can also now function as NTP (Network Time Protocol) servers and be served by the same network infrastructure as DNS and DHCP. Currently this functionality is manual and can be implemented per request with our support team.

Nearly 30 years of DNS experience in one solution

“The Men & Mice Suite v9.1 represents our commitment to enabling customers to adapt their infrastructure to be more software-enabled, cloud-ready and redundant, with increased visibility, control, security and automation.” -- Magnús Björnsson, CEO of Men & Mice.

Complex enterprise network infrastructure can — and should — have the same elegant simplicity and responsiveness as IT professionals expect from customer-grade solutions. In the new release, Men & Mice has combined its nearly 30 years of expertise in developing DNS, DHCP and IPAM solutions with modern UX best practices to deliver a compelling, enjoyable management interface on top of a best-in-class, robust software-based DDI product.  

If you want to try Men & Mice Suite v9.1 for free, just click the button below.

Not ready? Read more about the Men & Mice Suite, or get an online demo.

Topics: IPAM, DNS, DHCP, Redundant DNS, DDoS, IP address management, hybrid cloud, hybrid network, "cloud dns"

Network Outages, Human Error and What You Can Do About It

Posted by Men & Mice on 12/18/17 7:14 PM

When your route leaks 

Human error. As far as mainstream reporting on network outages goes, it’s the less flamboyant sidekick to DDoS and other cyber attacks. But in terms of consequences, it’s just as effective.

Once again, at the beginning of November, large parts of the US found themselves unable to access the internet due to one small error: a misconfiguration at Level 3, an ISP (Internet Service Provider) that underpins other, bigger networks.

According to reports, the outage was the result of what is known as a “route leak”. In short, a route leak occurs when internet traffic is routed in inefficient, or simply wrong, directions because of incorrect routing information announced by one or more Autonomous Systems (ASes). ASes are the units in which ISPs announce the IP address ranges they hold and where those ranges sit in the network. Packets of data are routed between ASes, which use the Border Gateway Protocol (BGP) to establish and communicate the most efficient routes, so you can browse the whole internet and not just the IP addresses on your particular ISP's network.

Route leaks can be malicious, in which case they’re referred to as “route hijacks” or “BGP hijacks”. But in this case, it seems the cause of the outage was nothing more spectacular than a simple employee blunder, when (as speculation goes) a Level 3/CenturyLink engineer made a policy change that was, in error, applied to a single router while configuring an individual customer's BGP session. This particular incident constitutes what the IETF defines as a Type 6 route leak, which generally occurs when “an offending AS simply leaks its internal prefixes to one or more of its transit-provider ASes and/or ISP peers.”

Route leaks, small and large, are regular occurrences – it’s part and parcel of the internet’s dependency on the basic BGP routing protocol, which is known to be insecure. Other recent high impact route leaks include the so-called Google/Hathway leak in March 2015 and a misconfiguration at Telekom Malaysia in June 2015 which had a debilitating roll-on effect around the world.

To minimize the possibility of route leaks, ISPs use route filters that are supposed to catch any problems with the IP routes that peers and customers intend to use for the sending and receiving of packets of data.

Other ways of combating route leaks include origin validation, NTT’s peer locking and commercial solutions. Additionally, the IETF is in the process of drafting proposals on route leaks.

Factoring in the human element

Tools and solutions aside, Level 3’s unfortunate misconfiguration once again highlights the fact that, despite keeping a low profile in the news, human error still rules when it comes to causing common network outages.

In an industry focused on how to design, build and maintain machines and systems that enable interconnected entities to send and receive millions of packets of data efficiently every second of every day, it’s maybe not all that odd that the humans behind all of this activity become of secondary importance. Though, as technology advances and systems become more automated, small human errors such as misconfiguring a server prefix are likely to have ever larger knock-on effects. At increasing rates, such incidents will roll out like digital tsunamis across oceans, instead of only flooding a couple of small, inflatable IP pools in your backyard.

Boost IT best practices - focus on humans

So outside of general IT best practices, what can you do to help the humans on your team to avoid human error?

Just as with any network, human interaction is based on established relationships. And just as in any network, a weak link, or a breakdown in the lines of communication, can lead to an outage. Humans who have to operate in an atmosphere of unclear instructions, tasks, responsibilities and communication can become ineffective and anxious. This eats away at employee morale and workflow efficiency and lays the groundwork for institutional inertia and the stalling of progress. At other times, a lack of defined task-setting and clear boundaries may result in employees showing initiative in the wrong places and at the wrong times.

To limit outages due to human error, just distributing a general set of best practices or relying on informally communicated guidelines amongst staff are simply not enough. While networking best practices always apply, the following four steps can be very effective in establishing the kind of human relationships needed to strengthen your network and optimize network availability.



1. Define

Draw up, and keep updated, a diagram not only of your network architecture (you do have one, don’t you?), but also make sure you have a workflow diagram for your teams: who is tasked with which responsibility and where does their action fit into the overall process? What are the expected outcomes? And what alternative plans and processes are in place if something goes awry? Most importantly, match tasks and responsibilities with well-defined role-based access management.

2. Communicate

Does everyone on your team, and collaborating teams, know who is responsible for what, when and where, and how the processes flow? Is this information centrally accessible and kept up to date? Clarity, structure and effective communication empower your team members to accept responsibility and show initiative within bounds.

3. Train

Does everyone on your team know what’s expected of them, and did they receive appropriate training to complete their assignments properly and responsibly? Do they have the appropriate resources available to do what they need to do efficiently? Without training and tools in place, unintentional accidents are simply so much more likely to occur.

4. Refresh

Don’t wait until team members run into trouble or run out of steam. Check in with each other regularly, and encourage a culture of knowledge sharing where individuals with different skill sets can have ample opportunity to develop new skills and understanding.


Finally

The saying goes, a chain is only as strong as its weakest link. The same goes for networks.

At a time in history when we have more technological checks and balances available than ever before, it turns out the weakest networking link is, too often, a human. While we’re running systems for humans by humans, we may as well put in the extra effort to help humans do what they do, better. Our networking systems will be so much stronger for it.


Topics: DDI, DDoS, network outages, IT best practices, IP address management

Secure Your DNS Across Multiple DNS Service Platforms with Men & Mice xDNS Redundancy

Posted by Men & Mice on 7/10/17 12:50 PM

DNS (Domain Name System) is the most critical aspect of any network’s availability. When DNS services are halted, or slowed down significantly, networks become inaccessible, leading to damaging losses in revenue and reputation for enterprises.

To ensure optimal network availability, many enterprises depend on top-tier managed DNS service providers for their external DNS needs. The basic “table stakes” characteristics of an enterprise-class managed DNS service are high reliability, high availability, high performance and traffic management. However, even the most robust DNS infrastructure is not immune to outages.

Outages may be localized, in which only certain DNS servers in the network are not responding, or, less commonly, system-wide. A system-wide DNS failure can take an entire business offline - the equivalent of power failure in every one of their data centers.

To prevent this, top-tier managed DNS systems have a great deal of built-in redundancy and fault tolerance, yet the danger of a single point of failure remains for enterprises that rely solely on a single-source DNS service.

If no system of DNS is failure proof, this begs the question: what should an enterprise do about it?

Using multiple DNS service providers for ultimate DNS redundancy

DNS availability statistics for managed DNS providers show that the industry norm exceeds five nines (99.999%) uptime. This is the equivalent of about 5 minutes of downtime per year. However, this top-line number does not provide any detail on the impact of degraded performance, or the cascading effect of a system-wide outage of varying duration, on individual enterprises.

To discover the true impact of a potential loss of DNS availability, enterprises need to properly assess the business risk associated with relying on a sole source provider, and compare that with the cost of a second source DNS service. What would a 30-minute loss of DNS cost the business in terms of revenue loss, reputation damage, support costs and recovery? What does it cost to maintain a second source DNS service?

Research amongst enterprises for whom online services are mission critical generally concludes that the cost ratios are in the range of 10:1, one order of magnitude. Put another way, the cost of one outage is roughly estimated to be ten times the annual cost of maintaining a second service. A business would have to have second source DNS for ten years to equal the cost of one major DNS outage.

Looking at the odds and costs of outages, many enterprises are opting to bring in a second, or even a third, DNS service to hold copies of critical DNS master zones.

This system of external DNS redundancy boosts DNS availability by:


1. removing the danger of exposure to a single point of DNS failure.

2. reducing traditional master-slave DNS redundancy vulnerabilities, where slave zones can’t be changed if the master becomes unavailable.

3. improving infrastructure resilience by hosting critical zones with multiple providers, ensuring continued service availability and updates of changes if one DNS service provider becomes unavailable.

The risky business of maintaining DNS redundancy across platforms

In theory, DNS redundancy across multiple DNS service provider platforms should be the best solution for optimal DNS high reliability, high availability and high performance. In practice, however, the complexity of tasks and scope for error involved in replicating and maintaining identical DNS zones on multiple platforms pose additional threats to DNS availability. The situation is made worse by:

  • A lack of centralized views
  • A lack of workflow automation
  • The difficulty of coordinating multiple platform APIs

This inability to view, synchronize and update identical zones’ data simultaneously can, in itself, lead to errors and conflicts in DNS configuration and result in a degradation of network performance, or even a network outage – the very events that multi-provider DNS redundancy is intended to prevent.

Protect your DNS on multiple platforms with Men & Mice xDNS Redundancy

Breaking new ground in the battle against DNS disruption, the Men & Mice xDNS Redundancy feature provides the abstraction level necessary to replicate and synchronize critical DNS master zones across multiple DNS service provider platforms, on-premises, in the cloud, or in hybrid or multi-cloud environments.

Men & Mice xDNS provides a unified view and centralized management of DNS data, regardless of the DNS service provider platform. Network administrators and other authorized users can use xDNS to perform necessary updates to their network’s DNS, as well as benefit from building automation with the powerful Men & Mice API, instead of having to dig around in different DNS platforms and deal with coordinating conflicting APIs.

Combined with the flexibility of building automation on top of the Men & Mice Suite, xDNS gives you the freedom to distribute your DNS load based on zone priority, performance requirements and accompanying costs. With xDNS, you can take advantage of the tiered price points of external hosting, for example by placing critical high-performance zones and less essential low-performance zones on different services, and use the DNS service best suited to your situation at a given time.

How xDNS Redundancy Works

Using the Men & Mice xDNS feature, create a zone redundancy group by selecting critical zones from DNS servers and services such as BIND, Windows DNS, Azure DNS, Amazon Route 53, NS1, Dyn and Akamai Fast DNS.

Once an xDNS zone redundancy group has been created, xDNS assists the administrator in creating identically replicated zone content, resulting in multiple identical master zones. Additional zones can be added or removed from the xDNS group as required.

All changes initiated by the user through Men & Mice, whether via the UI or the API, are applied to every zone instance in the group. Changes made externally to a zone in an xDNS group are synchronized to all the other zones in that group. If DNS record conflicts arise, xDNS alerts the user and offers options for resolving the conflict before the group is re-synchronized.

If an xDNS zone is not available for updating, for instance if one DNS service provider experiences an outage, that zone will be marked as out-of-sync. Once the zone becomes available again, it will be automatically re-synchronized and will receive all updates that were made while the DNS service was unavailable.
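The fan-out, out-of-sync marking and conflict handling described above, as an added illustrative model in Python. This is not Men & Mice xDNS code (none is shown on this page): provider names, zone records and the outage scenario are constructed for the example. It also carries out the single-point-of-failure check from the redundancy benefits listed earlier, counting how many distinct nameserver domains the zone's delegation spans.

```python
"""Illustrative model of a multi-provider DNS zone redundancy group.

Added example, not Men & Mice xDNS code. It models the behaviour the post
describes: a change is fanned out to every copy of the zone, a copy whose
provider is down is marked out-of-sync and replayed when the provider
returns, and records that differ between copies are reported as conflicts
instead of being overwritten silently. Provider names, records and the
outage are constructed for the example.
"""
from dataclasses import dataclass, field


class ProviderUnavailable(Exception):
    """Raised when a zone copy's provider cannot accept an update."""


@dataclass
class ZoneCopy:
    """One provider's copy of the zone. data maps (owner, type) -> tuple of rdata."""
    provider: str
    data: dict
    available: bool = True
    in_sync: bool = True
    pending: list = field(default_factory=list)  # updates missed while down

    def apply(self, key, rdata):
        if not self.available:
            raise ProviderUnavailable(self.provider)
        if rdata is None:              # None deletes the record set
            self.data.pop(key, None)
        else:
            self.data[key] = tuple(sorted(rdata))


class RedundancyGroup:
    """A set of identical master zones held at different providers."""

    def __init__(self, zone, copies):
        self.zone = zone
        self.copies = list(copies)

    def update(self, owner, rtype, rdata):
        """Fan one change out to every copy; queue it for copies that are down."""
        key = (owner, rtype)
        for c in self.copies:
            try:
                c.apply(key, rdata)
            except ProviderUnavailable:
                c.in_sync = False
                c.pending.append((key, rdata))

    def provider_returned(self, provider):
        """Replay the queued changes once a provider is reachable again."""
        for c in self.copies:
            if c.provider == provider:
                c.available = True
                for key, rdata in c.pending:
                    c.apply(key, rdata)
                c.pending.clear()
                c.in_sync = True

    def conflicts(self):
        """Record sets that differ between in-sync copies, e.g. after an
        out-of-band edit at one provider. SOA is skipped because each provider
        manages its own serial, so it would always differ."""
        keys = set()
        for c in self.copies:
            keys |= set(c.data)
        found = {}
        for key in sorted(keys):
            if key[1] == "SOA":
                continue
            values = {c.provider: c.data.get(key) for c in self.copies if c.in_sync}
            if len(set(values.values())) > 1:
                found[key] = values
        return found


def distinct_ns_domains(ns_names):
    """Distinct parent domains among the delegation's nameservers: a rough proxy
    for distinct providers (a real check would map each NS address to its AS)."""
    return len({n.rstrip(".").split(".", 1)[1] for n in ns_names})


def demo():
    """Constructed scenario: two providers, one outage, one out-of-band edit."""
    base = {
        ("example.com.", "SOA"): ("ns1.provider-a.net. hostmaster.example.com. 1 3600 900 1209600 300",),
        ("example.com.", "NS"): ("ns1.provider-a.net.", "ns1.provider-b.com."),
        ("www.example.com.", "A"): ("192.0.2.10",),
    }
    a = ZoneCopy("provider-a", dict(base))
    b = ZoneCopy("provider-b", dict(base))
    group = RedundancyGroup("example.com.", [a, b])

    group.update("www.example.com.", "A", ["192.0.2.11"])    # reaches both copies
    b.available = False                                       # provider-b outage
    group.update("mail.example.com.", "A", ["192.0.2.25"])    # a takes it, b queues it
    out_of_sync = [c.provider for c in group.copies if not c.in_sync]
    group.provider_returned("provider-b")                     # b replays the queued change

    a.data[("www.example.com.", "A")] = ("198.51.100.7",)     # edit made directly at provider-a
    return out_of_sync, group.conflicts(), distinct_ns_domains(a.data[("example.com.", "NS")]), group


if __name__ == "__main__":
    oos, conf, n_domains, _ = demo()
    print("out-of-sync during outage:", oos)
    print("conflicts after out-of-band edit:", conf)
    print("distinct nameserver domains:", n_domains)
```

The model deliberately reports the out-of-band change at provider-a as a conflict rather than picking a winner, which is the point of the alert-and-resolve step: a synchronizer that silently copies whichever side it read last would propagate a mistaken or malicious edit to every provider at once. The nameserver-domain count is only a first approximation of provider diversity; two nameserver domains can still sit in the same autonomous system.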

Men & Mice and NS1

NS1, the leading intelligent DNS and traffic management provider, recognizes the growing need for diverse application resiliency. NS1 has joined forces with Men & Mice in improving the efficacy of external DNS redundancy. Kris Beevers, Co-founder and CEO, says:

"Leveraging multiple managed DNS networks is the clear best practice for maintaining 100% uptime in today's rapidly evolving operational environment. Configuring and operating multiple managed DNS services can be a complex, time-consuming process. NS1 is excited to partner with Men & Mice to help enterprises minimize management overhead and seamlessly enable redundant DNS. xDNS Redundancy is well-suited to enable multi-network DNS without the usual headaches."

Men & Mice xDNS – making external DNS redundancy truly resilient

DNS redundancy is a great concept on paper, but a daunting challenge in practice. With xDNS, enterprises can seek out second, or even third source DNS services, confident in the knowledge that their DNS, and ultimately their business, will truly be safer that way.

Magnus Bjornsson, Men & Mice CEO, considers xDNS an important step towards providing enterprises with greater, and more reliable, network availability.
“Recent prominent network outages once again illustrate the critical importance of building more effective network resiliency through a powerful and secure system of DNS redundancy. Men & Mice xDNS provides a simple way for companies to manage their DNS on multiple external platforms, with the Men & Mice Suite software automatically taking care of the replication and synchronization of data in a reliable and consistent manner. We are looking forward to cooperating with NS1 on developing xDNS and extending DNS redundancy offerings.”

Men & Mice xDNS takes the ‘daunt’ out of maintaining external DNS redundancy, providing the centralized views and control necessary to reduce the risk of network exposure to a single point of failure, improve network reliability and performance and bolster the successful mitigation of DDoS attacks and other potentially harmful DNS incidents.

To learn more about xDNS Redundancy, check out the xDNS webinar, jointly presented by Men & Mice and NS1.

Check out the video to discover how DDI all comes together:

Or try it out in the Men & Mice Suite:


Topics: DNS, Security, High availability, DNS redundancy, DDoS, External DNS, Failover
