Unleash the Power of a Hardened DNS Appliance
Contact us to know more!
When a TCPWave DNS appliance is provisioned, it automatically determines the network topology of your enterprise and it automatically creates the BGP or OSPF configuration on the newly provisioned TCPWave Anycast appliance to advertise Anycast Virtual IP Addresses (VIPs) into the network. This advanced feature, that is unique to the TCPWave IPAM, understands how your shared services routers, core routers and edge routers are configured. The TCPWave IPAM then refers to a set of global configuration options and updates newly provisioned Anycast appliances with minimal user intervention. As your routing topologies change, the configuration gets updated automatically. The administrator gets a full control on how and when the configuration gets deployed or updated. The monitoring module of the TCPWave IPAM ensures that each Anycast appliance is advertising the correct VIPs and if the core and edge routers are receiving the correct Anycast routes. This integration between DNS and routing is widely acclaimed in the industry, thereby making TCPWave as a prominent leader in the Software Defined Networking (SDN) arena.
TCPWave is the first and only DNS service provider to offer an advanced DNS appliance with advanced features listed below. Our two flavors of DNS share a common SNMP (Simple Network Management Protocol) MIB to provide fault and performance statistics. Our devices running in a recursive cache only mode can become standalone emergency masters to serve the clients when there is a wide area network outage. Our success story is shared by our customers running our DNS appliances on their global internal corporate network. By pre-fetching the IP addresses, the TCPWave cache appliance can reply to the DNS requests immediately, without having the delay of a recursive DNS lookup. This method is extremely valuable in low latency trading environments. Additionally, the Dell TCPWave appliance uses the fastest operating system available, a hardened Linux kernel. The appliances leverages the latest Intel Xeon processors, with multithreading enabled in the kernel, which is over 4 times faster than running DNS on a Solaris platform. Finally, the appliance comes with twelve exclusive disaster recovery features that result in the most resilient DNS appliance available in the market. Contact Us to get a whitepaper and a case study, containing an in-depth design analysis and topology layouts of DNS Cache deployments in a large enterprise.
Common DNS Problems in a typical deployment
- High cost of server management:Too many servers to patch and update efficiently resulting in DNS risks.
- Single Point of failure: The same BIND DNS software on both the primary and back up servers.
- Limited routing redundancy: Without Anycast, the backup servers are also vulnerable to a DDoS Attack.
- Limited dashboard management: No compatibility with customer’s existing dashboards.
- No automatic disaster recovery features: Resulting in outages while fixes are being put in place
- Vendor Disputes: Multiple vendors for DNS software, servers, and the routing protocol results in delayed resolution for mission critical issues and security vulnerabilities.
Business Advantage with TCPWave DNS Appliances
- Reduce Costs: The TCPWave cache appliance does not require any server administration: Reducing server management costs by about 80%.
- Resiliency: Two diverse DNS programs on a hardened kernel: one automatically backing up the other in the case of a bug or attack.
- Enhanced Security: TCPWave’s packet filtering module can restrict the types of queries that end users can send.
- Smart Anycast routing: For a balanced meshed DNS network, all appliances backing up each other.
- Black Hole protection: Intelligent Watch Dogs do continual health checks on all aspects of DNS, and react to disasters.
- Customized SNMP NOC management: Working with the customer’s existing Dashboard for better appliance management.
- 12 Automatic Disaster Recovery Features: Exclusive to the Dell TCPWave appliance for unsurpassed resiliency.
- One vendor: No finger pointing between DNS software, the hardware, nor the network DNS routing.
Technical Highlights of a TCPWave DNS Appliance
Simplified Configuration with SDN
TCPWave DNS cache appliances get auto-provisioned for their BGP or OSPF, BIND and Unbound, NTP, SNMP, TACACS+, health check and syslog configurations by the TCPWave IPAM in a seamless fashion. The configurations are then passed to the TCPWave Configuration Assurance Inspection Engine to ensure that the appliance configurations are in strict accordance with the preset standards set in each enterprise on the TCPWave IPAM. This revolutionary technology minimizes user intervention and is much less prone to errors that cause network outages.
DNS Code Diversity
Running in a Chrooted environment— you will have two flavors of DNS; TWC DNS and ISC BIND DNS software, each backing up the other, neither sharing the same code, for true diversity. When a bug or attack interrupts one DNS software, your DNS appliance automatically toggles over to the other. Then notifies your NOC with specific details of the problem.
Serve when Sane
TWC DNS self monitors, if problems are detected, and not repaired by auto restart, then the NOC is notified using SNMP, the server shuts itself down (customer configurable option) and traffic is rerouted using BGP or OSPF. Syslog and query logs are captured for analysis.
All the critical components including; DNS, BGP, SNMP, NTP will auto restart if there is an interruption in service or if a problem is detected. The auto restart feature will attempt to fix the problem three times in a span of 15 seconds. If the problem persists the server will shut down, and automatically reroute traffic to the other servers. Your NOC will be notified each step of the way.
DNS Flood Detector
TWC DNS will detect top talkers or DDoS attacks, then send an alarm to the NOC, including the offending IP address, allowing the customer to block the attacker’s IP address and investigate.
Cache to Master
TCPWave has engineered the appliance to switch over to an emergency non-recursive authoritative server when isolated from the production network. Then— when connections to the DNS roots are restored, it will automatically (or manually) switch back to a recursive server. DNS Zones are pulled daily.
Black Hole detection
If an appliance is running BGP or OSPF while DNS is down, TWC DNS will stop advertising routes to the backbone routing network and notify the NOC. Thus allowing other appliances to automatically take over.
Deep packet Inspector
TCPWave DNS appliance come with a deep packet inspection engine. A stateful firewall determines if a DDOS attack is taking place or not. Stateful firewall engine on each TCPWave appliance allows you to define filters to allow or deny DNS traffic to the cache appliance: Incoming DNS requests can be configured to get dropped and logged when a conditional match of a DNS query is observed or when a conditional match of a resource record type is seen or if a DNS rate limit threshold is exceeded.
TWC DNS sanitizes query result. Any data that the scrubber cannot confirm as authoritative will not be added to the cache; thus eliminating cache poisoning.
Source Port Randomization
TWC DNS can offer the maximum amount of randomization, the range of random ports can be specified by the customer; thus reducing the chances of being affected by the Kaminsky Virus without having to implement DNSSEC. Organizations choosing to implement DNSSEC can secure the environment further by managing the TCPWave’s cache appliances with TCPWave’s IP Address Management Software.
The most secure centralized login management system offered allowing you to make login password changes from one central location for all appliances. Additionally, the customer can segregate the administrator’s level of authority based on their entitlements. Upon authentication, all keystrokes are logged.
TCPWave customizes SNMP to work with Customer’s existing toolsets such as InfoVista, AlterPoint Nagios and EMC Smarts. Thus eliminating training needed at the NOC while improving visibility and management of the appliances
Snap Shot and Roll Back
If an appliance stops working, TWC DNS has the ability to roll back the settings to the last known working configuration. This allows the customer to keep the appliance working, while a trouble ticket is being investigated.