IBM NS1 Connect


Using DNS to Shape, Steer, or Blackhole Your Traffic

By Charlie Sprankling posted Wed May 22, 2024 10:28 AM

Are you not entertained?!

How many times have you been travelling outside your home country and wanted to curl up in your hotel room to watch your favourite TV show, only to find it is not available where you are? I know I have, plenty of times! This is by design and usually comes down to local copyright and contractual restrictions. But how are those services able to enforce this so effectively? In this blog, we'll explore how you can use DNS to shape good, bad and unwanted traffic efficiently, before it knocks on any front door of your applications.

Central casting: The many roles of DNS

DNS administrators are often tasked with managing more than just domain names. Their responsibilities can include traffic management, security enforcement and making sure every user lands on a working endpoint. Understanding how to use DNS to influence traffic patterns simplifies many of these tasks. Traffic steering means answering a DNS query with different servers or data centres depending on criteria such as the requester's location, current load or the service being requested. DNS-based traffic management lets you direct users to the most appropriate resource, which improves performance and reliability, but it also lets you set explicit rules for traffic you do not want reaching your application at all, whether for internal business policy (we cannot serve this content in your region) or geo-political reasons (we do not do business in that country).

Not too secure….

Security teams have traditionally cared most about the network they control and less about what happens outside their four (fire)walls, because hardware firewalls at the edge did much of the work of dropping unwanted traffic. As enterprises move to hybrid or multi-cloud environments, much of the network layer is operated by the hyperscaler under a shared-responsibility model, which leaves security teams with less direct control and puts even more emphasis on visibility into, and governance of, the outside users reaching their applications. Pairing traffic analytics with traffic-steering rules lets security and network teams build policies and rulesets together that shape traffic both proactively and reactively. For example, many of our customers cannot do business in specific geos, so we set up explicit geo-fencing rules: every query whose source IP is in certain countries or regions gets an answer pointing to a host that serves an HTML page with those dreaded words, "we cannot serve content in your country!"

Two caveats are worth keeping in mind. First, the client address an authoritative DNS server sees is normally the recursive resolver's, not the end user's, unless the resolver forwards EDNS Client Subnet (ECS), so a geo decision is only as accurate as that address. Second, a DNS answer is a steering decision, not an access control: a user who switches resolver, uses a VPN or already knows the origin IP can bypass it, so the application and the edge still need their own enforcement.

Lights, Camera, Automate!

Reactive changes don't always have to be a bad thing. Firewall logs are a great resource for alerting on suspicious or malicious activity, but by the time a log entry exists the traffic has already knocked on the front door of your environment. What if you could make the steering decision closer to the user, so that these unwanted queries are never answered with a real address? Using IBM NS1 Connect's DNS and API-first platform, you can change those explicit policies on the fly, based on alerts raised by SOC/NOC teams. A good first pass at spotting these trends is NS1's DNS observability tool, DNS Insights. Cross-correlate that public DNS query data with firewall logs or network performance tools such as SevOne, and alert on spikes, baseline anomalies or targeted attacks. You can then automate changes to the DNS rulesets from those alerts with no-code/low-code workflows such as IBM Rapid Network Automation. Those changes, scoped to specific IP prefixes, ASNs or geos down to individual states or provinces, can even point to a place of no return (0.0.0.0), effectively black-holing that traffic.

Two practical notes. Cached answers persist until their TTL expires, so records you expect to change reactively should carry a short TTL, otherwise the new answer will not reach clients for minutes or hours. And 0.0.0.0 is the unspecified address rather than a guaranteed dead end: most clients fail to connect to it, but Linux treats a connection to 0.0.0.0 as a connection to the local host, so consider instead answering with a sinkhole address you control and can log. While DNS is not the hammer that knocks out all unwanted traffic, setting up and automating rule changes from the observability data at your disposal is a good first step toward shaping your traffic however you see fit.
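The geo-fencing rule from the previous section and the reactive prefix blackhole described above, modelled offline in Python as an added example. This is not NS1's code or API client: the IP-to-country/ASN table, the addresses, the query-log format and the rule names are all constructed for the example, and the filter names in `ns1_record_body` are recalled from NS1's Filter Chain documentation and should be verified against the API reference before use.

```python
"""Added example (not from the NS1 post or any NS1 SDK): an offline model of the
DNS policy decisions described in the post -- geo-fencing, prefix/ASN blocking and
a reactive blackhole rule added from a query-volume anomaly.  Everything below
(GeoIP table, addresses, log lines) is constructed for the example."""
import ipaddress
from collections import Counter

# Constructed lookup table standing in for a GeoIP/ASN database (assumption).
GEO_DB = {
    "198.51.100.0/24": ("GB", 64500),
    "203.0.113.0/24": ("US", 64501),
    "192.0.2.0/24": ("XX", 64502),      # "XX": a country we do not serve
}
BLOCK_PAGE = "203.0.113.200"            # host serving the "cannot serve content" page
BLACKHOLE = "0.0.0.0"                   # the "place of no return" from the post
REGION_ANSWERS = {"GB": "198.51.100.10", "US": "203.0.113.10"}  # per-region origins
DEFAULT_ANSWER = "203.0.113.10"


def lookup(ip):
    """Return (country, asn) for ip, or (None, None) if it is not in GEO_DB."""
    addr = ipaddress.ip_address(ip)
    for cidr, info in GEO_DB.items():
        if addr in ipaddress.ip_network(cidr):
            return info
    return None, None


def resolve(client_ip, rules):
    """Evaluate the rules in order: blackhole -> geo-fence/ASN block -> steer by country.
    client_ip is the resolver's source address, or the EDNS Client Subnet if present."""
    addr = ipaddress.ip_address(client_ip)
    if any(addr in ipaddress.ip_network(p) for p in rules["blackhole_prefixes"]):
        return BLACKHOLE
    country, asn = lookup(client_ip)
    if asn in rules["blocked_asns"] or country in rules["blocked_countries"]:
        return BLOCK_PAGE
    return REGION_ANSWERS.get(country, DEFAULT_ANSWER)


def spiking_prefixes(log_lines, baseline_per_prefix, factor=10):
    """Group queries by source /24 and return prefixes above factor * baseline.
    Constructed log format (assumption): '<timestamp> <src_ip> <qname> <qtype>'."""
    counts = Counter()
    for line in log_lines:
        src = line.split()[1]
        net = ipaddress.ip_network(f"{src}/24", strict=False)
        counts[str(net)] += 1
    return sorted(p for p, n in counts.items() if n > factor * baseline_per_prefix)


def apply_reactive_rules(rules, log_lines, baseline_per_prefix):
    """Hypothetical automation step: blackhole every prefix that spikes above baseline."""
    new = spiking_prefixes(log_lines, baseline_per_prefix)
    rules["blackhole_prefixes"].update(new)
    return new


def ns1_record_body(rules, zone="example.com", domain="www.example.com"):
    """Shape of a Filter Chain record for the steering part of the policy.  The filter
    names (geofence_country, select_first_n) are recalled from NS1's docs and are an
    assumption to verify; the short TTL keeps reactive changes from lingering in caches."""
    answers = [{"answer": [ip], "meta": {"country": [cc]}} for cc, ip in REGION_ANSWERS.items()]
    answers.append({"answer": [BLOCK_PAGE],
                    "meta": {"country": sorted(rules["blocked_countries"])}})
    return {"zone": zone, "domain": domain, "type": "A", "ttl": 60,
            "answers": answers,
            "filters": [{"filter": "geofence_country", "config": {}},
                        {"filter": "select_first_n", "config": {"N": 1}}]}


# Constructed sample log: 3 normal queries from GB plus a 40-query burst from 192.0.2.0/24.
SAMPLE_LOG = (
    [f"1716000{i:03d} 198.51.100.{i} www.example.com A" for i in range(3)]
    + [f"1716001{i:03d} 192.0.2.{i} www.example.com A" for i in range(40)]
)


def demo():
    """Geo-fenced answer before the spike, blackhole after the automated rule lands."""
    rules = {"blackhole_prefixes": set(), "blocked_countries": {"XX"}, "blocked_asns": set()}
    before = resolve("192.0.2.7", rules)            # geo-fenced -> block page
    added = apply_reactive_rules(rules, SAMPLE_LOG, baseline_per_prefix=3)
    after = resolve("192.0.2.7", rules)             # prefix now blackholed
    return before, added, after, resolve("198.51.100.9", rules)


if __name__ == "__main__":
    print(demo())
```

The rule order matters: a blackhole is checked before geo and ASN rules so an attacking prefix in an otherwise allowed country still gets the dead-end answer, and the threshold is relative to a per-prefix baseline rather than an absolute count so a busy but normal region is not blackholed by mistake.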
