The Brocade ServerIron ADX Series of switches provides a high-performance solution for resilient and secure Domain Name System (DNS) services, meeting the requirements of root and Top Level Domain (TLD) providers and large enterprises. The ServerIron ADX switch delivers up to 18 million DNS queries per second while acting as a proxy for DNS server farms, provides protection against DNS Denial of Service (DoS) attacks, and integrates with DNS and DNSSEC environments to maximize application uptime.
The Brocade ServerIron ADX Series of data-center class application delivery switches provides a broad range of optimization functions to ensure high-performance and secure delivery of DNS and DNSSEC services. Because Internet users rely on their DNS infrastructures to operate smoothly, free of disruption, ensuring the high availability of DNS services is an absolute necessity. To meet these high-availability requirements, the ServerIron ADX switches act as a high-performance proxy for back-end DNS server farms, while delivering up to 18 million DNS queries per second.
Using sophisticated server health checks to detect DNS service availability, the ServerIron ADX switches can efficiently distribute client requests to the best available DNS server in the server pool.
Site Failure Protection via Seamless Integration with DNS and DNSSEC Servers
The ServerIron ADX Global Server Load Balancing (GSLB) capability allows ServerIron ADX switches to distribute client traffic among geographically disparate data center sites based on site availability, site load, site proximity to client, and several other metrics.
Utilizing their GSLB capability, the ServerIron ADX switches can be positioned in front of a domain's authoritative DNS servers to act on DNS responses and re-order domain IP addresses to direct end-user traffic to the most available and closest possible site. In the event of failure of one of the sites, ServerIron ADX switches remove the failed site's IP address or lower it in the priority list before forwarding a DNS response to the DNS requestor. As a result, client traffic is transparently directed to healthy, available sites without requiring any configuration change or service disruption for end users.
The ServerIron ADX Series provides a DNSSEC-aware GSLB that seamlessly interoperates with the cryptographic signing aspect of DNSSEC without requiring any form of key-offload or key-management functions. Users can take advantage of such capabilities to greatly reduce complexity and cost involved in deploying and maintaining DNSSEC for environments containing multiple data centers.
DNS Attack Prevention
Through the use of specialized embedded hardware, ServerIron ADX switches detect and block many different types of DNS attacks, including Denial of Service (DoS) attacks, using specially designed DNS countermeasures. The ServerIron ADX Series uses the following tools to mitigate DNS attacks:
Intelligent Traffic Distribution
Typically, DNS requests use User Datagram Protocol (UDP) as the underlying transport-layer protocol. The DNS protocol specifications, however, suggest using Transmission Control Protocol (TCP) if the size of a DNS response exceeds 512 bytes (due to size and reliability limitations of UDP). As the industry starts deploying DNSSEC, which involves large-size packets, the proportion of DNS traffic using TCP transport is expected to increase. The ServerIron ADX Series enables administrators to intelligently direct DNS traffic to a different set of servers, depending on incoming transport characteristics. This permits optimum support of mixed DNS/DNSSEC environments in which UDP-based DNS requests are routed to standard DNS servers while TCP-based requests are redirected to DNSSEC-enabled DNS servers.
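The 512-byte UDP limit and the transport-based split described above can be sketched in Python. This is an added example, not Brocade code or ServerIron ADX configuration; the pool names are hypothetical, the sample responses are constructed, and the parser assumes a single uncompressed question.

```python
import struct

UDP_LIMIT = 512   # classic DNS-over-UDP message size limit, in bytes
TC_FLAG = 0x0200  # TC (truncated) bit in the DNS header flags word

# Hypothetical pool names for illustration only.
POOLS = {"udp": "standard-dns-pool", "tcp": "dnssec-dns-pool"}

def select_pool(transport: str) -> str:
    """Pick a back-end pool from the transport the query arrived on."""
    return POOLS[transport.lower()]

def question_end(msg: bytes) -> int:
    """Offset just past the first question (QNAME, QTYPE, QCLASS)."""
    pos = 12                      # fixed-size header is 12 bytes
    while msg[pos] != 0:          # walk length-prefixed labels
        pos += 1 + msg[pos]
    return pos + 1 + 4            # root label + QTYPE + QCLASS

def fit_for_udp(response: bytes) -> bytes:
    """Return the response as-is if it fits in 512 bytes; otherwise
    return header + question with TC set and the record counts zeroed,
    which tells the client to repeat the query over TCP."""
    if len(response) <= UDP_LIMIT:
        return response
    ident, flags, qd, _an, _ns, _ar = struct.unpack("!6H", response[:12])
    header = struct.pack("!6H", ident, flags | TC_FLAG, qd, 0, 0, 0)
    return header + response[12:question_end(response)]

def needs_tcp_retry(response: bytes) -> bool:
    """True when the TC bit is set in a received response."""
    return bool(struct.unpack("!H", response[2:4])[0] & TC_FLAG)

def build_response(n_answers: int) -> bytes:
    """Constructed sample: n A records for example.com (192.0.2.1)."""
    header = struct.pack("!6H", 0x1234, 0x8180, 1, n_answers, 0, 0)
    question = b"\x07example\x03com\x00" + struct.pack("!2H", 1, 1)
    # Name pointer to offset 12, TYPE A, CLASS IN, TTL 60, RDLENGTH 4.
    rr = struct.pack("!3HIH", 0xC00C, 1, 1, 60, 4) + bytes([192, 0, 2, 1])
    return header + question + rr * n_answers

if __name__ == "__main__":
    for n in (4, 40):
        raw = build_response(n)
        sent = fit_for_udp(raw)
        print(n, len(raw), len(sent), needs_tcp_retry(sent))
    print(select_pool("udp"), select_pool("tcp"))
```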
Abstract:
The combination of Brocade ServerIron Application Delivery Controllers (ADC) and Nominum Caching/Authoritative Name Servers (CNS/ANS) provides the solution of choice for highly resilient and scalable DNS service infrastructures used by the largest service providers.