Check your DNS for 5G deficits

Oct 6, 2021

blog-5g-network

5G networks are installed in large numbers worldwide and the number of 5G subscribers is continuously increasing. These users benefit from the availability of 5G by being able to take full advantage of IoT devices and other technological advances through better performance and lower latency. Network providers benefit from more flexible infrastructure utilization through orchestration, network slicing and containerization. However, these 5G concepts also put additional demands on all network services, including DNS.

Our quick checklist will let you find out how well your DNS installation is equipped for the requirements of 5G. The checklist looks at nine key areas and the measures you should take so that your DNS does not get in the way of your 5G goals:

Deployment

If you are still installing key infrastructure software such as DNS software manually on bare metal, or even on Virtual Machines (VM) in an NFV environment, your competitors will be able to outrun you in the 5G race. To cope with current and future trends, traditional approaches, including NFV, are not efficient and agile enough to meet today’s needs, for example, deploying services to the network edge, which can involve thousands or even tens of thousands of software instances to be deployed and managed. This is why network operators are looking to cloud-native solutions to power their 5G network infrastructure. Cloud-native DNS provides the ability to orchestrate and manage the lifecycle of containerized infrastructure and enables services such as DNS to be deployed at ultra-scale and distributed right to the network edge, while simplifying deployment and lifecycle management for the operations teams.

Performance measurement

DNS performance is extremely important but can be hard to measure. The most critical metrics to measure are the 99.9% latency experienced by real subscribers on your network, but these are typically not the metrics that are available to you as the operator of a DNS platform. If you only measure average latency, you will miss the spikes that will cause dissatisfaction amongst your subscribers, which is why measuring the ‘long-tail’ of latency is so important. This is especially true for those 5G-ready devices, which require low latency.

Measuring latency only at the DNS servers can also give a false impression, for example, if there is a problem with the RAN, or with the interaction between the RAN equipment and the WAN equipment. Your subscribers could experience very high latency that your KPIs completely miss. DNS solutions, especially those used in 5G networks, should provide the ability to measure end-to-end latency, as experienced by your subscribers.

Low latency

A key component of enhancing the user experience with 5G is delivering fast content to users, for example, for video streaming services. For this, the content is located as close to the end-user as possible, typically near the edge of the network. This also requires DNS software to be deployed on the edge, to ensure that users are directed to the most local content server.

Deploying DNS caches so close to users means that future DNS lookups from the same user or other users in the same locality will be delivered from the cache and thus deliver content even faster. This can be combined with tiered caching in the network core, to minimize latency for domains that are looked up less frequently.

Operations options

5G comes with a whole new set of requirements for DNS. For example, services will have to be deployed automatically across hundreds or even thousands of nodes, where configuration changes or upgrades need to be rolled out seamlessly and without downtime, and ops teams should be alerted to service, performance or latency issues. This can only be achieved through automated and orchestrated deployment, network slicing, elastic scaling, and configuration and lifecycle functionality to manage and monitor all these activities.

Privacy features

If the DNS traffic of your subscribers is not protected, anyone monitoring a network would be able to see all of the DNS lookups that a given end-user or mobile device was making. This is a huge privacy, as well as a potential security, issue, if you consider that an MITM attack could also rewrite DNS answers. The fact that the 5G RAN is encrypted does not help when DNS traffic is passing over the wired network core.

There are three main technologies that address the security, privacy and integrity issues inherent in traditional plaintext DNS: DNS encryption via DoH or DoT, DNSSEC and Query Name Minimization. You should ensure that your DNS solution supports these technologies as security and privacy are two of the most important topics for you and your subscribers.

Security measures

DNS solutions should check lookup requests, block malicious content, such as phishing and malware, and notify subscribers and providers about the identified security issues. Of course, this has also been valid before 5G, but with much greater traffic rates and increased content consumption via non-traditional connected appliances, such as IOT devices, not only are subscribers’ devices vulnerable but the mobile network itself can be attacked by these devices acting to conduct DDoS attacks.

IoT security

The threat of malware-infected IoT devices causing damage to physical infrastructure, networks and even human life, is very real. The average subscriber is not able to ensure adequate protection for always connected IoT devices without any interface. Thus, detecting malware-infected IoT devices in the network is the only way to ensure that such devices do not continue to cause harm. This is achieved by using regularly updated threat intelligence feeds which contain information on the IP addresses and hostnames used to host malware Command and Control (C2) servers. By detecting the devices that attempt to connect to known C2 servers, their network access can be blocked, and, optionally, the owner of the device can then be alerted, which could be extremely important for enterprise 5G scenarios. This also provides protection against Distributed Denial of Service (DDoS) attacks originated by botnets coordinating IoT devices on your network.

Monitoring and analysis

Monitoring and analyzing huge amounts of traffic requires new tools. DNS software needs to be able to be connected with solutions that can analyze big data. To feed big data analytics tools with useful and representative information, your DNS solution should be able to save queries long-term and provide a search functionality to scan the data. It should also be capable of monitoring and analyzing the most important DNS functions at any time, including performance measurements. These metrics and statistics should be stored in open databases, and freely available to retrieve via open APIs, and not subject to vendor lock-in.

License model

To cope with future traffic levels from several connected traditional, as well as IoT, devices per subscriber, your DNS supplier should support subscriber-based licensing instead of a pricing model that is based on traffic or instances. Your DNS costs also need to support whatever product innovations you will provide in the future. This is only possible if you have complete flexibility when it comes to deploying DNS software in whatever configuration and volume of instances you require. Increased traffic and additional software instances should not incur additional costs.

This is only a brief, high-level summary of the requirements of 5G on DNS, but emphasizes the importance of your DNS installation for your 5G success. Please reach out to us or your OX account manager if you want to discuss or learn more about OX PowerDNS for your 5G network.

About the author

Neil Cook

Neil Cook

PowerDNS Head of Product

Categories

Related Articles

Move your email from a cost center to a profit center

More than half of the world’s population – 4.2 billion people – now uses email, with this number predicted to increase to...

Errol Vanderhorst Jul 25, 2023

PowerDNS brings encrypted DNS capabilities onto routers for the...

Helps protect confidentiality and integrity of traffic in the first mile CPE (customer premise equipment) manufacturers,...

Chris Holder Jul 5, 2023

DNSdist as a router-ready solution

As you might have read, with the release of DNSdist 1.8, PowerDNS brings DNS encryption with DNS over TLS (DoT) and DNS over...

Bob Brandt Apr 12, 2023

Production-ready PowerDNS Cloud Control available

DNS is one of the vital components of the internet, invisibly making the internet work for everyone for almost four decades....

Alexander ter Haar Dec 5, 2022