IBM service uses DNS to deliver multicloud connectivity

IBM is rolling out a new DNS-based service that will let customers securely control connectivity between distributed multicloud environments.

NS1 Connect is one of the first fruits from IBM’s acquisition of DNS specialist NS1 earlier this year. The service is aimed at helping organizations set up the best connection between clouds and end users to deliver applications optimized for performance, cost, security and availability.

Core to the NS1 Connect package, which will be available Oct. 17, is traffic-steering technology that intelligently distributes DNS traffic across the network. DNS is often described as the Internet’s phone book, working in the background to match the names of web sites that users type into a search box with the corresponding IP address.

NS1 Connect’s advanced DNS services can make dynamic decisions about where to send an internet request, based on availability, performance, time-of-day and many other calculations, according to Andrew Coward, general manager of software defined networking with IBM, who wrote a blog about the news.

The most common traffic-steering rules include avoiding unavailable, overloaded, or under-performing endpoints, IBM wrote in a brief about the NS1 service.

“NS1 offers a set of basic monitors you can use to track its up/down status of an endpoint. Alternatively, you can use one of the supporting monitoring service integrations to pull data collected by third-party monitors to the NS1 platform to inform traffic steering,” IBM stated.

“If included in your NS1 account, you can configure [real user monitoring] RUM-based applications and jobs to pull real-time availability and performance metrics from shared or private data sources back to the NS1 platform to optimize load balancing across complex, global networks,” IBM stated.

Customers can configure the system to input data from a variety of third-party management systems, such as Cisco ThousandEyes and AppDynamics, Datadog, Amazon Web Services (AWS), Rackspace, CloudWatch and Catchpoint.

“Independent of where your customer traffic originates around the world – Boston, San Paulo, Tokyo, Nairobi, Paris – the DNS answer for where to route that traffic may be different and may vary depending on which content delivery networks (CDN) is busy, how much you’re paying for transit, and what level of traffic balance you’re trying to achieve,” Coward wrote.

NS1 Connect customers also get DNS reports, such as queries per second (QPS) and global traffic distribution, that can be used to detect sudden drops or upticks in DNS traffic and compare domain traffic across networks. 

A feature called NS1 DNS Insights uses what IBM calls lightweight data feeds to provide a granular view of performance, trends, and anomalies. This gives customers the insight necessary to improve system performance and security while reducing operational costs, IBM stated.

The system supports DNS Security Extensions (DNSSEC), which authenticates domain name lookups and helps protect against DNS hijacking.

Enterprise Management Associates (EMA) recently found that DNS hijacking, also known as DNS redirection, is the DNS security challenge that causes enterprise IT the most pain. DNS hijacking involves intercepting DNS queries from client devices so that connection attempts go to the wrong IP address. Hackers often achieve this by infecting clients with malware so that queries go to a rogue DNS server, or they hack a legitimate DNS server and hijack queries at a more massive scale. The latter method can have a large blast radius, making it critical for enterprises to protect DNS infrastructure from hackers, according to EMA.

Beyond DNS management, account administrators can manage users, teams, and API keys to ensure appropriate access levels based on the user role or function, IBM stated.

In addition to NS1 Connect, IBM is developing a SaaS package to help enterprises securely network heterogenous environments, including edge, on-prem and multicloud resources.

The IBM Hybrid Cloud Mesh is a SaaS service that implements a virtualized Layer 3-7 environment to rapidly enable secure connectivity between users, applications, and data distributed across multiple locations and environments, according Coward.

Hybrid Cloud Mesh deploys gateways within the clouds – including on-premises, AWS or other providers’ clouds, and transit points, if needed – to support the infrastructure, and then it builds a secure Layer 3-7 mesh overlay to deliver applications, Coward said. At the application level, the exposure to developers occurs at Layer 7, and the networking teams see Layer 3 and 4 activities, Coward said.

The Hybrid Cloud Mesh offering is available to early test organizations and is expected to be generally available by the end of the year.