Infoblox Inc. Architectural Benefits of DNS Threat Detection Offload

Sponsor: Infoblox, Inc

Abstract

Security experts agree that layered security is the key to providing solid security, but where each layer is implemented can have an impact on users as well. Implementing DNS security in the wrong place might exact a significant performance penalty and, ultimately, degrade user experience.

Infoblox commissioned Tolly to benchmark the resource cost of implementing DNS threat protection on a next-gen firewall. Specifically, the study focused on the demands of DNS threat protection on the firewall CPU.

Tests showed that handling DNS threat protection placed a significant load on the firewall CPU, pushing the system to over 75% utilization when just 0.08% of the Gigabit Ethernet network bandwidth consisted of DNS threats. Thus, offloading DNS threat protection to the Infoblox solution, which provides DNS security on DNS architecture, would instantly free up CPU resources for filtering web traffic. Threat traffic was generated using Keysight CyPerf.