You don't have to live with performance issues caused by building in DNS security. Use random number generators to achieve full entropy.
Aug 25th, 2022
Relying on good random data can be resource intensive. DNSSEC-enabled DNS servers often see performance hits, especially when they run as VMs (Virtual Machines). You shouldn't have to sacrifice performance for security.
With VMware Explore 2022 coming up it's a good time to get back to basics and talk about where it all started – the Virtual Machine (VM). Is it possible that we're still seeing performance issues in a VM in 2022? According to our support team, the answer is yes for VMs that rely on good random data for cryptographic functions. A typical example of such a server is a DNS server that uses DNSSEC for secure DNS.
DNSSEC stands for DNS Security Extensions and is a collection of protocols that add a protective layer to the lookup and data-sharing processes of the domain name system (DNS), which underpin web access on the Internet. Essentially, DNSSEC adds authentication and integrity protection to DNS through the use of public/private key pairs. For more detailed information, see our glossary page on DNSSEC.
Creating the DNSSEC keys mentioned above requires random data generated on the DNS server. Gathering truly random data is often what causes a server, and VMs in particular, to slow down or freeze: the server is waiting for "full entropy" before it can move on to the next task.
Entropy - The measure of diversity of a data-generating function. Data with full entropy is completely random and has no meaningful patterns.
On a Linux machine, the Linux random device, /dev/random, will "block" a process if there is not enough randomness (entropy) available. A blocked process is one that is waiting for something to happen before it returns to the "running" state. DNSSEC-enabled DNS servers and their tools use /dev/random as the source of randomness for cryptographic key-generation operations. At times /dev/urandom may be used instead; it will not block a process, but it also may not deliver the randomness required to guarantee full entropy and should not be used to generate keys with a long lifespan.
This affects DNSSEC tools like dnssec-keygen and dnssec-signzone, but it may also create a performance issue on DNSSEC-enabled DNS servers that are re-signing a dynamic zone, or on a DNS resolver validating DNSSEC data for a client.
We obviously can't just stop building security into our systems, so how do we continue to use DNSSEC and stop living with the performance hits? There are actually a few solutions you can try.
Some CPUs and motherboards (VIA, Intel, and AMD) have built-in random number generators. These can be used to fill the pool of random bits. So be sure to consider this as you refresh your ESXi hardware according to VMware's Hardware Compatibility Guide.
Additional hardware may also be added to an ESXi server to supply random bits. This hardware must then be passed through to the VM. Such a device is often referred to as a Hardware Random Number Generator (HRNG) or True Random Number Generator (TRNG), and as with everything, compatibility matters: if your VM can't see the device, it's useless.
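Before changing hardware, it helps to know whether a VM is actually short of entropy and whether any of the sources described above (the kernel pool, a CPU instruction such as rdrand, or a hardware RNG device) are visible to the guest. The following Linux diagnostic is an added example written for this post, not code from the original page or from any DNS or VMware product. It reads the kernel's standard entropy counters under /proc/sys/kernel/random, looks for rdrand/rdseed flags in /proc/cpuinfo, checks the hw_random driver's current device under /sys/class/misc/hw_random, and probes /dev/random with a non-blocking read so it never stalls itself. The SAMPLE_CPUINFO text is a constructed snippet used only to exercise the flag parser; the threshold in assess() is an assumed value for illustration, not a kernel constant.

```python
"""Entropy diagnostic for a Linux VM such as a DNSSEC signer (added example)."""
import os

# Constructed sample of a /proc/cpuinfo excerpt, used to exercise cpu_rng_flags().
SAMPLE_CPUINFO = (
    "processor\t: 0\n"
    "vendor_id\t: GenuineIntel\n"
    "flags\t\t: fpu vme de pse tsc msr pae rdrand rdseed\n"
)

LOW_ENTROPY_BITS = 256  # assumed threshold for flagging a low pool, not a kernel value


def cpu_rng_flags(cpuinfo_text):
    """Return the set of CPU RNG instruction flags (rdrand, rdseed) present in cpuinfo text."""
    wanted = {"rdrand", "rdseed"}
    found = set()
    for line in cpuinfo_text.splitlines():
        if line.startswith("flags"):
            _, _, flags = line.partition(":")
            found |= wanted & set(flags.split())
    return found


def read_text(path):
    """Read a small proc/sys file, or return None if it does not exist or is unreadable."""
    try:
        with open(path) as handle:
            return handle.read().strip()
    except OSError:
        return None


def read_int(path):
    """Read an integer counter such as entropy_avail; None when unavailable."""
    text = read_text(path)
    try:
        return int(text) if text is not None else None
    except ValueError:
        return None


def dev_random_would_block(device="/dev/random", nbytes=32):
    """Probe the device without blocking: True if a read would block now,
    False if bytes were returned immediately, None if the device is missing."""
    try:
        fd = os.open(device, os.O_RDONLY | os.O_NONBLOCK)
    except OSError:
        return None
    try:
        os.read(fd, nbytes)
        return False
    except BlockingIOError:  # EAGAIN: kernel reports insufficient entropy
        return True
    finally:
        os.close(fd)


def entropy_report():
    """Collect the entropy-related facts a VM administrator would want to see."""
    return {
        "entropy_avail": read_int("/proc/sys/kernel/random/entropy_avail"),
        "poolsize": read_int("/proc/sys/kernel/random/poolsize"),
        "hw_rng_current": read_text("/sys/class/misc/hw_random/rng_current"),
        "cpu_rng_flags": sorted(cpu_rng_flags(read_text("/proc/cpuinfo") or "")),
        "dev_random_would_block": dev_random_would_block(),
    }


def assess(report):
    """Turn a report into a list of findings; an empty list means nothing looks wrong."""
    findings = []
    avail = report.get("entropy_avail")
    if avail is not None and avail < LOW_ENTROPY_BITS:
        findings.append("entropy pool is low (%d bits)" % avail)
    if report.get("dev_random_would_block"):
        findings.append("/dev/random would block right now; key generation will stall")
    hw = report.get("hw_rng_current")
    if not report.get("cpu_rng_flags") and hw in (None, "", "none"):
        findings.append("no CPU or hardware RNG is visible to this VM")
    return findings


if __name__ == "__main__":
    current = entropy_report()
    for key, value in current.items():
        print("%-24s %s" % (key, value))
    for finding in assess(current) or ["no entropy problems detected"]:
        print("-", finding)
```

Run it inside the guest, not on the ESXi host, since the point is what the VM can see. On kernels 5.6 and later, /dev/random no longer blocks once the pool has been initialized, so the blocking probe will normally return False there even on a VM without a hardware source; on older kernels a True result combined with an empty cpu_rng_flags list is the signature of the stalls described above.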
Other software-based solutions exist as well and try to gather entropy in different ways. For Windows-based VMs, it's worth reading this whitepaper from Microsoft: https://download.microsoft.com/download/1/c/9/1c9813b8-089c-4fef-b2ad-ad80e79403ba/Whitepaper - The Windows 10 random number generation infrastructure.pdf
If you're going to be at VMware Explore, we'd love to chat more about how we can help you manage your entire DDI environment from one centralized location with our non-disruptive DDI overlay, Micetro.
Come see us at the booth or schedule a personalized demo any time, from the comfort of your desk.