
Nominum on the back foot over open source attacks

DNS name-calling spat simmers on


Commercial DNS software firm Nominum has responded to the backlash against its criticism of open source alternatives.

During interviews promoting its recently launched cloud-based DNS (Domain Name System) service, SKYE, Nominum slammed open source and freeware DNS packages as a recipe for security problems. During a question and answer session with ZDNet, for example, Jon Shalowitz, Skye general manager, was particularly strident in his criticism.

"Freeware legacy DNS is the internet's dirty little secret... Freeware is not akin to malware, but is opening up those [ISP] customers to problems," Shalowitz said.

The DNS community cried foul over this line of attack. Critics (here and here) were quick to point out that Nominum was one of the vendors affected by last year's DNS cache poisoning problem, while PowerDNS, MaraDNS and DJBDNS (all open source) were not. The cache poisoning problem, discovered by security researcher Dan Kaminsky, opened the door to web site impersonation and email interception attacks against organisations that relied on vulnerable DNS installations.

US-CERT's original advisory on the Kaminsky vulnerability backs up this criticism.

After repeated requests for a response to the cache poisoning barb (and a missed interview appointment), Nominum finally responded with a statement from Gopala Tumuluri, Nominum's VP of Marketing & Business Development. He disputes whether open source implementations were truly immune to the Kaminsky vulnerability. Tumuluri goes on to suggest that the DNS port randomisation changes Nominum implemented added a bolt to a door that was already locked.

It is not accurate to state that servers that implement UDP Source Port Randomization (SPR) are not vulnerable to Kaminsky’s exploit or similar attacks. They are, and the entire industry is aware of it. UDP SPR only provides brute force probabilistic defences which bots and bandwidth can defeat.

Nominum has long had additional defences to defeat cache poisoning exploits like the one Kaminsky discovered. Prior to Kaminsky, Nominum had elected not to implement UDP SPR (a well known approach) because our servers relied on more effective protections at that time.

In light of Kaminsky, Nominum participated in the industry consensus and added UDP SPR to the many unique protections previously available and since have added other unique defences.
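The brute-force arithmetic behind that statement, as an added example rather than anything from the article or from Nominum's own software; it assumes a resolver that randomises the 16-bit transaction ID and, optionally, the UDP source port, and that every forged packet in a query window carries a distinct guess:

```python
"""Simplified model of the brute-force exposure that UDP source port
randomisation (SPR) does and does not remove.

Added example, not part of the article or of any Nominum code. A forged
answer is cached only if it matches both the 16-bit transaction ID and
the UDP source port of the outstanding query; the model follows the
standard analysis (see RFC 5452) and assumes each forged packet in a
query window carries a distinct guess.
"""
import math


def guess_space(txid_bits: int = 16, port_bits: int = 0) -> int:
    """Number of (TXID, port) combinations an attacker must guess from.

    port_bits is 0 for a resolver with a fixed source port; the usable
    entropy of a randomised port is often below 16 bits because of the
    ephemeral range and NAT, so it is a parameter rather than a constant.
    """
    return 2 ** (txid_bits + port_bits)


def poison_probability(space: int, forged_per_window: int, windows: int) -> float:
    """Probability that at least one window is poisoned.

    Each Kaminsky-style window (one query for a fresh random name)
    succeeds with probability forged/space; windows are independent.
    """
    per_window = min(forged_per_window / space, 1.0)
    return 1.0 - (1.0 - per_window) ** windows


def windows_needed(space: int, forged_per_window: int, target: float = 0.5) -> int:
    """Rounds of queries until the success probability reaches target."""
    per_window = min(forged_per_window / space, 1.0)
    if per_window >= 1.0:
        return 1
    return math.ceil(math.log(1.0 - target) / math.log(1.0 - per_window))


if __name__ == "__main__":
    for label, bits in (("TXID only", 0), ("TXID + 16-bit SPR", 16)):
        space = guess_space(port_bits=bits)
        print(f"{label:18s} space={space:>11d} "
              f"P(1 window, 100 forged)={poison_probability(space, 100, 1):.2e} "
              f"windows to 50%={windows_needed(space, 100):,}")
```

The gap between the two rows is what SPR buys; the fact that the second row is still finite is the "bots and bandwidth" point.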

Reg reader Adam P was so inflamed with the ZDNet interview ("a hilarious FUDdy article, belittling open source as one would a small child trying to build a castle") that he was prompted to have a look around Nominum's web infrastructure, discovering to his "delight" that its web site ran on Apache, the well known open source web server package. Apache is hugely popular, but given Nominum's strident criticism of open source as applied to DNS, it's perhaps a little surprising to find it using a technology derived from open source elsewhere in its own infrastructure.

Tumuluri responded to queries about its web server running Apache by saying Nominum's server is hosted and, besides, Nominum isn't against open source per se, just its application to DNS.

Nominum’s web server, like most businesses', is hosted. As indicated in the trace, the hosting vendor relies on Apache. Nominum is not against open source. Our stance is that business critical networks benefit from commercial DNS solutions as this function is central to the network.

Adam P further suggested that nmap identified Nominum's name server as running off BIND (Berkeley Internet Name Domain), the most commonly used DNS server on the net, and one that's based on an open source licence.

Our correspondent further charged that Nominum's commercial Authoritative Name Server (ANS) software was built from a fork off "freeware" DNS software.

Not so, Nominum's Tumuluri replied.

Firstly, "nmap" can provide ambiguous results because fingerprinting has limitations and it can be difficult to characterize some applications. Secondly, your premise about the "source" of our software above is incorrect, ANS (or for that matter any Nominum DNS product) was not produced off a fork of BIND. Nominum does not rely on any BIND code in our caching and authoritative server implementations. Both were built in their entirety by Nominum engineers.

Finally, Nominum may from time to time use BIND in its environment for comparative purposes.

Other DNS experts, who wished to remain anonymous, told El Reg that Nominum's name servers have all been recently fingerprinted as running Nominum ANS, not BIND.

However, the accusations that Nominum owes a debt to BIND are not so easily dismissed. Nominum's own web site plants its roots firmly in open source, as an extract from a September 2004 press release on a customer win with NTL demonstrates.

Nominum was founded in 1999 to develop BIND 9 and a new version of open source DHCP, under contract to the Internet Systems Consortium (ISC), and to provide commercial-grade support for these open source implementations.

"Guess they've turned their backs on that heritage," one DNS expert told El Reg.

The relationship between commercial security software developers and open source need not be so antagonistic. For example, Sourcefire develops network security technology based on Snort, an open-source intrusion detection engine. Sourcefire was founded by Martin Roesch, the creator of Snort, and maintains amicable ties with that community.

Nominum was founded by Dr Paul Mockapetris, the inventor of DNS. Nominum's attack on the security of freeware DNS means friendly ties with the comparable open source DNS community will take a long time to restore, if ever. ®
