Feeds

Nominum on the back foot over open source attacks

DNS name-calling spat simmers on

High performance access to file storage

Commercial DNS software firm Nominum has responded to the backlash against its criticism of open source alternatives.

During interviews promoting its recently launched cloud-based DNS (Domain Name System) service, SKYE, Nominum slammed open source and freeware DNS packages as a recipe for security problems. During a question and answer session with ZDNet, for example, Jon Shalowitz, Skye general manager, was particularly strident in his criticism.

"Freeware legacy DNS is the internet's dirty little secret... Freeware is not akin to malware, but is opening up those [ISP] customers to problems," Shalowitz said.

The DNS community cried foul over this line of attack. Critics (here and here) were quick to point out that Nominum was one of the vendors affected by last year's DNS cache poisoning problem, while PowerDNS, MaraDNS and DJBDNS (all open source) were not. The cache poisoning problem, discovered by security researcher Dan Kaminsky, opened the door to web site impersonation and email interception attacks against organisations that relied on vulnerable DNS installations.

US-CERT's original advisory on the Kaminsky vulnerability backs up this criticism.

After repeated requests for a response to the cache poisoning barb (and a missed interview appointment), Nominum finally responded with a statement from Gopala Tumuluri, Nominum's VP of Marketing & Business Development. He disputes whether open source implementations were truly immune to the Kaminsky vulnerability. Tumuluri goes on to suggest that the DNS port randomisation changes Nominum implemented added a bolt to door that was already locked.

It is not accurate to state that servers that implement UDP Source Port Randomization (SPR) are not vulnerable to Kaminsky’s exploit or similar attacks. They are, and the entire industry is aware of it. UDP SPR only provides brute force probabilistic defences which bots and bandwidth can defeat.

Nominum has long had additional defences to defeat cache poisoning exploits like the one Kaminsky discovered. Prior to Kaminsky, Nominum had elected not to implement UDP SPR (a well known approach) because our servers relied on more effective protections at that time.

In light of Kaminsky, Nominum participated in the industry consensus and added UDP SPR to the many unique protections previously available and since have added other unique defences.

Reg reader Adam P was so inflamed with the ZDNet interview ("a hilarious FUDdy article, belittling open source as one would a small child trying to build a castle") that he was prompted to have a look around Nominum's web infrastructure, discovering to his "delight" that its web site ran on Apache, the well known open source web server package. Apache is hugely popular, but given Nominum's strident criticism of open source as applied to DNS, it's perhaps a little surprising to find it using a technology derived from open source elsewhere in its own infrastructure.

Tumuluri responded to queries about its web server running Apache by saying Nominum's server is hosted and, besides, Nominum isn't against open source per se, just its application to DNS.

Nominum’s web server, like most businesses', is hosted. As indicated in the trace, the hosting vendor relies on Apache. Nominum is not against open source. Our stance is that business critical networks benefit from commercial DNS solutions as this function is central to the network.

Adam P further suggested that nmap identified Nominum's name server as running off BIND (Berkeley Internet Name Domain) the most commonly used DNS server on the net, and one that's based on an open source licence.

Our correspondent further charged that Nominum's commercial Authoritative Name Server (ANS) software was built from a fork off "freeware" DNS software.

Not so, Nominum's Tumuluri replied.

Firstly, "nmap" can provide ambiguous results because fingerprinting has limitations and it can be difficult to characterize some applications. Secondly, your premise about the "source" of our software above is incorrect, ANS (or for that matter any Nominum DNS product) was not produced off a fork of BIND. Nominum does not rely on any BIND code in our caching and authoritative server implementations. Both were built in their entirety by Nominum engineers.

Finally, Nominum may from time to time use BIND in its environment for comparative purposes.

Other DNS experts, who wished to remain anonymous, told El Reg that Nominum's names servers have all been recently fingerprinted as running Nominum ANS, not BIND.

However the accusations that Nominum owes a debt to BIND are not so easily dismissed. Nominum's own web site plants its roots firmly in open source, as an extract for a September 2004 press release on a customer win with NTL demonstrates.

Nominum was founded in 1999 to develop BIND 9 and a new version of open source DHCP, under contract to the Internet Systems Consortium (ISC), and to provide commercial-grade support for these open source implementations.

"Guess they've turned their backs on that heritage," one DNS expert told El Reg.

The relationship between commercial security software developers and open source need not be so antagonistic. For example, Sourcefire develops network security technology based on Snort, an open-source intrusion detection engine. Sourcefire was founded by Martin Roesch, the creator of Snort, and maintains amicable ties with that community.

Nominum, was founded by Dr Paul Mockapetris, the inventor of DNS. Nominum's freeware DNS security attack means friendly ties with the comparable open source DNS community will take a long time to restore, if ever. ®

High performance access to file storage

More from The Register

next story
Android engineer: We DIDN'T copy Apple OR follow Samsung's orders
Veep testifies for Samsung during Apple patent trial
This time it's 'Personal': new Office 365 sub covers just two devices
Redmond also brings Office into Google's back yard
Windows 8.1, which you probably haven't upgraded to yet, ALREADY OBSOLETE
Pre-Update versions of new Windows version will no longer support patches
Microsoft lobs pre-release Windows Phone 8.1 at devs who dare
App makers can load it before anyone else, but if they do they're stuck with it
Batten down the hatches, Ubuntu 14.04 LTS due in TWO DAYS
Admins dab straining server brows in advance of Trusty Tahr's long-term support landing
Half of Twitter's 'active users' are SILENT STALKERS
Nearly 50% have NEVER tweeted a word
Windows XP still has 27 per cent market share on its deathbed
Windows 7 making some gains on XP Death Day
Internet-of-stuff startup dumps NoSQL for ... SQL?
NoSQL taste great at first but lacks proper nutrients, says startup cloud whiz
Microsoft TIER SMEAR changes app prices whether devs ask or not
Some go up, some go down, Redmond goes silent
prev story

Whitepapers

Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
HP ArcSight ESM solution helps Finansbank
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Mobile application security study
Download this report to see the alarming realities regarding the sheer number of applications vulnerable to attack, as well as the most common and easily addressable vulnerability errors.