Feeds

Nominum on the back foot over open source attacks

DNS name-calling spat simmers on

Providing a secure and efficient Helpdesk

Commercial DNS software firm Nominum has responded to the backlash against its criticism of open source alternatives.

During interviews promoting its recently launched cloud-based DNS (Domain Name System) service, SKYE, Nominum slammed open source and freeware DNS packages as a recipe for security problems. During a question and answer session with ZDNet, for example, Jon Shalowitz, Skye general manager, was particularly strident in his criticism.

"Freeware legacy DNS is the internet's dirty little secret... Freeware is not akin to malware, but is opening up those [ISP] customers to problems," Shalowitz said.

The DNS community cried foul over this line of attack. Critics (here and here) were quick to point out that Nominum was one of the vendors affected by last year's DNS cache poisoning problem, while PowerDNS, MaraDNS and DJBDNS (all open source) were not. The cache poisoning problem, discovered by security researcher Dan Kaminsky, opened the door to web site impersonation and email interception attacks against organisations that relied on vulnerable DNS installations.

US-CERT's original advisory on the Kaminsky vulnerability backs up this criticism.

After repeated requests for a response to the cache poisoning barb (and a missed interview appointment), Nominum finally responded with a statement from Gopala Tumuluri, Nominum's VP of Marketing & Business Development. He disputes whether open source implementations were truly immune to the Kaminsky vulnerability. Tumuluri goes on to suggest that the DNS port randomisation changes Nominum implemented added a bolt to door that was already locked.

It is not accurate to state that servers that implement UDP Source Port Randomization (SPR) are not vulnerable to Kaminsky’s exploit or similar attacks. They are, and the entire industry is aware of it. UDP SPR only provides brute force probabilistic defences which bots and bandwidth can defeat.

Nominum has long had additional defences to defeat cache poisoning exploits like the one Kaminsky discovered. Prior to Kaminsky, Nominum had elected not to implement UDP SPR (a well known approach) because our servers relied on more effective protections at that time.

In light of Kaminsky, Nominum participated in the industry consensus and added UDP SPR to the many unique protections previously available and since have added other unique defences.

Reg reader Adam P was so inflamed with the ZDNet interview ("a hilarious FUDdy article, belittling open source as one would a small child trying to build a castle") that he was prompted to have a look around Nominum's web infrastructure, discovering to his "delight" that its web site ran on Apache, the well known open source web server package. Apache is hugely popular, but given Nominum's strident criticism of open source as applied to DNS, it's perhaps a little surprising to find it using a technology derived from open source elsewhere in its own infrastructure.

Tumuluri responded to queries about its web server running Apache by saying Nominum's server is hosted and, besides, Nominum isn't against open source per se, just its application to DNS.

Nominum’s web server, like most businesses', is hosted. As indicated in the trace, the hosting vendor relies on Apache. Nominum is not against open source. Our stance is that business critical networks benefit from commercial DNS solutions as this function is central to the network.

Adam P further suggested that nmap identified Nominum's name server as running off BIND (Berkeley Internet Name Domain) the most commonly used DNS server on the net, and one that's based on an open source licence.

Our correspondent further charged that Nominum's commercial Authoritative Name Server (ANS) software was built from a fork off "freeware" DNS software.

Not so, Nominum's Tumuluri replied.

Firstly, "nmap" can provide ambiguous results because fingerprinting has limitations and it can be difficult to characterize some applications. Secondly, your premise about the "source" of our software above is incorrect, ANS (or for that matter any Nominum DNS product) was not produced off a fork of BIND. Nominum does not rely on any BIND code in our caching and authoritative server implementations. Both were built in their entirety by Nominum engineers.

Finally, Nominum may from time to time use BIND in its environment for comparative purposes.

Other DNS experts, who wished to remain anonymous, told El Reg that Nominum's names servers have all been recently fingerprinted as running Nominum ANS, not BIND.

However the accusations that Nominum owes a debt to BIND are not so easily dismissed. Nominum's own web site plants its roots firmly in open source, as an extract for a September 2004 press release on a customer win with NTL demonstrates.

Nominum was founded in 1999 to develop BIND 9 and a new version of open source DHCP, under contract to the Internet Systems Consortium (ISC), and to provide commercial-grade support for these open source implementations.

"Guess they've turned their backs on that heritage," one DNS expert told El Reg.

The relationship between commercial security software developers and open source need not be so antagonistic. For example, Sourcefire develops network security technology based on Snort, an open-source intrusion detection engine. Sourcefire was founded by Martin Roesch, the creator of Snort, and maintains amicable ties with that community.

Nominum, was founded by Dr Paul Mockapetris, the inventor of DNS. Nominum's freeware DNS security attack means friendly ties with the comparable open source DNS community will take a long time to restore, if ever. ®

Internet Security Threat Report 2014

More from The Register

next story
Microsoft WINDOWS 10: Seven ATE Nine. Or Eight did really
Windows NEIN skipped, tech preview due out on Wednesday
Business is back, baby! Hasta la VISTA, Win 8... Oh, yeah, Windows 9
Forget touchscreen millennials, Microsoft goes for mouse crowd
Apple: SO sorry for the iOS 8.0.1 UPDATE BUNGLE HORROR
Apple kills 'upgrade'. Hey, Microsoft. You sure you want to be like these guys?
ARM gives Internet of Things a piece of its mind – the Cortex-M7
32-bit core packs some DSP for VIP IoT CPU LOL
Microsoft on the Threshold of a new name for Windows next week
Rebranded OS reportedly set to be flung open by Redmond
Lotus Notes inventor Ozzie invents app to talk to people on your phone
Imagine that. Startup floats with voice collab app for Win iPhone
'Google is NOT the gatekeeper to the web, as some claim'
Plus: 'Pretty sure iOS 8.0.2 will just turn the iPhone into a fax machine'
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
The next step in data security
With recent increased privacy concerns and computers becoming more powerful, the chance of hackers being able to crack smaller-sized RSA keys increases.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.