Nominum on the back foot over open source attacks

DNS name-calling spat simmers on

Commercial DNS software firm Nominum has responded to the backlash against its criticism of open source alternatives.

During interviews promoting its recently launched cloud-based DNS (Domain Name System) service, SKYE, Nominum slammed open source and freeware DNS packages as a recipe for security problems. During a question and answer session with ZDNet, for example, Jon Shalowitz, Skye general manager, was particularly strident in his criticism.

"Freeware legacy DNS is the internet's dirty little secret... Freeware is not akin to malware, but is opening up those [ISP] customers to problems," Shalowitz said.

The DNS community cried foul over this line of attack. Critics were quick to point out that Nominum was one of the vendors affected by last year's DNS cache poisoning problem, while PowerDNS, MaraDNS and DJBDNS (all open source) were not. The cache poisoning problem, discovered by security researcher Dan Kaminsky, opened the door to web site impersonation and email interception attacks against organisations that relied on vulnerable DNS installations.

US-CERT's original advisory on the Kaminsky vulnerability backs up this criticism.

After repeated requests for a response to the cache poisoning barb (and a missed interview appointment), Nominum finally responded with a statement from Gopala Tumuluri, Nominum's VP of Marketing & Business Development. He disputes whether open source implementations were truly immune to the Kaminsky vulnerability. Tumuluri goes on to suggest that the DNS port randomisation changes Nominum implemented added a bolt to a door that was already locked.

It is not accurate to state that servers that implement UDP Source Port Randomization (SPR) are not vulnerable to Kaminsky’s exploit or similar attacks. They are, and the entire industry is aware of it. UDP SPR only provides brute force probabilistic defences which bots and bandwidth can defeat.

Nominum has long had additional defences to defeat cache poisoning exploits like the one Kaminsky discovered. Prior to Kaminsky, Nominum had elected not to implement UDP SPR (a well known approach) because our servers relied on more effective protections at that time.

In light of Kaminsky, Nominum participated in the industry consensus and added UDP SPR to the many unique protections previously available and since have added other unique defences.
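As an added illustration (not part of the article or of Nominum's statement) of the point that source port randomisation is a probabilistic rather than absolute defence, the following Python estimates how much larger the guess space for a blind forged reply becomes once the source port is randomised alongside the 16-bit transaction ID. The size of the usable port range is an assumption, not a figure from the page.

```python
"""Added example: quantify the entropy a blind DNS cache-poisoning forgery has
to match, with and without UDP source port randomisation (SPR).
Constructed assumption: the resolver randomises over roughly 64 000 ephemeral
ports; the real range depends on the resolver and operating system."""
import math

TXID_BITS = 16            # DNS transaction ID is a 16-bit header field
ASSUMED_PORTS = 64_000    # constructed assumption, see module docstring


def guess_space(spr: bool, ports: int = ASSUMED_PORTS) -> int:
    """How many (TXID, source port) pairs a blind spoofer must pick from.
    Without SPR only the 16-bit TXID has to be matched."""
    return (1 << TXID_BITS) * (ports if spr else 1)


def entropy_bits(spr: bool, ports: int = ASSUMED_PORTS) -> float:
    """Effective entropy, in bits, that a forged reply has to match."""
    return math.log2(guess_space(spr, ports))


def round_success_probability(forged_replies: int, spr: bool,
                              ports: int = ASSUMED_PORTS) -> float:
    """P(at least one of `forged_replies` random guesses matches) for one
    outstanding query, treating guesses as independent draws with replacement."""
    space = guess_space(spr, ports)
    return 1.0 - (1.0 - 1.0 / space) ** forged_replies


def expected_rounds(forged_replies: int, spr: bool,
                    ports: int = ASSUMED_PORTS) -> float:
    """Expected number of query rounds before the first matching forgery.
    A round is one outstanding query that the spoofer races with a burst."""
    return 1.0 / round_success_probability(forged_replies, spr, ports)


def compare(forged_replies: int) -> dict:
    """Side-by-side view of TXID-only versus TXID+SPR for a given burst size.
    The ratio of the two 'rounds' values is the factor by which SPR raises
    the cost; it is large but finite, which is the article's point."""
    return {
        "txid_only": {"bits": entropy_bits(False),
                      "rounds": expected_rounds(forged_replies, False)},
        "txid_plus_spr": {"bits": entropy_bits(True),
                          "rounds": expected_rounds(forged_replies, True)},
    }


if __name__ == "__main__":
    for label, r in compare(1_000).items():
        print(f"{label:>14}: {r['bits']:.1f} bits, ~{r['rounds']:,.0f} rounds")
```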

Reg reader Adam P was so inflamed with the ZDNet interview ("a hilarious FUDdy article, belittling open source as one would a small child trying to build a castle") that he was prompted to have a look around Nominum's web infrastructure, discovering to his "delight" that its web site ran on Apache, the well known open source web server package. Apache is hugely popular, but given Nominum's strident criticism of open source as applied to DNS, it's perhaps a little surprising to find it using a technology derived from open source elsewhere in its own infrastructure.

Tumuluri responded to queries about Nominum's web server running Apache by saying that the server is hosted and, besides, Nominum isn't against open source per se, just its application to DNS.

Nominum’s web server, like most businesses', is hosted. As indicated in the trace, the hosting vendor relies on Apache. Nominum is not against open source. Our stance is that business critical networks benefit from commercial DNS solutions as this function is central to the network.

Adam P further suggested that nmap identified Nominum's name server as running off BIND (Berkeley Internet Name Domain), the most commonly used DNS server on the net, and one that's based on an open source licence.

Our correspondent further charged that Nominum's commercial Authoritative Name Server (ANS) software was built from a fork off "freeware" DNS software.

Not so, Nominum's Tumuluri replied.

Firstly, "nmap" can provide ambiguous results because fingerprinting has limitations and it can be difficult to characterize some applications. Secondly, your premise about the "source" of our software above is incorrect, ANS (or for that matter any Nominum DNS product) was not produced off a fork of BIND. Nominum does not rely on any BIND code in our caching and authoritative server implementations. Both were built in their entirety by Nominum engineers.

Finally, Nominum may from time to time use BIND in its environment for comparative purposes.

Other DNS experts, who wished to remain anonymous, told El Reg that Nominum's name servers have all been recently fingerprinted as running Nominum ANS, not BIND.

However, the accusations that Nominum owes a debt to BIND are not so easily dismissed. Nominum's own web site plants its roots firmly in open source, as an extract from a September 2004 press release on a customer win with NTL demonstrates.

Nominum was founded in 1999 to develop BIND 9 and a new version of open source DHCP, under contract to the Internet Systems Consortium (ISC), and to provide commercial-grade support for these open source implementations.

"Guess they've turned their backs on that heritage," one DNS expert told El Reg.

The relationship between commercial security software developers and open source need not be so antagonistic. For example, Sourcefire develops network security technology based on Snort, an open-source intrusion detection engine. Sourcefire was founded by Martin Roesch, the creator of Snort, and maintains amicable ties with that community.

Nominum was founded by Dr Paul Mockapetris, the inventor of DNS. Nominum's attack on freeware DNS security means friendly ties with the comparable open source DNS community will take a long time to restore, if ever. ®
