Feeds

Nominum on the back foot over open source attacks

DNS name-calling spat simmers on

Build a business case: developing custom apps

Commercial DNS software firm Nominum has responded to the backlash against its criticism of open source alternatives.

During interviews promoting its recently launched cloud-based DNS (Domain Name System) service, SKYE, Nominum slammed open source and freeware DNS packages as a recipe for security problems. During a question and answer session with ZDNet, for example, Jon Shalowitz, Skye general manager, was particularly strident in his criticism.

"Freeware legacy DNS is the internet's dirty little secret... Freeware is not akin to malware, but is opening up those [ISP] customers to problems," Shalowitz said.

The DNS community cried foul over this line of attack. Critics (here and here) were quick to point out that Nominum was one of the vendors affected by last year's DNS cache poisoning problem, while PowerDNS, MaraDNS and DJBDNS (all open source) were not. The cache poisoning problem, discovered by security researcher Dan Kaminsky, opened the door to web site impersonation and email interception attacks against organisations that relied on vulnerable DNS installations.

US-CERT's original advisory on the Kaminsky vulnerability backs up this criticism.

After repeated requests for a response to the cache poisoning barb (and a missed interview appointment), Nominum finally responded with a statement from Gopala Tumuluri, Nominum's VP of Marketing & Business Development. He disputes whether open source implementations were truly immune to the Kaminsky vulnerability. Tumuluri goes on to suggest that the DNS port randomisation changes Nominum implemented added a bolt to door that was already locked.

It is not accurate to state that servers that implement UDP Source Port Randomization (SPR) are not vulnerable to Kaminsky’s exploit or similar attacks. They are, and the entire industry is aware of it. UDP SPR only provides brute force probabilistic defences which bots and bandwidth can defeat.

Nominum has long had additional defences to defeat cache poisoning exploits like the one Kaminsky discovered. Prior to Kaminsky, Nominum had elected not to implement UDP SPR (a well known approach) because our servers relied on more effective protections at that time.

In light of Kaminsky, Nominum participated in the industry consensus and added UDP SPR to the many unique protections previously available and since have added other unique defences.

Reg reader Adam P was so inflamed with the ZDNet interview ("a hilarious FUDdy article, belittling open source as one would a small child trying to build a castle") that he was prompted to have a look around Nominum's web infrastructure, discovering to his "delight" that its web site ran on Apache, the well known open source web server package. Apache is hugely popular, but given Nominum's strident criticism of open source as applied to DNS, it's perhaps a little surprising to find it using a technology derived from open source elsewhere in its own infrastructure.

Tumuluri responded to queries about its web server running Apache by saying Nominum's server is hosted and, besides, Nominum isn't against open source per se, just its application to DNS.

Nominum’s web server, like most businesses', is hosted. As indicated in the trace, the hosting vendor relies on Apache. Nominum is not against open source. Our stance is that business critical networks benefit from commercial DNS solutions as this function is central to the network.

Adam P further suggested that nmap identified Nominum's name server as running off BIND (Berkeley Internet Name Domain) the most commonly used DNS server on the net, and one that's based on an open source licence.

Our correspondent further charged that Nominum's commercial Authoritative Name Server (ANS) software was built from a fork off "freeware" DNS software.

Not so, Nominum's Tumuluri replied.

Firstly, "nmap" can provide ambiguous results because fingerprinting has limitations and it can be difficult to characterize some applications. Secondly, your premise about the "source" of our software above is incorrect, ANS (or for that matter any Nominum DNS product) was not produced off a fork of BIND. Nominum does not rely on any BIND code in our caching and authoritative server implementations. Both were built in their entirety by Nominum engineers.

Finally, Nominum may from time to time use BIND in its environment for comparative purposes.

Other DNS experts, who wished to remain anonymous, told El Reg that Nominum's names servers have all been recently fingerprinted as running Nominum ANS, not BIND.

However the accusations that Nominum owes a debt to BIND are not so easily dismissed. Nominum's own web site plants its roots firmly in open source, as an extract for a September 2004 press release on a customer win with NTL demonstrates.

Nominum was founded in 1999 to develop BIND 9 and a new version of open source DHCP, under contract to the Internet Systems Consortium (ISC), and to provide commercial-grade support for these open source implementations.

"Guess they've turned their backs on that heritage," one DNS expert told El Reg.

The relationship between commercial security software developers and open source need not be so antagonistic. For example, Sourcefire develops network security technology based on Snort, an open-source intrusion detection engine. Sourcefire was founded by Martin Roesch, the creator of Snort, and maintains amicable ties with that community.

Nominum, was founded by Dr Paul Mockapetris, the inventor of DNS. Nominum's freeware DNS security attack means friendly ties with the comparable open source DNS community will take a long time to restore, if ever. ®

Boost IT visibility and business value

More from The Register

next story
Why has the web gone to hell? Market chaos and HUMAN NATURE
Tim Berners-Lee isn't happy, but we should be
Apple promises to lift Curse of the Drained iPhone 5 Battery
Have you tried turning it off and...? Never mind, here's a replacement
Sin COS to tan Windows? Chinese operating system to debut in autumn – report
Development alliance working on desktop, mobe software
Microsoft boots 1,500 dodgy apps from the Windows Store
DEVELOPERS! DEVELOPERS! DEVELOPERS! Naughty, misleading developers!
Eat up Martha! Microsoft slings handwriting recog into OneNote on Android
Freehand input on non-Windows kit for the first time
Linux turns 23 and Linus Torvalds celebrates as only he can
No, not with swearing, but by controlling the release cycle
This is how I set about making a fortune with my own startup
Would you leave your well-paid job to chase your dream?
prev story

Whitepapers

A new approach to endpoint data protection
What is the best way to ensure comprehensive visibility, management, and control of information on both company-owned and employee-owned devices?
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Maximize storage efficiency across the enterprise
The HP StoreOnce backup solution offers highly flexible, centrally managed, and highly efficient data protection for any enterprise.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Next gen security for virtualised datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.