Server platforms Toolkit

Why open-source DNS is 'internet's dirty little secret'

Toby Wolpe ZDNet.co.uk

Published: 22 Sep 2009 14:35 BST

Why open-source DNS is 'internet's dirty little secret'

Internet infrastructure company Nominum launched a set of cloud-based services on Tuesday. Its new hosted Domain Name System division, Skye, is offering DNS caching, an authoritative DNS service, DNS-based navigation assistance and threat-management.

Nominum is targeting these new services at enterprises and tier-two ISPs, the traditional heartland of open-source DNS in the form of Bind, or Berkeley Internet Name Domain software, widely considered to be the most commonly used DNS server on the internet.

ZDNet UK spoke to Jon Shalowitz, Skye general manager, about how Nominum will convince enterprises and smaller ISPs to make the switch from open-source software to proprietary cloud services.

Q: In the announcement for Nominum's new Skye cloud DNS services, you say Skye 'closes a key weakness in the internet'. What is that weakness?
A: Freeware legacy DNS is the internet's dirty little secret — and it's not even little, it's probably a big secret. Because if you think of all the places outside of where Nominum is today — whether it's the majority of enterprise accounts or some of the smaller ISPs — they all have essentially been running freeware up until now.

Given all the nasty things that have happened this year, freeware is a recipe for problems, and it's just going to get worse.

Are you talking about open-source software?
Correct. So, whether it's Eircom in Ireland or a Brazilian ISP that was attacked earlier this year, all of them were using some variant of freeware. Freeware is not akin to malware, but is opening up those customers to problems. So we've seen the majority of the world's top ISPs migrating away from freeware to a solution that is carrier-grade, commercial-grade and secure.

What characterises that open-source, freeware legacy DNS that you think makes it weaker?
Number one is in terms of security controls. If I have a secret way of blocking a hacker from attacking my software, if it's freeware or open source, the hacker can look at the code.

By virtue of something being open source, it has to be open to everybody to look into. I can't keep secrets in there. But if I have a commercial-grade software product, then all of that is closed off, and so things are not visible to the hacker.

By its very nature, something that is freeware or open source [is open]. There are vendors that take a freeware product and make a slight variant of it, but they are never going to be ever able to change every component to lock it down.

Nominum software was written 100 percent from the ground up, and by having software with source code that is not open for everybody to look at, it is inherently more secure.

People's reaction to that may be: 'He would say that, wouldn't he, because he's just trying to sell his product'. How would you answer them?
I would respond to them by saying, just look at the facts over the past six months, at the number of vulnerabilities announced and the number of patches that had to made to Bind and freeware products. And Nominum has not had a single known vulnerability in its software.

It's easy to say you've not had a single vulnerability if you're not widely deployed. But we run over half the internet. We are out in the most challenging, the most heavily trafficked networks in the world.

And you think your cloud products will address this issue?
Yes. In the US when I was growing up, various towns and cities put fluoride in the water. It was the only way to ensure every child was going to get healthy teeth. That's akin to extending the reach of intelligent DNS.

By delivering a cloud model that allows essentially any enterprise or any ISP to have the wherewithal to take advantage of a Nominum solution is like putting fluoride in the water.

You don't have to have a DNS expert internally, and you don't have to have a certain level of customer base to amortise the cost of deploying the software.

When you talk about Skye you refer to the 'network effect'. What does that mean?
The network effect means that Skye is the only cloud DNS service that has as its foundation half the broadband internet already using the same software. Nominum has 170 million broadband households worldwide that already go through our software.

If you use as an example NTT, one of our customers in Asia — we can quickly detect a worm outbreak or a botnet outbreak, because of what we see in the DNS. Then we can use that information to shut down a lot of those communication lines that that command centre, that botnet, may use. We can apply that worldwide across our entire installed base.

But just because something is in the cloud doesn't mean that it's good. What's really in the cloud is what matters.

You really do need to look under the hood and kick the tyres. Maybe it's a Ferrari on the outside, but it could be an Austin Maxi on the inside. The software being run and the network itself are very critical. And that's one point the customer really needs to be wary of.