Why open-source DNS is 'internet's dirty little secret'

Summary: Jon Shalowitz, general manager at Nominum's new Skye cloud-computing division, says legacy open-source DNS software poses a huge problem for the internet

TOPICS: Cloud, Servers

Internet infrastructure company Nominum launched a set of cloud-based services on Tuesday. Its new hosted Domain Name System division, Skye, is offering DNS caching, an authoritative DNS service, DNS-based navigation assistance and threat-management.

Nominum is targeting these new services at enterprises and tier-two ISPs, the traditional heartland of open-source DNS in the form of Bind, or Berkeley Internet Name Domain software, widely considered to be the most commonly used DNS server on the internet.

ZDNet UK spoke to Jon Shalowitz, Skye general manager, about how Nominum will convince enterprises and smaller ISPs to make the switch from open-source software to proprietary cloud services.

Q: In the announcement for Nominum's new Skye cloud DNS services, you say Skye 'closes a key weakness in the internet'. What is that weakness?
A: Freeware legacy DNS is the internet's dirty little secret — and it's not even little, it's probably a big secret. Because if you think of all the places outside of where Nominum is today — whether it's the majority of enterprise accounts or some of the smaller ISPs — they all have essentially been running freeware up until now.

Given all the nasty things that have happened this year, freeware is a recipe for problems, and it's just going to get worse.

Are you talking about open-source software?
Correct. So, whether it's Eircom in Ireland or a Brazilian ISP that was attacked earlier this year, all of them were using some variant of freeware. Freeware is not akin to malware, but is opening up those customers to problems. So we've seen the majority of the world's top ISPs migrating away from freeware to a solution that is carrier-grade, commercial-grade and secure.

What characterises that open-source, freeware legacy DNS that you think makes it weaker?
Number one is in terms of security controls. If I have a secret way of blocking a hacker from attacking my software, if it's freeware or open source, the hacker can look at the code.

By virtue of something being open source, it has to be open to everybody to look into. I can't keep secrets in there. But if I have a commercial-grade software product, then all of that is closed off, and so things are not visible to the hacker.

By its very nature, something that is freeware or open source [is open]. There are vendors that take a freeware product and make a slight variant of it, but they are never going to be able to change every component to lock it down.

Nominum software was written 100 percent from the ground up, and by having software with source code that is not open for everybody to look at, it is inherently more secure.

People's reaction to that may be: 'He would say that, wouldn't he, because he's just trying to sell his product'. How would you answer them?
I would respond to them by saying, just look at the facts over the past six months, at the number of vulnerabilities announced and the number of patches that had to be made to Bind and freeware products. And Nominum has not had a single known vulnerability in its software.

It's easy to say you've not had a single vulnerability if you're not widely deployed. But we run over half the internet. We are out in the most challenging, the most heavily trafficked networks in the world.

And you think your cloud products will address this issue?
Yes. In the US when I was growing up, various towns and cities put fluoride in the water. It was the only way to ensure every child was going to get healthy teeth. That's akin to extending the reach of intelligent DNS.

Delivering a cloud model that allows essentially any enterprise or any ISP to have the wherewithal to take advantage of a Nominum solution is like putting fluoride in the water.

You don't have to have a DNS expert internally, and you don't have to have a certain level of customer base to amortise the cost of deploying the software.

When you talk about Skye you refer to the 'network effect'. What does that mean?
The network effect means that Skye is the only cloud DNS service that has as its foundation half the broadband internet already using the same software. Nominum has 170 million broadband households worldwide that already go through our software.

If you use as an example NTT, one of our customers in Asia — we can quickly detect a worm outbreak or a botnet outbreak, because of what we see in the DNS. Then we can use that information to shut down a lot of those communication lines that that command centre, that botnet, may use. We can apply that worldwide across our entire installed base.

But just because something is in the cloud doesn't mean that it's good. What's really in the cloud is what matters.

You really do need to look under the hood and kick the tyres. Maybe it's a Ferrari on the outside, but it could be an Austin Maxi on the inside. The software being run and the network itself are very critical. And that's one point the customer really needs to be wary of.
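The outbreak detection Shalowitz describes in general terms (spotting botnet activity in resolver query traffic, then cutting off the names the botnet uses) can be sketched as a small triage script. The code below is an added example written for this page, not Nominum's or Skye's software. Everything in it is constructed: the BIND-style query-log lines, the "known C2" list, the random-label heuristic used as a rough DGA indicator, and the sinkhole zone configuration it emits (a `named.conf` fragment pointing each blocked zone at an assumed local zone file).

```python
"""Added example: triage resolver query logs for botnet indicators and
emit a sinkhole configuration. Not vendor code; all inputs constructed."""
import re
from collections import defaultdict

# Constructed sample of BIND-style query-log lines (IPs and names are
# documentation-range placeholders, not real hosts).
SAMPLE_LOG = """\
01-Sep-2009 10:00:01.123 client 192.0.2.10#51324: query: www.example.com IN A + (198.51.100.1)
01-Sep-2009 10:00:01.456 client 192.0.2.10#51325: query: bad-c2.example.net IN A + (198.51.100.1)
01-Sep-2009 10:00:02.001 client 192.0.2.11#40001: query: kjq3hf9a.example.org IN A + (198.51.100.1)
01-Sep-2009 10:00:02.002 client 192.0.2.11#40002: query: zm8r1xc0.example.org IN A + (198.51.100.1)
01-Sep-2009 10:00:02.003 client 192.0.2.11#40003: query: p0q9wlzt.example.org IN A + (198.51.100.1)
01-Sep-2009 10:00:02.004 client 192.0.2.11#40004: query: b71nv5gk.example.org IN A + (198.51.100.1)
01-Sep-2009 10:00:03.000 client 192.0.2.12#53000: query: mail.example.com IN MX + (198.51.100.1)
01-Sep-2009 10:00:03.100 client 192.0.2.12#53001: query: update.bad-c2.example.net IN A + (198.51.100.1)
"""

# Constructed command-and-control list; a real deployment would feed this
# from threat intelligence rather than a hard-coded set.
KNOWN_C2 = {"bad-c2.example.net"}

QUERY_RE = re.compile(
    r"client (?P<ip>[\d.]+)#\d+: query: (?P<name>\S+) IN (?P<qtype>\S+)")


def parse_queries(log_text):
    """Return (client_ip, qname, qtype) for each parsable line; skip the rest."""
    out = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            out.append((m.group("ip"),
                        m.group("name").lower().rstrip("."),
                        m.group("qtype")))
    return out


def matches_c2(qname, c2_domains):
    """Return the C2 entry that qname equals or sits under, else None."""
    for dom in c2_domains:
        if qname == dom or qname.endswith("." + dom):
            return dom
    return None


VOWELS = set("aeiou")


def looks_generated(label):
    """Crude DGA heuristic (an assumption, not a standard): a long label that
    mixes letters and digits and has few vowels."""
    if len(label) < 8 or not label.isalnum():
        return False
    has_digit = any(c.isdigit() for c in label)
    has_alpha = any(c.isalpha() for c in label)
    vowel_ratio = sum(c in VOWELS for c in label) / len(label)
    return has_digit and has_alpha and vowel_ratio < 0.3


def triage(log_text, c2_domains, dga_threshold=3):
    """Flag clients talking to known C2 and clients emitting many
    generated-looking names; return hits, suspects and a block list."""
    c2_hits = []                      # (client, qname, matched C2 entry)
    generated = defaultdict(set)      # client -> generated-looking qnames
    for client, qname, _qtype in parse_queries(log_text):
        hit = matches_c2(qname, c2_domains)
        if hit:
            c2_hits.append((client, qname, hit))
        if looks_generated(qname.split(".")[0]):
            generated[client].add(qname)
    dga_suspects = {c: sorted(n) for c, n in generated.items()
                    if len(n) >= dga_threshold}
    # Only confirmed C2 names are blocked; DGA suspects are for investigation.
    blocklist = sorted({q for _, q, _ in c2_hits})
    return {"c2_hits": c2_hits, "dga_suspects": dga_suspects,
            "blocklist": blocklist}


def collapse_to_zones(names):
    """Drop names that fall under another listed name, so a single sinkhole
    zone covers the whole subtree."""
    names = sorted(set(names))
    return [n for n in names
            if not any(n.endswith("." + k) for k in names if k != n)]


def render_sinkhole_config(zones, zonefile="/etc/bind/db.sinkhole"):
    """named.conf fragment declaring each zone locally so the resolver answers
    from the sinkhole file (assumed path) instead of recursing."""
    return "".join('zone "%s" { type master; file "%s"; };\n' % (z, zonefile)
                   for z in zones)


if __name__ == "__main__":
    result = triage(SAMPLE_LOG, KNOWN_C2)
    print("C2 hits:", result["c2_hits"])
    print("DGA-like clients:", result["dga_suspects"])
    print(render_sinkhole_config(collapse_to_zones(result["blocklist"])))
```

Two design points are worth noting. The script blocks only names that matched a known C2 entry; a client that merely looks like it is running a domain-generation algorithm is reported, not sinkholed, because a cheap lexical heuristic produces false positives on legitimate CDN and tracking hostnames. And the sinkhole configuration is collapsed to the highest matching zone, since declaring the parent zone locally already covers every subdomain.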

  • Oh dear ...

    ... the man's an idiot
  • Uhm...

    "Nominum software was written 100 percent from the ground up, and by having software with source code that is not open for everybody to look at, it is inherently more secure."

    No, nope, nada, not, nye nee
  • Pity...

    So "Nominum has not had a single known vulnerability in its software" - it's a bit of a pity they had to publish http://www.nominum.com/asset_upload_file741_2661.pdf for example.
  • Nope?

    Of course the argument "closed source is better, because the bad guys can't see how we protect our code" is why Microsoft's products (both applications and operating systems) have had such a great history of security and invulnerability.
  • No, he's right (in the end)

    I agree with this idiot - "You really do need to look under the hood and kick the tyres. Maybe it's a Ferrari on the outside, but it could be an Austin Maxi on the inside." That's what's so great about Open Source - you *can* check what's on the inside.
  • The lady is showing her slip :)

    Well caught sir!
  • do people like this actually exist?

    ..... time check ..... 2009?
  • I think

    this guy's degree might be in, um, marketing.

    I feel sorry for the engineers
  • Ridiculous

    Quote: "by having software with source code that is not open for everybody to look at, it is inherently more secure"

    If they do not know that "Security Through Obscurity" is viewed by the security profession as a contradiction in terms then I'd be very worried about relying on anything from this company!
  • yes, well...

    It's a pity in a way that he doesn't even know the difference between Freeware and Open Source. After all, when he doesn't even *appear* to know what it is he's criticising, it's not a good basis for the rest of his disinformation about the software that's been running the Internet ever since its inception.
  • Never had a vulnerability?

    What about "Nominum Software Security Advisory NOM-20080708 8-July-2008"?
  • Substitute the name Microsoft for Nominum...

    and you have a match. We've seen the same thing for 20+ years. How well did that work out?
  • We don't have a problem but......

    I notice that they blame other DNS software, not their own BUT they still put in a fix to eliminate an issue they don't have!

    Attitudes displayed as in his interview almost beg to be "answered" by crackers all over. Have they actually sold enough DNS servers to have any impact on the market? I have never heard of them before.

    If they're publicly traded I wonder how long it will take to kill their stock price?
  • Why is this guy given webspace....

    Oh dear, I don't know where to start.

    Not only is he seemingly deliberately confusing freeware and open source, but this company helped with "original responsibility of developing BIND9". http://en.wikipedia.org/wiki/Nominum

    The poisoning attacks predicted by Dan Kaminsky and DJB are protocol attacks, not individual server vulnerabilities.

    So to summarise, flame a project you were involved with and then present information in an incorrect manner.

  • Not to mention...

    ... one of their own DNS servers is running Bind 9.
  • Nail in the coffin

    Matthew McKenzie makes an excellent demolition job of the points raised in this interview.

    See http://www.bmighty.com/blog/main/archives/2009/09/secrecy_is_a_lo.html

    Jon Shalowitz can't be the most popular bloke around the Nominum office right now.
  • Security through obscurity

    He's just selling his service, nothing more.
    The theory of information security proves that no "closed source" software is more secure than OSS. Both are equally insecure. He does not even understand that he is stepping on his own shoelaces by claiming his commercial software is more secure: having the same risks, he will be forced to spend a lot of resources if (when) his software fails to provide the claimed security.
    Both OSS and commercial software are written by programmers, and no one can claim that a programmer always produces better code when he is paid for it. No one can claim that paid testers perform better than a worldwide crowd of freeware users.
    The good side of commercial SW is that the customer shifts the responsibility to the vendor. Nothing more.
  • Hmmmm...

    Security through obscurity? That's an interesting idea! But then again, isn't that what Microsoft do? And how many hacks do they get.
  • Bingo! You're right.

    "Security through obscurity? That's an interesting idea! But then again, isn't that what Microsoft do?"
    Exactly the same.
  • microsoft

    Microsoft has been initiating DNS and giving freeware out since Bill knew there were flaws. Why do it then? TO MAKE MORE MONEY, that's what it's all about. MONEY. GIVE SOME FREEWARE, IT DON'T WORK, SELL SOMETHING TO REPAIR IT. JOE PUBLIC'S THICK, THEY WON'T KNOW. Ask Bush, he kidded the USofA for 8 years and most of the world. The guy's a f...... genius. WELL, appears so.
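One commenter above makes the point that the cache-poisoning attacks associated with Dan Kaminsky and DJB are protocol attacks rather than bugs in any particular server. The simulation below is an added example written for this page (not code from the article, the commenters, BIND or Nominum) that shows why: a resolver accepts a forged reply whenever it matches the outstanding query's transaction ID and source port, so the attacker's odds depend only on how much entropy those fields carry, not on whether the resolver's source is public. The model is deliberately simplified: one outstanding query at a time, a 16-bit TXID, an assumed randomised port range of 1024-65535, an attacker who already knows the question and guesses port 53, and the placeholder names and addresses are constructed.

```python
"""Added example: a toy model of the DNS spoofing race. Not a real resolver
and not an exploit; it only counts guesses against an entropy space."""
import random

TXID_SPACE = 1 << 16                   # 16-bit DNS transaction ID
EPHEMERAL_PORTS = range(1024, 65536)   # assumed randomised source-port range


def per_packet_probability(port_space):
    """Chance that one random forged reply matches (txid, port)."""
    return 1.0 / (TXID_SPACE * port_space)


def success_probability(packets, port_space):
    """P(at least one of `packets` random forged replies is accepted)
    for a single outstanding query."""
    return 1.0 - (1.0 - per_packet_probability(port_space)) ** packets


def expected_races(packets_per_race, port_space):
    """Mean number of attacker-triggered queries needed to win, given that
    the attacker can start a fresh race with a new random subdomain."""
    return 1.0 / success_probability(packets_per_race, port_space)


class ToyResolver:
    """Minimal cache: a reply is accepted only when (qname, txid, port)
    equal those of the pending query. Nothing here depends on the code
    being secret; the check is the protocol's."""

    def __init__(self, rng, randomize_port, fixed_port=53):
        self.rng = rng
        self.randomize_port = randomize_port
        self.fixed_port = fixed_port
        self.pending = None
        self.cache = {}

    def send_query(self, qname):
        txid = self.rng.randrange(TXID_SPACE)
        port = (self.rng.choice(EPHEMERAL_PORTS) if self.randomize_port
                else self.fixed_port)
        self.pending = (qname, txid, port)

    def receive(self, qname, txid, port, answer):
        if self.pending is not None and (qname, txid, port) == self.pending:
            self.cache[qname] = answer
            self.pending = None
            return True
        return False


def flood(resolver, qname, guessed_port, forged_answer, budget=TXID_SPACE):
    """Attacker races the genuine reply by enumerating TXIDs on one guessed
    port. Returns packets sent before acceptance, or -1 if the budget runs out."""
    for sent, txid in enumerate(range(min(budget, TXID_SPACE)), start=1):
        if resolver.receive(qname, txid, guessed_port, forged_answer):
            return sent
    return -1


def run_race(randomize_port, seed=1):
    """One race against a resolver with a fixed (53) or randomised source
    port; returns (packets_sent, cached_answer_or_None)."""
    qname = "www.example.com"          # constructed
    resolver = ToyResolver(random.Random(seed), randomize_port)
    resolver.send_query(qname)
    sent = flood(resolver, qname, 53, "203.0.113.66")   # forged address
    return sent, resolver.cache.get(qname)


if __name__ == "__main__":
    print("fixed port:     ", run_race(False))
    print("random port:    ", run_race(True))
    print("P(win one race, 65536 packets, fixed port):",
          round(success_probability(TXID_SPACE, 1), 3))
    print("expected races with ~64k ports:",
          round(expected_races(TXID_SPACE, len(EPHEMERAL_PORTS))))
```

With a fixed source port the attacker who can push 65536 forged packets past the real reply wins every race, and the Kaminsky observation that each query for a fresh random subdomain is a new race means a single success is enough. Randomising the port multiplies the guess space by roughly 64000, which is what the 2008 coordinated patches to BIND and other resolvers did; the fix works identically for open and closed implementations because it changes the odds, not the secrecy of the code.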