February 26, 2007

Partying Like It’s 1999

Filed under: Uncategorized — Juha @ 7:46 pm

Today, Infoblox announced a new hardware appliance platform – the Infoblox 2000 – which they claim to be the best performing DNS platform there is. With its name and a price tag of just under $50k per server, it seems like Infoblox is reliving the turn of the millennium.

While resolving 75,000 requests per second may sound kind of cool on a superficial level, it’s actually not quite that impressive once you start calculating the price-performance ratio. Mind you, when it comes to DNS, you don’t do anything with a single server as you have to build up the redundancy, so you’d have to buy at least two of these $50k beasts.

As virtualization gains ground, anyone can buy three or four servers equivalent to HP ProLiant DL580 and run VMware’s ESX Server and VMigrate on them. This creates a highly available, virtualized DNS server platform capable of resolving 100,000+ requests per second at a fraction of the cost. Better yet, with three or four VMware ESX servers running in a load-balancing mode, you don’t have to worry about potential server failure – there’s still plenty of redundancy left even if one physical server fails.

At Nixu Software, we have been working with a couple of Telco and Enterprise customers on a new 2nd Generation DNS High-Availability Concept which we’ll be publishing in a new White Paper within the next few weeks. These implementations are based on the powerful yet inexpensive combination of standard x86 servers, VMware’s virtualization technology, and Nixu Software’s DNS software appliances.

Stay tuned for more.

As for our little “Make Life Difficult for Blackhat Hackers” campaign, we’ve been happy to notice that we’ve been able to sustain the great momentum we built up last week. Since my latest update last Thursday, we’ve had more than 4,500 new readers at this blog, setting our tally at 12,500 readers since kicking off this campaign a little over two weeks ago. Many thanks to everyone participating in our grassroots movement – let’s make DNS safe together! :-)

February 22, 2007

Fish or Fowl – The Open Source Oddity

Filed under: Uncategorized — Juha @ 8:59 pm

As it happened, we were contacted by IDC with regard to their upcoming market study on the global DNS and IP address management market space. They have identified two vendor categories in our field and to fit into this framework, we would now have to decide whether Nixu Software is a software vendor or an appliance vendor. Let me tell you, that’s not the easiest task in the world.

You see, Nixu Software is a software appliance company so we’re neither a fish nor a fowl. This isn’t because we wanted to become a disruptive market force, but simply because self-installing software appliances based on open source software offer significantly better value to end-users than (traditional) software or hardware appliances. As we didn’t have to develop everything in-house, we were able to speed up the product development process as well as to develop our products with a smaller team of developers.

This is also why we can sell Nixu SNS subscriptions at $495 / server / year – we’ve simply passed on the savings we’ve realized using open source software modules to our customers. For more info on our approach, please have a look at my earlier post titled “YouTube, Open Source Software, and DNS”.

As an update to our “Make Life Difficult for Blackhat Hackers” campaign, the number of visits at this blog has exploded since the post I made on Monday: we’ve now had more than 4,700 new readers during the last three days. While this sets our total to around 7,700 after kicking off our little campaign just two weeks ago, I’m sure there are still networking pros out there who are not aware of the rather serious DNS security threats out there. You know what to do to change this! :-)

February 19, 2007

Over-capacity: The Best DNS Protection?

Filed under: Uncategorized — Juha @ 9:21 pm

Last Friday, InfoWorld published an interesting article by Roger A. Grimes on the recent DDoS attack aimed at the DNS root. As VeriSign hosts 10 of the 13 root servers, Roger took up this incident with VeriSign’s Chief Security Officer, Ken Silva. There were two points in this piece that I found particularly interesting.

First, according to Ken Silva, VeriSign’s biggest protection against DDoS attacks right now is over-capacity.

Second, VeriSign and Ken Silva are expecting 200 billion DNS requests per day by 2010. That’s a pretty high number considering that the figure today is only 26 billion requests per day – in other words, the number of requests is expected to increase by nearly 700% in just three years.

While VeriSign has decided to spend $100 million over the next three years to address this problem, I doubt most organizations are willing to go quite that far to protect themselves. And so, the next logical question is whether there are affordable solutions around that would allow organizations to protect their DNS against the network security threats AND allow them to cope with the increasing amount of DNS requests. Well, I’m happy to tell you that there is.

Nixu SNS implements Nixu Software’s patent-pending method for securing DNS servers against common network security threats. Our method doesn’t rely on building DNS over-capacity (a passive security measure); rather, we have based Nixu SNS on an alternate approach that takes a proactive stand (active security measures) against DoS attackers and other security threats. Better yet, when installed on an inexpensive x86 server such as the HP ProLiant DL320, Nixu SNS is capable of answering approx. 17,000 legitimate requests per second. With a higher-spec DL580, we’ve been able to resolve up to 33,500 queries per second.

Now, we think that’s pretty impressive considering that Nixu SNS is sold as annual subscriptions at $495 / server / year including maintenance & support. Add in the cost of a HP ProLiant server, and the investment required for a secure, high-performance DNS server starts from around $1,500.00. If you’d like to give it a go, we offer free 30-day evaluations for anyone interested.

As for our “Make Life Difficult for Blackhat Hackers” campaign, we’ve now had a tad under 3,000 visitors in about 1.5 weeks. In other words, it’s beginning to seem like we’re gaining some traction with this campaign. However, as I’m sure there is still a large number of networking professionals out there not aware of the immediate DNS security problems, I still urge everyone to tell their friends and colleagues about this blog. Let’s make 2007 the year of DNS security!

P.S. Happy New Year to all our Chinese readers!

February 15, 2007

Fedora Legacy Project Shutdown

Filed under: Uncategorized — Juha @ 7:58 pm

As some of you may already know, the Fedora Legacy Project has been shut down as of February 9, 2007. As there’s a huge number of Fedora Linux boxes out there running BIND, this is most certainly something the networking community should address going forward. Organizations that continue running public DNS servers on the Fedora Linux platform do not merely put their own service at risk, but rather the whole networking community.

While it’s sad to say goodbye to the good old Fedora Linux, in fairness we were not that surprised by this turn of events. After all, it seems like more and more organizations are moving from plain open source software (e.g. Fedora Linux, BIND) to open source software supported by a commercial entity (e.g. Red Hat Enterprise Linux, Nixu SNS). Much of this is related to new legal requirements such as SOX, where in order to comply, organizations cannot continue running a piece of software for which no one assumes responsibility. I’ve written more about this in my previous post titled “Is Your DNS Insured?”.

Regarding my previous blog entry “Make Life Difficult for Blackhat Hackers” and the statistics we’ve been collecting, it now seems we’ve been able to spread the word to about 1,900 network professionals out there. Considering that I made my plea six days ago, that’s a pretty good number. But on the other hand, considering that 176,000 DNS servers participated in an orchestrated DDoS attack without any conscious involvement by their admins, simply because the servers were misconfigured, I still think we have some serious ground to cover.

And so again, I urge you to spread the word. Fedora Linux DNS servers are OUT. Configuring DNS servers to accept recursive queries ONLY from clients within trusted domain(s) is IN.

February 12, 2007

Update on Recent DDoS Attack

Filed under: Uncategorized — Juha @ 8:03 pm

According to information Nixu Software has received, the recent DDoS attack involved 176,000 name servers worldwide. Most DNS servers used in the DDoS attack were misconfigured to accept recursive queries from clients that were not local. Please configure your DNS servers so that they only provide DNS services to machines within trusted domains.
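One way to apply the recommendation above (and the same advice in the February 15 post) on a BIND 9 server, shown here as an added illustration that is not from this blog, Nixu SNS or ISC; the address ranges, the zone name and the secondary server address are placeholders:

```conf
// Two alternative named.conf fragments (use one or the other, not both).
// Constructed example; all addresses and names are placeholders.

// --- Weak (open resolver): recursion is on and no ACL restricts it,
// --- so any host on the Internet can make this server recurse for it.
options {
    directory "/var/named";
    recursion yes;
};

// --- Corrected: recursion only for clients in trusted networks.
acl "trusted" {
    127.0.0.1;
    ::1;
    192.0.2.0/24;      // placeholder: corporate LAN
    2001:db8::/32;     // placeholder: corporate IPv6 prefix
};

options {
    directory "/var/named";
    recursion yes;
    allow-recursion { trusted; };     // refuse recursive lookups from elsewhere
    allow-query-cache { trusted; };   // do not hand cached answers to outsiders (BIND 9.4+)
    allow-query { any; };             // authoritative data stays publicly answerable
};

// Zones the server is authoritative for are still served to everyone.
zone "example.com" {
    type master;
    file "db.example.com";
    allow-transfer { 192.0.2.53; };   // placeholder: the secondary name server only
};
```

After reloading, `named-checkconf` validates the syntax, and a `dig` for a name you are not authoritative for, sent from an address outside the ACL, should no longer come back with a recursive answer.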

Advertisement:
If you do not feel comfortable with managing plain BIND manually, please download Nixu SNS. It has been designed for simple DNS protection and installs seamlessly on any clean x86 server or virtual servers such as VMware, Xen and Parallels.

As an update to the post I made on Friday (Make Life Difficult for Blackhat Hackers), a little over 1,000 readers have now read that post. Considering that we’ve only had one full business day after posting the entry, I think we’ve done a pretty good job. However, as we’re talking about 176,000 misconfigured DNS servers that have been exploited in a DDoS attack, we still have some ground to cover before the networking community has been made aware of this security threat.

So again, please tell your colleagues and friends about this DNS vulnerability. Most admins whose DNS servers have been exploited do not even know about that!

February 9, 2007

Make Life Difficult for Blackhat Hackers

Filed under: Uncategorized — Juha @ 3:20 pm

February issue of CSO Magazine had a good article on DNS security, “DNS: Definitely Not Safe?”. I very much urge you all to read it as it was a well written, compact information package full of good insight.

As my frequent readers will notice, the insights in CSO’s article are very similar to those that I have been discussing in my posts for about four months now. By and large, there are three simple steps one can take to make sure that one’s DNS servers are secure:

  1. Run your DNS server in a dedicated server without any additional services (virtual or hardware server)
  2. Make sure the software you run on that server is always up-to-date and patched up to eliminate vulnerabilities
  3. Configure your DNS server appropriately

This blog contains a lot of info on these topics so if you’re interested in further information and tools related to these items, please go through the earlier posts. But now, let’s cut to the chase.

While DNS security really isn’t rocket science, it seems that organizations are not taking DNS security seriously enough. This makes life way too easy for Blackhat Hackers who lurk in the dark and prey on the vulnerable. I think it’s about time we put an end to this together and make life more difficult for the Blackhats and the Blackhat wannabes out there. Here’s how.

The Reader Community around this blog consists of tens of thousands of networking professionals around the world, and I would imagine that most of you share my concerns on DNS security. If we all passed on the word to our colleagues and friends within the networking community, we could quickly make hundreds of thousands or even millions of professionals aware of this security threat.

And so, I plead with you: if you think DNS security is a problem, please forward a link to this blog to a couple of colleagues and friends within the networking community.

We’ll keep an eye on the progress being made, and I’ll commit myself to posting fresh statistics on how many people have visited this blog every Monday and Thursday until the end of March. As Freud once said, thinking is rehearsing. I think the time has come to act on our thoughts.

February 7, 2007

Stop the Press: New DDoS Attack on DNS Root

Filed under: Uncategorized — Juha @ 10:55 am

Less than 12 hours ago, the Domain Name System’s root servers were once again attacked. The Denial of Service attack was targeted at at least three root DNS servers, including one maintained by the US Department of Defense. While the SANS Institute and others are still requesting log files and other information that would provide further insight into the exact details and the origin of this malicious attempt to bring down the DNS root, some experts say this was the worst DoS attack on DNS servers since 2002. There have reportedly been some widespread outages and general slowdowns affecting traffic on the Internet.

For more coverage, please click the following links for related articles:

February 6, 2007

On Identity-Driven Networks

Filed under: Uncategorized — Juha @ 7:32 pm

Today, I arranged a small poll at our office on what building identity-driven networks really means. One colleague I asked opined that it must have something to do with orchestrating integrated paradigms. Another person I talked to was pretty sure it’s all about redefining out-of-the-box convergence. A third one thought it may be related to reinventing innovative functionalities. They all got it wrong.

Humble engineers that we are, it never occurred to us that installing a simple DNS server appliance in one’s network would qualify as the first step towards building an identity-driven network. While we were initially struggling to see the logic in this groundbreaking concept that one of the companies within the DNS appliance marketspace is building on, perhaps it means that a domain name is indeed the very identity of an otherwise anonymous IP address. Without names, we are just numbers! ;-)

As Albert Einstein once said, things should be made as simple as possible but not more so. Being true to Al’s heritage, Nixu Software focuses on developing cost-efficient solutions that are secure by design as well as simple to install, to maintain and to manage.

In other words, we are here to make your life that much easier. Not to redefine out-of-the-box convergence.
