March 26, 2007

On DNS Security Extensions and IPv6

Filed under: Uncategorized — Juha @ 9:24 pm

It’ll soon be seven years since the first time I was asked about DNSSEC (DNS Security Extensions) and IPv6 within a commercial set-up. In those days, most people I spoke to seemed to think it would only be a matter of a year or two before the two standards would be rolled out to production. DNSSEC and IPv6 are just around the corner, they said.

While some of our most advanced service provider customers have been running dual-stack IPv4 & IPv6 production networks for several years now, these environments are still more or less a rarity. And when it comes to DNSSEC, the level of utilization is even lower – while the BIND 9.4.0 release made in February does support the DNSSEC-related RFCs, it may take quite a while before the BIND 9.4 series has an installed base that’s extensive enough for a meaningful DNSSEC roll-out. And even then, it remains to be seen whether individual system and network admins will take advantage of the feature – after all, a relatively large percentage of public DNS servers are still running BIND 8, so DNS security really isn’t at the top of everyone’s agenda.

At Nixu Software, we believe that organizations concerned about DNS security are better off taking active measures that help them secure their DNS servers today. For more info on how to accomplish that, please read our earlier post on DNS security.

March 20, 2007

Windows Longhorn (a.k.a Vista), Virtualization and Domain Name Service

Filed under: Uncategorized — Juha @ 8:26 pm

Yesterday, NetworkWorld ran an interesting article on BrainShare, Novell’s user conference. According to the coverage, Novell and Microsoft had taken this opportunity to demonstrate the interoperability between SUSE Linux and Windows. Also, Novell had apparently announced the beta of Open Enterprise Server (OES) 2 at the event, which of course is also quite interesting as it provides us with some clues on where the networking world could potentially be heading going forward.

In November, I made a post on the legitimization of Linux in which I argued that in many cases, running a Linux + BIND combo instead of Microsoft DNS server makes perfect sense. Well, as it turns out, Novell and Microsoft seem to agree with this point, as they are doing exactly the same thing. As pointed out by NetworkWorld: “OES 2 also runs Domain Services for Windows”. That’s Linux + BIND based DNS for Windows.

Another interesting point made by NetworkWorld was that at BrainShare, Windows Longhorn (I wonder why NetworkWorld didn’t call it Vista – maybe there’s something I’m missing here?) had been used to run SUSE Linux as a virtual machine. Now, if you revisit my previous post on RHEL 5 and guest environments / virtualization, I think there’s a clear pattern that we’re seeing here. If Microsoft along with prominent Linux vendors such as Red Hat and Novell have plans to add virtualization as a standard feature in the server versions of the OSs they distribute, sooner or later practically all servers will become platforms for a number of virtual machines.

From Nixu Software’s point of view, we are really keen on seeing how the whole virtualization business plays out, as the software appliance approach we have taken with Nixu SNS and our upcoming products is ideally suited for virtual servers. After all, once Windows supports virtualized Linux machines and vice versa, software appliances that self-install (the entire stack from OS to application) and automate maintenance routines can be implemented seamlessly in practically any network environment. Therefore, I also believe that virtualization will have a much larger impact on networking, computing and the ICT industry at large than most people currently give it credit for.

As an update to our “Make Life Difficult for Blackhat Hackers” campaign – a grassroots DNS security movement – we’re quickly approaching the 40,000 reader mark. If you would like to help us in breaking the 50,000 mark within the next 10 days, please forward a link to this blog to your friends and colleagues within the networking community.

March 15, 2007

Red Hat Enterprise Linux 5 and DNS Virtualization

Filed under: Uncategorized — Juha @ 4:09 pm

We were really pleased to see the official release of Red Hat Enterprise Linux 5, as it brought XEN virtualization to the mainstream. Anyone running RHEL 5 on her server now has built-in support for four virtualized servers, a.k.a. guest environments, on a single physical box. In our view, this along with the traction VMware has gained recently will have a huge impact on DNS security going forward.

As pointed out by e.g. SANS Institute, one of the major threats for DNS security is the fact that organizations tend to run DNS servers on the same physical server as other network services. This practice makes DNS servers prone to hacking and other exploits, as a vulnerability in any software component on a shared server platform may provide hackers with access to the configurations of the DNS server. With RHEL 5, the DNS server can be run in one of the four (or more if RHEL advanced server is used) guest environments, thereby making the DNS server inherently more secure. This approach is also compliant with SANS Institute’s security recommendations.

The only problem associated with running network services in different guest environments is the fact that with traditional software, each guest environment has to be built individually in order to harden and optimize it for a given service, which translates to more work. However, by adopting a software appliance approach these problems go away, as a guest environment can be installed simply by booting a virtual server with a self-installing software appliance ISO image containing all software modules from the OS to the application.

Nixu Software has already released Nixu SNS, a secure DNS software appliance that installs automatically and seamlessly on virtual / guest environments whether based on XEN (RHEL 5), VMware or Parallels. Within the next few months, we will also be launching new products on our software appliance platform in order to make virtualization as easy as 1-2-3. Stay tuned for more.

Meanwhile, if you’re interested in trying out how easy setting up guest environments on RHEL 5 and/or VMware can be, please download Nixu SNS (Secure Name Server) for free evaluation. We’re sure you’ll be impressed.

March 13, 2007

McAfee Maps Online Safety Risks

Filed under: Uncategorized — Juha @ 3:06 pm

Yesterday, McAfee published a study on online safety risks titled “Mapping the Mal Web”. The published results had been obtained using global data from SiteAdvisor, which tests websites for spyware, spam, viruses and scams. There were some pretty interesting results so please do take a look at the report – if nothing else, it makes for an entertaining read.

From Nixu Software’s and Nixu Group’s (our corporate parent) point of view, we were pleased to see the results. As you may already know, Nixu Group is headquartered in Finland and as it turned out, Finland’s TLD (.fi) was the most secure there is. While the outcome was attributed to certain regulations related to the registration of domain names, these rules were abolished already a couple of years ago so it is probably not the only reason for the result.

You see, Finland is a very information security conscious nation. The SSH protocol was initially written by a Finn, Mr. Tatu Ylönen, who also happens to be a large shareholder of Nixu Group. A little later on, Nixu participated in developing the IPSec protocol. And of course, Finland is also the home of several IT companies offering award-winning network security products such as Stonesoft and F-Secure.

Bearing this in mind it is no wonder then that Nixu SNS, the most secure DNS software appliance on the planet, also comes from Finland. After all, we cannot afford to market insecure solutions as that could lead to a deportation! :-)

As an update to our DNS Security campaign (Make Life Difficult for Blackhat Hackers), we broke the 30,000 reader mark during last weekend and are now aiming towards 50,000+ readers by the end of this month. Here’s hoping we’ll get there!

March 8, 2007

DNS Root and Rootkits

Filed under: Uncategorized — Juha @ 6:29 pm

Last week, I had an interesting discussion with a certain journalist covering topics related to information security. He told me that some of his sources had speculated on whether or not the recent DDoS attack on DNS root could have been caused by rootkits, and asked what our take on this topic was. At that point, we really didn’t have one. :-)

Having read Dan Kaminsky’s article “Explorations in Namespace: White-Hat Hacking Across The Domain Name System” (the download may take a while but the paper is well worth the wait) published by ACM back in June 2006, we have been well aware that malware such as Sony’s infamous rootkit could potentially cause trouble for DNS. But could a rootkit actually generate enough traffic to bog down three DNS root servers?

As the investigations pertaining to the root cause of the recent DDoS attack are still on-going, it’s impossible to tell. Yet at the same time, considering Dan’s findings I would have a hard time dismissing that possibility entirely. After all, not all hackers are quite as well-tempered and forthcoming as Dan is.

As an update to our on-going grassroots campaign on DNS security (Make Life Difficult for Blackhat Hackers), we’ve had more than 8,000 new readers at this blog since this Monday and are quickly approaching the 30,000 mark in the number of readers. I was initially hoping to reach 50,000 professionals by the end of this month (that’s also when I thought I’d stop providing updates on reader statistics) but perhaps we now have a chance of approaching six figures if we manage to become exponential in attracting new readers. And so, if you think DNS security is a worthy topic for a blog, please do send a link to your friends and colleagues within the networking community.

March 6, 2007

Microsoft Comments on Vista and DNS Queries

Filed under: Uncategorized — Juha @ 1:52 pm

In my post yesterday, I asked readers to share experiences on running a network with a large number of Vista clients and the way in which it affects network traffic and number of queries. Well, as it turned out, our reader community seems to have extended to Redmond, WA as we received the following feedback from Sean Siler, IPv6 Program Manager for Microsoft:

“The statement “Microsoft went on record by saying that the number of DNS queries would not double on the Internet, as Vista clients only send IPv6 queries to name servers that have already resolved them the IPv4 address” isn’t an accurate representation of the DNS resolver behavior on Windows Vista. It actually works like this:

If the client has only a v4 address (even if it has a link-local v6 address) the DNS resolver will NOT ask for AAAA records. There is no way to get the resolver to query for a AAAA record unless one manually drops to the command prompt and uses NSLOOKUP or DIG and specifies an AAAA query.

On the other hand, if the client has been assigned a globally routable IPv6 address, along with its IPv4 address, then it will perform AAAA and A record queries. Again, though, this requires Globally addressable v6 addresses, not Teredo or link local addresses.

Finally, if the client has only a v6 address, it will only query for AAAA records.

This behavior is the same whether we are discussing caching name servers or authoritative ones; the scenario doesn’t change.

This behavior is as expected, has the least amount of impact on DNS utilization, and has been tested and reported on by third parties. Since most organizations have not yet chosen to deploy v6 addresses to their clients, there has not been (nor do we expect to be) any great spike in DNS utilization in the next several years.

Best Regards,
Sean Siler”

Based on Sean’s informative note on the topic, it seems that Microsoft has done what they can to cap the number of queries generated by Vista. Of course, it goes without saying that as organizations begin migration from IPv4 to IPv6 and end up running a dual-stack network during the transition period, the number of queries from clients that are assigned both IPv4 and globally routable IPv6 addresses will double. But in fairness, this is not a Microsoft Vista specific issue, as any client – whether Microsoft Vista, Mac OS, or Linux based – with two IPs (A & AAAA) will make twice the number of DNS queries in comparison to a client with only a single IP.

And so, I think we can safely conclude that organizations planning on migrating to dual-stack networks, and assigning both IPv4 and globally routable IPv6 addresses to clients, will have to be prepared for an increased number of DNS queries in their network. This is not a client specific issue, so you’ll have to make sure that DNS servers have enough spare capacity to cope with the increased number of DNS queries – that is, of course, if you want to assign both v4 and v6 addresses to clients.
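The resolver rules in Sean’s note, and the extra load they imply for a DNS server, can be worked through in a short script. This is an added example, not code from Microsoft or from the original post; the function names, the sample fleet and the treatment of unique local addresses as non-global are assumptions.

```python
import ipaddress

# IPv6 ranges that do not count as "globally routable" for the resolver rule.
NON_GLOBAL_V6 = [ipaddress.ip_network(n) for n in (
    "fe80::/10",   # link-local
    "2001::/32",   # Teredo
    "fc00::/7",    # unique local (assumption: treated like link-local)
    "::1/128",     # loopback
)]

def query_types(addresses):
    """Record types a client asks for, following the rules quoted above."""
    has_v4 = has_v6 = has_global_v6 = False
    for text in addresses:
        addr = ipaddress.ip_address(text)
        if addr.version == 4:
            has_v4 = True
        else:
            has_v6 = True
            if not any(addr in net for net in NON_GLOBAL_V6):
                has_global_v6 = True
    if has_v4 and has_global_v6:
        return ["A", "AAAA"]   # dual-stack with a global v6 address
    if has_v4:
        return ["A"]           # v4 plus link-local or Teredo only: no AAAA
    if has_v6:
        return ["AAAA"]        # v6-only client
    return []

def query_multiplier(fleet):
    """Queries sent per name lookup, relative to a fleet of A-only clients.

    fleet is a list of (addresses, client_count) tuples.
    """
    clients = sum(count for _, count in fleet)
    if clients == 0:
        return 0.0
    queries = sum(len(query_types(addrs)) * count for addrs, count in fleet)
    return queries / clients

# Constructed sample fleet. 192.0.2.0/24 and 2001:db8::/32 are documentation
# prefixes standing in for real IPv4 and globally routable IPv6 addresses.
SAMPLE_FLEET = [
    (["192.0.2.10", "fe80::1"], 600),                               # v4 + link-local
    (["192.0.2.11", "2001:0:4136:e378:8000:63bf:3fff:fdd2"], 100),  # v4 + Teredo
    (["192.0.2.12", "2001:db8::12"], 300),                          # dual-stack
]

if __name__ == "__main__":
    print("query multiplier:", query_multiplier(SAMPLE_FLEET))
```

Changing the client counts in the sample fleet shows how the multiplier moves towards 2 as more clients receive globally routable IPv6 addresses.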

March 5, 2007

Microsoft Vista, DNS and Number of Queries

Filed under: Uncategorized — Juha @ 5:35 pm

While Microsoft’s new Vista OS was still in beta, there was quite a bit of discussion on how it would affect the number of DNS queries on the Internet going forward. This stemmed from the fact that as Vista clients query for both A (IPv4 address) and AAAA (IPv6 address) records, Vista should have theoretically doubled the number of queries. However, after Microsoft Vista was released, the networking community has gone silent on this topic.

In their own statement, Microsoft went on record by saying that the number of DNS queries would not double on the Internet, as Vista clients only send IPv6 queries to name servers that have already resolved them the IPv4 address. In practice, this would mean that the number of queries would only be doubled for caching DNS servers that answer queries originating from trusted domains. Or in other words, that service providers offering caching DNS service to small businesses and private users along with larger organizations with their own caching DNS servers would be affected – not so much the authoritative DNS servers.

Now, as a relatively low percentage of name servers actually service IPv6 queries at this point in time, Microsoft is right in that for the time being, the Vista effect will mostly be isolated to local networks. However, going forward, I would assume that the situation will change: as the percentage of caching name servers servicing IPv6 queries increases, the number of queries generated by caching DNS servers themselves will also pick up sooner or later. I guess we’ll find out soon enough.

Meanwhile, if you have experience running a network with a large number of Vista clients and the ways in which it affects network traffic, please add your comment to this post – I’m sure we all would love to hear from you.

In my next post on Thursday, we’ll look into how malware such as rootkits affect the amount of DNS traffic. Some pundits have speculated that this could have been the cause of the recent recursive DoS attack on DNS root, so the topic is certainly interesting.

Lastly, as an update to our “Make Life Difficult for Blackhat Hackers” campaign: after the first full three weeks, we’ve had 20,000+ visitors at this blog reading about the immediate DNS security problems haunting the Internet. And for that, I’m very thankful to you all. But while this is certainly a good start, we still have a lot of ground to cover. And so, again, I urge you all to send a link to this post to your friends and colleagues within the networking community – this is the only way (I can think of) to easily keep track of the number of pros aware of the immediate problems associated with DNS security.

March 1, 2007

Why Organizations Choose (Open Source) Software

Filed under: Uncategorized — Juha @ 8:59 pm

As some of you may have noticed, bloggers at InfoWorld have been recently discussing what constitutes an open source company. Matt Asay argues in his post today that in order to be an open source company, the entity must release code as a part of its core business. Otherwise, the organization is nothing but a non-disruptive member of the history.

The problem with this kind of thinking is the fact that it’s fixated on the idea that the openness of software code – or the lack thereof – would be the determinant attribute when organizations decide which software to run. While I do appreciate coding as an expression of art, I’m having a hard time seeing a piece of software as an end in itself. After all, most people and organizations do not run software because they want to see beautifully written code in action.

Rather, most organizations making decisions on software base them on three simple factors: ability to perform given tasks, quality and cost. Within this context, the benefits of open source software are obvious, as it allows vendors to offer solutions that are more cost-effective without having to forego quality. After all, while one may offshore software development to developing nations, developing entirely proprietary solutions still requires a lot of work that will translate to costs, regardless of where the coding is being done.

By utilizing and building on open source software modules instead, software firms can continue to push down the price points without having to compromise the quality of their products or services, or the financial soundness of their operation. And so, I think the ability to offer quality products at low price points is the real driver behind the usage of open source and the success of companies working within this field, not so much whether or not these companies actually release source code.

As an update to our “Make Life Difficult for Blackhat Hackers” campaign, we’ve had 4,750 new readers since Monday setting our total to a little over 17,000 readers. However, as CERT-FI announced today that there has been a new on-going DDoS attack on DNS (our other sources are yet to confirm this), please do make sure that your DNS servers are safe and secured.

Advertisement
If you have yet to find an easy and cost-efficient way of protecting your DNS servers, please try out Nixu SNS today. It installs on any clean x86 server as well as most virtual servers, and costs only $495 per server per year.
