May 30, 2007

White Paper: DNS Integration with Microsoft AD

Filed under: Uncategorized — Juha @ 6:34 pm

Having talked quite a bit about enterprise DNS, Microsoft AD and their integration in the past, we decided to publish a new white paper, “Integrating Nixu Products with Microsoft AD”. While the title may suggest otherwise, the document isn’t really Nixu product specific. Rather, it outlines a general enterprise DNS architecture that adheres to DNS best practices, and describes a recommended strategy for integrating standards-based DNS with subnets running Microsoft AD. We hope you’ll find the document useful!

May 22, 2007

On DNS Security, Again

Filed under: Uncategorized — Juha @ 1:44 pm

I’m not sure how many of our readers read my first blog entry at the Nixu Software Web Journal, published on September 26, 2006. Nearly eight months and hundreds of thousands of visits later, I decided that it’s time to re-run my first post, “On DNS Security”, simply because the situation hasn’t really changed much since then. Although the networking community has experienced one major recursive DoS attack on the DNS root (which made the headlines) and discovered several vulnerabilities in different DNS servers (BIND 9.4.0; Windows DNS), the points brought up are still as valid as ever.

And so, let’s go down memory lane: “On DNS Security”, brought to you by Nixu Software.

“When DNS was invented back in 1983, it must have been rather difficult to envision the world we have later found ourselves in. Denial of service attacks, DNS poisonings, and vulnerabilities of operating systems and commonly used DNS servers are being used regularly to put one of the most critical network services to halt.”

“Traditionally, DNS servers have been rather open to attacks. They are all too often outdated machines in the back corner of the server room running old versions of various operating systems, as well as outdated and insecure versions of BIND. If anyone has come to view this as a problem, the solution has been simple – it is called resiliency and involves setting up yet another vulnerable DNS server in the network. The more you have them, the less likely it becomes that all of them would break down or be attacked at once. Or so the theory goes.”

“For some reason, the networking community has not done much to address this problem. Sure, the IETF has come up with solutions such as DNSSEC which has been the talk of the town since the late 90s. But bearing in mind the complexities associated with the standard, it is questionable whether most organizations running DNS servers will have the required know-how and resources in place to implement DNSSEC in the near future. After all, there are more than nine million public DNS servers out there, and it is not very likely that all the administrators involved in the global rollout would have the skills, resources or the dedication of your average IETF engineer.”

“In the real world, the most immediate problems associated with DNS security can be solved by rather simple measures: making sure that DNS servers run on hardened operating systems that are free of known vulnerabilities; that the BIND version and/or other software run on public DNS servers is up to date and free of known vulnerabilities; that their firewalls are configured appropriately; that the DNS service is run on a dedicated server; and that the four previous points are verified on a regular basis against advisories issued by organizations such as CERT and the SANS Institute. Additional measures such as an Intrusion Detection/Prevention System can be used to quarantine IP addresses that send an abnormally high number of queries to DNS servers, indicating a potential Denial-of-Service attack.”
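The last measure above, quarantining sources that send an abnormally high number of queries, is easy to prototype against BIND’s own query log. The following is an added example, not code from the original post or from Nixu SNS; it assumes query logging with `print-time yes`, and the log lines, IP addresses and the threshold (more than 5 queries from one client within 10 seconds) are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# BIND 9 query-log line with print-time enabled (format assumed from a typical 9.x log).
LOG_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ "
    r"client (?P<ip>[0-9a-fA-F.:]+)#\d+: query: (?P<name>\S+) IN (?P<qtype>\S+)"
)

def parse_query_line(line):
    """Return (timestamp, source_ip, qname) or None for non-query lines."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S")
    return ts, m.group("ip"), m.group("name")

def find_abusive_clients(lines, max_queries=5, window_seconds=10):
    """Flag any source IP that sends more than max_queries inside any
    window_seconds span. Returns {ip: timestamp at which it was first flagged}."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # ip -> timestamps still inside the window
    flagged = {}
    for line in lines:
        parsed = parse_query_line(line)
        if parsed is None:
            continue
        ts, ip, _name = parsed
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # drop timestamps that fell out of the window
            q.popleft()
        if len(q) > max_queries and ip not in flagged:
            flagged[ip] = ts
    return flagged

# Constructed sample: 192.0.2.10 is a normal client, 203.0.113.7 floods the server.
def sample_log():
    normal = "22-May-2007 13:44:%02d.000 client 192.0.2.10#4321: query: www.example.com IN A +"
    flood = "22-May-2007 13:44:%02d.000 client 203.0.113.7#%d: query: example.com IN ANY +"
    lines = ["22-May-2007 13:44:00.000 general: info: zone example.com/IN: loaded serial 2007052201"]
    lines += [normal % s for s in (1, 20, 40)]
    lines += [flood % (10 + i, 50000 + i) for i in range(7)]
    return lines

if __name__ == "__main__":
    for ip, ts in find_abusive_clients(sample_log()).items():
        print("quarantine candidate: %s (flagged at %s)" % (ip, ts.time()))
```

The flagged addresses are what an IDS/IPS such as the one bundled in an appliance would hand to the firewall; the threshold should be tuned against the server’s normal per-client query rate before any automatic blocking is enabled.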

There is obviously a large number of people and organizations out there who “get it”, as we’ve been more than doubling the number of Nixu SNS (Secure Name Server) downloads quarter on quarter since the product was released. Then again, as Nixu SNS automates the DNS security process cited above at $495 (US) per server per year, we really have not been that surprised by the traction our proposition has gained. And neither will you be, after you’ve given Nixu SNS a go.

May 16, 2007

Pragmatic View to Open Source Software

Filed under: Uncategorized — Juha @ 8:32 pm

After Fortune ran their “Microsoft takes on the free world” article last Sunday, there’s been a lot of controversy on whether or not Microsoft’s claims hold any truth to them and whether or not the open source community should feel threatened by Microsoft’s new position. I’m not planning on delving any deeper into this, as I’m sure there is an infinite number of people out there who are better equipped to debate these questions than we are. “Acknowledging the facts is the beginning of wisdom”, as the late President of Finland, J.K. Paasikivi, once said.

Even so, the passionate discussion around Open Source Software did bring up the topic that I have been discussing here in the past; namely, the definition of the term “open source” and what constitutes an open source company. You see, according to most definitions of “open source”, Nixu Software isn’t an open source company. Yet we have (at least partially) adopted an open source business model selling Nixu SNS as annual subscriptions including maintenance and support (just like Red Hat), effectively charging nothing for the product itself but rather making our revenues from providing maintenance and support. And while our developers have committed code to certain pieces of open source software that we use in our products and although they participate quite actively in some OSS communities, we do not claim any open source project to be our own.

There are a couple of reasons for our approach. First, as there is a large number of existing, viable open source projects out there, I don’t think it’s necessarily in the industry’s best interest to start off a new open source community whenever you start something new – rather, the industry benefits more if the scarce resources are allocated to an existing OSS project (I guess that’s why they’re called communities). Second, considering the solution area Nixu Software operates in (DNS and IP addressing), I’m not sure there are any pragmatic reasons not to use BIND on public DNS servers – it’s the industry standard, after all. And third, while there is a large number of open source projects out there, there are not many open source SOLUTIONS, i.e. pieces of software that wouldn’t require a fair amount of manual labour to be installed and integrated with other pieces of open source software.

And so, applying this logic, we decided to merge several pieces of existing open source software (CentOS, BIND, Bastille, PHP, Apache, SSH, PSAD) into one powerful open source solution. Nixu SNS is the world’s first DNS software appliance that auto-installs from an ISO image at system boot (on x86 boxes as well as virtual machines) and includes a large number of features and functionalities that provide clear advantages over running plain BIND. It is more secure thanks to its purpose-built design, hardened OS platform, local IDS/IPS, error-checking utility, and statistics on DNS traffic. It is easier to run thanks to the automated installation process, user-friendly WebUI (there is of course a CLI too), and automated software upgrade mechanism. It’s much more cost efficient than plain BIND thanks to all these automations. And yes, we assume the responsibility of supporting the product for you, which is not the case with plain BIND (no one supports it).

Now, as we sell Nixu SNS subscriptions at $495 (US) per server per year including maintenance & support, we are effectively giving out the product for free: the annual subscription fee we charge isn’t more than Red Hat would charge you for their subscription of RHEL. And this, my dear readers, is what we at Nixu Software think open source business is all about: not charging for the code which has been written by the community, but for the services that have been built around the open source solution.

To experience the edge that the open source business model can provide you with, please download Nixu SNS (Secure Name Server) for free evaluation from this link.

May 14, 2007

High-Availability in VMware VirtualCenter Relies Heavily on DNS

Filed under: Uncategorized — Juha @ 1:09 pm

As I was going through some virtualization blogs today, I bumped into an interesting weblog, “Virtrix – Virtual Tricks” by Vincent Vlieghe. In one of his blog entries, Vincent points out that High-Availability in VMware VirtualCenter relies heavily on well-functioning DNS. And so, as you kick off virtualization projects in your organization, one of the first things you should do is make sure that your DNS is up to par with the rest of your network infrastructure. Please visit this link for further details.

May 7, 2007

Hardware Appliances: A Thing Of The Past?

Filed under: Uncategorized — Juha @ 7:21 pm

At Nixu Software, we have been rather active on the virtualization front during the last six months or so. After we started looking into this rapidly growing technology domain, we’ve found an increasing number of organizations all over the world looking to virtualize parts of their core network services (our forte, DNS, is just one of them). To facilitate this development, we have developed and launched a virtualization-ready product family to meet the DNS and IP addressing needs of the 21st century.

Today’s x86 servers often exceed the DNS performance requirements of organizations when the service is run on dedicated servers. In cases such as this, DNS virtualization makes perfect sense. Better yet, there are also other benefits to virtualization. Below are a couple of excerpts from VMware’s materials on the benefits of virtualization (over traditional hardware-based computing appliances):

“While the computing appliance approach makes the initial experience with a specific solution easier, the approach does have some downsides. The major problem with this approach is that it requires a specific piece of physical hardware. The specific hardware is selected by the solution vendor and may not be manufactured by a customer’s preferred hardware vendor. Additionally, while the appliance is sold by the company developing the solution, very often the hardware is serviced and supported by a third party that may or may not be certified on the appliance. If there is a hard drive failure on an appliance that is physically maintained by a company other than the appliance vendor, the repair process may require multiple parties to coordinate their efforts in order to bring that appliance back up.”

“The virtual appliance approach takes the best of both the traditional software approach and the computing appliance approach and combines them in a way that delivers both convenience and flexibility. By targeting a virtualization layer like the one provided by VMware, solution vendors can pre-install and pre-configure their solutions in a similar fashion to a traditional computing appliance. However, with a virtual appliance, the solution vendor no longer needs to procure and distribute a physical device.”

“Demonstrations, proof-of-concept projects, and evaluations can be done with virtual appliances with very little cost…”

We couldn’t have put it better ourselves. And so, if you are looking to virtualize the network services in your organization or expect to implement DNS servers, please do have a look at Nixu NameSurfer Suite and Nixu SNS. All you have to do is download an ISO image from our website (free for a 30-day trial) and boot up a virtual machine (or a clean x86 server) with the package: it auto-installs the entire software stack from a hardened OS (CentOS) to the application layer in just 10 minutes, creating a secure, dedicated DNS appliance for you.

May 4, 2007

Microsoft Releases Patch for DNS Vulnerability on May 8 2007

Filed under: Uncategorized — Juha @ 11:10 am

Christopher Budd of Microsoft announced yesterday that Microsoft is likely to include a patch for the Windows DNS server vulnerability in Microsoft’s May Bulletin Release. Please note that the availability of the patch is subject to the successful completion of the testing process that is currently ongoing. For further details, please read Christopher Budd’s blog entry on the topic.

May 2, 2007

New Vulnerability in BIND 9.4.0, 9.5.0 alpha versions

Filed under: Uncategorized — Juha @ 3:55 pm

ISC has released a new version of the BIND 9.4 series, BIND 9.4.1. The new version includes a fix for a vulnerability found in BIND versions 9.4.0, 9.5.0a1, 9.5.0a2, and 9.5.0a3, which allows DNS servers running these BIND versions to be exploited in recursive DoS attacks if the DNS server has been configured to allow recursive queries. To download the latest version of BIND 9.4 and for more information on the topic, please visit the following links:

Luckily, not many organizations have upgraded to the BIND 9.4 series yet, and so this will hopefully remain a fairly isolated incident. As the BIND 9.4 series remains fairly immature, Nixu Software advises organizations to run the more mature and thoroughly tested BIND versions 9.2.x and 9.3.x in their DNS.

May 1, 2007

Correction to Global Scrutiny of Public IPs

Filed under: Uncategorized — Juha @ 12:06 am

We were informed by CERT-FI a few hours ago that our commentary on UltraDNS’s plans was somewhat misleading. Rather than querying for a PTR resource record from every IP globally, UltraDNS is planning on querying for a specific kind of A record in an effort to find out how many DNS servers will resolve a recursive name query originating from outside their trusted domain(s). This effort is aimed at quantifying the number of DNS servers that are vulnerable to being exploited in a recursive DoS attack. We apologize for any inconvenience caused by this mistake.

Although this sounds much better, there are already similar, ongoing surveys out there on the exact same topic. Please visit The Measurement Factory’s website for further details.
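Both the BIND 9.4.0 advisory above and the UltraDNS survey hinge on the same configuration question: does the server answer recursive queries for clients outside its trusted networks? The fragments below are an added example, not configuration from the original posts or from ISC; they show the weak setting beside two corrected variants, with the directory path and the trusted prefixes constructed for illustration. Each fragment is a separate named.conf, not one file.

```conf
// BEFORE (weak): in BIND 9.3 a missing allow-recursion means recursion is
// answered for any client, i.e. this public server is an open resolver.
options {
    directory "/var/named";
    recursion yes;
};

// AFTER, public authoritative server: serve only the zones it hosts and
// never recurse, so it cannot be used to amplify a recursive DoS attack.
options {
    directory "/var/named";
    recursion no;
    allow-query { any; };
};

// AFTER, internal resolver: recurse only for the organization's own
// networks (constructed prefixes); everyone else gets a refusal.
acl "trusted" {
    127.0.0.1;
    192.0.2.0/24;
    198.51.100.0/24;
};
options {
    directory "/var/named";
    recursion yes;
    allow-recursion { trusted; };
};
```

After changing either file, reload named and verify from an address outside the trusted list that a recursive query is refused; that is the same check the surveys mentioned above perform from the outside.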
