July 26, 2007

Serious Vulnerability Discovered in BIND 9

Filed under: Uncategorized — Juha @ 2:38 pm

As some of you may already know, a new serious cache poisoning vulnerability has been discovered in the BIND 9 series. For a quick recap of the vulnerability, please visit SANS Internet Storm Center’s update on the situation. For Amit Klein’s original paper on this vulnerability, please visit Trusteer’s website.

Customers running Nixu Secure Name Server (SNS) as their DNS server do not have to take any action so long as automated software updates have been enabled on their SNS server: your DNS server has already been patched against this vulnerability.

Customers running Nixu NameSurfer Suite are not affected by this problem.

Organizations running plain BIND in their network should update their BIND 9 versions immediately. For further details on the software update, please visit ISC’s website.

If you are running DNS server products that are delivered by vendors other than Nixu Software, please contact your own vendor for assistance.

July 25, 2007

Freedom of Choice Wags the Long Tail of DNS

Filed under: Uncategorized — Juha @ 4:02 pm

Before the dawn of DNS and IP addressing software appliances, the world was a grim place. Organizations were forced to choose between traditional DNS and IP address management software whose implementation took a long time and that was expensive to run, plain open source software that was difficult to install and to configure securely, or hardware appliances that were easy to deploy yet had a hard time offering a TCO that would have justified their deployment over a standard x86 server running Linux and plain BIND.

Nixu Software was spun off from Nixu Group in 2006 to change all this. After having spent a decade developing DNS and IP addressing solutions, it dawned on us that to accommodate the long tail of DNS and IP addressing marketspace – that is to say the organizations that continue to run home-grown DNS or DHCP servers consisting of ISC’s software (BIND, DHCPD) running on a UNIX/Linux platform – customers would have to be offered a new kind of flexibility and freedom of choice that would allow them to choose the deployment strategy that best met their unique situation. But even more importantly, this would have to be done at price points that allowed any organization to run our software appliances without having to give the investment a second thought.

After 18 months or so, I think we can already claim to have succeeded in changing the marketspace. Selling our software appliances such as Nixu SNS at $495 (US) per server per year including maintenance and support, we’ve already managed to make a difference in the distribution and pricing dynamics of this market. Better yet, the more traditional hardware appliance vendors such as Infoblox and Bluecat have indirectly admitted this by launching new, discounted offerings in an effort to compete in price with Nixu Software’s unique product proposition. Gotta love the competition!

Seriously, though, what these guys have missed entirely in their reactive effort to compete in price is that while we do sell software appliance subscriptions that are affordable, Nixu Software as an organization is essentially not about price. Or margins for that matter. No, our sole mission in this world is to provide our customers with freedom of choice and value for money.

[Figure: Deployment Options; Nixu Products]

As you can see from the above graph, you can use e.g. a Nixu SNS software appliance to build a traditional hardware appliance by booting a clean, generic x86 box (either new or existing; with the specs you like) with our ISO image. Or, if you prefer, you may create a virtual appliance by using our ISO images to boot up new virtual machines. Or even combine these two approaches – that’s up to you to decide.

The point I really wanted to make here is that either way you slice it, only the customers themselves can make the best platform decision based on their own unique situation. And that in many cases, proceeding with a hardware appliance doesn’t make sense as you do not need, or want to buy, the overpriced hardware that is bundled in with the software part of the appliance that you really are after. What you really need, then, is freedom of choice. At an affordable price. In other words, a software appliance.

To taste the freedom, please download Nixu SNS for free evaluation today.

July 14, 2007

On DNS Best Practices

Filed under: Uncategorized — Juha @ 2:30 pm

In recent weeks, we have been discussing DNS Best Practices with many universities, service providers and other organizations around the world. Based on the feedback we have received, it seems that for many organizations, DNS Best Practices continue to be somewhat unclear. In our view, part of this problem stems from the fact that the terminology used when describing DNS Best Practices seems to vary depending on the author.

Therefore, I thought that perhaps it would be of interest to our readers to nail down the most important aspects of DNS Best Practices. For your convenience, I’ve split this into two parts, DNS Architecture and Other Considerations.

DNS Architecture

  • DNS deployment / solution architecture should consist of:
    - Hidden primary/master DNS server that is not visible to the network and is used to manage the data
    - Two or more secondary / authoritative slave DNS servers interfacing the network
    - Two or more recursive / caching DNS servers serving recursive queries
  • Also the following architectural considerations should be addressed:
    - All individual DNS servers that are visible to the network should be run on dedicated servers that don’t include any other services
    - DNS servers interfacing the network should be located in different network segments so that an outage in any one segment doesn’t cause the DNS service to go down
    - DNS servers should create a hierarchical chain, i.e. all DNS servers should use standard mechanisms such as zone transfers to propagate DNS data to the next server in the chain

Other Considerations

  • Make sure that your DNS server runs the latest stable versions of different pieces of software (O/S, DNS server software, etc.) and that you verify this on a regular basis
  • Make sure that your DNS server is configured securely; e.g. that it allows recursive requests only from; has a proper authentication mechanism in place to eliminate unauthorized access; that it allows zone transfers only from / to authenticated servers (using TSIGs); etc.
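
An added example, not part of the original post or of Nixu's software: a small Python audit of a BIND-style `named.conf` for two of the configuration points above, restricted recursion and TSIG-only zone transfers. The sample configurations, the key name `xfer-key` and the addresses are constructed for illustration, and the parser is a simplification that handles only simple, non-nested ACL bodies.

```python
import re

# Constructed sample: recursion open to everyone, transfers gated by IP only.
WEAK = """
options {
    recursion yes;
    allow-transfer { 192.0.2.53; };   // IP-only ACL, no TSIG
};
zone "example.com" { type master; file "db.example.com"; };
"""

# Constructed sample: authoritative-only server, transfers require a TSIG key.
HARDENED = """
key "xfer-key" { algorithm hmac-sha256; secret "PLACEHOLDER-SECRET"; };
options {
    recursion no;
    allow-transfer { key "xfer-key"; };
};
zone "example.com" { type master; file "db.example.com"; };
"""

def _values(conf, name):
    """All values of `name` statements (simple, non-nested ACL bodies only)."""
    pat = r'(?<![\w-])%s\s+(\{[^{}]*\}|[^;{}]+);' % re.escape(name)
    return [v.strip() for v in re.findall(pat, conf)]

def audit(conf):
    """Return findings for the recursion and zone-transfer practices."""
    # Strip //, # and /* */ comments before matching statements.
    conf = re.sub(r'//[^\n]*|#[^\n]*|/\*.*?\*/', '', conf, flags=re.S)
    findings = []
    if _values(conf, 'recursion') != ['no']:
        acls = _values(conf, 'allow-recursion')
        if not acls or any(re.search(r'\bany\b', a) for a in acls):
            findings.append('recursion is not limited to named clients')
    transfers = _values(conf, 'allow-transfer')
    if not transfers:
        findings.append('allow-transfer is not set explicitly')
    for body in transfers:
        items = (i.strip() for i in body.strip('{} \n').split(';'))
        for item in filter(None, items):
            # Only `none` or a TSIG key reference counts as authenticated.
            if item != 'none' and not item.startswith('key '):
                findings.append('allow-transfer admits non-TSIG peer: ' + item)
    return findings
```

`audit(WEAK)` reports both problems, while `audit(HARDENED)` returns an empty list; per-view settings and nested ACLs are outside what this sketch checks.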

I think this pretty much wraps it up.

Lastly, if I may advertise a little, Nixu Software is specialized in providing solutions that adhere to these practices by design and are inexpensive enough for any organization to deploy. Please visit www.nixusoftware.com for further details.

July 7, 2007

Announcing Support for VMware Virtualization Platforms

Filed under: Uncategorized — Juha @ 1:34 pm

On June 29, we announced Nixu Products’ official support for different VMware virtualization platforms. From now on, organizations may choose between traditional hardware platforms and VMware virtualization infrastructure without having to make any compromises: we’ve taken every measure necessary to ensure that Nixu Products run as well on VMware virtualization platforms as they do on traditional hardware platforms. Further, we are committed to providing the same level of technical support for virtualized environments as we provide for hardware-based installations.

The reason why we entered into a technology alliance with VMware is that after launching Nixu Secure Name Server (SNS), the world’s first DNS software appliance, in October 2006, we have received a large number of inquiries from organizations all over the world who are planning on migrating their core network services such as DNS, DHCP, and IP address management to VMware Virtual Infrastructure 3. As we have already made the first deliveries of Nixu Products on the VMware Virtual Infrastructure 3 platform and as we have a large number of projects such as this in the pipeline, we thought partnering with VMware and making our commitment to virtualization public would benefit everyone.

At Nixu Software, we are confident that in the future, our approach will become the norm rather than an exception. However, for the time being, we are proud to pioneer the industry in this technology domain and look forward to working with like-minded organizations.

Once again, welcome to the dawn of DNS virtualization!
