Some of you may be familiar with a presentation titled “Corrupted DNS Resolution Paths: The Rise of a Malicious Resolution Authority” held by David Dagon, Chris Lee and Wenke Lee from Georgia Institute of Technology and Niels Provos of Google, Inc at Network and IT Security Conference: NDSS 2008. To provide you with a quick summary, their research suggests that there are tens of thousands of rogue DNS servers on the Internet used for various kinds of malicious activities, leading to a rise of “second secret authority” that should scare the living daylights of all of us. For Associated Press’s coverage on the topic, please click here .

Now, it may be just me, but I find it rather interesting that while security professionals all over the world are worried by the “second secret authority” on the Internet revealed by this study, the mainstream media is simultaneously embracing a service called OpenDNS. According to respected publications such as Computerworld, The New York Times, and PC World, OpenDNS is a great “speedup tweak” for anyone who wants to have a quicker name to IP resolution than what one’s own ISP provides. OpenDNS claims that their service makes Internet more reliable, networks more secure, and provides insight into DNS activity. Better yet, the service is offered free of charge so what could possibly be wrong here?

Well, my answer to this would be: several things.

First, as everyone who knows their DNS can tell you, running open recursive DNS servers (i.e. DNS servers that allow anyone, anywhere to perform recursive queries) is one of the most basic DNS security mistakes one can make. It makes the DNS server more prone to cache poisonings and, perhaps even more importantly, can be exploited to amplify Denial of Service (DoS) attacks targeted at other DNS servers. Bearing this in mind, I find it somewhat ironic that OpenDNS advertises the IPs of their open recursive DNS servers (208.67.222.222 and 208.67.220.220) and improved network security on their website.

Second, OpenDNS openly admits that their service manipulates DNS data. Now, although I’m willing to give OpenDNS the benefit of the doubt and trust that their intentions are entirely benevolent, I think this is something that can be likened to the “second secret authority” on the Internet: no matter how good the intentions behind OpenDNS, the DNS data provided by the service has been manipulated in order to generate ad revenue. Paul Vixie has apparently labelled this approach as “typosquatting” and according to Wikipedia, OpenDNS has allegedly intercepted some requests for valid servers by landing a request for google.com on OpenDNS’s own page.

Third, although one can use OpenDNS to block name requests for sites that contain inappropriate content – for example schools using this service could block name resolution to adult entertainment and other websites unsuitable to minors – it does absolutely nothing to prevent an access to an inappropriate website should the user be smart enough to type in the IP address rather than the domain name of the site in his/her browser. Essentially, this service does not actually filter any content or block access to suspect websites as advertised (this should be done on web proxy / caching level) but simply relies on the assumption that people are not smart enough to use IPs as opposed to domain names. If they are, OpenDNS will not be able to do anything about it, as DNS is used only for name to IP resolution (and vice versa).

And so, although it probably is true that OpenDNS may provide a nice “speedup tweak” for someone situated relatively close to their recursive DNS servers, in most cases I would recommend against OpenDNS and sticking to the recursive DNS service provided by one’s own ISP, or to recursive DNS service maintained in-house. After all, using DNS for something it has not been designed for doesn’t come without downsides.

Over the last 10 years or so, a rather substantial number of customers and prospects have asked us about our support for new networking standards such as IPv6 and DNSSEC. In the majority of these cases, we’ve got the impression these questions have been raised because of a low-priority tick-box in the requirement specifications rather than an immediate plan to take these new standards into production. We have of course seen some of our customers starting to operate dual-stack (IPv4 & IPv6) networks – the most advanced as early as 2002 – and use Nixu NameSurfer Suite for the management of DNS and IP address space in these deployments, but I think it would be fair to say it hasn’t been an approach adopted by the mainstream. Things do change, though.

As some of you may have already noticed, ICANN announced about two weeks ago that IPv6 address has been added for root servers in the root zone. As David Conrad from ICANN states in the related announcement, this really is a major step forward for IPv6-only connectivity and the global migration to IPv6. But before we get there, though, there are a couple of other hurdles that we have to pass. After all, as our experience shows, it’s not like everyone has been rushing to build an IPv6 compliant network.

And on this note, it just occurred to me that perhaps virtualization of network infrastructure will play an important part in the IPv6 migration. After all, I’d be willing to bet good money that although the high-end of the enterprise market is likely to proceed with enterprise-class virtualization platforms such as VMware Infrastructure, it will most likely be RHEL 5.1 (and upcoming 5.2) and Windows 2008 Server that are going to take server virtualization mainstream.

Bearing the above in mind, my point is this: while both RHEL 5 Series and Windows 2008 Server support IPv6, I doubt IPv6 support alone will compel organizations to deploy these new platforms. However, the built-in support for virtualization included in both RHEL 5 Series and Windows 2008 Server could just be enough to do the trick – especially as they can be used as virtual server platforms for Nixu NameSurfer Suite and Nixu SNS as well as other innovative software appliances designed to simplify the running of a dual-stack (IPv4 & IPv6) network.

I’m sure this hypothesis will be tested soon enough!

On a somewhat unrelated note, and as some of you may have already noticed, we released a new 1.1 version of Nixu DHCP Server last week. This version includes a support for intelligent DHCP failover pairs where the configurations of both servers are managed from a single WebUI. If you’re interested in further details or a free 30-day evaluation of the product, please click here.

As some of you may have already noticed, RedHat has announced their intention to enter the software appliance arena. Basically, what they expect to do is to introduce a software development kit and Appliance Operating System designed for ISVs (Independent Software Vendors) looking to take their products to market as software appliances.

This is actually something rPath has been up to for already quite some time, and is a nut we at Nixu Software cracked already some 24 months ago: our software appliance has CentOS inside which is automatically hardened during the system install, creating a JeOS (Just-enough Operating System) on which the appropriate applications are auto-installed. Because of this approach, our software appliances can be installed and run on pretty much any x86 platform – whether native hardware or virtualization platform such as VMware, Citrix Xen, RHEL, upcoming Microsoft Viridian / Hyper-V etc. – rather than being restricted to any specific piece of hardware or virtualization gear. Effectively, this makes Nixu Products more versatile than most other software / virtual appliances that require a specific virtualization platform to run on, such as virtual appliances built and certified for VMware.

Anyhow, we were really pleased to see that also RedHat is now entering the software appliance arena, as I’m sure that will help us in educating the market on the software appliance benefits. Having talked quite a bit about them myself, I thought I’d point you all to a new direction for a fresh angle: a blog entry on virtualization and branch-office-in-a-box by Robert Whiteley, an analyst at Forrester.

If Robert’s take sounds interesting, you can try out the branch-office-in-a-box concept already today. To have the basic network services up and running, all you have to do is to install Nixu Secure Name Server (SNS), Nixu DHCP Server, and Vyatta OFR (router, firewall, VPN) as separate virtual machines on a x86 box running VMware Server.