Nominum Calls Open Source DNS "a Recipe For Problems"
Raindeer writes "Commercial DNS software provider Nominum, in an effort to promote its new cloud-based DNS service, SKYE, has slandered all open source/freeware DNS packages. It said: 'Given all the nasty things that have happened this year, freeware is a recipe for problems, and it's just going to get worse. ... So, whether it's Eircom in Ireland or a Brazilian ISP that was attacked earlier this year, all of them were using some variant of freeware. Freeware is not akin to malware, but is opening up those customers to problems.' This has the DNS community fuming. Especially when you consider that Nominum was one of the companies affected by the DNS cache poisoning problem of last year, something PowerDNS, MaraDNS and DJBDNS (all open source) weren't vulnerable to."
Yeah, because the poster child of closed source - Windows - is *so* secure...
I hope he doesn't run any Linux distributions in his company, at all. That would make him a hypocrite.
Posts not to be taken literally. Almost everything is sarcasm.
Linux seems to be fine for them to run their web server.
sig: sauer
I'll sum up their argument: We use security through obscurity, and that makes us better. You should pay us for that. Also, when we say "cloud-based," we really just mean "in our data centers." They're really abusing the definition of cloud computing, just because it's the current profit-generating buzzword.
SIG: HUP
I don't know about you, but any company that feels the only way they can sell their product is to basically slander their competitors isn't likely to get my attention. As it is, and as much of a pain in the ass as Bind can be, I have yet to encounter anything quite as powerful as Bind9. It's certainly not without flaws, but after having had to deal with the inadequacies of Microsoft's DNS, anyone who comes up to me and says "Oh yeah, those open source DNS servers are the lesser products" is either a liar or a moron.
The world's burning. Moped Jesus spotted on I50. Details at 11.
... how can you trust these guys to write your DNS software? They're the very guys who were contracted to write Bind9, the foremost open source domain name server, which they're now complaining about.
And, from TFA:
Reconcile THAT little gem with support for closed source software.
...proprietary software company says you should buy their product instead of using something else.
I'm shocked, I tell you. Just shocked.
"But it is opening up these customers to problems." Nice, textbook FUD/propaganda. Put the thought out there. Deflect attention from your own failings. Lump all 'freeware' DNS into the same basket. Call it 'freeware' instead of Open Source to link it to badly written DOS/Windows programs. Wow, this company is sleazy. It would be such poetic justice for some grey hat hackers to take these goons down.
Open source DNS is tried and true, everyone uses it. No one was ever fired for installing BIND. This new flash in the pan company has been hacked before, how long until they are hacked again? Why trust your DNS to some untested startup using inappropriate buzzwords like 'cloud computing?' Why pay for what you can get for free? Why outsource your DNS to someone who may or may not be here tomorrow? Heh. We can play at the FUD game, too.
- None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton
How can a monoculture be better than free software? At least different versions or different configurations provide a less universal attack vector. Though hosted services get all the security updates together, they don't seem to mention the problem of everyone using the same service.
A company has just promoted their own policies and products while at the same time demoting those of their competitors. People are in a state of shock, children are crying, students are demonstrating and the president is making an announcement later this evening. The UN has named this day the annual PR stunt day.
I am the lawn!
... That 'Nominum' actually used some version of ISC BIND in its products and services? Oh, well, guess I thought wrong...
90% of everything (you read) is horsepucky.
"The single biggest problem in communication is the illusion that it has taken place." George Bernard Shaw
I have some familiarity with SRD/IPRD and I have to say that I'm not very impressed with Nominum.
Single-user root admin in our deployment and a hideous java/windows front end for end-users... One which is so crappy we don't deploy.
Their training is USA-style puppy mill PowerPoint demos running on virtual machines.
Couple that with the fact that they were subject to the same DNS exploits as some of the "vendors" they are trashing in the article and I just think...
Man, what a bunch of ass hats spinning market droid fluff. Somehow, I'm not surprised.
(The views expressed in this post are mine alone and do not necessarily reflect the views of my employer.)
BIND, like Sendmail, is one of those legacy pieces of Berkeley software from the 1980s that should have been retired a long time ago.
A basic problem with both of those packages is that they're database applications without a database. Back in the 1980s, there were no good database programs available for UNIX, and some apps had to roll their own. We're way past that.
There are open-source database-based alternatives. Qmail is a database-based replacement for Sendmail, and it's generally considered to be much more stable and secure. (At this late date, nobody should be running Sendmail.) There's MyDNS, which is a MySQL-based DNS program, but that's never really caught on. The big commercial DNS systems are all database-based.
You really do need to look under the hood and kick the tyres. Maybe it's a Ferrari on the outside, but it could be an Austin Maxi on the inside.
He contradicts himself, he tells you to kick the tyres and look under the hood, and then touts his product which he explicitly states won't let you look under the hood...
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
I think it's interesting that they are using the term freeware instead of open source or FOSS. In a lot of people's minds freeware is shit like Bonzi Buddy or Comet Cursor or whatever spyware-laden free software these execs always manage to get on their computers. They equate FOSS with badly written spyware and they keep using the term freeware in their quotes. Interesting. They must have Frank Luntz working for them.
I'm sure a lot of execs find this message believable and are drafting up a 'no freeware' policy, only to be diplomatically corrected by the IT dept later on.
Ironically, I have a hard time trusting non-FOSS freeware. I always wonder if I'm getting a virus or a trojan, and wonder why I haven't been able to find an OSS alternative to closed-source Windows freeware/nagware programs. Paid-for proprietary I'm less worried about, but I'm not paying for what I consider basic functionality like DNS.
The summary says " Nominum was one of the companies affected by the DNS cache poisoning problem of last year".
But in the interview, I just read this:
See? The summary can't be right.
Liberal? Conservative? Compare perspectives at Left-Right
is really getting old. If the code is really useful and has a huge following, vulnerabilities get patched up faster than one can probably find exploits. Not only that, more eyes means more to detect and fix vulnerabilities before having a stable release.
Powerdns was vulnerable to the Kaminsky attack, but in a different way. It was actually easier to spoof the server due to its more actively dropping certain DNS packets. So while it did perform source port randomization, it was not totally immune to the attack either.
http://doc.powerdns.com/security-policy.html itself states:
All versions of PowerDNS before 2.9.21.1 do not respond to certain queries. This in itself is not a problem, but since the discovery by Dan Kaminsky of a new spoofing technique, this silence for queries PowerDNS considers invalid, within a valid domain, allows attackers more chances to feed *other* resolvers bad data.
Though it is phrased as "someone else's problem", in the DNS world of course nothing is "someone else's problem". DNS servers are chained in hierarchies and one problem somewhere leads to problems elsewhere. DNS is all about protocol compliance to ensure interoperability. With the "someone else's problem" approach, we would have had no "reflection attack" and "amplification attack" problems either, it being "someone else's problem". Despite the nice phrasing, PowerDNS caused cache poisoning problems as a result of the Kaminsky attack that needed to be addressed.
In general, I have a problem with bug reports and changelogs writing things as "improved error handling", "made more robust" or "add security to" which are too often used to hide the real security impact of certain bugs. DJB's policy of "it is not my bug to fix, because it is an operating system bug" is also completely bogus from a system administrator point of view who still ends up with a security problem.
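The comments above turn on how much guesswork a spoofer faces: the 16-bit transaction ID alone, or the transaction ID plus a randomised source port. The following is an added example, not code from the page, from PowerDNS or from any other project named here. It reads (source_port, txid) pairs as an operator would pull them from a packet capture of a resolver's outbound queries, estimates the entropy actually present in each field, and flags the fixed-port and small-port-pool patterns that the 2008 cache-poisoning fixes addressed. The sample captures are constructed with a seeded generator and are not real traffic.

```python
import math
import random
from collections import Counter


def shannon_bits(values):
    """Empirical Shannon entropy, in bits, of an observed value sequence.
    It is bounded above by log2(len(values)), so a short capture can show
    a lack of randomness but can never prove the full 16 bits are in use."""
    counts = Counter(values)
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def assess_resolver(records):
    """records: (source_port, txid) pairs from a resolver's outbound queries,
    as read out of a packet capture of its port-53 traffic.
    Returns the entropy seen in each field and a verdict on the source port:
    a fixed source port leaves only the 16-bit transaction ID for a spoofer
    to guess, which is the weakness source-port randomisation closes."""
    records = list(records)
    ports = [p for p, _ in records]
    txids = [t for _, t in records]
    port_bits = shannon_bits(ports)
    txid_bits = shannon_bits(txids)
    sample_cap = math.log2(len(records))  # most entropy this capture could reveal
    if len(set(ports)) == 1:
        verdict = "FIXED_PORT"
    elif port_bits < 0.9 * min(sample_cap, 8):
        # Ports vary, but over far fewer values than the capture could reveal.
        verdict = "LOW_PORT_ENTROPY"
    else:
        verdict = "RANDOMISED"
    return {
        "samples": len(records),
        "distinct_ports": len(set(ports)),
        "port_bits": round(port_bits, 2),
        "txid_bits": round(txid_bits, 2),
        "verdict": verdict,
    }


def make_sample(kind, n=256, seed=7):
    """Constructed captures (not real traffic) for three resolver behaviours."""
    rng = random.Random(seed)
    if kind == "fixed":        # every query leaves from port 53
        return [(53, rng.getrandbits(16)) for _ in range(n)]
    if kind == "cycling":      # a pool of eight ports cycled in order
        return [(32768 + i % 8, rng.getrandbits(16)) for i in range(n)]
    # a fresh unprivileged port per query
    return [(rng.randrange(1024, 65536), rng.getrandbits(16)) for _ in range(n)]


if __name__ == "__main__":
    for kind in ("fixed", "cycling", "random"):
        print(kind, assess_resolver(make_sample(kind)))
```

The verdict compares the observed port entropy against what a capture of that size could possibly show, so a 256-query capture is judged against 8 bits rather than the 16 of a full port range; a longer capture raises the bar automatically, and the only safe conclusions from a short one are negative.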
1970 called: they want their "Security Thru Obscurity" argument back.
"My country, right or wrong; if right, to be kept right; and if wrong, to be set right." --Senator Carl Schurz (1872)
I don't know about you, but there are certain indications you can pick up on when people are talking about something that gives them away as being total idiots. One of these is conflating the terms "freeware" and "open source." When this is done you can feel free to turn your brain off for the rest of the statement because the person obviously doesn't know what they are talking about. Try listening to someone in the MSM talk about open source and you'll pick up on similar idiotic statements.
I have the same problem with using local butchers. They buy their meat on the open market, and it is possible to track that meat down to the farm where the cow came from. Those cows are kept outdoors, where anyone can see them. Lord knows what toxins people might be injecting into those cows.
That's why I only eat meat from MeatCorp. All of MeatCorp's meat is made behind closed doors, in a giant, guarded metal building. Nobody knows what happens inside, and that makes me feel safe when I eat MeatCorp brand Meat Circles.
I just switched to a cloud-based bank! You don't even know what you're missing. They keep my money in a cloud and I can access my money from any of the millions of these little machines that are stuck to walls of various buildings around the world. You guys with your traditional banks are falling behind.
Biased much?
I'm sure that we can take seriously the word of a company pushing their own closed-source, commercial DNS server solution, when they say that software you don't have to pay anything for is bad.
Are YOU using the TOOL, or is the TOOL using YOU? Think about it!
A lot of root and top-level nameservers run on open source software too. NSD, BIND if I'm not mistaken. Ohh, scary! Not really, works really well actually. 'Even worse', I think the database system that runs .org is PostgreSQL.
New things are always on the horizon
Another lying, self-serving corporation. Is anyone else surprised?
There is a war going on for your mind.
I have a feeling there is going to be a lot of attacks on their DNS infrastructure in the near future.
That said, they will probably get to prove (if possible) that they are a more secure system. ...or not.
Buy our service or the ManBearPig will catch you. We are more secure because you don't know how insecure we are, but there was a specific case where the DNS used by the vast majority of the internet had a (fixed) vulnerability under special circumstances at a certain moment.
Way, way back when, Nominum employees successfully performed a denial of service attack on PowerDNS.
Does anyone know what this refers to?
Let's just compare the performance, reliability, scalability, and security between Nominum's products and NSD and Unbound. For the moment, have a look specifically at Wouter's presentation from RIPE a year and a half ago for a beta version of Unbound, which shows it handling double the number of queries per second of PowerDNS and Bind9 (start at page 11). We're now at version 1.3.3, and I've got an entry-level 1u Xeon server that will handle about 10kqps before slowing down with an Unbound config that took me all of an hour to learn, configure, and tune for optimum performance.
BTW, credit where credit is due, I've got to say thanks to Nominum for open-sourcing their DNS performance testing tools, which was what I used to test my Unbound setup. I think this marketing campaign is a result of the right hand not knowing what the left hand is doing, as PowerDNS et al. were not created in a vacuum and certainly rely on open-source libraries for various things.
Yo Nominum, im really happy for you, and imma let you finish, but microsoft is one of the best trolls of all time!
IranAir Flight 655 never forget!
Isn't Nominum that company that was formed about ten years ago for the purpose of developing the open source BIND and DHCP for ISC?
Yeah, these guys.
And now they're turning around and saying "Don't use that open source BIND because it's crap. We should know, we wrote it!"
Hi,
having evaluated and supported a lot of DNS software in the last years, I have to concede some truth to those statements (for other reasons than mentioned), especially concerning the still heavily used BIND. E.g. BIND 9 is a software I would not encourage to use in certain environments (>100K zones for authoritative, more than 5K queries per second for caching nameservers). The code of BIND isn't something I want to debug (been there, done that). The weirdest thing (last checked with BIND 9.6.0): With about 100K zones, config and zone files on a RAM disk, it still needed about 40 minutes for startup. Importing the same configuration into another nameserver took only about 90 seconds.
With the Nominum products, I appreciated performance (10-20 times better than BIND, about 7 times better than PowerDNS [better meaning: number of requests serviced per CPU minute]), the complete re-configurability at runtime and the PERL/Java/C-API. Implementing a solid provisioning was always easy.
Each software has its advantages and disadvantages. If only technical aspects matter, I would currently prefer the Nominum products to all OSS products I have tested. Other criteria may lead to a different decision.
CU, Martin
P.S. My statement concerns the use of DNS in a provider environment. If you set up a DNS service for your enterprise, OSS will probably be your software of choice. I have only one strong recommendation even there: Separate the caching nameserver from your authoritative nameserver. Even if you use BIND and only one machine: Implement those services in separate instances and on separate IP addresses. It will give you a lot more choices if you want to replace the software later or if you need to scale up a service.
P.P.S. This is my personal opinion and may not be untainted by self-interest. I consider myself OSS-friendly, but it isn't a religious belief. While I'm really grateful for the existence of BIND (and was even more a decade ago), the decision to start BIND 10 came at least 2 years late.
When we are talking about open source DNS software, you can split hairs with all the fringe packages... but everyone knows we are REALLY talking about BIND.
Anyone care to step up to the plate to defend BIND's security credentials? Anyone? Is this thing on?
They aren't confused. They're intentionally using freeware as a pejorative.
One CPU cycle wasted on digital restrictions management is ONE TOO MANY.
We have heard that tired, old argument before, a few idiot CIOs will swallow it, happy to pay top dollar for something that the free s/ware does better. Let them, as long as Nominum sticks to the RFCs and doesn't fork the spec - we don't care.
First, it's an interview. A lot of interviews tend to be one-sided. Especially on non-controversial issues, but the interviewer is obviously not aware of any potential controversy.
Second, it would be a good idea to post a comment there, and mail the interviewer and CC the editor. Let them know that they have essentially printed an advertisement, and that some alternative viewpoint would be in order, or at least questioning the claims.
Third, and most important, ZDNet is not known for investigative journalism. They will thank you for your message and that's about it. So the only good you can really do here is leave a comment, maybe pointing back to this discussion to see what knowledgeable people in the field think about the interview.
Do not fume about it. Do not rage on a forum about it. Do not send your buddy an e-mail pointing out the stupidity of their comments. Make a press release containing the facts and release it.
The cancel button is your friend. Do not hesitate to use it.
The original article refers to products employing security through obscurity as "commercial grade". He says that like it's a good thing, but I don't think he knows what it means. Running msWindows -- *that* is commercial grade.
If you've ever had the pleasure of actually seeing a quote from Nominum, you'll see why they're so down on 'freeware'.
Nominum's DNS software is extremely (and I mean VERY) expensive. For anyone. And I don't just mean it's hundreds or thousands of dollars. It's HUNDREDS _OF_ THOUSANDS of dollars for even a few licenses.
I suspect sales are down (in these uncertain economic times *cough*) so slandering the competition (errrmmm... how do you compete with free?) is apparently the current marketing strategy.
Happily, this interview/article makes me dislike them and their products even more than I already did.
http://www.youtube.com/watch?v=ynjIoymWHvU&feature=fvw
Doing business with Nominum is not akin to doing business with grifters and thieves. But people who do so are opening themselves up to problems.
I am impossible to hack. Come get me!
Support my political activism on Patreon.
dig nominum.com ns +short
ns3.nominum.com.
ns1.nominum.com.
ns2.nominum.net.
dig @ns2.nominum.net version.bind txt chaos +short
"9.3.5-P2"
Is it me, or does that not look like a BIND version number (an old one, at that)?
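The dig exchange above shows what a CHAOS-class version.bind query returns when a server answers it. As an added example (not code from the page or from any nameserver project), here is a small check a monitoring job could run over such replies: it parses a BIND-style version string when one is disclosed, compares it with a floor version supplied by the caller, and reports a hidden banner as the preferred state. The sample replies are constructed, not captured from any real server, and the floor used in the usage call is an arbitrary placeholder.

```python
import re

# A BIND-style version string as returned for a version.bind TXT CHAOS query,
# optionally wrapped in the quotes that `dig +short` prints around TXT data.
BIND_VERSION_RE = re.compile(r'^"?(\d+)\.(\d+)\.(\d+)(?:-P(\d+))?"?$')


def parse_version_bind(reply):
    """Parse one `dig @server version.bind txt chaos +short` reply line.
    Returns (major, minor, patch, patch_level) when a BIND-style version is
    disclosed, or None when the reply is empty or an arbitrary banner."""
    m = BIND_VERSION_RE.match(reply.strip())
    if not m:
        return None
    major, minor, patch, plevel = m.groups()
    return (int(major), int(minor), int(patch), int(plevel or 0))


def review_version_bind(reply, floor):
    """Classify a reply for a monitoring check. `floor` is the oldest version
    the operator still accepts, as a 4-tuple chosen by the caller.
    DISCLOSED_OLD: a version is shown and it is below the floor
    DISCLOSED:     a version is shown, at or above the floor
    HIDDEN:        nothing useful is disclosed; this is what a BIND server
                   configured with `options { version "..."; };` returns"""
    version = parse_version_bind(reply)
    if version is None:
        return "HIDDEN"
    return "DISCLOSED_OLD" if version < floor else "DISCLOSED"


# Constructed sample replies (not captured from any real server).
SAMPLE_REPLIES = {
    "old_bind": '"9.3.5-P2"',
    "custom_banner": '"not currently available"',
    "no_answer": "",
}

if __name__ == "__main__":
    PLACEHOLDER_FLOOR = (9, 6, 0, 0)  # arbitrary floor for the demonstration
    for name, reply in SAMPLE_REPLIES.items():
        print(name, review_version_bind(reply, PLACEHOLDER_FLOOR))
```

Only the disclosure itself is judged here; a hidden banner says nothing about the patch level actually running, so the version floor still has to be enforced through the package or build you deploy, not through what the server advertises.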
Nominum can say whatever dumb thing they want. I'm running djbdns and have been for years with zero incident.
*blink*
Such a thing exists? And some people actually pay for it?
I had no idea.
From TFA:
The network effect means that Skye is the only cloud DNS service that has as its foundation half the broadband internet already using the same software. Nominum has 170 million broadband households worldwide that already go through our software.
In other words, software monoculture is the basis of Nominum's business plan. Even though it is very much a hotly-debated topic in recent years whether software monoculture is actually better or worse than diversity, for security, e.g. http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci991178,00.html
... are giving lectures about security but can't even configure their own webserver properly (notice the Notice). What a bunch of losers...
Lando Calrissian approves.
Paranoia for hire.
Yes. In the US when I was growing up, various towns and cities put fluoride in the water. It was the only way to ensure every child was going to get healthy teeth. That's akin to extending the reach of intelligent DNS.
By delivering a cloud model that allows essentially any enterprise or any ISP to have the wherewithal to take advantage of a Nominum solution is like putting fluoride in the water.
You don't have to have a DNS expert internally, and you don't have to have a certain level of customer base to amortise the cost of deploying the software.
He is using fluoride in the water as a marketing analogy?
These guys are too stupid to stay in biz for much longer. Everyone relax.
Living in Chile
Said by a company that sells software. No conflict of interest there.
---- Booth was a patriot ----
I predict some pacing up and down the halls and maybe a bit of hand waving in the near future.
http://www.nominum.com/company/advisory_board_vixie.php
"Today, Paul is considered the primary modern author and technical architect of BINDv8 the Berkeley Internet Name Domain Version 8, the open source reference implementation of the Domain Name System (DNS). He formed the Internet Software Consortium (ISC) in 1994, and now acts as Chairman of its Board of Directors. The ISC reflects Paul's commitment to developing and maintaining production quality open source reference implementations of core Internet protocols."
https://www.isc.org/about/leadership
President Paul Vixie
"Internet Systems Consortium, Inc. (ISC) is proud to be the producer and distributor of commercial quality Open Source software for the Internet Community" (read: BIND, among other things.)
While I disagree with the idea that open-source DNS servers are insecure (having written one myself), I can see why he wants to say bad things about Open-source DNS servers.
The bottom line is this: There is no money to be made with DNS. While DNS is something that is essential for the Internet, it's something that is completely free. Bert Hubert tried making money with DNS a few years ago with PowerDNS, but sales were so bad he threw in the towel and GPLd the code around 2002. BIND 9 was, as it turns out, funded with a combination of contributions from UNIX corporations and military funding (for DNSSEC) who wanted to update DNS, but the funding has dried up and the code is BSD-licensed. NSD and Unbound's development were funded with government grants.
DjbDNS was done as an independent project by Bernstein; he stopped working on it in 2001 and the code is really out of date (three unpatched security holes, outdated root servers list, etc). My own MaraDNS is still being actively developed, but at a glacial pace; between my girlfriend, my job, and my other interests, I often have to put it on the back burner.
So, yes, DNS is essential, but it's free and it's really hard to make money with it. Heck, it's hard to get enough goodwill and net-reputation from making a DNS server for me to get a well-paying job in the US working with computers again in today's depression-level tech economy (if you want to hire someone with the expertise to write a DNS server, my resume is online).
So, yeah, I can see why this person resorts to FUD and BS to try and get people to pay more money for DNS. But, the truth is that there are a lot of really good free and open-source DNS servers out there and no need to buy a commercial DNS server.
MaraDNS is an open-source DNS server.
security by obscurity = automatic EPIC FAIL.
I won't be using nominum services, even if there's a free version. That's a confession of incompetence.
Tech Public Policy stuff
then they keep conflating the definitions of freeware and open source. Freeware is not open source simply by its exclusion from the definition of open source. Open source would be more trustworthy than freeware since you can see the code and notice when they put in the line that makes a back door to all the machines it's running on so they can remote in and steal your data. (One of my workplaces had a bad experience with a spam filter that was sending email addresses back to the vendor.)
That's the sound of my enormous amount of respect for Nominum exploding and vaporizing, due to one exclamation of sheer foolishness on their part.
It's a shame too... until this moment, they were overwhelmingly one of the most competent DNS service providers.
You know Microsoft's proprietary DNS implementations in Windows had just as many problems as the open source ones.
And the open source implementations can be patched and fixed much more easily.
Which still defeats any amount of credibility they may have hoped to maintain. Malice and stupidity are fairly interchangeable, especially when the end result is a vendor spewing a shit shower.
Bind DNS is full of security problems, is bloated and the configuration is overly complicated.
Has anyone ever tried TinyDNS? Its creator isn't the most cooperative guy when it comes to Debian standards in terms of binary locations, and therefore Debian refuses to add it to their repository.
But, one can compile and use it yourself. It has never been DNS cache poisoned, it has never been hacked at all. In fact there is a reward for anyone that can.
I've taken a few calls from "senior" sales people at Nominum pimping their software and in all my time in the industry never dealt with such idiotic and childish patter, exactly along the lines of this article - in fact they used the same examples of Eircom etc. I had no interest in using Nominum before, but now I'd definitely never consider them for anything other than subtle mocking.
He obviously ran out of arguments for his software so he has to claim that all existing software (and most DNS servers right now are open source) is bad and _therefore_ his software must be great.
It's a train of arguments used by many people in the past: "Witches are bad, therefore we are good when we burn them." "The terrorists are evil, therefore we are good whatever we do."
Now this is paired with an idiot who doesn't even know the difference between free software and freeware.