Nominum Calls Open Source DNS "a Recipe For Problems"

← Back to Stories (view on slashdot.org)

Nominum Calls Open Source DNS "a Recipe For Problems"

Posted by Soulskill on Wednesday September 23, 2009 @05:28AM from the dem's-fightin'-woids dept.

Raindeer writes "Commercial DNS software provider Nominum, in an effort to promote its new cloud-based DNS service, SKYE, has slandered all open source/freeware DNS packages. It said: 'Given all the nasty things that have happened this year, freeware is a recipe for problems, and it's just going to get worse. ... So, whether it's Eircom in Ireland or a Brazilian ISP that was attacked earlier this year, all of them were using some variant of freeware. Freeware is not akin to malware, but is opening up those customers to problems.' This has the DNS community fuming. Especially when you consider that Nominum was one of the companies affected by the DNS cache poisoning problem of last year, something PowerDNS, MaraDNS and DJBDNS (all open source) weren't vulnerable to."

41 of 237 comments (clear)

Min score:

Reason:

Sort:

Well by Spazztastic · 2009-09-23 05:34 · Score: 3, Informative

I hope he doesn't run any Linux distributions in his company, at all. That would make him a hypocrite.

--
Posts not to be taken literally. Almost everything is sarcasm.
1. Re:Well by Spazztastic · 2009-09-23 05:37 · Score: 3, Informative
  
  Ah, but he does.
  
  The argument will be that since they run Redhat it's not considered open source or freeware, even though it is a Linux distribution that is proprietary.
  
  --
  Posts not to be taken literally. Almost everything is sarcasm.
2. Re:Well by the_womble · 2009-09-23 05:42 · Score: 5, Insightful
  
  The argument will be that since they run Redhat it's not considered open source or freeware, even though it is a Linux distribution that is proprietary.
  It is easy enough to prove that Red Hat is open source, the problem is that the "repeat the press release" standard of journalism of the article that accepts any assertion made by an interviewee or a press release as fact.
3. Re:Well by commodore64_love · 2009-09-23 05:48 · Score: 3, Insightful
  
  +5 insightful. That's what most journalists do today - just publish the press release word-for-word, minus a few edits to make it fit inside the available column space or 1-minute soundbite. It's reached the point where you assume the journalists are just mouthpieces for the corporate liars (aka marketers).
  
  --
  "I disapprove of what you say, but I will defend to the death your right to say it." - historian Evelyn Beatrice Hall
4. Re:Well by secmartin · 2009-09-23 06:21 · Score: 4, Interesting
  
  That's why we have bloggers, right? Journalists are paid to copy-paste from press released, while bloggers derive their satisfaction from actually reading between the lines / further than the press release (that is, of course, generally speaking; there is at least some good investigative journalism left).
  I just had a great example of this in my mailbox. A press release from a storage company announcing a new trade-in program; it's amazing how many websites just copy-pasted the cheerful announcement without mentioning they are facing a delisting from the NASDAQ or any other useful background info. Examples like this keep popping up, it makes you wonder about Murdoch's plans to charge for that "premium" content...
5. Re:Well by whoever57 · 2009-09-23 06:24 · Score: 5, Insightful
  
  But why is it the journalist's job to spell out that you're reading a press release from a commercial DNS provider denigrating competition.
  Because that's the job of a reporter -- to investigate, analyse, interpret and explain the information. Otherwise, the reporter is adding no value and simple economic theory would suggest that his/her job should disappear.
  
  And newspaper owners wonder why they are losing business?
  
  --
  The real "Libtards" are the Libertarians!
6. Re:Well by lorenlal · 2009-09-23 07:27 · Score: 4, Interesting
  
  That answer just pisses me off.
  
  If I have a secret way of blocking a hacker...
  Right. That sounds like an awesome idea. How useful is that "secret" if the customer knows about it? It needs to be documented in that case, which means everyone knows about it, which means it's another attack surface. Plus, there must be a way of turning that feature back off.
  If the customer doesn't know about it. It's only a matter of time before said hacker finds out about it, cause it will get out there. It also means that anyone who works (and worked for) said vendor can exploit that feature for their own purposes. The customer who paid for the software is just left out in the cold. Good job there. Sounds like an excellent reason to not use open code.
  Well done Nominum...
Linux seems to be fine... by ichthus · 2009-09-23 05:35 · Score: 4, Insightful

Linux seems to be fine for them to run their web server.

--
sig: sauer
1. Re:Linux seems to be fine... by Wodin · 2009-09-23 08:51 · Score: 4, Insightful
  
  What's worse is they use BIND!
  https://lists.dns-oarc.net/pipermail/dns-operations/2009-September/004481.html
  
  --
  -- Wodin
Re:Yeah, Like Closed Source is better. by Spazztastic · 2009-09-23 05:36 · Score: 5, Funny

Yeah, because the poster child of closed source - Windows - is *so* secure...
I resent that, Mr. Anonymous Coward. Windows is the most secure system in the entire world as long as you leave the system unplugged from the network and inside of a Faraday cage. With the USB ports disabled and no CD-ROM/Floppy drive. And armed guards at the door.
It's a feasible option for any business.

--
Posts not to be taken literally. Almost everything is sarcasm.
Blow more smoke up our posteriors... by autocracy · 2009-09-23 05:36 · Score: 5, Insightful

I'll sum up their argument: We use security through obscurity, and that makes us better. You should pay us for that. Also, when we say "cloud-based," we really just mean "in our data centers." They're really abusing the definition of cloud computing, just because it's the current profit-generating buzzword.

--
SIG: HUP
1. Re:Blow more smoke up our posteriors... by MightyMartian · 2009-09-23 05:47 · Score: 4, Interesting
  
  Does the word "cloud" have any particular meaning? Of course you should have multiple geographically and network diverse DNS servers. I run my master DNS on my own server, but my pay like $10 a year for my secondaries, which slave to the master. Under no circumstances will I ever give up control of my DNS, or use some shitty web app to manage my DNS records, and that's why I insist that the master (even if invisible) sit squarely on my end.
  But then again, this has been the general recommendation for a couple of decades now, so I have no idea what "cloud computing" has to do with it. Offsite mirrors of critical data, DNS or otherwise, is simply sound practices.
  
  --
  The world's burning. Moped Jesus spotted on I50. Details at 11.
2. Re:Blow more smoke up our posteriors... by stevey · 2009-09-23 06:01 · Score: 3, Insightful
  
  Also "freeware" and "open source" mean the same thing, and we'll try to make you associate them with "malware".
3. Re:Blow more smoke up our posteriors... by fafaforza · 2009-09-23 06:21 · Score: 3, Informative
  
  But it's such a good business. I know of one colo client that has DNS for a domain with UltraDNS. We're talking about a single domain with maybe a dozen records. The bill? It was over $2K per month. And we aren't talking about a Fortune500 company here. All those techie sounding terms, trademarked labels, and slick marketing comeons work well with IT "managers".
4. Re:Blow more smoke up our posteriors... by Chris+Mattern · 2009-09-23 06:25 · Score: 5, Funny
  
  Does the word "cloud" have any particular meaning?
  "Cloud" means "in our data centers", so that you're paying us money. If you're still using your own servers, you're not in the "cloud", and you're not paying us money.
  Obviously, it is absolutely imperative that you migrate all your services to the cloud.
5. Re:Blow more smoke up our posteriors... by TooMuchToDo · 2009-09-23 09:35 · Score: 3, Interesting
  
  I had a client who wanted to use either DynDNS Enterprise or UltraDNS, and priced both out for them. When the UltraDNS sales dude called me to find out why they didn't win the business, I told them because DynDNS was $250/month (thousands of A records) and they wanted $3500/month. He said "Oh, I thought you were looking for enterprise-grade DNS services." I responded with an email, "What do you provide that they don't?". Never heard back. UltraDNS can go DIAF. Gougers like that belong with lawyers, at the bottom of the ocean.
Re:Yeah, Like Closed Source is better. by JohnBailey · 2009-09-23 05:38 · Score: 4, Funny

I resent that, Mr. Anonymous Coward. Windows is the most secure system in the entire world as long as you leave the system unplugged from the network and inside of a Faraday cage. With the USB ports disabled and no CD-ROM/Floppy drive. And armed guards at the door. It's a feasible option for any business.
Until you turn it on...

--
It is difficult to get a man to understand something when his job depends on not understanding it.
Re:Yeah, Like Closed Source is better. by Spazztastic · 2009-09-23 05:39 · Score: 5, Funny

I resent that, Mr. Anonymous Coward. Windows is the most secure system in the entire world as long as you leave the system unplugged from the network and inside of a Faraday cage. With the USB ports disabled and no CD-ROM/Floppy drive. And armed guards at the door.
It's a feasible option for any business.
Until you turn it on...
I NEVER TOLD YOU TO DO THAT! YOU'VE DOOMED US ALL!

--
Posts not to be taken literally. Almost everything is sarcasm.
Good Grief by MightyMartian · 2009-09-23 05:39 · Score: 5, Insightful

I don't know about you, but any company that feels the only way they can sell their product is to basically slander their competitors isn't likely to get my attention. As it is, and as much of a pain in the ass as Bind can be, I have yet to encounter anything quite as powerful as Bind9. It's certainly not without flaws, but after having had to deal with the inadequacies of Microsoft's DNS, anyone who comes up to me and says "Oh yeah, those open source DNS servers are the lesser products" is either a liar or a moron.

--
The world's burning. Moped Jesus spotted on I50. Details at 11.
1. Re:Good Grief by Monkeedude1212 · 2009-09-23 05:42 · Score: 4, Insightful
  
  I don't know about you, but any company that feels the only way they can sell their product is to basically slander their competitors isn't likely to get my attention.
  
  And from the blog thats linked:
  
  Way, way back when, Nominum employees successfully performed a denial of service attack on PowerDNS. I thought they had grown over this kind of behavior, but it appears they didn't.
  I hope no one goes to Nominum, they play dirty. I don't think the internet needs to be more dirty, what with all the scammers out there, both hackers and ISP's alike.
2. Re:Good Grief by MightyMartian · 2009-09-23 08:39 · Score: 5, Informative
  
  Well, I haven't seen a product that is as powerful as Bind9, paid or unpaid. The pain in the ass bit is simply the configuration, which when you start talking about various views based on ACLs, can get a bit eye-splitting (but then again, that applies to lots of things with ACLs, like Cisco IOS, Squid, etc).
  The guy is a liar. You know it. I know it. I think anybody who actually works with DNS infrastructure knows it.
  
  --
  The world's burning. Moped Jesus spotted on I50. Details at 11.
Even if what they say is true... by Aim+Here · 2009-09-23 05:39 · Score: 4, Interesting

... how can you trust these guys to write your DNS software? They're the very guys who were contracted to write Bind9, the foremost open source domain name server, which they're now complaining about.
And, from TFA:

You really do need to look under the hood and kick the tyres. Maybe it's a Ferrari on the outside, but it could be an Austin Maxi on the inside.
Reconcile THAT little gem with support for closed source software.
1. Re:Even if what they say is true... by Spazztastic · 2009-09-23 05:42 · Score: 4, Insightful
  
  ... how can you trust these guys to write your DNS software? They're the very guys who were contracted to write Bind9, the foremost open source domain name server, which they're now complaining about.
  The other question is if they are now using elements of the Bind9 source in their closed source system and are not properly disclosing it.
  
  --
  Posts not to be taken literally. Almost everything is sarcasm.
2. Re:Even if what they say is true... by jggimi · 2009-09-23 06:00 · Score: 4, Informative
  
  Bind is ISC licensed, which is similar to a BSD license. Disclosure is not required. See this example template.
So, then, to sum up... by Chris+Mattern · 2009-09-23 05:40 · Score: 3, Funny

...proprietary software company says you should buy their product instead of using something else.
I'm shocked, I tell you. Just shocked.
Freeware will not eat your children by spun · 2009-09-23 05:42 · Score: 5, Insightful

"But it is opening up these customers to problems." Nice, textbook FUD/propaganda. Put the thought out there. Deflect attention from your own failings. Lump all 'freeware' DNS into the same basket. Call it 'freeware' instead of Open Source to link it to badly written DOS/Windows programs. Wow, this company is sleazy. It would be such poetic justice for some grey hat hackers to take these goons down.
Open source DNS is tried and true, everyone uses it. No one was ever fired for installing BIND. This new flash in the pan company has been hacked before, how long until they are hacked again? Why trust your DNS to some untested startup using inappropriate buzzwords like 'cloud computing?' Why pay for what you can get for free? Why outsource your DNS to someone who may or may not be here tomorrow? Heh. We can play at the FUD game, too.

--
- None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton
1. Re:Freeware will not eat your children by Zan+Lynx · 2009-09-23 06:54 · Score: 3, Interesting
  
  In what universe is chroot not a security measure?
  It is not perfect security all by itself, but it is *a* security measure. It prevents several classes of local escalation attacks.
  You may as well claim that BSD's jail, alternate namespaces and virtual machines are not a security measure. None of those are perfect, but every little bit helps.
not impressed by screeble · 2009-09-23 05:45 · Score: 3, Informative

I have some familiarity with SRD/IPRD and I have to say that I'm not very impressed with Nominum.
Single-user root admin in our deployment and a hideous java/windows front end for end-users... One which is so crappy we don't deploy.
Their training is USAstyle puppy mill powerpoint demos running on virtual machines.
Couple that with the fact that they were subject to the same DNS exploits as some of the "vendors" they are trashing in the article and I just think...
Man, what a bunch of ass hats spinning market droid fluff. Somehow, I'm not surprised.
(The views expressed in this post are mine alone and do not necessarily reflect the views of my employer.)
Contradictions by Bert64 · 2009-09-23 05:46 · Score: 5, Insightful

You really do need to look under the hood and kick the tyres. Maybe it's a Ferrari on the outside, but it could be an Austin Maxi on the inside.
He contradicts himself, he tells you to kick the tyres and look under the hood, and then touts his product which he explicitly states won't let you look under the hood...

--
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
Summary can't be right. by Anonymusing · 2009-09-23 05:50 · Score: 3, Funny

The summary says " Nominum was one of the companies affected by the DNS cache poisoning problem of last year".
But in the interview, I just read this:

Q: People's reaction to that may be: 'He would say that, wouldn't he, because he's just trying to sell his product'. How would you answer them?

A: I would respond to them by saying, just look at the facts over the past six months, at the number of vulnerabilities announced and the number of patches that had to made to Bind and freeware products. And Nominum has not had a single known vulnerability in its software.

See? The summary can't be right.

--
Liberal? Conservative? Compare perspectives at Left-Right
1970 Called by Prototerm · 2009-09-23 05:56 · Score: 3, Funny

1970 called: they want their "Security Thru Obscurity" argument back.

--
"My country, right or wrong; if right, to be kept right; and if wrong, to be set right." --Senator Carl Schurz (1872)
Re:BIND is past it's sell-by date. by MightyMartian · 2009-09-23 05:58 · Score: 3, Insightful

Have you ever even used Bind9? Yes, it's got a few hangovers from the olden days, but it is was damned powerful piece of software. Bind9 views are pretty much the most powerful networking server software component I've ever used. When I was the network admin for a small ISP, we had three separate WiFi networks that, because of the idiosyncrasies of the proprietary technology, each needed customized zones, as well as a Server 2000 AD network, and I was able to run all of them on a single set of Bind9 servers, as well as our public DNS servers for the domains we hosted. It took a bit of work to get it there (though not that much, like anything, it's more just getting used to the nomenclature).
As I recall, you can even plug an RDBMS like MySQL into it if that's how you want to manage your zones, though to be honest, I never much saw the point.

--
The world's burning. Moped Jesus spotted on I50. Details at 11.
It's like meat by CopaceticOpus · 2009-09-23 05:59 · Score: 5, Funny

I have the same problem with using local butchers. They buy their meat on the open market, and it is possible to track that meat down to the farm where the cow came from. Those cows are kept outdoors, where anyone can see them. Lord knows what toxins people might be injecting into those cows.
That's why I only eat meat from MeatCorp. All of MeatCorp's meat is made behind closed doors, in a giant, guarded metal building. Nobody knows what happens inside, and that makes me feel safe when I eat MeatCorp brand Meat Circles.
I'll let you finish by RiotingPacifist · 2009-09-23 06:16 · Score: 4, Funny

Yo Nominum, im really happy for you, and imma let you finish, but microsoft is one of the best trolls of all time!

--
IranAir Flight 655 never forget!
Is this the same Nominum? by Minwee · 2009-09-23 06:17 · Score: 4, Funny

Isn't Nominum that company that was formed about ten years ago for the purpose of developing the open source BIND and DHCP for ISC?
Yeah, these guys.
And now they're turning around and saying "Don't use that open source BIND because it's crap. We should know, we wrote it!"
1. Re:Is this the same Nominum? by CTachyon · 2009-09-23 07:48 · Score: 4, Informative
  
  Isn't Nominum that company that was formed about ten years ago for the purpose of developing the open source BIND and DHCP for ISC?
  Yeah, these guys.
  And now they're turning around and saying "Don't use that open source BIND because it's crap. We should know, we wrote it!"
  Even more beautifully, try digging the version numbers from their nameservers:
  $ dig +short @ns1.nominum.net CH TXT version.bind.
  "Nominum ANS 3.0.1.0"
  $ dig +short @ns2.nominum.net CH TXT version.bind.
  "9.3.5-P2"
  $ dig +short @ns3.nominum.net CH TXT version.bind.
  "Nominum ANSPremier 4.1.0.0"
  One of the 3 nameservers for their own domain is running BIND, and a fairly old version of it at that!
  
  --
  Range Voting: preference intensity matters
Bind9 has not been compromised recently ... by Alain+Williams · 2009-09-23 06:35 · Score: 3, Insightful

because few people use it so it just isn't a worth while target. Oh, ... wait ....
We have heard that tired, old argument before, a few idiot CIOs will swallow it, happy to pay top dollar for something that the free s/ware does better. Let them, as long as Nominum sticks to the RFCs and doesn't fork the spec - we don't care.
Do something about it by DrWho520 · 2009-09-23 06:51 · Score: 3, Insightful

Do not fume about it. Do not rage on a forum about it. Do not send you buddy and e-mail pointing out the stupidity of their comments. Make a press release containing the facts and release it.

--
The cancel button is your friend. Do not hesitate to use it.
Nominum = $$$$ by golden.radish · 2009-09-23 06:55 · Score: 3, Interesting

If you've ever had the pleasure of actually seeing a quote from Nominum, you'll see why they're so down on 'freeware'.
Nominum's DNS software is extremely (and I mean VERY) expensive. For anyone. And I don't just mean it's hundreds or thousands of dollars. It's HUNDREDS _OF_ THOUSANDS of dollars for even a few licenses.
I suspect sales are down (in these uncertain economic times *cough*) so slandering the competition (errrmmm... how do you compete with free?) is apparently the current marketing strategy.
Happily, this interview/article makes me dislike them and their products even more than I already did.
Re:DoS on PowerDNS? by ahu · 2009-09-23 07:43 · Score: 3, Informative

Nothing too serious, probably a prank from some bored employees at the time. We asked some of the Nominum people what they were up to, since we'd been receiving packets that caused PowerDNS to crash from Nominum IP space.
I seem to recall one of their (ex-)employees eventually even told us which bug they had been triggering.
I don't for a moment believe this was a Nominum-sanctioned activity.
But this is all way back in the mists of time, the beginning of 2002.
Bert
(PowerDNS)
"a secret way of blocking a hacker" by alizard · 2009-09-23 13:10 · Score: 4, Interesting

security by obscurity = automatic EPIC FAIL.

I won't be using nominum services, even if there's a free version. That's a confession of incompetence.

--
Tech Public Policy stuff