
Nominum Calls Open Source DNS "a Recipe For Problems"

Soulskill posted more than 4 years ago | from the dem's-fightin'-woids dept.

Networking 237

Raindeer writes "Commercial DNS software provider Nominum, in an effort to promote its new cloud-based DNS service, SKYE, has slandered all open source/freeware DNS packages. It said: 'Given all the nasty things that have happened this year, freeware is a recipe for problems, and it's just going to get worse. ... So, whether it's Eircom in Ireland or a Brazilian ISP that was attacked earlier this year, all of them were using some variant of freeware. Freeware is not akin to malware, but is opening up those customers to problems.' This has the DNS community fuming. Especially when you consider that Nominum was one of the companies affected by the DNS cache poisoning problem of last year, something PowerDNS, MaraDNS and DJBDNS (all open source) weren't vulnerable to."


237 comments

Yeah, Like Closed Source is better. (1, Funny)

Anonymous Coward | more than 4 years ago | (#29518223)

Yeah, because the poster child of closed source - Windows - is *so* secure...

Re:Yeah, Like Closed Source is better. (5, Funny)

Spazztastic (814296) | more than 4 years ago | (#29518263)

Yeah, because the poster child of closed source - Windows - is *so* secure...

I resent that, Mr. Anonymous Coward. Windows is the most secure system in the entire world as long as you leave the system unplugged from the network and inside of a Faraday cage. With the USB ports disabled and no CD-ROM/Floppy drive. And armed guards at the door.

It's a feasible option for any business.

Re:Yeah, Like Closed Source is better. (4, Funny)

JohnBailey (1092697) | more than 4 years ago | (#29518299)

I resent that, Mr. Anonymous Coward. Windows is the most secure system in the entire world as long as you leave the system unplugged from the network and inside of a Faraday cage. With the USB ports disabled and no CD-ROM/Floppy drive. And armed guards at the door. It's a feasible option for any business.

Until you turn it on...

Re:Yeah, Like Closed Source is better. (5, Funny)

Spazztastic (814296) | more than 4 years ago | (#29518319)

I resent that, Mr. Anonymous Coward. Windows is the most secure system in the entire world as long as you leave the system unplugged from the network and inside of a Faraday cage. With the USB ports disabled and no CD-ROM/Floppy drive. And armed guards at the door.

It's a feasible option for any business.

Until you turn it on...

I NEVER TOLD YOU TO DO THAT! YOU'VE DOOMED US ALL!

Re:Yeah, Like Closed Source is better. (1)

K. S. Kyosuke (729550) | more than 4 years ago | (#29518879)

Windows Vista and Zune fanboys are more likely to Halo us all...

Re:Yeah, Like Closed Source is better. (1)

Chris Mattern (191822) | more than 4 years ago | (#29519189)

As long as they don't Daikatana us all.

Re:Yeah, Like Closed Source is better. (1)

gobbligook (465653) | more than 4 years ago | (#29518623)

Do the same to a Linux box, and guess what?! It's more secure than the Windows one!

Re:Yeah, Like Closed Source is better. (2, Funny)

Brian Gordon (987471) | more than 4 years ago | (#29518695)

Personally I never use any computer with a monitor output just in case there's a TEMPEST rig nearby..

Re:Yeah, Like Closed Source is better. (1)

OrangeTide (124937) | more than 4 years ago | (#29519071)

Not really true, the OEM could have put malware on the Windows machine you bought. Also common are viruses infecting machines while they are being loaded at the factory.

Nothing is safe, neither freeware nor commercial software. The main difference between the two is whether you paid real money for an insecure system.

Re:Yeah, Like Closed Source is better. (0, Troll)

schon (31600) | more than 4 years ago | (#29518541)

because the poster child of closed source - Windows - is *so* secure...

Nonono.. didn't you read the summary?

Freeware is not akin to malware, but is opening up those customers to problems.

He's obviously saying that "Freeware" is the only way that malware can attack your system, so therefore he thinks that Windows is "Freeware"!

Well (3, Informative)

Spazztastic (814296) | more than 4 years ago | (#29518229)

I hope he doesn't run any Linux distributions in his company, at all. That would make him a hypocrite.

Re:Well (2, Informative)

ichthus (72442) | more than 4 years ago | (#29518261)

Ah, but he does. [netcraft.com]

Re:Well (3, Informative)

Spazztastic (814296) | more than 4 years ago | (#29518283)

Ah, but he does. [netcraft.com]

The argument will be that since they run Redhat it's not considered open source or freeware, even though it is a Linux distribution that is proprietary.

Re:Well (5, Insightful)

the_womble (580291) | more than 4 years ago | (#29518423)

The argument will be that since they run Redhat it's not considered open source or freeware, even though it is a Linux distribution that is proprietary.

It is easy enough to prove that Red Hat is open source; the problem is the "repeat the press release" standard of journalism in the article, which accepts any assertion made by an interviewee or a press release as fact.

Re:Well (3, Insightful)

commodore64_love (1445365) | more than 4 years ago | (#29518525)

+5 insightful. That's what most journalists do today - just publish the press release word-for-word, minus a few edits to make it fit inside the available column space or 1-minute soundbite. It's reached the point where you assume the journalists are just mouthpieces for the corporate liars (aka marketers).

Re:Well (1)

fafaforza (248976) | more than 4 years ago | (#29518997)

But why is it the journalist's job to spell out that you're reading a press release from a commercial DNS provider denigrating competition? It should be in everyone's ability to take a press release as a company's marketing drivel, and whatever assertions they make about competing products as attempts to promote their own products, unless proven otherwise.

Re:Well (5, Insightful)

whoever57 (658626) | more than 4 years ago | (#29519131)

But why is it the journalist's job to spell out that you're reading a press release from a commercial DNS provider denigrating competition.

Because that's the job of a reporter -- to investigate, analyse, interpret and explain the information. Otherwise, the reporter is adding no value and simple economic theory would suggest that his/her job should disappear.

And newspaper owners wonder why they are losing business?

Re:Well (4, Interesting)

secmartin (1336705) | more than 4 years ago | (#29519095)

That's why we have bloggers, right? Journalists are paid to copy-paste from press releases, while bloggers derive their satisfaction from actually reading between the lines / further than the press release (that is, of course, generally speaking; there is at least some good investigative journalism left).

I just had a great example of this in my mailbox. A press release from a storage company announcing a new trade-in program; it's amazing how many websites just copy-pasted the cheerful announcement without mentioning they are facing a delisting from the NASDAQ [storage-news.com] or any other useful background info. Examples like this keep popping up; it makes you wonder about Murdoch's plans to charge for that "premium" content...

Re:Well (1)

noundi (1044080) | more than 4 years ago | (#29519145)

+5 insightful. That's what most journalists do today - just publish the press release word-for-word, minus a few edits to make it fit inside the available column space or 1-minute soundbite. It's reached the point where you assume the journalists are just mouthpieces for the corporate liars (aka marketers).

Don't forget the sensational headline that sells the nonsense. Journalism (or rather sensationalism) has become a real filthy profession, and it's a real shame if you ask me. But perhaps it's one of those occupations that are bound to die with the internet era. We no longer need anybody to report the news; the "news" is all around us, all the time -- everywhere, and I don't value hearsay from a journalist higher than hearsay from a peer on the net. Journalism is a method to bring the world closer to you, but so is the internet, if you catch my drift.

Re:Well (2, Insightful)

EvilRyry (1025309) | more than 4 years ago | (#29518453)

You can download all the SRPMs for free. How do you get any more open source than that?

Re:Well (1)

idontgno (624372) | more than 4 years ago | (#29518915)

True. [centos.org]

Re:Well (1)

ianare (1132971) | more than 4 years ago | (#29519421)

Red Hat is open source, but not free. They're talking trash about 'freeware'. Just sayin'

Re:Well (2, Informative)

mellon (7048) | more than 4 years ago | (#29518621)

We not only run Linux, we *support all our products* on various versions of Linux and FreeBSD (and Solaris, for that matter, which I guess is open source these days).

Sigh.

Linux seems to be fine... (4, Insightful)

ichthus (72442) | more than 4 years ago | (#29518241)

Linux seems to be fine for them to run their web server [netcraft.com] .

Re:Linux seems to be fine... (0)

Anonymous Coward | more than 4 years ago | (#29518339)

Now, what would be really funny is if:

1. They switched to Windows Server 20xx
2. They get their page owned by some cracker

Poetic justice, if you will.

Re:Linux seems to be fine... (1)

Spazztastic (814296) | more than 4 years ago | (#29518385)

Now, what would be really funny is if:

1. They switched to Windows Server 20xx
2. They get their page owned by some cracker

Poetic justice, if you will.

Like the Windows 95 nuke [slashdot.org] that has been reintroduced to SMB2? I almost thought about doing that as a prank to my coworker on his project box running 2k8.

Blow more smoke up our posteriors... (5, Insightful)

autocracy (192714) | more than 4 years ago | (#29518267)

I'll sum up their argument: We use security through obscurity, and that makes us better. You should pay us for that. Also, when we say "cloud-based," we really just mean "in our data centers." They're really abusing the definition of cloud computing, just because it's the current profit-generating buzzword.

Re:Blow more smoke up our posteriors... (0)

Anonymous Coward | more than 4 years ago | (#29518403)

I'll sum up their argument: We use security through obscurity, and that makes us better. You should pay us for that. Also, when we say "cloud-based," we really just mean "in our data centers." They're really abusing the definition of cloud computing, just because it's the current profit-generating buzzword.

DNS has always (or should have been, or else talk to your admin) been a perfect example of a service that should be run on the cloud. Multiple redundant locations outside your own network. We use DNS Max [dnsmax.com] for our "cloud" DNS provider, and have always been happy. I believe the dns-operators' arguments were more against the bashing of the open source DNS implementations, not that it is "in the cloud".

Re:Blow more smoke up our posteriors... (4, Interesting)

MightyMartian (840721) | more than 4 years ago | (#29518503)

Does the word "cloud" have any particular meaning? Of course you should have multiple geographically and network diverse DNS servers. I run my master DNS on my own server, but I pay like $10 a year for my secondaries, which slave to the master. Under no circumstances will I ever give up control of my DNS, or use some shitty web app to manage my DNS records, and that's why I insist that the master (even if invisible) sit squarely on my end.

But then again, this has been the general recommendation for a couple of decades now, so I have no idea what "cloud computing" has to do with it. Offsite mirrors of critical data, DNS or otherwise, are simply sound practice.

Re:Blow more smoke up our posteriors... (1)

value_added (719364) | more than 4 years ago | (#29519115)

I run my master DNS on my own server, but I pay like $10 a year for my secondaries, which slave to the master. Under no circumstances will I ever give up control of my DNS, or use some shitty web app to manage my DNS records, and that's why I insist that the master (even if invisible) sit squarely on my end.

I do the same, but I'm lucky in that ATT provides free secondaries.

Out of curiosity, though, whose service do you use that will allow you to be master? The few companies I looked at offered nothing other than a "shitty web app" approach, and required that I slave from them.

Re:Blow more smoke up our posteriors... (1)

Jah-Wren Ryel (80510) | more than 4 years ago | (#29519143)

Does the word "cloud" have any particular meaning?

Yes. The speaker wants customers to make it rain. [urbandictionary.com]

Re:Blow more smoke up our posteriors... (5, Funny)

Chris Mattern (191822) | more than 4 years ago | (#29519163)

Does the word "cloud" have any particular meaning?

"Cloud" means "in our data centers", so that you're paying us money. If you're still using your own servers, you're not in the "cloud", and you're not paying us money.

Obviously, it is absolutely imperative that you migrate all your services to the cloud.

Re:Blow more smoke up our posteriors... (1)

hardburn (141468) | more than 4 years ago | (#29519279)

Does the word "cloud" have any particular meaning?

Not really. It's one of those buzzwords that can mean whatever your press release wants it to mean.

If you're going to demand a definition, I'd say that it refers to distributive application hosting, as opposed to hosting apps on an individual desktop. Something like what Sun wanted Java Applets to do back in the '90s. DNS is more infrastructure than application, but in a sense, it's always been in the "cloud".

As for this company, they're guilty of both abusing buzzwords and excreting more security-through-obscurity nonsense.

Re:Blow more smoke up our posteriors... (1)

omnichad (1198475) | more than 4 years ago | (#29518443)

Yeah - you need to get that off your server in the data center, and into our "cloud."

Re:Blow more smoke up our posteriors... (0)

Anonymous Coward | more than 4 years ago | (#29518537)

when we say "cloud-based," we really just mean "in our data centers."

Pardon my ignorance, but I believe that is what everybody means when they say cloud-based.

Re:Blow more smoke up our posteriors... (1)

Timothy Brownawell (627747) | more than 4 years ago | (#29518773)

when we say "cloud-based," we really just mean "in our data centers."

Pardon my ignorance, but I believe that is what everybody means when they say cloud-based.

I thought "cloud" also required other things, like "this API lets you dynamically add/remove/reimage servers".

Re:Blow more smoke up our posteriors... (-1, Troll)

mellon (7048) | more than 4 years ago | (#29518681)

"Cloud based" *is* a marketing profit-generating buzzword. What you said is all it *ever* means. That said, the big deal about "cloud based" as opposed to "in your local data center" is that you have a wider geographic spread, so you have rapid DNS response from anywhere in the world (roughly speaking). In reality, our cloud is in many ways quite a bit better than some competing clouds, which are really just one or two data centers located in the U.S. I'm as allergic to marketing jargon as you are, but they are talking about something that actually adds value.

EVERYTHING is better in the cloud (0)

InsertWittyNameHere (1438813) | more than 4 years ago | (#29518727)

I just switched to a cloud-based bank! You don't even know what you're missing. They keep my money in a cloud and I can access my money from any of the millions of these little machines that are stuck to walls of various buildings around the world. You guys with your traditional banks are falling behind.

Re:EVERYTHING is better in the cloud (0)

Anonymous Coward | more than 4 years ago | (#29519203)

Luddite!

Don't you know the song "Every time it rains, it rains pennies from heaven" is decades old?

Re:Blow more smoke up our posteriors... (3, Insightful)

stevey (64018) | more than 4 years ago | (#29518757)

Also "freeware" and "open source" mean the same thing, and we'll try to make you associate them with "malware".

Re:Blow more smoke up our posteriors... (3, Informative)

fafaforza (248976) | more than 4 years ago | (#29519089)

But it's such a good business. I know of one colo client that has DNS for a domain with UltraDNS. We're talking about a single domain with maybe a dozen records. The bill? It was over $2K per month. And we aren't talking about a Fortune 500 company here. All those techie-sounding terms, trademarked labels, and slick marketing come-ons work well with IT "managers".

Come on... (0)

Anonymous Coward | more than 4 years ago | (#29519269)

When we are talking about open source DNS software, you can split hairs with all the fringe packages... but everyone knows we are REALLY talking about BIND.

Anyone care to step up to the plate to defend BIND's security credentials? Anyone? Is this thing on?

Good Grief (5, Insightful)

MightyMartian (840721) | more than 4 years ago | (#29518321)

I don't know about you, but any company that feels the only way they can sell their product is to basically slander their competitors isn't likely to get my attention. As it is, and as much of a pain in the ass as Bind can be, I have yet to encounter anything quite as powerful as Bind9. It's certainly not without flaws, but after having had to deal with the inadequacies of Microsoft's DNS, anyone who comes up to me and says "Oh yeah, those open source DNS servers are the lesser products" is either a liar or a moron.

Re:Good Grief (4, Insightful)

Monkeedude1212 (1560403) | more than 4 years ago | (#29518415)

I don't know about you, but any company that feels the only way they can sell their product is to basically slander their competitors isn't likely to get my attention.

And from the blog that's linked:

Way, way back when, Nominum employees successfully performed a denial of service attack on PowerDNS. I thought they had grown over this kind of behavior, but it appears they didn't.

I hope no one goes to Nominum, they play dirty. I don't think the internet needs to be more dirty, what with all the scammers out there, both hackers and ISPs alike.

Re:Good Grief (2, Interesting)

flyingfsck (986395) | more than 4 years ago | (#29519067)

In Win2003, the Microsoft DNS is a slightly modified version of BIND8 with a BSD licence. It is hidden in there somewhere under the wizards.

Even if what they say is true... (4, Interesting)

Aim Here (765712) | more than 4 years ago | (#29518347)

... how can you trust these guys to write your DNS software? They're the very guys who were contracted to write Bind9, the foremost open source domain name server, which they're now complaining about.

And, from TFA:

You really do need to look under the hood and kick the tyres. Maybe it's a Ferrari on the outside, but it could be an Austin Maxi on the inside.

Reconcile THAT little gem with support for closed source software.

Re:Even if what they say is true... (4, Insightful)

Spazztastic (814296) | more than 4 years ago | (#29518421)

... how can you trust these guys to write your DNS software? They're the very guys who were contracted to write Bind9, the foremost open source domain name server, which they're now complaining about.

The other question is if they are now using elements of the Bind9 source in their closed source system and are not properly disclosing it.

Re:Even if what they say is true... (2, Interesting)

sexconker (1179573) | more than 4 years ago | (#29518683)

No, the other question is whether or not they are using the same exact code that they claim is shit, while maintaining that their product is somehow more secure.

I bet they are.

Licensing issues are low on the scale of "what matters here".

Re:Even if what they say is true... (1)

gad_zuki! (70830) | more than 4 years ago | (#29518943)

BIND isn't GPL'd. It's BSD or similar. So you could do what these guys are doing:

Compile BIND, perhaps add a little something, give it a cool name, and slag it in public.

Profit? Probably not.

Re:Even if what they say is true... (1)

hardburn (141468) | more than 4 years ago | (#29519335)

BSD still has certain attribution requirements. It's not public domain.

Re:Even if what they say is true... (4, Informative)

jggimi (1279324) | more than 4 years ago | (#29518741)

Bind is ISC licensed, which is similar to a BSD license. Disclosure is not required. See this example template [wikipedia.org] .

Re:Even if what they say is true... (2, Insightful)

ajs (35943) | more than 4 years ago | (#29519293)

... how can you trust these guys to write your DNS software? They're the very guys who were contracted to write Bind9, the foremost open source domain name server, which they're now complaining about.

The other question is if they are now using elements of the Bind9 source in their closed source system and are not properly disclosing it.

There's no disclosure requirement. Welcome to the joys of BSD licensing.

(personally, I respect people who want to give away all control of their work, but you can't then complain that someone lied about where they got it)

Re:Even if what they say is true... (2, Funny)

Monkeedude1212 (1560403) | more than 4 years ago | (#29518571)

When someone on /. reads TFA and links a car analogy - does that cancel each other out?

Re:Even if what they say is true... (1)

Stumbles (602007) | more than 4 years ago | (#29519353)

Which leads me to wonder if they wrote crappy code so they can, or could later on, like now, claim their hidden uber closed (therefore more secure) code is better. Just be on the watch for that Wookie behind the curtain.

So, then, to sum up... (3, Funny)

Chris Mattern (191822) | more than 4 years ago | (#29518353)

...proprietary software company says you should buy their product instead of using something else.

I'm shocked, I tell you. Just shocked.

Freeware will not eat your children (5, Insightful)

spun (1352) | more than 4 years ago | (#29518407)

"But it is opening up these customers to problems." Nice, textbook FUD/propaganda. Put the thought out there. Deflect attention from your own failings. Lump all 'freeware' DNS into the same basket. Call it 'freeware' instead of Open Source to link it to badly written DOS/Windows programs. Wow, this company is sleazy. It would be such poetic justice for some grey hat hackers to take these goons down.

Open source DNS is tried and true, everyone uses it. No one was ever fired for installing BIND. This new flash in the pan company has been hacked before, how long until they are hacked again? Why trust your DNS to some untested startup using inappropriate buzzwords like 'cloud computing?' Why pay for what you can get for free? Why outsource your DNS to someone who may or may not be here tomorrow? Heh. We can play at the FUD game, too.

Re:Freeware will not eat your children (1)

TheRaven64 (641858) | more than 4 years ago | (#29518775)

No one was ever fired for installing BIND

Maybe some should have been, given BIND's abysmal security record. At least recent versions run chrooted, so you only lose control of DNS (and, therefore, potentially get your customers redirected to a malware site and your mail redirected to a scammer), and don't get the whole machine rooted, but it's not a huge benefit. BIND 9 has a much better security record than the previous versions (most security holes have 'just' been DoS vulnerabilities), but BIND 8 was a joke.

Re:Freeware will not eat your children (2, Insightful)

spun (1352) | more than 4 years ago | (#29518913)

First, chroot is not a security measure. It was not designed as such, and it will not protect you from knowledgeable intruders.

Sure, BIND has had problems, but as you mentioned, the newest version is pretty tight. What's the take-away from this? Keep your servers patched. Duh.

Re:Freeware will not eat your children (2, Interesting)

Chandon Seldon (43083) | more than 4 years ago | (#29519385)

Remember: Payware isn't exactly the same as malware, but if they're asking for your credit card it's probably a scam.

Monoculture?? (1)

omnichad (1198475) | more than 4 years ago | (#29518413)

How can a monoculture be better than free software? At least different versions or different configurations provide a less universal attack vector. Though hosted services get all the security updates together, they don't seem to mention the problem of everyone using the same service.

Re:Monoculture?? (1)

mellon (7048) | more than 4 years ago | (#29518821)

Monoculture and "free" are orthogonal. If the only thing being run for DNS were Bind 9, that would be a monoculture, even though BIND 9 is open source. I'm guessing you probably didn't mean "monoculture." Certainly given the vigorous competition in the DNS market, the notion that there is a monoculture there doesn't hold up.

Re:Monoculture?? (1)

omnichad (1198475) | more than 4 years ago | (#29518949)

I'm talking about their claim that a huge NUMBER of open implementations are bad, while saying that users of all should go right over to them. That would consolidate a bunch of users under one piece of software, whose only additional security is the obscurity of not having their source code open for perusal.

I'm not claiming that there IS a monoculture, I'm claiming that they recommend it as better to the evil "free" alternative.

Re:Monoculture?? (1)

hardburn (141468) | more than 4 years ago | (#29519387)

That's just marketing doing what it's supposed to be doing, really. Every company wishes they were the one and only company in their field. It's up to their competitors to make sure that doesn't happen.

The problem here is that they degenerated into slander and faulty logic.

Breaking news (2, Informative)

noundi (1044080) | more than 4 years ago | (#29518429)

A company has just promoted their own policies and products while at the same time demoting those of their competitors. People are in a state of shock, children are crying, students are demonstrating and the president is making an announcement later this evening. The UN has named this day the annual PR stunt day.

And I was always under the impression... (0)

Anonymous Coward | more than 4 years ago | (#29518445)

... that 'Nominum' actually used some version of ISC BIND in its products and services? Oh, well, guess I thought wrong...

Re:And I was always under the impression... (2, Insightful)

mellon (7048) | more than 4 years ago | (#29518929)

We used to do commercial support for ISC products, but that didn't work out very well. The company's been reinvented a couple of times since then, and at this point all of our products are homegrown. But many of the original BIND 9 developers work at Nominum, and the author of the ISC DHCP server (me) works there too. That was then, this is now.

Sturgeon General's warning: (2, Funny)

DiscountBorg(TM) (1262102) | more than 4 years ago | (#29518451)

90% of everything (you read) is horsepucky.

Re:Sturgeon General's warning: (1)

rohan972 (880586) | more than 4 years ago | (#29519403)

90% of everything (you read) is horsepucky.

Bold characters in that post worth reading, the rest is horsepucky. DiscountBorg(TM) told me.

not impressed (3, Informative)

screeble (664005) | more than 4 years ago | (#29518467)

I have some familiarity with SRD/IPRD and I have to say that I'm not very impressed with Nominum.

Single-user root admin in our deployment and a hideous Java/Windows front end for end-users... One which is so crappy we don't deploy.

Their training is USA-style puppy mill PowerPoint demos running on virtual machines.

Couple that with the fact that they were subject to the same DNS exploits as some of the "vendors" they are trashing in the article and I just think...

Man, what a bunch of ass hats spinning market droid fluff. Somehow, I'm not surprised.

(The views expressed in this post are mine alone and do not necessarily reflect the views of my employer.)

BIND is past its sell-by date. (1, Troll)

Animats (122034) | more than 4 years ago | (#29518491)

BIND, like Sendmail, is one of those legacy pieces of Berkeley software from the 1980s that should have been retired a long time ago.

A basic problem with both of those packages is that they're database applications without a database. Back in the 1980s, there were no good database programs available for UNIX, and some apps had to roll their own. We're way past that.

There are open-source database-based alternatives. Qmail is a database-based replacement for Sendmail, and it's generally considered to be much more stable and secure. (At this late date, nobody should be running Sendmail.) There's MyDNS [mydns-ng.com] , which is a MySQL-based DNS program, but that's never really caught on. The big commercial DNS systems are all database-based.

Re:BIND is past its sell-by date. (3, Insightful)

MightyMartian (840721) | more than 4 years ago | (#29518701)

Have you ever even used Bind9? Yes, it's got a few hangovers from the olden days, but it is a damned powerful piece of software. Bind9 views are pretty much the most powerful networking server software component I've ever used. When I was the network admin for a small ISP, we had three separate WiFi networks that, because of the idiosyncrasies of the proprietary technology, each needed customized zones, as well as a Server 2000 AD network, and I was able to run all of them on a single set of Bind9 servers, as well as our public DNS servers for the domains we hosted. It took a bit of work to get it there (though not that much; like anything, it's more just getting used to the nomenclature).

As I recall, you can even plug an RDBMS like MySQL into it if that's how you want to manage your zones, though to be honest, I never much saw the point.

Re:BIND is past its sell-by date. (2, Informative)

Sir Homer (549339) | more than 4 years ago | (#29518755)

You must be talking of an older version of Bind. Bind9 can use a wide variety of database backends. It's also a complete rewrite.

Re:BIND is past its sell-by date. (1)

whois (27479) | more than 4 years ago | (#29518767)

For provisioning, yes a database would probably be better than text files, but I'd still want a DNS server to do what bind does now with the information.

Read it into memory and serve it out from there.

To that, I'd say what it needs is more logical separation. One process reading the data in (via flat files or database or whatever) and another process that accepts data on port whatever via a secure manner, serves it out on port 53 in whatever manner is standard.

Most of the pieces are already there (with rndc and nsupdate); they would just need to refactor everything from the ground up. This may be the route they're actually going with BIND, just slowly so it doesn't break anything.

Of course they'd probably rewrite it in Java so it'd be ultra-portable and crappy.

Re:BIND is past its sell-by date. (1)

Ant P. (974313) | more than 4 years ago | (#29519019)

The biggest problem with BIND is the problem between the keyboard and chair, if your false statements there about its database support are any indication.

Contradictions (5, Insightful)

Bert64 (520050) | more than 4 years ago | (#29518493)

You really do need to look under the hood and kick the tyres. Maybe it's a Ferrari on the outside, but it could be an Austin Maxi on the inside.

He contradicts himself, he tells you to kick the tyres and look under the hood, and then touts his product which he explicitly states won't let you look under the hood...

Freeware? (2, Interesting)

gad_zuki! (70830) | more than 4 years ago | (#29518543)

I think it's interesting that they are using the term freeware instead of open source or FOSS. In a lot of people's minds freeware is shit like Bonzi Buddy or Comet Cursor or whatever spyware-laden free software these execs always manage to get on their computers. They equate FOSS with badly written spyware and they keep using the term freeware in their quotes. Interesting. They must have Frank Luntz working for them.

I'm sure a lot of execs find this message believable and are drafting up a 'no freeware' policy, only to be diplomatically corrected by the IT dept later on.

Ironically, I have a hard time trusting non-FOSS freeware. I always wonder if I'm getting a virus or a trojan, and wondering why I haven't been able to find an OSS alternative to closed source Windows freeware/nagware programs. Paid-for proprietary I'm less worried about, but I'm not paying for what I consider basic functionality like DNS.

Summary can't be right. (3, Funny)

Anonymusing (1450747) | more than 4 years ago | (#29518557)

The summary says " Nominum was one of the companies affected by the DNS cache poisoning problem of last year".

But in the interview, I just read this:

Q: People's reaction to that may be: 'He would say that, wouldn't he, because he's just trying to sell his product'. How would you answer them?

A: I would respond to them by saying, just look at the facts over the past six months, at the number of vulnerabilities announced and the number of patches that had to be made to Bind and freeware products. And Nominum has not had a single known vulnerability in its software.

See? The summary can't be right.

Re:Summary can't be right. (1)

Anonymusing (1450747) | more than 4 years ago | (#29518829)

Oh, silly me. He said SIX MONTHS and the summary said LAST YEAR.

Re:Summary can't be right. (0)

Anonymous Coward | more than 4 years ago | (#29518889)

You trolling or just bad at math?

DNS cache poisoning problem of last year

over the past six months

(Hint -- the current month number is 9, so you have to look further back than six months to get to "last year").

Re:Summary can't be right. (1)

Anonymusing (1450747) | more than 4 years ago | (#29519321)

See my admission of idiocy, above.

Nonetheless, he's choosing an arbitrary time period to illustrate a point, when obviously his product has suffered from other problems in longer time periods (ones that many open source DNSs were not susceptible to).

Re:Summary can't be right. (1)

bcmm (768152) | more than 4 years ago | (#29519175)

Gah, I thought people stopped spreading crap about patching five years ago.

"They're PATCHING the open-source competitor. That means it was BROKEN! We never patch OUR software, therefore you know it isn't broken!"

Argument vs open source being more vulnerable (1)

Decollete (1637235) | more than 4 years ago | (#29518579)

is really getting old. If the code is really useful and has a huge following, vulnerabilities get patched up faster than one can probably find exploits. Not only that, more eyes means more to detect and fix vulnerabilities before having a stable release.

powerdns was vulnerable, but differently (2, Insightful)

leto (8058) | more than 4 years ago | (#29518643)

Powerdns was vulnerable to the Kaminsky attack, but in a different way. It was actually easier to spoof the server due to its more actively dropping certain DNS packets. So while it did perform source port randomization, it was not totally immune to the attack either.

http://doc.powerdns.com/security-policy.html itself states:

All versions of PowerDNS before 2.9.21.1 do not respond to certain queries. This in itself is not a problem, but since the discovery by Dan Kaminsky of a new spoofing technique, this silence for queries PowerDNS considers invalid, within a valid domain, allows attackers more chances to feed *other* resolvers bad data.

Though it is phrased as "someone else's problem", in the DNS world of course nothing is "someone else's problem". DNS servers are chained in hierarchies and one problem somewhere leads to problems elsewhere. DNS is all about protocol compliance to ensure interoperability. With the "someone else's problem" approach, we would have had no "reflection attack" and "amplification attack" problems either, it being "someone else's problem". Despite the nice phrasing, powerdns caused cache poisoning problems as a result of the Kaminsky attack that needed to be addressed.

In general, I have a problem with bug reports and changelogs writing things as "improved error handling", "made more robust" or "add security to" which are too often used to hide the real security impact of certain bugs. DJB's policy of "it is not my bug to fix, because it is an operating system bug" is also completely bogus from a system administrator point of view who still ends up with a security problem.

1970 Called (3, Funny)

Prototerm (762512) | more than 4 years ago | (#29518661)

1970 called: they want their "Security Thru Obscurity" argument back.

when someone confuses "freeware" and open source (1)

MickyTheIdiot (1032226) | more than 4 years ago | (#29518705)

I don't know about you, but there are certain indications you can pick up on when people are talking about something that gives them away as being total idiots. One of these is conflating the terms "freeware" and "open source." When this is done you can feel free to turn your brain off for the rest of the statement because the person obviously doesn't know what they are talking about. Try listening to someone in the MSM talk about open source and you'll pick up on similar idiotic statements.

Re:when someone confuses "freeware" and open sourc (1)

base3 (539820) | more than 4 years ago | (#29519289)

They aren't confused. They're intentionally using freeware as a pejorative.

It's like meat (5, Funny)

CopaceticOpus (965603) | more than 4 years ago | (#29518707)

I have the same problem with using local butchers. They buy their meat on the open market, and it is possible to track that meat down to the farm where the cow came from. Those cows are kept outdoors, where anyone can see them. Lord knows what toxins people might be injecting into those cows.

That's why I only eat meat from MeatCorp. All of MeatCorp's meat is made behind closed doors, in a giant, guarded metal building. Nobody knows what happens inside, and that makes me feel safe when I eat MeatCorp brand Meat Circles.

Hey Nominum! (1)

kheldan (1460303) | more than 4 years ago | (#29518761)

Biased much?
I'm sure that we can take seriously the word of a company pushing their own closed-source, commercial DNS server solution, when they say that software you don't have to pay anything for is bad.

rootnameservers (1)

Lennie (16154) | more than 4 years ago | (#29518795)

A lot of root- and top-level nameservers run on open source software too. NSD, Bind if I'm not mistaken. Ohh, scary! Not really, works really well actually. 'Even worse', I think the database system that runs .org is PostgreSQL.

Well, well... (0, Redundant)

Jaysyn (203771) | more than 4 years ago | (#29518807)

Another lying, self-serving corporation.  Is anyone else surprised?

Re:Well, well... (1)

fearlezz (594718) | more than 4 years ago | (#29518955)

Lying... but it works very well. They even got slashdot to mention their name. And remember: even bad publicity is good publicity.

I have a feeling (1)

C_Kode (102755) | more than 4 years ago | (#29518823)

I have a feeling there is going to be a lot of attacks on their DNS infrastructure in the near future.

That said, they will probably get to prove (if possible) that they are a more secure system. ...or not.

Translation (2, Interesting)

gmuslera (3436) | more than 4 years ago | (#29518851)

Buy our service or the ManBearPig will catch you. We are more secure because you don't know how insecure we are, but there was a specific case where the DNS used by the vast majority of the internet had a (fixed) vulnerability under special circumstances at a certain moment.

DoS on PowerDNS? (1)

klapaucjusz (1167407) | more than 4 years ago | (#29518901)

Way, way back when, Nominum employees successfully performed a denial of service attack on PowerDNS.

Does anyone know what this refers to?

Re:DoS on PowerDNS? (0)

Anonymous Coward | more than 4 years ago | (#29519413)

Way, way back when, Nominum employees successfully performed a denial of service attack on PowerDNS.

Does anyone know what this refers to?

From what I recall, it was discovered (dunno by whom) that certain crafted packets could crash powerdns. Several powerdns production sites have seen such packets arrive from Nominum IP addresses. There was some fuss and 2x4's have been applied to the people responsible. It then stopped. Of course, the bug was long since fixed. Probably around 2000 or 2001. Could not find any links. Sorry.

I may post more details non-anonymously when I find them ;-)

NLnet Labs software (0, Troll)

funkboy (71672) | more than 4 years ago | (#29518911)

Let's just compare the performance, reliability, scalability, and security between Nominum's products and NSD [nlnetlabs.nl] and Unbound [unbound.net]. For the moment, have a look specifically at Wouter's presentation from RIPE [unbound.net] a year and a half ago for a beta version of Unbound, which shows it handling double the number of queries per second of PowerDNS and Bind9 (start at page 11). We're now at version 1.3.3, and I've got an entry-level 1U Xeon server that will handle about 10kqps before slowing down with an Unbound config that took me all of an hour to learn, configure, and tune for optimum performance.

BTW, credit where credit is due, I've got to say thanks to Nominum for open-sourcing their DNS performance testing tools [nominum.com], which was what I used to test my Unbound setup. I think this marketing campaign is a result of the right hand not knowing what the left hand is doing, as PowerDNS et al. were not created in a vacuum and certainly rely on open-source libraries for various things.

I'll let you finish (4, Funny)

RiotingPacifist (1228016) | more than 4 years ago | (#29519005)

Yo Nominum, im really happy for you, and imma let you finish, but microsoft [microsoft.com] is one of the best trolls of all time!

Is this the same Nominum? (4, Funny)

Minwee (522556) | more than 4 years ago | (#29519027)

Isn't Nominum that company that was formed about ten years ago for the purpose of developing the open source BIND and DHCP for ISC?

Yeah, these guys [nominum.org].

And now they're turning around and saying "Don't use that open source BIND because it's crap. We should know, we wrote it!"

My evaluation (1)

mseeger (40923) | more than 4 years ago | (#29519259)

Hi,

having evaluated and supported a lot of DNS software in the last years, I have to concede some truth to that statement (for other reasons than mentioned), especially concerning the still heavily used BIND. E.g. BIND 9 is software I would not encourage using in certain environments (>100K zones for authoritative, more than 5K queries per second for caching nameservers). The code of BIND isn't something I want to debug (been there, done that). The weirdest thing (last checked with BIND 9.6.0): with about 100K zones, config and zone files on a RAM disk, it still needed about 40 minutes for startup. Importing the same configuration into another nameserver took only about 90 seconds.

With the Nominum products, I appreciated the performance (10-20 times better than BIND, about 7 times better than PowerDNS [better meaning: number of requests serviced per CPU minute]), the complete re-configurability at runtime and the PERL/Java/C API. Implementing solid provisioning was always easy.

Each software has its advantages and disadvantages. If only technical aspects matter, I would currently prefer the Nominum products to all OSS products I have tested. Other criteria may lead to a different decision.

CU, Martin

P.S. My statement concerns the use of DNS in a provider environment. If you set up a DNS service for your enterprise, OSS will probably be your software of choice. I have only one strong recommendation even there: separate the caching nameserver from your authoritative nameserver. Even if you use BIND and only one machine: implement those services in separate instances and on separate IP addresses. It will give you a lot more choices if you want to replace the software later or if you need to scale up a service.

P.P.S. This is my personal opinion and may not be untainted by self-interest. I consider myself OSS-friendly, but it isn't a religious belief. While I'm really grateful for the existence of BIND (and was even more a decade ago), the decision to start BIND 10 came at least 2 years late.
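One way to follow the separation recommended in the P.S. above on a single BIND 9 machine, as an added illustration that is not part of the post or of any project's shipped configuration: two named instances, each with its own config, working directory, PID file and listen address. The addresses, paths and zone name are made-up placeholders.

```conf
// --- Authoritative instance (started with: named -c /etc/named-auth.conf) ---
// Answers only for the zones it owns. No recursion, so it never holds a cache
// that a spoofed reply could poison, and it cannot be abused as an open resolver.
options {
    directory "/var/named/auth";            // placeholder path
    pid-file  "/run/named-auth.pid";        // distinct PID file per instance
    listen-on { 192.0.2.10; };              // public authoritative address (documentation range)
    listen-on-v6 { none; };
    recursion no;                           // authoritative-only
    allow-query { any; };                   // the world may ask for our zones
    allow-transfer { 192.0.2.11; };         // zone transfers only to our secondary (placeholder)
    minimal-responses yes;                  // smaller replies, less amplification value
};

zone "example.com" {                        // placeholder zone
    type master;
    file "example.com.zone";
};

// --- Caching/recursive instance (started with: named -c /etc/named-cache.conf) ---
// Serves only our own clients. Keeping it off the authoritative address means the
// resolver can later be swapped (e.g. for Unbound) without touching public DNS.
options {
    directory "/var/named/cache";           // placeholder path
    pid-file  "/run/named-cache.pid";
    listen-on { 192.0.2.53; };              // internal resolver address (documentation range)
    listen-on-v6 { none; };
    recursion yes;
    allow-query       { 192.0.2.0/24; };    // our client network only (placeholder)
    allow-recursion   { 192.0.2.0/24; };    // an open resolver invites reflection/amplification abuse
    allow-query-cache { 192.0.2.0/24; };
    allow-transfer { none; };               // a resolver has no zones to hand out
    // Leave source-port randomisation enabled: do NOT pin the outgoing port with
    // "query-source address * port 53;" since that undoes the Kaminsky mitigation.
    use-v4-udp-ports { range 1024 65535; };
};
```

Run both with `named-checkconf` on each file before starting them, and confirm from a client on the internal network that 192.0.2.53 recurses while 192.0.2.10 returns REFUSED for names it is not authoritative for.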

Bind9 has not been compromised recently ... (3, Insightful)

Alain Williams (2972) | more than 4 years ago | (#29519299)

because few people use it so it just isn't a worthwhile target [v3.co.uk]. Oh, ... wait [serverwatch.com] ....

We have heard that tired, old argument before; a few idiot CIOs will swallow it, happy to pay top dollar for something that the free s/ware does better. Let them, as long as Nominum sticks to the RFCs and doesn't fork the spec - we don't care.
