Merit Network

Discussion Communities: Merit Network Email List Archives

Network Security

DNS Cloud Security Services Arrive

  • From: Howell, Paul
  • Date: Tue Sep 15 10:32:51 2009

At
http://www.darkreading.com/story/showArticle.jhtml?articleID=220000275
DNS Cloud Security Services Arrive

OpenDNS offers new subscription-based secure DNS service; other vendors'
DNS services to follow
By Kelly Jackson Higgins,  DarkReading 
Sept. 14, 2009 


One of the first cloud-based secure DNS services was launched today amid
intensified concerns about locking down vulnerable Domain Name Service
servers.

OpenDNS, which provides a free DNS service for consumers and schools, is
offering a subscription-based commercial service for enterprises. Other
vendors, such as Nominum, are considering offering secure DNS cloud
services, as well.

DNS security has received more attention than ever in the wake of the
discovery of a major DNS hole that was revealed by researcher Dan
Kaminsky, and was later patched by several vendors. The so-called
cache-poisoning flaw could allow an attacker to guess the transaction ID
of a Web query and let the attacker hijack queries. Meanwhile, the
Internet community has stepped up efforts to adopt the DNSSEC standard
for protecting the DNS translation process from being compromised.

"One of the more troubling experiences from the DNS patching effort was
realizing how many organizations didn't even know what DNS servers they
were using internally. Recursive name servers tend to just 'run
themselves,' only getting noticed when they either have to be patched,
or when load exceeds some magic query per second level, at which point
random things start breaking everywhere," says Kaminsky, who is director
of penetration testing for IOActive. "Running DNS out of the cloud isn't
a bad way around this -- the data is effectively public anyway, patching
is guaranteed, and you know there's capacity to burn."

OpenDNS founder and CTO David Ulevitch says his company's new enterprise
DNS services are currently in trial, and will be generally available in
the fourth quarter. "We expect others to copy us" with similar services,
he says, adding that they will compete somewhat with Web filtering
products, he says, is that the OpenDNS services don't require
implementation and hardware costs. "We don't do all the things [Websense
and BlueCoat] do, but some are using us now and not renewing" with them,
he says. "We do about 80 percent of what they do, but we are still
focused on a DNS security solution."

Jon Shalowitz, vice president and general manager of Nominum, which
sells DNS products, says a secure cloud-based DNS service helps
organizations keep up with the security of their DNS. "This provides the
advantage of real-time knowledge. If you were managing it yourself
internally, you would have to do the heavy-lifting and wait for a patch
or new signature," Shalowitz says.

"Enterprises do need to know what's under the hood," he adds. "What is
the actual DNS solution being used by the provider? You need to make
sure the [cloud] solution you are signing up for is something tried and
true in networks around the world."

OpenDNS's new offerings include OpenDNS Deluxe for consumers and SMBs,
and OpenDNS Enterprise for large enterprises. Pricing for the Deluxe
service will be less than $20 per user per year; pricing for the
Enterprise service depends on the size and scope of the installation,
but will "cost a fraction of what competing products charge," according
to OpenDNS.

The services don't include DNSSEC, and Ulevitch argues that there's more
to securing DNS than DNSSEC: "We've done more to secure the DNS than the
DNSSEC guys have done in the last 15 years. But DNSSEC is getting more
traction," he says. "We believe [DNSSEC] is tragically flawed. Even if
it's widely deployed, it will never be successful."

DNSSEC, for example, can't block malware from "phoning home" like
OpenDNS's services can, he says.

