9/14/2009 04:58 PM

DNS Cloud Security Services Arrive

OpenDNS offers new subscription-based secure DNS service; other vendors' DNS services to follow

One of the first cloud-based secure DNS services was launched today amid intensified concerns about locking down vulnerable Domain Name System (DNS) servers.

OpenDNS, which provides a free DNS service for consumers and schools, is offering a subscription-based commercial service for enterprises. Other vendors, such as Nominum, are considering offering secure DNS cloud services, as well.

DNS security has received more attention than ever in the wake of the discovery of a major DNS hole that was revealed by researcher Dan Kaminsky and was later patched by several vendors. The so-called cache-poisoning flaw could allow an attacker to guess the transaction ID of a DNS query and hijack the responses to it. Meanwhile, the Internet community has stepped up efforts to adopt the DNSSEC standard for protecting the DNS translation process from being compromised.
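The cache-poisoning flaw above hinges on how guessable a resolver's outbound query is: a 16-bit transaction ID alone is a small search space, and the vendor patches added source-port randomization to widen it. The following is an added example, not part of the original article or any OpenDNS or Nominum code: a small Python check that an operator can run over (transaction ID, source port) pairs pulled from a capture of a resolver's outbound queries to flag the two weaknesses the patches addressed. The sample pairs are constructed, not real captures.

```python
import random


def sequential_fraction(ids):
    """Fraction of consecutive query pairs whose 16-bit ID differs by exactly 1.
    A patched resolver draws IDs at random, so this should be near zero."""
    if len(ids) < 2:
        return 0.0
    steps = [(b - a) % 65536 for a, b in zip(ids, ids[1:])]
    return sum(1 for s in steps if s == 1) / len(steps)


def assess_resolver(samples):
    """samples: list of (transaction_id, source_port) for a resolver's outbound
    queries, e.g. extracted from a packet capture. Returns a list of findings;
    an empty list means neither weakness was observed."""
    txids = [t for t, _ in samples]
    ports = [p for _, p in samples]
    findings = []
    if sequential_fraction(txids) > 0.5:
        findings.append("transaction IDs increment predictably")
    # Pre-patch resolvers reused one fixed source port for every query, which
    # left only the transaction ID for an attacker to guess.
    if len(set(ports)) <= 2:
        findings.append("source port is fixed (no port randomization)")
    return findings


# Constructed samples (hypothetical, not from any real resolver):
# an unpatched resolver counting IDs upward from a fixed port ...
PREDICTABLE = [(0x1000 + i, 53) for i in range(64)]
# ... and a patched one drawing random IDs and random ephemeral ports.
_rng = random.Random(1)
RANDOMIZED = [(_rng.randrange(65536), _rng.randrange(1024, 65536)) for _ in range(64)]

if __name__ == "__main__":
    for name, s in (("predictable", PREDICTABLE), ("randomized", RANDOMIZED)):
        print(name, assess_resolver(s) or ["ok"])
```

In practice the pairs would come from a capture taken on the resolver's upstream interface; a resolver that trips either finding is still exposed to the attack the patches were meant to close.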

"One of the more troubling experiences from the DNS patching effort was realizing how many organizations didn't even know what DNS servers they were using internally. Recursive name servers tend to just 'run themselves,' only getting noticed when they either have to be patched, or when load exceeds some magic query per second level, at which point random things start breaking everywhere," says Kaminsky, who is director of penetration testing for IOActive. "Running DNS out of the cloud isn't a bad way around this -- the data is effectively public anyway, patching is guaranteed, and you know there's capacity to burn."

OpenDNS founder and CTO David Ulevitch says his company's new enterprise DNS services are currently in trial and will be generally available in the fourth quarter. "We expect others to copy us" with similar services, he says, adding that they will compete somewhat with Web filtering products. The advantage over those products, he says, is that the OpenDNS services don't require implementation and hardware costs. "We don't do all the things [Websense and BlueCoat] do, but some are using us now and not renewing" with them, he says. "We do about 80 percent of what they do, but we are still focused on a DNS security solution."

Jon Shalowitz, vice president and general manager of Nominum, which sells DNS products, says a secure cloud-based DNS service helps organizations keep up with the security of their DNS. "This provides the advantage of real-time knowledge. If you were managing it yourself internally, you would have to do the heavy-lifting and wait for a patch or new signature," Shalowitz says.

"Enterprises do need to know what's under the hood," he adds. "What is the actual DNS solution being used by the provider? You need to make sure the [cloud] solution you are signing up for is something tried and true in networks around the world."

OpenDNS's new offerings include OpenDNS Deluxe for consumers and SMBs, and OpenDNS Enterprise for large enterprises. Pricing for the Deluxe service will be less than $20 per user per year; pricing for the Enterprise service depends on the size and scope of the installation, but will "cost a fraction of what competing products charge," according to OpenDNS.

The services don't include DNSSEC, and Ulevitch argues that there's more to securing DNS than DNSSEC: "We've done more to secure the DNS than the DNSSEC guys have done in the last 15 years. But DNSSEC is getting more traction," he says. "We believe [DNSSEC] is tragically flawed. Even if it's widely deployed, it will never be successful."

DNSSEC, for example, can't block malware from "phoning home" like OpenDNS's services can, he says.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
