DNS Server Choices Broaden

As technology advances, equipment options proliferate, but so do security risks. ISPs now must choose between a variety of options when implementing DNS, one of the Web's basic services.
Starting an ISP today is easier than five years ago: the gear is cheaper, most underserved markets are self-evident, and there is plenty of good advice. On the other hand, new ISPs face dangers unimaginable five years ago, and thus have to make different equipment choices. An illustrative example of how today's operational environment differs from that of the previous decade is the situation in the market for DNS servers.

Industry insiders estimate that 85 percent of ISPs use the free BIND (Berkeley Internet Name Domain) software running on generic server hardware. However, the latest hacker exploits may cause ISPs to rethink their buying habits. BIND has been rated the number one security risk on the Internet by The SANS Institute. Furthermore, in several high-profile incidents, a faulty DNS server took a major company off the Internet (Microsoft was the most noted of these cases).

Additionally, some companies in the field indicate that hackers now have tools that may leave ISPs financially liable if they don't forestall the DNS threat. "These days, ISPs could be caching the data that causes server death," said Paul Mockapetris, chairman and chief scientist of Nominum, Inc., one of the commercial vendors aiming to provide an alternative to BIND. That means, of course, that ISPs must "scrub" traffic of dangerous information that may have the same effect on a corporate server as a neutron bomb on a human habitat: the server will stay up and connected, but all valuable information will be erased. (See CERT for more details on the new threat, described under CA-2002-19.)

Seeing these problems as an opportunity for companies with secure and manageable DNS products, vendors are making stand-alone DNS software and appliances. There are three main approaches to solving the problem: offering the DNS server as a service, selling DNS software as a commercial product, and offering ISPs an easy-to-use DNS appliance.
While each approach has its advantages and disadvantages, and each is viable even for small ISPs, the appliance approach is probably the most affordable for a small ISP.

In the DNS appliance department, InfoBlox is one of the oldest vendors and has the most traction in the marketplace. "We have been at 30 percent growth during each of the last four quarters, which is a good problem to have," said Stuart Bailey, InfoBlox founder and CTO. That's a total annual growth rate of 198 percent. At $7,000 for its flagship product, InfoBlox is probably one of the most affordable DNS solutions on the market. DNS One is designed to be easy to use and maintain: all you need to do to set it up is plug it in and turn it on. As InfoBlox has found over time, security is increasingly becoming one of the main reasons ISPs buy DNS One (which serves as both a DNS and a DHCP server). While the appliance runs BIND, it is also proactively managed. In other words, InfoBlox patches the DNS code running in its appliances as quickly as patches become available, which saves operators time and money.

Like most other vendors, InfoBlox is trying to expand its product line. The company has released two new products this year, LDAP One and Radius ONE, both aimed at making the process of user authentication easier for ISPs. Executives like Bailey believe ISPs can benefit greatly from being able to add and delete users of different services with a couple of keystrokes, especially when developing advanced billing plans. Disabling access to troubled accounts is a bonus feature.

ISPs that don't feel like buying any DNS software or dedicated hardware can always subscribe to a DNS service. Executives at UltraDNS, the flagship provider in this arena, say outsourcing is the only way to go. "Hosting DNS on a stand-alone server is a greater security threat, partially because of vulnerabilities in BIND," said Michael Gugliemi, UltraDNS vice president of sales and business development.
(UltraDNS runs its own DNS server code.) UltraDNS argues that a single company can't afford to erect a data center with man traps and a dual fire-suppression system, hire a staff of security technicians, and set up a 24-by-7 monitoring operation just to make sure the DNS server stays up. UltraDNS offers this and more to a variety of small and regional ISPs. UltraDNS also offers a reseller program, in case ISPs want to spread the word to their customers about the beauties of outsourcing their DNS server maintenance. UltraDNS declined to reveal prices for the service, indicating that its quotes are based on the number of domains under management and the expected volume of DNS resolutions.

UltraDNS's former competitor, another DNS hosting company that has just switched gears to focus more on sales of commercial DNS software, is Nominum. The company got its start when its founders decided that BIND was showing its age and was not meeting the expectations of very large customers, who were looking for exceptional performance from their DNS servers. Starting at $15,000, Nominum products are probably overkill for many small ISPs. Indeed, Nominum targets Fortune 500 customers and large carriers. However, Nominum's DNS vision is helpful. It appears that besides a strong focus on security, Nominum succeeds in selling sheer processing power. "Our caching name server is six times faster than BIND," said Paul Mockapetris, Nominum chairman and chief scientist. "One ISP we work with put in their own fiber network to get better performance, and their bottleneck moved to DNS, somewhat to their surprise. That's when we came in." Nominum executives believe that while BIND still holds 85 percent of the market for DNS servers, its share will drop below 50 percent by 2005, driven out by software and hardware offering better security, increased network performance requirements, and new services like ENUM (a technology matching IP addresses with telephone numbers) and IPv6.
If this prediction holds up, ISPs making an extra investment today may find themselves in the vanguard of service providers offering the services of tomorrow, services that will require a reliable DNS server. But it all depends on whether such services become available in two, five, or twenty years.