DNS 'blacklist' unveiled

Nominum offers real-time, policy-based system that steers users away from botnets, phishing sites

Nominum plans to announce on Tuesday a novel DNS security capability that functions like a spam blacklist, providing automated, real-time checking of DNS queries against a list of Web sites that are known to be malicious.

Nominum's Trusted Response and Universal Enforcement (TRUE) architecture is already in use by several ISPs supporting a combined 100 million broadband households. Nominum wouldn't identify these ISPs, but its Web site says its carrier customers include Verizon, Sprint, NTT Communications and many other major industry players.  

Now Nominum is making its third-generation DNS software that features the TRUE architecture available to corporations and other enterprise customers.

"We see a clear trend in the service provider market, a distinct shift towards intelligent DNS solutions. Thus far, the majority of our customer base has already made this move," says Bruce Van Nice, marketing director for Nominum. "There's no reason why enterprises aren't ultimately going to do the same thing. We're quite convinced that this is the wave of the future."

Nominum's latest offering is not DNSSEC, the DNS Security Extensions that prevent a specific type of attack known as cache poisoning, where a user is unknowingly redirected to a fake Web site. DNSSEC adds a layer of encryption to the DNS so that Web sites can verify that their IP addresses and domain names match. DNSSEC has been much hyped in the past year since the Kaminsky DNS bug was discovered.  

While promising, DNSSEC won't offer complete protection against cache poisoning attacks until it is deployed across the entire DNS hierarchy, from the DNS root servers to domains such as .com and .net to individual domain names. The U.S. federal government has announced plans to have DNSSEC deployed across the root servers and its .gov domain by year-end, and VeriSign says it will deploy DNSSEC across .com and .net by 2011.  

Nominum says its TRUE architecture is an interim step towards enhancing DNS security that can be adopted immediately. Nominum says its blacklist approach is complementary to DNSSEC because it addresses all types of known DNS threats, not just cache poisoning attacks.

"Our intelligent DNS reduces the time window that attackers have enjoyed in the past to run their exploits," Van Nice says. "The idea is to get ahead of the attackers. The moment a threat is identified, it can be propagated across a very large network automatically with no operator intervention required."

Nominum's TRUE architecture helps organizations steer their users away from Web sites that control botnets, engage in phishing or provide other types of illegal content. If a user tries to access one of these sites, Nominum's software automatically brings up a warning Web page.

Nominum says its dynamic, intelligent, policy-based DNS system overcomes many shortcomings of legacy DNS systems such as the popular BIND 9.0 open source software or DNS appliances offered by its competitors. For example, a major flaw in BIND 9.0 was announced in July that required an immediate patch to prevent denial-of-service attacks.

"Legacy DNS is becoming obsolete," Van Nice says. "With legacy DNS, a subscriber clicks on a link and the browser sends off a DNS query and the DNS looks at the query and goes off and talks to the authoritative DNS servers and the answer is transmitted back to the users… The DNS doesn't know if the destination is malicious. With our system, you can take advantage of other databases and directories of malicious sites and use that knowledge to ultimately protect the end user."

Nominum's software provides automated and immediate response to new DNS threats as well as a real-time analysis and reporting tool that allows network managers to spot DNS usage trends that might indicate malicious code installed on user systems.
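The resolver behaviour described above (check each query name against a list of known-bad sites before answering, steer matching lookups to a warning page, and use the resulting hits to spot hosts that may be infected) can be illustrated with a small policy filter. The code below is an added example written for this article, not Nominum's software or any part of the TRUE architecture; the blocklist entries, the warning-page address, and the query log lines are all constructed, and the parent-domain matching rule and the "two blocked lookups flags a client" threshold are assumptions chosen for illustration.

```python
"""Toy policy-based DNS filter: an added illustration of the resolver
behaviour the article describes. Not Nominum's code; every name, address
and log line here is constructed for the example."""
from collections import defaultdict

# Constructed blocklist of names the policy treats as malicious.
# An entry covers the exact name and every subdomain beneath it.
BLOCKLIST = {"botnet-c2.example", "phish.example.net"}

# Constructed address of the warning ("walled garden") web page that a
# blocked lookup is steered to instead of the real destination.
WARNING_PAGE_IP = "192.0.2.10"


def normalise(name: str) -> str:
    """Lower-case and drop the trailing dot so 'Foo.Example.' == 'foo.example'."""
    return name.rstrip(".").lower()


def matched_entry(qname: str, blocklist=BLOCKLIST):
    """Return the blocklist entry covering qname (the name itself or one of
    its parent domains), or None. Matching is on whole labels, so
    'notbotnet-c2.example' does not match 'botnet-c2.example'."""
    labels = normalise(qname).split(".")
    # Walk from the full name up towards the TLD: a.b.c -> b.c -> c
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None


def resolve_with_policy(qname: str, upstream_answer: str, blocklist=BLOCKLIST):
    """Apply policy before handing an answer back to the client.
    Returns (answer_ip, action) where action is 'forward' or 'redirect'."""
    if matched_entry(qname, blocklist) is not None:
        return WARNING_PAGE_IP, "redirect"
    return upstream_answer, "forward"


# Constructed query log in the form "client_ip queried_name", one per line.
QUERY_LOG = """\
10.0.0.5 www.example.com
10.0.0.5 cdn.example.org
10.0.0.9 botnet-c2.example
10.0.0.9 update.botnet-c2.example
10.0.0.9 www.example.com
10.0.0.12 login.phish.example.net
"""


def blocked_hits_per_client(log_text: str, blocklist=BLOCKLIST) -> dict:
    """Count how many of each client's queries the policy would have blocked."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        client, qname = line.split()
        if matched_entry(qname, blocklist) is not None:
            counts[client] += 1
    return dict(counts)


def suspicious_clients(log_text: str, threshold: int = 2, blocklist=BLOCKLIST):
    """Clients whose blocked-query count reaches the (assumed) threshold.
    Repeated lookups of the same C2 names are the kind of usage trend a
    reporting tool would surface as a sign of malicious code on the host."""
    hits = blocked_hits_per_client(log_text, blocklist)
    return sorted(client for client, n in hits.items() if n >= threshold)


if __name__ == "__main__":
    for qname in ("www.example.com", "update.botnet-c2.example"):
        print(qname, "->", resolve_with_policy(qname, "203.0.113.7"))
    print("clients to investigate:", suspicious_clients(QUERY_LOG))
```

The label-wise suffix walk is the part worth copying: a plain substring test would either miss subdomains of a listed name or wrongly block unrelated names that merely contain a listed string, and the per-client tally shows why a resolver that already sees every lookup is a convenient place to notice a host that keeps asking for command-and-control names.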

Nominum says its TRUE architecture tracks 160 million sites that are known to be malicious. "That's a large number of bad sites," Van Nice says. "As more are discovered, they are immediately reflected in the network for enforcement."

Nominum offers its TRUE architecture as a traditional software package that runs on dedicated servers that enterprises must own and operate, but company officials hinted that they may introduce a hosted offering.

"Our solution is only available as special-purpose software," says Gopala Tumuluri, vice president of marketing and business development at Nominum. "Some of the very large enterprises with highly distributed networks want to do DNS on their own, but many mid- to small enterprises want it as a hosted service and to outsource it. Stay tuned on that front."
