Nominum plans to announce on Tuesday a novel DNS security capability that functions like a spam blacklist, providing automated, real-time checking of DNS queries against a list of Web sites that are known to be malicious.
Nominum's Trusted Response and Universal Enforcement (TRUE) architecture is already in use by several ISPs supporting a combined 100 million broadband households. Nominum wouldn't identify these ISPs, but its Web site says its carrier customers include Verizon, Sprint, NTT Communications and many other major industry players.
Now Nominum is making its third-generation DNS software that features the TRUE architecture available to corporations and other enterprise customers.
"We see a clear trend in the service provider market, a distinct shift towards intelligent DNS solutions. Thus far, the majority of our customer base has already made this move," says Bruce Van Nice, marketing director for Nominum. "There's no reason why enterprises aren't ultimately going to do the same thing. We're quite convinced that this is the wave of the future."
Nominum's latest offering is not DNSSEC, the DNS Security Extensions that prevent a specific type of attack known as cache poisoning, where a user is unknowingly redirected to a fake Web site. DNSSEC adds a layer of encryption to the DNS so that Web sites can verify that their IP addresses and domain names match. DNSSEC has been much hyped in the past year since the Kaminsky DNS bug was discovered.
While promising, DNSSEC won't offer complete protection against cache poisoning attacks until it is deployed across the entire DNS hierarchy, from the DNS root servers to domains such as .com and .net to individual domain names. The U.S. federal government has announced plans to have DNSSEC deployed across the root servers and its .gov domain by year-end, and VeriSign says it will deploy DNSSEC across .com and .net by 2011.
Nominum says its TRUE architecture is an interim step towards enhancing DNS security that can be adopted immediately. Nominum says its blacklist approach is complementary to DNSSEC because it addresses all types of known DNS threats, not just cache poisoning attacks.
"Our intelligent DNS reduces the time window that attackers have enjoyed in the past to run their exploits," Van Nice says. "The idea is to get ahead of the attackers. The moment a threat is identified, it can be propagated across a very large network automatically with no operator intervention required."
Nominum's TRUE architecture helps organizations steer their users away from Web sites that control botnets, engage in phishing or provide other types of illegal content. If a user tries to access one of these sites, Nominum's software automatically brings up a warning Web page.
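A minimal sketch of the kind of blacklist check described above, added here as an illustration and not taken from Nominum's software: it matches a query name against listed domains on whole DNS labels, so a listed domain also covers its subdomains but not look-alike names. The listed domains, the warning-page address and all function names are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: reserved example domains and a documentation IP.
BLOCKLIST = {"malware.example", "phish.login.example"}
WARNING_PAGE_IP = "192.0.2.53"  # hypothetical host that serves the warning page


@dataclass(frozen=True)
class Decision:
    action: str             # "redirect" or "resolve"
    matched: Optional[str]  # blocklist entry that covered the query, if any
    answer: Optional[str]   # address returned to the client on a redirect


def normalize(qname: str) -> str:
    """DNS names are case-insensitive and may carry a trailing root dot."""
    return qname.strip().rstrip(".").lower()


def match_blocklist(qname: str, blocklist=BLOCKLIST) -> Optional[str]:
    """Return the listed domain that covers qname, comparing whole labels."""
    labels = normalize(qname).split(".")
    # Test the name itself, then each parent: a.b.c -> a.b.c, b.c, c
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None


def decide(qname: str, blocklist=BLOCKLIST) -> Decision:
    """Policy step a resolver would run before normal recursion."""
    hit = match_blocklist(qname, blocklist)
    if hit:
        return Decision("redirect", hit, WARNING_PAGE_IP)
    return Decision("resolve", None, None)  # hand off to ordinary resolution


if __name__ == "__main__":
    for name in ("C2.Malware.Example.", "notmalware.example", "login.example"):
        print(name, decide(name))
```

Matching on labels rather than raw string suffixes is what keeps `notmalware.example` from being caught by the `malware.example` entry.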
Nominum says its dynamic, intelligent, policy-based DNS system overcomes many shortcomings of legacy DNS systems such as the popular BIND 9.0 open source software or DNS appliances offered by its competitors. For example, a major flaw in BIND 9.0 was announced in July that required an immediate patch to prevent denial-of-service attacks.
Comments (2)
YOUR system is bog brother
By Anonymous on August 18, 2009, 10:01 pm
YOUR system is flawed too. I can think of 5 ways to do a hack on it and 5 more that will cause you utter grief. CHRoNo§§ Chair united hackers association
lol
By Anonymous on August 19, 2009, 2:13 pm
lol hack the planet