Start-up claims more secure, faster DNS server

* Secure64 targets its DNS server at service providers

If you need a battle-ready DNS system, take a look at the latest offering from start-up Secure64 Software.

Secure64 in March announced the general availability of super-fast and secure DNS server software that it says has built-in protection against denial-of-service attacks, rootkits and malware.

Secure64 officials say their DNS server software provides the fastest performance in the world, with more than 100,000 queries per second.

Secure64 is targeting its DNS server at service providers and enterprises that operate carrier-class networks.

The Secure64 DNS server gets its security advantages from two aspects of its design:

* It uses a special-purpose micro-operating system called SourceT that was built from the ground up for security. Because SourceT is new and less popular than Windows, Linux or Unix, it has fewer known security holes for hackers to exploit.

* It runs exclusively on HP servers that use Intel’s Itanium 2 processors. These servers provide very high performance, which helps withstand denial-of-service and other network flooding attacks because they can handle so many queries per second.

"SourceT is a secure architecture that is immune from malware including Trojans, viruses and worms because we’ve designed them out of the architecture," says Mark Beckett, vice president of marketing for Secure64. "It’s our high-performance I/O stack that self-protects the system against denial-of-service attacks."

Secure64 says its SourceT micro operating system is built to be secure so it doesn’t need to be hardened like competing products running on Windows or Linux. It allows minimal configuration to limit possible attacks. It has an authenticated boot process to eliminate rootkits, and it has a secured runtime environment to prohibit malware. It also doesn’t need to be patched.

In terms of performance, Secure64 says it outperforms the most common DNS server software, which is Berkeley Internet Name Domain (BIND), by three times.

"It responds to legitimate traffic while under attack," Beckett says. "We’ve seen no degradation while our system is under attack. Other DNS servers are unavailable when hit by a denial-of-service attack."

Secure64 officials say their DNS software complies with pertinent IETF standards and interoperates with BIND and Microsoft’s DNS software.

Beta tester Daniel Massey, an assistant professor of computer science at Colorado State University, says Secure64’s DNS server has performed well in his network security lab during the last year.

"We do a lot of work on DNS security and DNS security problems," says Massey, a co-author and editor on several IETF documents related to DNS security. "We’ve been assessing the overall security of the box, and it’s been a really great product."

Massey says the most important thing for network managers to consider with DNS is the availability of their DNS servers. He says too many network managers ignore their DNS servers and don’t realize how vulnerable they are to attack.

"DNS can be really an Achilles heel; if I can take out your DNS servers, I can take you off the 'Net," Massey says. "The coolest thing about the Secure64 system is that it processes DNS queries so fast. That means that DNS is no longer the weak point for a distributed denial-of-service attack. Now you have to take down my whole network, not just my DNS."

Massey says the scarcity of the Itanium chip and SourceT micro operating system also helps protect customers from security breaches.

"Nobody knows what this thing is, and that gives you an immediate security advantage," Massey says. "It’s not a BIND box. It’s not even Linux. That may be a short-term benefit, but the whole operating system is designed from the ground up for security. We cannot break this thing."

"The DNS space is in sore need of some IT TLC. It's an often neglected, yet critical infrastructure service," says Robert Whiteley, senior analyst, enterprise networking at Forrester Research. "Most companies don’t invest in underlying components like DNS and DHCP. Without them, IP will never be the digital dial tone that companies require."

Whiteley says new applications like IP telephony, network access control and Web front-ends for enterprise resource planning software are causing DNS to become mission critical.

"Most companies use outdated - often free - software, aging servers, and non-enterprise-grade management technology to support DNS. At best, it simply doesn’t perform well. At worst, it doesn’t perform well and is a security threat. And now we’re even seeing plenty of high profile outages caused by exploited DNS servers."

Secure64 is one of several companies including Nominum, a DNS software vendor, and Infoblox, a DNS appliance vendor, to introduce carrier-class DNS systems.

Secure64 "is unique in that it provides a much higher degree of inherent security – a truly hardened server with security protection at the chip level – than I’ve seen to-date," Whiteley says. "To provide the level of performance and security they claim with an Intel-based platform is a very attractive idea. But Secure64 doesn’t have it all. It still lacks the slick interface and policy management of a good [IP address management] tool."

Secure64 sells the SourceT micro operating system and its DNS application together for $9,995. The software runs exclusively on HP’s Integrity rx2660 servers, which cost around $6,000.

Founded in 2002, Secure64 has 23 employees. It has its headquarters in Greenwood Village, Colo. Secure64 has three patents pending on its technology.


Copyright © 2007 IDG Communications, Inc.
