<div class="auth-picture"><img src="http://www.securityweek.com/sites/default/files/imagecache/auth_story/pictures/picture-6.jpg" alt="" title="" class="imagecache imagecache-auth_story" height="67" width="68"></div><h2 class="page-title">
In Defense of BIND: Open Source
DNS Software Yields a Better Breed of Secure Product</h2>
<div class="meta">
<div class="submitted"><a href="http://www.securityweek.com/defense-bind-open-source-dns-software-yields-better-breed-secure-product">http://www.securityweek.com/defense-bind-open-source-dns-software-yields-better-breed-secure-product</a><br>
By <a href="http://www.securityweek.com/authors/ram-mohan">Ram Mohan</a> on
May 25, 2010        
        </div>
</div>
<p><span style="font-family: tahoma,arial,helvetica,sans-serif;"><span style="font-size: small;"><strong>BIND</strong>, the <strong>Berkeley
Internet Name Domain</strong>, is the market share leader for domain
name system (DNS) server software, with something like 85 per cent of
installations worldwide. That's getting into Windows' market-share
territory, so it's hardly surprising that the software has received more
than its fair share of security criticism over the years. Malicious
hackers and white-hat vulnerability researchers tend to focus their
efforts on the most widely deployed software. After all, it brings the
quickest outcome for expended effort. In reality, open source software
is already part of most IT infrastructure<sup>1</sup>, with</span></span><span style="font-family: tahoma,arial,helvetica,sans-serif;"><span style="font-size: small;"><img src="http://www.securityweek.com/sites/default/files/Domain_Photo.jpg" alt="BIND DNS" title="BIND DNS" style="float: right; margin: 5px;" height="223" width="315"></span></span><span style="font-family: tahoma,arial,helvetica,sans-serif;"><span style="font-size: small;">
little negative impact. Just like much of the Internet, open source has
become both ubiquitous and essential. </span></span></p>
<p><span style="font-family: tahoma,arial,helvetica,sans-serif;"><span style="font-size: small;">Over the years, BIND has been criticized for
the sheer number of software vulnerabilities that have been disclosed,
and the relatively large number of software patches that have been
issued to handle these bugs<sup>2</sup>. Vendors of competing products
have shown this as evidence of the superiority of their own proprietary
software, but clam up when asked to produce equivalent statistics of the
number of bugs and exploits fixed in their products. </span></span></p>
<p><span style="font-family: tahoma,arial,helvetica,sans-serif;"><span style="font-size: small;">As Forrester Research’s Michael Goulde<sup>3</sup>
says, “North American companies are more likely to have embraced open
source for mission-critical use. Companies are finding open source
suitable for certain types of critical business applications.” We know
now that the very openness of BIND has led to many individuals and
companies examining each version of the product, discovering design
problems and programming errors, and correcting them within days of
discovery – a far cry from the traditional once a year upgrade cycle of
proprietary software. </span></span></p>
<p><span style="font-family: tahoma,arial,helvetica,sans-serif;"><span style="font-size: small;">As a result, the open source nature of BIND
has resulted in it being considered more secure than proprietary DNS
solutions. After all, BIND gets updated an order of magnitude more
frequently than its proprietary competitors, creating a much smaller
opportunity for exploits to remain in the open. </span></span></p>
<p><span style="font-family: tahoma,arial,helvetica,sans-serif;"><span style="font-size: small;">Some say that malicious hackers have an easier
time finding vulnerabilities in software when they have access to the
underlying source code. But when one considers how vulnerability
hunters, both white-hat and black-hat, go about the work of hacking into
software, this is an unreliable argument. More vulnerabilities are
discovered via probing and reverse engineering, trying to break into the
software from the outside, rather than wading through the endless guts
of programs, hoping to get lucky. Even relatively lightweight software
such as BIND can contain tens of thousands of lines of source code. And
it is likely that proprietary software has as high a propensity for
vulnerabilities in it as open source BIND, if not more. Sunlight tends
to be a great disinfectant, and that openness effect holds good in the
software industry as well. </span></span></p>
<p><span style="font-family: tahoma,arial,helvetica,sans-serif;"><span style="font-size: small;">Consider the tools the good guys use to test
their own security. While it is possible to obtain commercial or
non-commercial software capable of scanning source code for potential
vulnerabilities, these types of applications are far outnumbered by
security tools and hacking programs that conduct “black box” testing
against compiled or live code, in which the vulnerability scanner
sometimes assumes the role of an attacker. One of the reasons for this
is that analyzing millions of lines of source code is a considerably
more challenging problem, even for software, than simulating known
attack vectors to beat on the surface of an application until it breaks.
</span></span></p>
<p><span style="font-family: tahoma,arial,helvetica,sans-serif;"><span style="font-size: small;">Take one of the most famous DNS
vulnerabilities, the “Kaminsky Bug.” Did Dan Kaminsky spend months
poring over source code to find the vulnerability, which had been
sitting there undiscovered in all kinds of DNS implementations for
years? No. He used Scapy, a network packet manipulation tool, to prod
and probe for holes in production DNS servers<sup>4</sup>. What he found
was essentially a hole in DNS itself, rather than BIND alone, but the
principle remains: it is much more effective for vulnerability hunters
to search the attack surface of live object code than its source. To put
this in simpler terms, a burglar walking down a quiet street trying
door handles will have a higher success rate than a burglar who spends
all of his time studying the blueprints of a Yale lock. <img src="http://www.securityweek.com/sites/default/files/DNS_Extensions.jpg" alt="Domain Extensions" title="BIND DNS" style="float: right; margin: 5px;" height="168" width="269"></span></span></p>
<p><span style="font-family: tahoma,arial,helvetica,sans-serif;"><span style="font-size: small;">To extend the analogy, if a homeowner has left
their house unlocked for whatever reason, hoping that a burglar will
not simply walk down their street trying handles, that person is relying
on a principle known as security through obscurity. This notion,
especially as it applies to cryptography, has been discredited by some
of the world's top security experts, starting with Auguste Kerckhoffs in
the late 19th century<sup>5</sup>. Keeping source code secret and
proprietary does not mean it does not contain vulnerabilities. </span></span></p>
<p><span style="font-family: tahoma,arial,helvetica,sans-serif;"><span style="font-size: small;">Proprietary solutions do offer several
advantages – technical support, training, published upgrades, APIs,
great user interfaces, etc. However, BIND, powered by the California
not-for-profit Internet Systems Consortium, provides all of these
features, albeit in the style of a not-for-profit organization. Perhaps
the biggest thing that BIND does not offer is a targeted marketing
message that reduces dissonance after a buying decision, which its
proprietary counterparts do a great job of. When someone is on the
phone congratulating you for spending your money on their product, sends
you whitepapers and invites you to industry conferences that validate
your decision, it is easier to defend the purchase, as compared to
receiving security update after security update from BIND’s active
mailing list. At the C-level executive suite, this lack of dissonance
reduction is probably the single biggest reason why BIND continues to be
replaced with expensive proprietary solutions once companies decide to
invest more fully in a robust DNS infrastructure. </span></span></p>
<p><span style="font-family: tahoma,arial,helvetica,sans-serif;"><span style="font-size: small;">Of course, proprietary solutions also pursue a
vendor lock-in model, where migration out of one solution to another is
typically a painful and often troublesome experience. Combine this
with an uncertain feature upgrade and release cycle and maintenance
costs that tend to quickly grow to as much as the price of the software
itself, and the cost-benefit analysis of BIND shows it to be a very
attractive solution. In the case of open source software like BIND,
which has a professional non-profit entity as well as an expert
user/developer community behind it, users get some of the benefits of
both worlds. When every user is also potentially a developer or patcher,
the number of eyeballs keeping the code secure increases exponentially
and the time to discover and resolve issues is drastically reduced. </span></span></p>
<p><span style="font-family: tahoma,arial,helvetica,sans-serif;"><span style="font-size: small;">Of course, at the end of the day, it comes
down to accountability. If your BIND installation fails, who can you
call? Is there dedicated support available to help configure your
software, or do you need to trawl through message boards and wait on
email responses while your web site is suffering? User experience is
varied here, but my suggestion is that for all mission critical software
installed in your enterprise, you should secure proper support
contracts and also train people in-house to ensure that you are not in
trouble when a problem occurs, as it inevitably will. BIND provides
how-to guides, a searchable database of problems, and may even provide
training under contract. </span></span></p>
<p><span style="font-family: tahoma,arial,helvetica,sans-serif;"><span style="font-size: small;">Human beings are fallible, so all software is
buggy and can have security vulnerabilities. It's a fact of life that
more widely deployed software like BIND is more likely to be attacked
than less popular alternatives. It's also a fact of life that BIND’s
open source development process acts to minimize, over time, the total
number of vulnerabilities, creating a much more resilient piece of
software. We put our faith in it, and it has not let us down.<strong><sup>-RM</sup></strong></span></span></p>
<p><span style="font-family: tahoma,arial,helvetica,sans-serif;"><span style="font-size: small;"><strong>Disclosure:</strong> <em>The author’s
firm, Afilias, uses BIND software extensively in its global computer
network and sponsors development and innovation of BIND software.</em></span></span></p>
<p style="text-align: center;"><span style="font-family: verdana,geneva;"><span style="color: rgb(51, 51, 153);"><em><span style="font-size: small;"><strong><span style="color: rgb(0, 51, 102);">Ram
</span></strong></span><strong><span style="color: rgb(0, 51, 102);">Mohan
is the Executive Vice President and Chief Technology Officer at
Afilias, a global provider of Internet infrastructure services
including domain name registry and DNS solutions. Ram also serves as
the Security &amp; Stability Advisory Committee's liaison to ICANN’s
Board of Directors and has helped direct and write numerous policies
affecting domain name registration and DNS security. </span></strong></em></span></span></p>