To truly lock down your DNS servers, Secure64 says you need a proprietary OS and the added security features only available on an Intel Itanium-based server.

by Alex Goldman ISP-Planet Managing Editor [May 18, 2007]

UltraDNS is now part of Neustar, but companies like it have been offering secure DNS for a long time (in internet terms). Founded in 2002, Greenwood Village, Colo-based Secure64 is a new arrival, having released its Secure64 DNS product on March 19, 2007. The company will be showcasing its app at ISPCON.

The product runs on a "micro operating system" called SourceT, which was built from the ground up with security in mind. In addition to the features of a hardened OS that ISP-Planet readers are familiar with: zero unnecessary user accounts, ports, or system services, the company added features such as:

• Fully authenticated boot process that checks the digital signature of the operating system to ensure that it has not been tampered with.
  
  
• A "secured runtime environment" in which application data, once written to disk, cannot be overwritten. In addition, applications that exist only in RAM can be prevented from running.
  
  
• The use of two I/O stacks to protect against buffer overflow attacks.

The numbers
Mark Beckett, Secure64 vice president of marketing, says that the product is compatible with an ISP's existing DNS solution and therefore does not require a forklift upgrade. If that's true, we ask, could an ISP rollback a Secure64 deployment? "They could, but of course we would hope they would not want to," he replies.

He says that a good metric by which to measure DNS performance is queries per second. On standard HP Itanium hardware (dual core processor, 4 GB RAM), it achieves 108,000 queries per second, more than most ISPs will ever need.

He provides a web-based demonstration using DNSPerf. The Secure64 DNS system discards SYN Flood attacks and its performance declines by barely 1 percent during a UDP reflected flood.

He also tells a customer story. "We had one beta customer who had a rack of DNS servers protected by a $12,000 NetScreen firewall who was thrilled when we told him he could redeploy the firewall elsewhere if he bought our product."

Pricing and availability
Secure64 DNS is available now. A software license costs about $9,995 and the Itanium hardware costs $5,000 to $6,000. The software is available direct from Secure64 and the hardware can be purchased from Secure64 or any HP reseller.

—End