Choose a suitable hardware platform

• Fast Intel/AMD based processor architecture
• 2 GB RAM – 8GB or higher if you plan to take advantage of additional DNS based features like redirection, or extensive statistics
• Gigabit interface

Server configuration:

• Assign a separate IP address for query source
• Memory cache value: Depending on your environment, this value could vary. The number of subscribers accessing this server will have an impact on the configuration value. A value between 500-1500MB can be used.
• Recursive contexts: This value needs to stay low. A Recursive context is a thread that is used for recursion. The lower the number of recursive contexts the better is your Cache hit. The two values go hand in hand during the optimization of your caching server.
• Negative Cache TTL: the default value usually works in most environments, but with very low TTLs critical for RRs for most global entities, it is better to keep this value low, between 15 and 45 minutes.

Security:

• Don’t deploy a firewall in front of caching DNS servers (can deploy an Intrusion Prevention System or similar if needed)
• Define an ACL list that matches the address ranges of the subscribers who can access the server
• Use the maximum number of ports (16) for UDP Source Port Randomization to maximize protection against spoofed queries.
• Take advantage of query case randomization, also known as “0×20”.  Be sure the server can requery (over TCP) without randomization to cover the small percentage of authoritative nameservers that don’t mirror query case.

Redundancy: Redundancy is critical when building a reliable caching infrastructure. Some common practices are

• Two logical caching servers at a minimum
• Ideally on different networks
• In different datacenters
• At least one server close to the subscriber < 20msec delay

Availability: The caching infrastructure always has to be available for the best subscriber Internet experience. There are several ways to deploy – the best solution will be guided by the network topology, the desired subscriber experience and cost.

• Load balanced: Horizontally scalable in large environments. It also allows additional control of ACLs on a hardware device if needed. The overhead is that it requires a load balancer expertise to manage the environment
• Anycast: This is a very common deployment model. This allows for individual servers to present themselves as DNS nodes on a network. DNS traffic is routed to the closest server on the network.
• Hybrid (Anycasting via a load-balanced configuration): This configuration is in use in large environments. This provides the flexibility of scaling a node to multiple servers based on subscriber density and traffic flows.

Capacity: A scalable infrastructure should be capable of handling failures in the network and/or hardware.  Always provide enough headroom on a server for:

• Loss of a site
• Loss of a server
• Site maintenance
• Server maintenance

Set thresholds: This will allow your network operations center to be proactive to potential problems way before they become serious

• CPU utilization > 40%, 50% 60%
• Recursive Contexts should run at around 20% sustained rate, 50% should trigger a notification and 75% requires attention to see what’s going on.
• QPS per client

DDoS:

• Rate limit queries per IP
• Distribute servers
• Use best of breed caching servers

Deployment process:

Simplify the deployment process so patches and software upgrades can be deployed quickly.

• Be able to quickly rebuild the OS
• Be able to quickly deploy a patch
• Be able to quickly upgrade the DNS software

Authoritative DNS Servers host your domains like www.yourcompany.com, and associated resource records, as well as their location. It does this by mapping names of hosts to their IP-addresses.

Caching DNS Servers help applications and services – browsers, VOIP, IPTV, etc. – navigate the DNS hierarchy to find the appropriate Authoritative servers and eventually the target host of your domain.

When you design and deploy DNS caching infrastructure, it’s important to understand and research the following first.

• How many subscribers are going to access the environment?  100-150 thousand per server is a typical maximum for high performance software running on a current generation hardware platform.
• What is the anticipated subscriber growth?  It’s worth matching growth to the hardware refresh cycle of 3-4 years.  Using the growth rate work back from 100-150 thousand subscribers maximum to figure out what the starting subscriber count should be.
• How distributed do you want the infrastructure to be? This usually depends on the network topology.  Keeping DNS clusters/servers as close as possible to end-users provides the best possible Internet experience.
• What additional features need to be enabled like IPv6 or DNSSEC?
• What additional solutions – like redirection, bot identification and mitigation or others need to be run on the platform?
• What statistics and metrics do you need to feed internal systems – what DNS related stats are tracked currently, are there new stats offered with the new platform that would be useful?
• What are other business growth drivers – are there plans to deploy new services that will fuel DNS growth?
• How will your operations team manage the new infrastructure?
• What processes and procedures have to been implemented to support the new and/or upgraded platform.

Once you have a clear understanding of the questions above and a few other that might be specific to your environment you can start putting your requirements into play.  Since you have the opportunity to build an infrastructure from scratch or upgrade an existing one, it’s worth spending time understanding business needs can be balanced with cost and capabilities of the solution.  Work the numbers – look at subscriber count and performance and consider factors that impact the subscriber experience like latency and costs.

SUNNYVALE, Calif., January 24, 2012- Fortinet® (NASDAQ: FTNT) – a world leader in high-performance network security – today announced the introduction of two new DNS caching appliances designed for the SMB, Enterprise, Federal, Financial Services and Educational markets. The FortiDNS-400C and FortiDNS-1000C, the first of a planned product family of security-focused DNS, DHCP and IPAM solutions, enable organizations to prevent malicious attacks against their DNS infrastructure.

The FortiDNS-400C and FortiDNS-1000C are the result of a technology partnership with Nominum, the worldwide leader in intelligent DNS and DHCP business solutions that support over 500 million broadband and mobile users worldwide. Powered by Nominum, the FortiDNS appliances introduce significant security benefits to help protect an organization’s DNS, the method of translating URLs (such as www.fortinet.com) to individual device IP addresses. Without a fully secure Domain Name Server (DNS) infrastructure, there can be catastrophic consequences that include hijacking of legitimate users and an inability to send email, find Websites or access the Internet. For example, criminals seeking to steal the login credentials of online banking customers could hijack the DNS of an ISP and redirect customers to a fraudulent site.

“If compromised, DNS can open an organization up to attack and subversion via the redirection of users to malicious content,” says Dr. Paul Mockapetris, Chairman and Chief Scientist of Nominum and inventor of the Domain Name System (DNS). “It is one of the most critical but often overlooked components of Internet use. That’s why today’s introduction of the initial FortiDNS appliances is so significant. Organizations now have a DNS caching appliance running a hardened, commercially-crafted software, that is field-proven with hundreds of millions of users, providing exceptional security for one of the most important aspects of their IT infrastructure.”

The security-focused FortiDNS-400C and FortiDNS-1000C feature a high-performance recursive DNS caching engine that supports IPv6 and Domain Name System Security Extensions (DNSSEC) making it an ideal upgrade option over aging and functionally-limited legacy solutions. By integrating the high performance and secure DNS features from Nominum with Fortinet’s broad management, network security and cloud-based FortiGuard™ services, the FortiDNS family provides organizations with a simple-to-deploy and affordable appliance that provides critical DNS security capabilities.

Simplified Management

Until now, DNS has had a history of being a somewhat complicated and, at times, error-prone system to manage and administer. Simple configuration errors on the command line have proven disastrous and difficult to troubleshoot. To overcome these issues, FortiDNS is a fully hardened appliance that removes the need to patch and maintain the host operating system. As a GUI-configured solution, the FortiDNS family simplifies the task of administering the appliance to reduce operational overhead and significantly minimize the risk of misconfiguration.

FortiDNS Features

As a hardened system powered by Nominum, the FortiDNS-400C delivers market leading, carrier-class DNS security that has been tested in the most demanding environments in a simple-to-deploy appliance form factor for a wide range of enterprises and businesses. Through its secure DNS implementation including Transaction ID, UDP source port and case (query name) randomization, the appliance can prevent DNS cache poisoning attacks. In addition, its high-performance DNS caching speeds up name resolution and network performance.

FortiDNS appliances also provide support for IPv6 and DNSSEC to help ensure future requirements are supported in order to protect customer investments. To secure remote management and protect against brute force attacks to gain access, they also integrate with FortiToken two-factor authentication.

And for enhanced visibility, network and security administrators can gain insight into what is being queried on their network and who is making the query. This aids in quickly identifying potential misconfigurations and compromised systems and helps organizations adhere to audit requirements.

“The need to secure DNS infrastructures has never been greater,” said Michael Xie, chief technology officer with Fortinet. “Because DNS is a fundamental enabling component of the Internet, it has to be aggressively safeguarded from malicious attacks that can wreak havoc on an organization’s ability to conduct business. That’s why we’re collaborating with Nominum on the release of our initial secure DNS caching appliance. By combining best of class technologies from two market leaders, the FortiDNS family is a powerful yet highly affordable solution to help protect and preserve the integrity of an organization’s DNS infrastructure.”

Availability

The FortiDNS-400C and FortiDNS-1000C will be available in Q1 2012.

About Nominum (www.nominum.com)

Nominum is the leading provider of business solutions powered by world-class Intelligent DNS and DHCP software and service platforms. Our solutions enable our customers, including fixed and mobile service providers and OEM technology partners, to provide the most secure, scalable, robust and reliable Internet experience to more than 500 million users worldwide. Nominum’s DNS- and DHCP-based solutions are the only commercial offerings in the marketplace meeting the rigorous demands that today’s service providers and enterprises have for security, low latency and high-speed performance. Nominum is a global organization headquartered in Redwood City, CA.

About Fortinet (www.fortinet.com)

Fortinet (NASDAQ: FTNT) is a worldwide provider of network security appliances and the market leader in unified threat management (UTM). Our products and subscription services provide broad, integrated and high-performance protection against dynamic security threats while simplifying the IT security infrastructure. Our customers include enterprises, service providers and government entities worldwide, including the majority of the 2011 Fortune Global 100. Fortinet’s flagship FortiGate product delivers ASIC-accelerated performance and integrates multiple layers of security designed to help protect against application and network threats. Fortinet’s broad product line goes beyond UTM to help secure the extended enterprise – from endpoints, to the perimeter and the core, including databases and applications. Fortinet is headquartered in Sunnyvale, Calif., with offices around the world.

Criminals always follow the money and with growth in mobile broadband at the base of the power curve and the billions of devices forecast to be navigating the web, there is little doubt tremendous energy will be expended to target mobile devices.  They will become prime targets especially since people are already comfortable banking and executing other kinds of transactions from their smartphones.

Mobile network operators face different challenges than their fixed network counterparts.  Although mobile devices like tablets and smartphones have become extraordinarily powerful they still have processor and memory constraints as compared to even modest laptop computers.  With this kind of environment, traditional security solutions (like client software) introduce trade-offs.   Mobile users won’t be happy if security software noticeably impairs the performance of their devices, especially if they’re depending on it for directions or information while they’re on the go.

Using precious bandwidth for shipping security software updates is also unlikely to appeal to either network operators or mobile users.  For network operators aggregate bandwidth consumption for updates will be substantial and there is a real cost associated with its use.  Users like the idea of security but if the practical reality means waiting for an update rather than surfing to find the nearest restaurant they’ll always prefer the latter and will quickly tire of intrusions that interrupt their routines.

There are other, more subtle issues with mobile.  With mobile devices in general there’s less opportunity to provide context and cues to users to alert them to security threats.  Small(er) screens introduce unique human factors challenges.  With less display area there’s a reflexive tendency to scroll to where the action is on the screen and even experienced users may miss important cues indicating a security threat, for instance by quickly scrolling below the address bar in a browser window.

Just as criminals are dependent on networks for launching their exploits, they’re also dependent on the network to harvest their gains;  they need phishing sites to gather valuable personal information, drop-off sites for malware to upload personal information, and in the future Command and Control for botnets. These telltale signs reveal their presence.

Mobile network operators have a unique opportunity to address these issues.  Enabling a layer of security protections in the network is an obvious alternative to traditional approaches.  Network based protections offload the burden on mobile devices and eliminate the need to continually update what will rapidly grow to be billions of devices.

Leveraging the DNS as a network based security solution offers even more benefits as discussed in these posts: Strategic Vantage Point, The Power of the Control Plane, Advantage DNS.  Most importantly, it allows network operators to demonstrate an active commitment to protecting their customers – enhancing their safety online and improving their overall Internet experience.  This will increase their affinity for the base service and make them more receptive to other offers.

The DNS is proven and well understood, it’s been an integral part of IP networks for more than 25 years. It’s also stable; there have been very few changes to the protocol so there is little inherent risk in leveraging it for new applications like security.

The DNS is universally deployed; every IP network in the world uses it.  Every client device that accesses the Internet also uses it because it’s essential for navigation.  DNS ubiquity is a Good Thing, leveraging the DNS removes the need for new equipment and changes to network architectures.   Since every device already has a DNS client there’s no need for client software either.

The DNS is a superb vantage point in the network.  Virtually every Internet application relies on the DNS, as do social engineering exploits, malware, fake AV etc.  If something bad is happening on a network the DNS is the place to see it.

DNS deployments are virtually always designed with redundancy.  DNS clients are already setup to talk to multiple DNS servers so a DNS based security system will be inherently redundant.

Better still, most Internet transactions start with a DNS query, navigating to a web site, sending an email, making a phone call, etc.  This means security exposure can be detected as early as possible.  Early detection means many exploits never even get off the ground.  No other security system is as proactive.

The DNS scales beautifully, it’s the largest distributed database in the world, hosting hundreds of millions of domain names.  There is no question it can scale to meet security challenges.

The DNS is pervasive, it’s distributed across literally every corner of the Internet and hundreds of millions of Internet resources rely on it to advertise their presence.  Today millions of exploits use the DNS to advertise malicious resources; it just makes sense to use the DNS against them to prevent them from being successful.

Because the DNS is fully distributed and it’s a relatively simple protocol a single server can process queries from tens of thousands of devices.  In aggregate, trillions of DNS queries are handled every day – no other system even comes close.  As traffic increases the DNS is beautifully suited to handle it.

“Zero Cost” protection – using the DNS to protect networks and end users does not introduce any overhead.  There is no new equipment in the network and no additional latency; “intelligent” DNS queries are processed in exactly the same way as conventional DNS queries.

Summary

There’s tremendous upside to using systems that are familiar and proven to deter security threats that are becoming more and more common. The DNS is an essential part of the Internet and there’s a tremendous opportunity to leverage its power, scope and scale in the security battle.

A major advantage of the DNS is it works in the control plane – helping set up IP transactions by providing applications with the location or identity of resources. It does not participate in any of the subsequent protocol interactions – to connect to a server and download or exchange data such as web pages, video, email etc.  Yet a single, short, DNS query can reveal a potential security threat like a malicious web site, or a bot trying to reach its command and control.  It’s an extremely effective and lightweight method of identifying existing and potential threats that does not add any overhead to DNS query processing.  There is also no additional equipment or processing required in the network.

All other network-based security solutions work in the data-plane: specialized equipment such as Deep Packet Inspection (DPI) boxes are placed in a network to observe data traffic between client devices and servers.  High performance hardware promiscuously scans every packet on a network link looking for malicious activity.  Network operators configure filters based on information contained in reputation lists or signature updates.  When a packet matches a filter it triggers additional actions to capture data such as the destination of the packet.  Interestingly the presence of such traffic is an indication that an exploit is at least partially successful.

There is another limitation of data-plane based filtering.  In most cases it’s necessary to filter based on IP addresses rather than domain names.  Although for some purposes filtering in IP addresses is adequate it is often ineffective, especially for dynamic threats where attackers change the IP address continuously to avoid detection.  Filtering based on domain names is more effective because dynamic threats can be captured.   But data plane based equipment is typically not situated in the right place in the network to take full advantage of domain-based filtering because it will not see all the DNS traffic (best case it will only see recursive requests from a caching server), and client level IP visibility is lost (recursive requests will always use the caching server IP).  It is certainly possible to situate DPI equipment in front of the DNS and set up filters to trigger on domain names but this justifies and strengthens the case for native use of the DNS for security!

The other disadvantage of data-plane based filtering is it raises privacy concerns.  End users are increasingly aware of the implications of Deep Packet Inspection and wary of its presence.  The notion of a network operator looking at all the data traffic on a network has raised objections from privacy advocates and makes mainstream users extremely nervous.  By contrast, DNS-based solutions only resolve requests for web sites; it is impossible to derive any insight into what someone does at a website when they visit.

To start with, DNS servers occupy a strategic vantage point with tremendous visibility into what’s happening on networks.  Every end user, device, and IP application uses the DNS to locate resources; legitimate applications like web browsers, VoIP, and email use it, and malicious applications use it too.  DNS queries for malicious destinations – malware sites with “drive-by” downloads, phishing sites that harvest valuable confidential information, botnet command and control, and many other things – are a telltale sign of security exposure.  They’re a clear indication an end user intends to navigate to a dangerous place, or may already be infected with malware.

In the security world early detection is highly desirable.  The sooner a threat can be detected, the less damage it can do, and the fewer resources it consumes.   A DNS query is a great leading indicator of security exposure because it precedes all other tasks for most of the interactions that take place on a network.   For instance, when someone clicks on a malicious web link the first thing their browser does is initiate a DNS query.  Similarly when a bot is activated it sends a DNS query to find its command and control server.  Even Advanced Persistent Threats signal their presence with DNS queries.

Although there are other methods of detecting these kinds of threats DNS servers are the best early warning system because they see potential security threats before anything else in the network.  It’s even possible to move from a reactive, to a proactive, security model where end users are prevented from going to malicious destinations altogether so their machines don’t get infected in the first place.  Contrast this with today when users get infected, and then rely on client software to discover the infection, hopefully before any real damage is done.

There’s a great opportunity to leverage the strategic vantage point of the DNS and introduce a layer of security in networks that is a far better match for today’s dynamic threats.

It’s actually a straightforward proposition: make caching DNS servers smarter so they can identify malicious Internet destinations.  Dynamically updating caching servers with the latest threat information from “reputation lists” makes them more intelligent.  When an Intelligent DNS server sees a request for a web destination that matches a cached malicious destination it can provide a safer more “intelligent” answer based on policies set by a network operator.  For instance depending on the type of threat the server could:

• Log the request if the threat is not serious or not well understood (to capture data for further analysis), or
• Provide the IP address of a “safe” website when a user requests a malicious destination, this website could offer specific guidance on the threat and link to other resources
• Provide the IP address of a sinkhole where traffic can be analyzed, or a blackhole where it is dropped

Other policies are possible based on a network operators needs.

Providing an intelligent answer to a DNS query does not require any additional processing of the query.  The server does exactly the same amount of work whether an answer is “intelligent” or not.  It just does a normal look-up on the domain name and pulls whatever answer is cached in memory.   Performance (queries per second) and latency (the time to respond to a query) of the server are not affected.  There is a small amount of work to receive and load reputation list updates, but this can be performed when the server is not responding to queries, so it does not affect the primary function of the server.

Making DNS servers more intelligent can enable a new layer of highly agile security defenses.   A familiar, proven system can be inducted into the security battle and have a substantial impact no significant overhead.

To some extent this problem is not a surprise.  Client software was originally developed in an era when exploits propagated far more slowly (remember infected floppy disks?) so it wasn’t necessary to update signatures continuously.  Now attackers have all the resources of the Internet at their disposal – and use them.  Exploits can be morphed and redeployed in seconds.

The problem is not an inherent inability of client software to detect dynamic threats.  It’s human factors or technical constraints preventing the very latest signatures and algorithms from always being installed on every machine.  Security vendors have done a remarkable job of identifying and tracking even the most agile attacks, but the value of their efforts is substantially diminished if people are unwilling, or unable, to keep their client software current.

Agile attacks require agile defenses.  Since virtually every threat today originates in the network, moving protections into the network is a sensible thing to do.  Because threats operate at Internet scale security solutions need to scale as well.  Aggregation is a natural benefit of moving security protections into the network. A few systems, strategically situated, can provide effective protection for potentially millions of hosts.  Fewer systems means updating threat information is simpler and far more reliable which greatly improves agility and responsiveness to a rapidly changing threat landscape.   Consumers, network administrators and other IT staff get relief too, and the burden on hosts can be reduced, especially as network based protections become pervasive.

The idea of network based security is not new, it’s been happening since the Internet was first commercialized and firewalls arrived on the scene to protect corporate networks from outside intruders.  But what’s needed now are solutions that are as dynamic, adaptable and scalable as the threats they are designed to deter.  The question to ask isn’t whether additional security protections should be deployed in the network, but how.

• Make sure your primary Authoritative server is not accessible by anything other than your secondary Authoritative servers. In particular, the primary should not be accessible via UDP/TCP port 53 from anywhere other than the secondaries.  If a secondary is compromised, you can quickly take it down and rebuild it, because your authoritative DNS data is still secure.

• Implement query-rate limiting on network devices (load balancers, firewalls) in front of your secondary Authoritative servers.

• It might also be worth considering approaches for introducing a redundant master authoritative server.  Active-standby configuration have limitations with only a single primary authoritative nameserver accepting zone changes and transmitting them to secondary servers across their network at any one time, especially for voice and real-time applications.  Existing approaches for handling failure of a master add complexity and often introduce synchronization problems as well as unacceptable and unpredictable delay,  all of which can have a negative impact on application performance.

In some cases backing up or supplementing internally managed servers with hosted services may make sense (Nominum offers SKYE Authority). This provides additional live capacity to maintain DNS service for handling unusual loads or if you are attacked.  Look for a globally distributed network that is actively monitored for any unusual traffic.

• Place recursive DNS servers close to customer access networks – this minimizes network latency for DNS queries, and helps to reduce the perceived response times from websites.  Complex web pages can generate 20 or more DNS queries, often sequentially, so fast DNS response has a significant impact on overall page load times.
• Allow plenty of capacity. A maximum CPU load of 20% for the DNS process and 30% overall (including management agents and other things that may be running) at peak time are good targets to ensure ample headroom. Remember that monitoring systems such as Cacti give a short-term average, usually over several minutes, and DNS traffic spikes may be hidden. Plenty of headroom means that these spikes can be handled, and allows “breathing space” if an attack starts or something on the Internet creates an unusual surge in traffic.
• Block UDP and TCP port 53 access to your servers from outside your network. There is no need to provide DNS service to the rest of the Internet (and all the DDoS sources out there!). Optionally, using the distributed Anycast system described above, each DNS server only needs to be exposed to “local” users. However, if this is done, care must be taken to ensure that there are accessible servers in the event that the local one fails.
• If you site multiple DNS servers together, use a suitable load balancer.  The Anycast system is not capable of accurately load-balancing between adjacent servers. However, most load balancers and switches are capable of advertising Anycast routes, and withdrawing them when available server capacity drops below a defined threshold. Remember the traffic is mostly UDP. Load balancers are very important tools, and can help rate-limit when an attack occurs, but they do introduce another potential failure point.
• An option worth considering is hosted services (Nominum offers Skye Resolution) to provide additional live or backup capacity to maintain caching DNS service if you are attacked.  Be sure to confirm the vendor has a globally distributed network to minimize the likelihood a DDOS attack against your DNS servers affects the hosted service at the same time. Hosted services should also be actively monitored for unusual traffic.
• Before the DDOS attack happens, make sure your monitoring and alarms are up to the job. You need to know very quickly when server load has increased. Have trace tools ready to look at query source addresses for unusual patterns. Nominum iView is a valuable ally here, as it is specifically designed to monitor and control DNS systems.
• Make sure your organization and response procedures are well understood. Often, when a major outage or attack occurs, the biggest reason for delayed response is confusion: who to call, what steps to take? In many cases, the attack is over before the attacked organization has started analyzing it. At minimum be ready to capture relevant data during an attack so you  have something to analyse after the event.
• Document what you find out after the event. Even if you cannot analyse the event while it is happening, there is still great value in a post-mortem investigation, as it will help you defend better and respond more quickly next time.

Over a few posts we’ll cover 13 simple techniques to ensure good service. They’re relevant for service provider networks and many are applicable to Enterprises as well.

Below is our first suggested technique, which is how Anycast can be used to make your caching DNS more robust.

Anycast is a simple way to advertise the same IP address for all DNS servers – this simplifies customer provisioning, and means that DNS queries will automatically be re-routed if a server fails. A DDoS attack from within the network will only affect the “nearest” server(s) to the attack source(s), so disruption is minimized. 

Anycast can be implemented on a server with a simple script, which performs a DNS health check and then advertises a /32 route to the relevant routers. Routers propagate this route to the network edge using the relevant routing protocol. As /32 routes take precedence over larger subnets, this ensures that all DNS queries from the local network edge are routed to the “local” DNS server. 

If the DNS software fails, the script health check will withdraw the route. If the server fails or becomes unreachable, the adjacent router will age the route out. Some tuning of route aging on the routers may be needed. In both cases, there is already a route to the “next nearest” DNS server and queries will flow to it. 

The process of route withdrawal can be made shorter than the client’s “no DNS response” failover time, so clients need never fail over to a secondary DNS server address. Recovery is, of course, automatic. The Anycast address is configured as a VIP on each server. The real address of each server should not respond to UDP/TCP 53, or should be protected from this traffic by adjacent network elements. This ensures that attempts to DDOS the servers from off-net, or by using the real addresses, will fail.

One of the stresses that will be imposed on the DNS during the transition to IPv6 is an increase in query volume. In fact it’s already happening. The default behavior of MacOS X is to request both A and AAAA records even when the clients making the queries aren’t provisioned on an IPv6 network! In many cases it is believed to be a major source of IPv6 DNS traffic, measurements show the query volume approximates MacOS X adoption.

Windows 7 and Vista will also query for both AAAA and A records if the OS sees a publicly routable (non-local link) IPv6 address configured. As more and more clients are transitioned to IPv6, operating system behaviors like this will cause query volumes to grow rapidly since from the standpoint of the DNS, adding a new IPv6 address will be almost equivalent to adding a new host. Because these operating systems dominate the market the aggregate effect will be a noticeable bump in query volume.
Since the shelves at IANA are now bare, Service Providers have to accept the fact that IPv4 addresses are officially scarce and thus have tangible value; they’re no longer “free”. There may come a day when dual stack deployments for new subscribers will not be economical, especially for consumer services, due to the “cost” of an IPv4 address. This is causing network operators to consider technologies such as DNS64/NAT64 to preserve precious IPv4 addresses. However this also results in a corresponding increase in DNS queries, since IPv6 hosts will query a caching server for a AAAA record and when it does not exist (often for now) the caching server will re-query for an A record. Bottom line: regardless of which transition technologies predominate DNS query volumes will increase.

DNS queries for both A and AAAA records could continue long into the future, essentially until the last IPv4 addresses are retired – which could be a long time. It’s possible when a significant majority of web content is migrated to IPv6 operating systems could be modified again to be biased toward IPv6 (only issuing AAAA queries unless an IPv6 record is not found) but it appears as though we are a ways away from that!

The good news is ensuring critical systems like the DNS are truly ready for the transition to IPv6 is straightforward. The most important task is ensuring the DNS infrastructure is dimensioned to account for the additional load. The primary variable that needs to be considered is processor utilization, with Best Practices calling for average utilization of around 20%. This provides headroom in the event of a DoS attack, or other network event, that spikes query volume (DoS attacks have been measured that increase query volume as much as 800%).

Network operators can make judgment calls about how “hot” they run their servers. When limits are reached it’s only a matter of deploying incremental servers and redistributing clients. The task of staying ahead of server performance requirements is far simpler with extensive query statistics and detailed IPv6 metrics so query trends can be understood. If detailed data is available from servers across the network, monitoring and benchmarking can be highly automated and potential problems dealt with proactively. Monitoring performance is valuable even in the absence of the IPv6 transition since the underlying trend of continuous growth in DNS traffic is unlikely to change.

Another DNS server resource worth paying attention to is memory. Empirical evidence thus far suggests IPv6 has had little impact on memory but since IPv6 addresses are 4 times larger, AAAA records require more storage capacity. As more and more web servers are provisioned on IPv6 the impact will be felt since servers will have to store both record types. As mentioned the availability of detailed statistics from DNS servers will give network operators visibility into IPv6 query trends so DNS infrastructure can be ready.
There’s one last thing on the check list. If DNS64 /NAT64 is used it is also necessary to configure an IPv6 interface in DNS servers, since the clients will only have IPv6 connectivity. There have been cases where the IPv6 protocol stack has an impact on server performance so it’s worth testing to see if an OS or HW upgrade is needed. A similar impact has been observed with load balancers so again prudence suggests some basic performance testing to ensure availability levels can be maintained, even under load.

By late 2009 wireline and wireless broadband subscriptions crossed 1 billion globally, but most connections are in the developed world, with the developing world far behind. Fortunately that is starting to change. Brazil is executing on an ambitious Plan Nacional de Banda Larga (PNBL or National Broadband Plan) to bridge the digital divide and meet the following goals:

• reduce social and regional inequality,
• create jobs and income,
• improve government services,
• increase Brazil’s overall competitive position

An action plan was created for PNBL to address major challenges that had been identified:

• Broadband in Brazil was priced far higher as a percentage of per capita income as compared to other developing countries. Regulations and incentives were created to increase competition and lower prices. In fact taxes on items such as modems were lowered to help reduce costs.
• Many regions of Brazil were underserved with broadband services and connection speeds were far below world averages in most of the country. A plan was developed to build a nationwide fiber optic network and Telebras was selected to construct it.

As part of the plan, policies for technology development were proposed to lay the groundwork for a national industry in telecoms equipment. The Brazilian Development Bank (BNDES) also provided financing incentives for digital cities.

The PNBL is already showing results. The first city, San Antonio, in the Goias state in central Brazil, has been connected to Telebras’ high speed backbone. In exchange for high speed connectivity, local providers offer reduced rate broadband or provision a higher speed connection without increasing the cost. More than 300 more municipalities are targeted for connection by the end of 2011, and more than 4,200 by 2014. The president has set a goal of increasing broadband penetration from 27% of households currently, to 70% of households by 2014. In all more than $10 billion will be spend from both federal and private sources.

Nominum was proud to play a role in the Brazilian national network. Starting with early involvement in the planning phase, followed by intensive consultation throughout the design and implementation, the new national network was contructed with a state of the art DNS to match the high speed fiber backbone. Advanced services will help protect Internet users from malware and other threats and because they are based in the network, end users do not have to install or maintain specialized client software.

In this interview with Telesemana Paul discusses the importance of layered security and the kinds of exposure Internet users face.

RCRWireless News talks with Paul about the latest Internet attacks and how they can be addressed.

They bring friends, kids and occasionally dogs. Everyone brings an appetite. This year’s picnic was held at our corporate headquarters in Redwood City. The mouth-watering scent of barbecue, the lively sounds of bluegrass (performed “impromptu” by 3 members of our Engineering team) and a handful of family activities made the day one to remember.

Nominum continues to grow and evolve; there are always new faces, and yet our spirit remains strong. We’re here to do what we do best, and have some fun along the way!

Stay tuned for additional posts from our team. We’ll keep it light & interesting, and we always enjoy your feedback!

What attracted you to Nominum?

Nominum is a major player in the networking world with incredible product and technology assets.  Hundreds of millions of users depend on us for DNS every day, making us a force in most markets and geographies. Our unparalleled market success has been fueled by some of the world’s brightest DNS minds, including our Chairman, Paul Mockapetris the inventor of the DNS. Our exceptional engineering team is not only steeped in the history of the Internet but also has a deep understanding of how networks work and how to make them better.  They’re committed to innovating to deliver powerful products that will reshape the future of the Internet and keep Nominum ahead of the pack.

What are your top priorities?

First and foremost, is to engage our customers and make them an integral part of our understanding of how best to do business with them. Second, is to continue our rapid worldwide expansion and record growth. Third, is to share more of Nominum’s deep DNS knowledge and thought leadership through a diverse set of channels and tools such as our newly launched [names & numbers] blog.

What does it mean to you to be a “customer-centric CEO”?

Everything I’ve accomplished in business I owe to customers buying from and trusting in me.  As a result, I respond in kind.  That means listening to and being responsive to their needs.  It means treating them with respect and working within their constraints, not asking them to bend to ours.  It’s not only about providing great products; it’s also about providing a great commercial experience.

What do you see as Nominum’s role in the Internet?

No one disputes  DNS is critical.  That’s why we’ve invested in transforming it to make the Internet better – more secure, more available and easier to use for over 500 million users every day.  For network operators, we’ve created a suite of products that make it simpler to build and run networks – with far better visibility into what’s really happening and with far friendlier interfaces like our new mobile app.

How would you like customers to describe Nominum?

Our customers universally tell us we have the best DNS products in the world.  But to me, that’s only the first part of the answer.  By far, the more important part is for them to also say we are the best company they’ve ever done business with.  I’m confident our new management team will make that happen.

People at Nominum spend a lot of time thinking about DNS and how to use it to make the Internet better. That’s why we’ve created the [names & numbers] blog. It’s a place to start conversations and stimulate thought. It aims to be deeply informative, provocative, and non-commercial. We welcome your comments.

Redwood City, Calif. – Aug. 23, 2011 — Nominum, the worldwide leader in Intelligent DNS systems, today announces the appointment of Gary Messiana as the company’s new Chief Executive Officer. Messiana, a seasoned industry veteran who has led a number of start-ups into high-growth markets, will oversee corporate strategy and all operations as the company enhances its products to expand into new markets. Messiana’s appointment marks the beginning of a new path for customer relations and strategic partnerships for Nominum.

“I am excited to join Nominum during such a high-growth phase and to build upon our leadership within carrier and enterprise markets globally,” states Gary Messiana, CEO of Nominum.  “With our new management team, our new approachability and the company’s industry leading products and services, we will continue our work as the leading force shaping the new Internet.  I am committed to ensuring our customers recognize Nominum as the most customer-centric and commercially-friendly company they do business with.”

Since 2008, Messiana has been an entrepreneur-in-residence at Bessemer Venture Partners, one of Nominum’s investors, focused on evaluating investment opportunities in the software and infrastructure-as-a-service sectors.   His background includes notable CEO positions with Netli and Diligent Software.  Under Messiana’s leadership, companies have innovated, grown and competed successfully across multiple markets and geographies.

“As our technology evolves and we look to the future, Gary is a perfect match for Nominum,” explains Paul Mockapetris, chairman and chief scientist at Nominum. “Gary brings an extensive track record of leadership and success in software and hosted service solutions. His customer relationship skills, operational excellence and deep industry experience make him an ideal CEO to manage our current growth.”

“Now that our DNS enables security and growth for the world’s largest Internet providers, Nominum’s poised to be the next Cisco,” said board member David Cowan of Bessemer Venture Partners. “It’s a star team in need of a star CEO, so naturally we recruited Gary.”

About Nominum

Nominum’s Intelligent DNS systems improve IP networks of all sizes globally, ensuring people always have a safe, secure and enjoyable Internet experience.  Nominum in-network software solutions and SKYE™ hosted services form the foundation of the always-on Internet, protecting operator and enterprise networks and the families and businesses that use them, and providing superior performance and reliability. Nominum software and SKYE services now support more than 500 million fixed and mobile broadband users as well as enterprises, universities, and government agencies in every region.  For more information visit www.nominum.com.

For press inquires contact:

Nominum, Inc.
David Contreras
+1 650 381 6000
pr@nominum.com

Vantio’s policy software modules MDR, NXR, and UAR and hosted network services SKYE™ Network Protection Service and NavAssist™ provide network-wide benefits including protecting users from becoming infected with malware and the propagation of botnets, helping them reach their intended destinations more quickly and better informed, and isolating PCs infected with viruses from draining network resources.

KISA, established in 2009, is a public corporation dedicated to ensuring a high-quality and safe Internet framework for Korea by working with the government to develop Internet-related policy, protect national Internet-infrastructure, and promote Internet usage. As part of this initiative, KISA chose Nominum’s Vantio caching DNS system as a highly secure, scalable, and reliable augmentation to their existing DNS infrastructure. The full DNSSEC support included with Vantio was a major selling point for KISA who plans to ensure a safe Internet for consumers by offering DNSSEC validation for the first time in Korea. ISPs, in partnership with KISA, will direct their customers who want DNSSEC validation to KISA’s DNS servers. This relationship also provides the structure KISA will use to offer future security solutions around network protection which will be offered both to Korean service providers and directly to end customers as is being done with this current DNSSEC project.

“KISA continues to play a critical role in ensuring the security of the Internet in Korea and protecting the safety of Internet users throughout the country. We are proud to be a part of that process and to work with such a respected partner. We are looking forward to our continued relationship in this growing market,” said Pete Wisowaty, Executive Vice President of Worldwide Sales at Nominum, Inc.

About KISA

KISA was established as a public corporation responsible for managing the Internet of Korea on July 23th, 2009, by merging three institutes NIDA, KISA, and KIICA. KISA is now an improved public agency that plays a major role in developing and researching the Internet in Korea.

About Nominum

Nominum’s Intelligent DNS systems improve IP networks of all sizes globally; ensuring people always have a safe, secure and enjoyable Internet experience.  Nominum in-network software solutions and SKYE™ hosted services form the foundation of the always-on Internet, protecting networks and the families and businesses that use them, and providing superior performance and reliability. Nominum software and SKYE services now support more than 500 million fixed and mobile broadband users as well as enterprises, universities, and government agencies in every region.  For more information visit www.nominum.com.

For press inquires contact:

Nominum, Inc.
John Arledge
+1 650 381 6000
PR@nominum.com

Redwood City, Calif. – July 11, 2011 — Nominum, following on the introduction of iView™ its hosted network intelligence service, today announced the launch of iView Mobile extending real-time network intelligence to Apple and Android-based devices worldwide.  As with Nominum’s iView service, iView Mobile brings together DNS information, application metrics, and performance data from resources across an operator’s network to provide actionable intelligence.  iView and iView Mobile leverage information gathered by the Nominum Analytics System a cross-platform technology integrated within Nominum’s DNS software products and hosted services.

“When we introduced iView last year, it was a leap forward for network owners in terms of their ability to deeply understand the important network activity and trends to deliver a better service for their customers.  With iView Mobile we have removed the location constraint on this information by making it accessible anywhere and in doing so have made it available to a much broader audience.  With this new level of visibility, C-level executives and non-IT staff can now have up-to-the-minute network intelligence that used to be limited to datacenter staff,” said Jon Shalowitz, Nominum’s Executive Vice President of Marketing.

Network owners of all types can benefit from the insights provided by iView and iView Mobile. Whether a service provider using the Vantio™ Intelligent DNS System, an enterprise using SKYE™ Authority, or a government agency using a combination of Nominum technologies, iView and iView Mobile tie the information from these sources together.  On the recent World IPv6 Day on June 8, Nominum customers using iView were able to monitor IPv6 queries being generated on their network and isolate misconfigurations that could lead to customer-impacting events.  iView has also been instrumental in identifying denial-of-service attacks and rogue clients on an operator’s network allowing them to take proactive steps to maintain service levels.  All of these capabilities are now accessible to executives and decision-makers wherever they may be.

In addition to its vast reporting capabilities iView allows management of a broad range of services.  iView provides management options for SKYE™ Resolution and SKYE Authority offerings.  In doing so, network owners now have a single interface for not only reporting, but also basic day-to-day management previously unavailable in web-based tools.

With iView being in production in customer networks around the world since 2010, certain trends have emerged based on information customers have shared with Nominum. These trends sometimes validate what would be expected and sometimes shed light on entirely new areas of network activity. For instance, global trending suggests that usage patterns change on the weekends vs. midweek. Interestingly, the pattern reverses when considering residential providers vs. commercial providers. Aside from trends, Nominum customers are reporting some interesting operational learnings from iView:

·   Uncovered routing inefficiencies leading to excessive DNS and network usage
·   Found unexpected IPv6 activity prior to launching IPv6 network support
·   Reported anomalous DNS traffic later diagnosed as an early indicator of a virus outbreak

In these and other cases, customers were able to take immediate actions based on this information gleaned from iView to better prepare their networks for future activity or thwart threats before having an adverse impact on the customer experience.

iView Mobile is available immediately as a free download via the iTunes Store for both iPad and iPhone and via the Android Market for Android devices.  The iView service itself is available to Nominum customers as part of their annual support and maintenance contract.

About Nominum
Nominum’s Intelligent DNS systems improve IP networks of all sizes globally; ensuring people always have a safe, secure and enjoyable Internet experience.  Nominum in-network software solutions and SKYE™ hosted services form the foundation of the always-on Internet, protecting networks and the families and businesses that use them, and providing superior performance and reliability. Nominum software and SKYE services now support more than 500 million fixed and mobile broadband users as well as enterprises, universities, and government agencies in every region.  For more information visit www.nominum.com.

For press inquires contact:
Nominum, Inc.
John Arledge
+1 650 381 6000
pr@nominum.com

Redwood City, Calif. – June 30, 2011 — Nominum, the worldwide leader in Intelligent DNS systems for network operators, has released the latest version of its SKYE™ Network Protection Service (SKYE NPS).  This latest version incorporates three major enhancements–namely a dynamic global whitelist, enhanced adaptive learning algorithms, and an advanced proprietary scoring system.  The global whitelist ‘learns’ from SKYE NPS deployments worldwide to weed out false positives from the system.  New adaptive algorithms provide improved correlation between bot command and control domains and related nameservers which increases the scope and accuracy of the domain threat list.  The advanced scoring system improves the granularity of the SKYE NPS feed allowing fine-tuning of security levels.

“SKYE NPS plus Vantio represents a significant obstacle to spammers and purveyors of botnet traffic generally.  When we look at global infection rates of up to 14% in some markets around the world, botnets are a significant threat to the stability, scalability, and profitability of an IP network.  Network operators who have deployed SKYE NPS are doing so to avoid the very real bandwidth and performance degradation associated with this form of network pollution,” stated Vivian Neou, Nominum’s Vice President of Research and Data Strategy.  “As an example, a very modest 1,000 infected machines are capable of generating in excess of 500Mbps of upstream traffic causing undue impact on subscriber experience and necessitating substantial incremental infrastructure.”

Introduced last Fall, SKYE NPS is a multi-faceted service which first provides a real-time feed of bot-related domains to network operators who use Nominum’s Vantio™ Intelligent DNS System and/or SKYE Resolution™ caching DNS service.  The solution further learns the specific characteristics of bots in a given operator’s network and combines this knowledge with real-time insights from other operators around the world. Threat lists are updated instantly as new threats are detected across the Nominum Global Network and immediately fed to network operators using Vantio and/or SKYE Resolution ensuring they have access to the very latest information.  This combination of technology deters botnet command and control activities and blocks their propagation. The accuracy of the SKYE NPS feed is further supported by Nominum’s award-winning research and data team.

“SKYE NPS continues to be a major area of investment for Nominum,” said Gopala Tumuluri, Nominum’s Chief Technical Officer, “enhanced native intelligence and improved algorithmic adaptability are just the beginning of coming improvements to NPS.”

SKYE NPS 2.1 is available now and integrates seamlessly with Nominum Vantio and SKYE Resolution deployments

About Nominum

Nominum’s Intelligent DNS systems improve IP networks of all sizes globally; ensuring people always have a safe, secure and enjoyable Internet experience.  Nominum in-network software solutions and SKYE™ hosted services form the foundation of the always-on Internet, protecting networks and the families and businesses that use them, and providing superior performance and reliability. Nominum software and SKYE services now support more than 500 million fixed and mobile broadband users as well as enterprises, universities, and government agencies in every region.  For more information visit www.nominum.com.

For press inquires contact:

Nominum, Inc.

John Arledge

+1 650 381 6000

Redwood City, Calif. – June 28, 2011 — Nominum, the worldwide leader in Intelligent DNS systems for network operators, today announced the latest version of its flagship Vantio™ Intelligent DNS system.  Version 5.1 offers a comprehensive new platform for logging, aggregation and analysis of DNS traffic information.  With this version of Vantio, Nominum also announced the Nominum Analytics System (NAS) that uses a combination of in-network/off-network architecture to offload complex analysis of DNS data from in-network DNS servers, thereby optimizing their performance and maintaining the best user response times. More importantly the off-network analytics system allows for globally aggregated DNS insights to provide early detection of new and emerging DNS-based threats and attacks throughout the Internet in real-time, including early detection and notification of DDoS attacks.  Customers of value-added Nominum services such as iView™ and SKYE™ Network Protection Service (NPS) directly benefit from the Nominum Analytics System with actionable intelligence and network security policies at their fingertips.

“Vantio is really the cornerstone of a scalable, secure IP network.  Enhancements such as the Nominum Analytics System make it even more valuable to a network operator not only for the direct benefit of improved data visibility without impacting performance but also for access to the services Nominum offers on top of this platform.  The combination of Vantio and iView truly provides network operators the most real-time information about their network’s health and operations while running on the industry’s best DNS system.  It’s a win-win,” said Jon Shalowitz, Nominum’s Executive Vice President of Marketing.

In addition to NAS, Vantio 5.1 features support for the new DNS64 draft standard proposed by the IETF to further the transition of the Internet to IPv6.  DNS64 allows IPv6-only clients to communicate with IPv4 services on the Internet that are not yet IPv6 enabled.

Vantio 5.1 is currently available to all Nominum customers as part of their annual support & maintenance.

About Nominum

Nominum’s Intelligent DNS systems improve IP networks of all sizes globally; ensuring people always have a safe, secure and enjoyable Internet experience.  Nominum in-network software solutions and SKYE^TM hosted services form the foundation of the always-on Internet, protecting networks and the families and businesses that use them, and providing superior performance and reliability. Nominum software and SKYE services now support more than 500 million fixed and mobile broadband users as well as enterprises, universities, and government agencies in every region.  For more information visit www.nominum.com.

For press inquires contact:

Nominum, Inc.

John Arledge

+1 650 381 6000

Redwood City, Calif. – June 23, 2011 — Telebrás, the federal coordinator for Brazil’s national broadband plan (PNBL), has awarded a contract to PromonLogicalis to supply Nominum’s Vantio™ Intelligent DNS System to provide caching DNS services and ANS Premier™ authoritative DNS servers for the PNBL.

This system is being deployed by network operators worldwide and especially throughout Latin America where broadband Internet penetration is growing rapidly.  More than simply an industry-proven scalable and reliable DNS system, Vantio allows operators to leverage their investment in DNS to improve the satisfaction, quality, and safety of their network for all users.  Vantio’s policy software modules MDR, NXR, and UAR and hosted network services SKYE™ Network Protection Service and NavAssist™ are providing network-wide benefits including protecting users from becoming infected with malware and the propagation of botnets, helping them reach their intended destinations more quickly and better informed, and isolating PCs infected with viruses from draining network resources. The activity from each of these systems is processed and presented in an actionable manner through iView™, Nominum’s network intelligence service.

“As we experience the explosive growth of Internet traffic in Latin America, network operators have realized the value of the DNS infrastructure for much more than simple query handling.  They are proactively specifying systems that provide far more flexibility, insight, and end-user benefits.  The PNBL is an ambitious undertaking, and Nominum is proud to have been selected as the supplier for this critical component ensuring a safer more enjoyable Internet experience for the people of Brazil,” said Pete Wisowaty, Executive Vice President, Worldwide Sales at Nominum.

Under the PNBL Telebrás plans to connect 1,163 previously unserved municipalities with broadband services in 2011 and 4,283 municipalities by 2014.

About Nominum

Nominum’s Intelligent DNS systems improve IP networks of all sizes globally; ensuring people always have a safe, secure and enjoyable Internet experience.  Nominum in-network software solutions and SKYE^TM hosted services form the foundation of the always-on Internet, protecting networks and the families and businesses that use them, and providing superior performance, and reliability. Nominum software and SKYE services now support more than 500 million fixed and mobile broadband users as well as enterprises, universities, and government agencies in every region.  For more information visit www.nominum.com.

About Logicalis

Logicalis is an international provider of integrated information and communications technology (ICT) solutions and services founded on a superior breadth of knowledge and expertise in communications & collaboration; data centre; and professional and managed services.

The Logicalis Group has annualised revenues of $1 billion, from operations in the UK, US, Germany, Latin America and Asia Pacific. In Latin America it operates as a joint venture between Logicalis Group and the Brazilian Group, Promon. It maintains offices in Argentina, Bolivia, Brazil, Chile, Colombia, Paraguay, Peru and Uruguay.

For press inquires contact:

Nominum, Inc.

John Arledge

+1 650 381 6000

pr@nominum.com

World IPv6 Day, being led by the Internet Society (ISOC), is the day when major Internet content publishers will offer their web content via IPv6 addresses with the intention of highlighting IPv6 readiness throughout the Internet from content providers, to networks, to clients. Highlighting the rapid growth in Internet services and access devices, especially in the mobile space, the addition of new IP addresses also indicates the significant influence the Internet will have on the world for years to come.

In support of World IPv6 Day, Nominum’s corporate website www.nominum.com is now available to IPv6 enabled clients.

For testing purposes the IPv6 Readiness Program provides network operators worldwide with access to the suite of Nominum’s fully IPv6 compliant Vantio™ Intelligent DNS System and ANS Premier™ for caching and authoritative DNS software as well as the Dynamic Configuration Server for DHCP software. Implementation of the software system will be supported by access to Nominum’s technical support team. Testing of the operator’s implementation will be assisted by access to Nominum’s IPv6 test protocols. All of these software and support services are provided free of charge under the terms of the IPv6 Readiness Program.

“As a company we are dedicated to advancing the state of the Internet both for consumers and our customers, and IPv6 is a major step in that direction. By giving network owners of all types access to our software and expertise we hope to improve understanding of the steps remaining to complete IPv6 support across the Internet,” said Gopala Tumuluri, Nominum’s Chief Technology Officer.

Both current and prospective customers can take advantage of the software, support, and services offered through the program. To register interest in the IPv6 Readiness Program, please visit the program page here.

About Nominum
Nominum’s Intelligent DNS systems improve IP networks of all sizes globally; ensuring people always have a safe, secure and enjoyable Internet experience. Nominum in-network software solutions and SKYE™ hosted services form the foundation of the always-on Internet, protecting networks and the families and businesses that use them, and providing superior performance and reliability. Nominum software and SKYE services now support more than 500 million fixed and mobile broadband users as well as enterprises, universities, and government agencies in every region. For more information visit www.nominum.com.

For press inquires contact:
Nominum, Inc.
John Arledge
+1 650 381 6000

Redwood City, Calif. – April 12, 2011 — Nominum, the leader in secure and intelligent DNS solutions, announced today that Cablevisión Argentina has selected its Vantio™ Intelligent DNS System to provide caching DNS services and SKYE Network Protection Service (NPS) to reduce the incidence of bot and other malicious network traffic throughout Cablevisión Argentina’s broadband network. SKYE NPS is a service hosted on the Nominum Global Network providing real-time data to network operators regarding malicious domains and infected clients on the Internet allowing these operators to instantly identify, validate, and mitigate bot and related threats.  Real-time data analysis is available via Nominum’s iView™, a network intelligence service which provides a completely new view of a network created via intelligent processing of DNS data.

Long known to be a steady drain on network resources, bots on average consume 10-25% of a service provider’s traffic depending on the geographic region and require a provider to purchase additional equipment to handle this added volume with no offsetting revenue.  Cablevisión embraced Nominum’s unique solution that leverages the existing DNS footprint in combination with a hosted service to deliver threat detection, validation, and enforcement all in a single solution with no additional third-party hardware or software integration.  Further, Nominum’s unparalleled access to DNS traffic patterns from around the globe allows all SKYE NPS customers to benefit from instantaneous policy updates generated by Nominum’s real-time adaptive learning technology. This approach ensures threats are detected earlier and are blocked before causing serious damage.

“At Cablevisión we are constantly searching for technology to improve the reliability of our network and the experience of our customers,” said Gabriel Carro, Engineering Manager at Cablevisión Argentina.  “SKYE NPS achieves these goals in a single hosted solution leveraging the Vantio Intelligent DNS System infrastructure.  No other technology we evaluated combines the most advanced detection system with the ability to take action on the spot nor offers the same level of system integration.”

“This service is truly a milestone in our goal of delivering a better Internet for all users,” said Gopala Tumuluri, Chief Technology Officer at Nominum.  “SKYE NPS brings to bear our decade-plus of knowledge supporting our service provider customers around the world to reduce malicious traffic and represents a dramatic shift in methodology for detection and mitigation of malicious traffic utilizing DNS as the platform.”

The project was developed in partnership with solutions provider Logicalis Southern Cone.  “Our goal is always to thoroughly understand customer issues and then implement best-of-breed technology to provide a solution.  We were happy to bring together these two industry leaders for the benefit of broadband subscribers throughout Argentina,” said Rodrigo Parreira, CEO, Logicalis Southern Cone.

About Cablevisión Argentina

Cablevisión is the leading pay TV and Internet services company in Argentina.  It began its operations in La Lucila, Buenos Aires, in 1981.  With more than 3,200,000 customers, it provides pay TV and broadband Internet services in 96 cities across the country and in 12 provinces (Buenos Aires, La Pampa, Santa Fe, Córdoba, Neuquén, Río Negro, Entre Ríos, Corrientes, Misiones, Chaco, Formosa and Salta), as wells as in Uruguay and in Paraguay. Current shareholders are Grupo Clarin with a 60% and Fintech Media LLC, with the remaining 40%.

About Nominum

Nominum’s Intelligent DNS systems improve IP networks of all sizes globally; ensuring people always have a safe, secure and enjoyable Internet experience.  Nominum in-network software solutions and SKYE™ hosted services form the foundation of the always-on Internet, protecting networks and the families and businesses that use them, and providing superior performance, and reliability. Nominum software and SKYE services now support more than 500 million fixed and mobile broadband users as well as enterprises, universities, and government agencies in every region.  For more information visit www.nominum.com.

About Logicalis

Logicalis is an international provider of integrated information and communications technology (ICT) solutions and services founded on a superior breadth of knowledge and expertise in communications & collaboration; data centre; and professional and managed services.

With its international headquarters in the UK, Logicalis Group employs over 1,900 people worldwide, including highly trained service specialists who design, specify, deploy and manage complex ICT infrastructures to meet the needs of over 5,000 corporate and public sector customers.  To achieve this, Logicalis maintains strong partnerships with technology leaders companies.

The Logicalis Group has annualised revenues of $1 billion, from operations in the UK, US, Germany, Latin America and Asia Pacific, In Latin America it operates as a joint venture between Logicalis Group and the Brazilian Group, Promon, achieving the leadership in the ITC market. It maintains offices in Argentina, Bolivia, Brazil, Chile, Colombia, Paraguay, Peru and Uruguay.

For press inquires contact:

Nominum, Inc.

John Arledge

+1 650 381 6000