Nominum's Skye: Still A Service Provider Product

Nominum, which provides IP addressing services like DNS and DHCP to service providers, announced a cloud-based DNS service called Skye. The only cloud aspect is the business model, in which customers pay as they go based on query volume rather than paying a fixed monthly fee. Skye may make sense if your company is running numerous external sites and you want a more robust DNS solution than you have now, but I don't see enterprise customers giving Skye serious thought for internal use.

September 25, 2009

NetworkComputing


To understand Skye services, it's important to have a basic understanding of two DNS components: the authoritative name server and the caching name server. An authoritative name server is the name server that responds to queries for hosts under your domain. You enter host names for servers you own and tell the world how to reach them via DNS. A caching name server simply looks up host names from authoritative name servers and then caches the results so that it doesn't have to keep asking the same question over and over. The DNS server addresses that you set on workstations and servers often point to caching DNS servers. You can, and organizations often do, put an authoritative and caching name server on the same computer.
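The two roles can be told apart on the wire by the header flags of a DNS response. The sketch below is an added example, not part of the original article: it reads the AA (authoritative answer) and RA (recursion available) bits defined in RFC 1035, and the sample headers are constructed for illustration.

```python
import struct

# DNS header flag bits (RFC 1035, section 4.1.1)
QR = 0x8000  # set on responses, clear on queries
AA = 0x0400  # answer comes from a server authoritative for the name
RA = 0x0080  # server offers recursion, as a caching resolver does


def classify_response(packet: bytes) -> str:
    """Classify a DNS message by the flags in its 12-byte header."""
    if len(packet) < 12:
        raise ValueError("DNS header is 12 bytes; packet too short")
    _id, flags, _qd, _an, _ns, _ar = struct.unpack("!6H", packet[:12])
    if not flags & QR:
        return "query"
    if flags & AA:
        # A combined authoritative + caching server also sets RA here,
        # but for names in its own zones the AA bit is what matters.
        return "authoritative"
    if flags & RA:
        return "caching/recursive"
    return "non-authoritative, no recursion"  # e.g. a referral


def sample_header(flags: int) -> bytes:
    """Constructed header: ID 0x1234, one question, one answer."""
    return struct.pack("!6H", 0x1234, flags, 1, 1, 0, 0)


if __name__ == "__main__":
    for label, flags in [("client query", 0x0100),
                         ("authoritative reply", 0x8500),
                         ("resolver reply", 0x8180)]:
        print(f"{label}: {classify_response(sample_header(flags))}")
```
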

Skye is composed of four core services:

  • Skye Core is a caching DNS hosted by Nominum. Nominum claims that Skye Core is resistant to DNS attacks, such as cache poisoning, and is widely available throughout the Internet.

  • Skye Secure is a hosted authoritative DNS service that you control. Your company isn't responsible for maintaining a DNS server.

  • Skye Search is an ISP that attempts to provide search results when users mistype a hostname.

  • Skye Trust is a threat management service that uses DNS resolution to stop hosts from reaching malicious hosts. This is similar to content filtering services, but it operates at the DNS layer.

The services of interest to the enterprise are most likely Skye Core, Secure, and Trust. But after listening to the presentation, I don't think Skye Core is a good fit for the enterprise. There are certainly risks in running a caching DNS server for your enterprise, but caching DNS servers are often contained within an enterprise network and don't have direct connections to the Internet. You still have to open a path to send and receive queries to and from Skye Core.

Finally, configuring a caching DNS server is a fairly well-understood task. Like any service, Skye Core relieves administrators from having to configure a caching name server, but that is a small benefit. Nominum doesn't offer a secure connection like a VPN between your network and theirs, so anyone with access to the DNS traffic flying over the Internet can still intercept and subvert DNS resolution. Getting network access to the packets is a difficult step, but it is still a gap that Nominum doesn't address.

Skye Secure has benefits in some situations, but these are limited to a few scenarios: cases where you need to let people outside your organization resolve DNS names for external resources like web sites and mail, you don't want to run an external DNS server yourself, and you need more tools, control, and robustness than a hosting provider offers. For example, if you had a number of customer-facing websites, using Skye Secure to act as an authoritative DNS server for your external hosts might be a useful way to get robust DNS services.

However, running an authoritative DNS server as an external service with no internal DNS service is a recipe for disaster. If DNS resolution fails, perhaps because your network connection goes down, your enterprise grinds to a halt. Windows networking, which relies on Active Directory, which in turn relies on DNS, will fail. Users won't be able to find printers or phones, or even send an email to support, since they can't reach email. You need to have an internal authoritative DNS server, something Nominum readily admits.

Skye Secure compares DNS lookup requests with a list of malicious sites and, if a match is found, it can direct the user to a page explaining that the URL is malicious. It's one more arrow in the quiver to use against malware, worms, phishing, and botnets, but chances are you might already have either a network or desktop service that does something similar.
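The lookup-versus-list comparison described above comes down to a policy decision made before normal resolution. The following is an added sketch, not Nominum's implementation: the blocklist entries, the block-page address, and the `upstream` callable are all constructed assumptions. It matches on whole DNS labels so that a listed domain also covers its subdomains without catching look-alike names.

```python
BLOCK_PAGE_IP = "192.0.2.10"  # constructed: address of an explanation page
BLOCKLIST = {"malware.example", "phish.example.net"}  # constructed entries


def normalize(qname: str) -> str:
    """DNS names are case-insensitive and may carry a trailing root dot."""
    return qname.rstrip(".").lower()


def is_blocked(qname: str, blocklist=BLOCKLIST) -> bool:
    """True if the name or any parent domain is on the list.

    Comparing label suffixes (not substrings) means 'cdn.malware.example'
    matches 'malware.example' while 'notmalware.example' does not.
    """
    labels = normalize(qname).split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def resolve_with_policy(qname: str, upstream):
    """Return (address, verdict); `upstream` is the normal resolver path."""
    if is_blocked(qname):
        return BLOCK_PAGE_IP, "blocked"
    return upstream(qname), "allowed"


if __name__ == "__main__":
    # Constructed stand-in for a real resolver.
    records = {"www.example.org": "198.51.100.7",
               "notmalware.example": "198.51.100.8"}
    lookup = lambda name: records.get(normalize(name))
    for name in ["www.example.org", "CDN.Malware.Example.",
                 "notmalware.example"]:
        print(name, resolve_with_policy(name, lookup))
```
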

If your company has grown to the point that DNS is getting out of control, you might want to look at DNS and IP Address Management (IPAM) products from BlueCat Networks, Infoblox, Men&Mice, or MetaInfo. Skye seems more suited for Nominum's core customer, the service provider.
