[PLUG] Checking source-port randomization of your caching DNS server
Dan Young
danielmyoung at gmail.com
Tue Jul 15 18:39:55 UTC 2008
Assuming everybody's heard about the impending DNS doom by now:
http://www.kb.cert.org/vuls/id/800113
Looking over our own systems, I found a tool to check the source port
randomization of your DNS resolver:
https://www.dns-oarc.net/oarc/services/porttest
Basically:
dig +short porttest.dns-oarc.net TXT
z.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.pt.dns-oarc.net.
"<your nameserver ip> is GOOD: 26 queries in 0.5 seconds from 26 ports
with std dev 19481.67"
Some of our nameservers had explicitly set the source port in
named.conf w/ "query-source address * port 53;" so these were not
randomizing the source-port even after updating BIND. Commented those
out, of course. Probably worth checking your DNS servers even if
you've applied your distro's updates.
Cheers,
--
Dan Young
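As an added example (not part of the mailing-list post, and not OARC's or BIND's own code), the script below does offline what the thread describes: it parses the TXT answer porttest.dns-oarc.net returns, scores a sample of observed UDP source ports by distinct-port count and standard deviation the way that service reports them, and scans a named.conf for the `query-source ... port N` directive that pins the source port even on a patched BIND. The IP address, the named.conf fragment and the port samples are constructed for the example, and the POOR/FAIR/GOOD thresholds are assumptions chosen to be illustrative, not OARC's published cut-offs.

```python
import re
import statistics

# Assumed, illustrative thresholds for classifying the std dev of observed
# source ports. They are not taken from the post or from OARC.
POOR_BELOW = 296      # std dev under this: effectively a fixed port
GOOD_ABOVE = 3980     # std dev above this: spread across the port range

# Shape of the TXT record returned by "dig +short porttest.dns-oarc.net TXT",
# with or without the surrounding quotes dig prints.
PORTTEST_RE = re.compile(
    r'^"?(?P<ip>[0-9a-fA-F.:]+) is (?P<verdict>GOOD|FAIR|POOR): '
    r'(?P<queries>\d+) queries in (?P<secs>[\d.]+) seconds from '
    r'(?P<ports>\d+) ports with std dev (?P<stddev>[\d.]+)"?$'
)

# Matches "query-source address * port 53;" (fixed port). "port *" has no
# digits and so is not matched: that is the randomizing form.
QUERY_SOURCE_RE = re.compile(
    r'query-source(?:-v6)?\s+[^;]*\bport\s+(?P<port>\d+)', re.IGNORECASE
)


def parse_porttest_answer(txt: str) -> dict:
    """Split a porttest TXT answer into its fields."""
    m = PORTTEST_RE.match(txt.strip())
    if not m:
        raise ValueError(f"unrecognised porttest answer: {txt!r}")
    d = m.groupdict()
    return {
        "ip": d["ip"],
        "verdict": d["verdict"],
        "queries": int(d["queries"]),
        "seconds": float(d["secs"]),
        "ports": int(d["ports"]),
        "stddev": float(d["stddev"]),
    }


def assess_ports(ports: list[int]) -> dict:
    """Score a list of source ports seen on successive queries.

    Uses the population std dev; a resolver that never changes port scores
    POOR regardless of the thresholds above.
    """
    if len(ports) < 2:
        raise ValueError("need at least two observed ports")
    sd = statistics.pstdev(ports)
    distinct = len(set(ports))
    if distinct == 1 or sd < POOR_BELOW:
        verdict = "POOR"
    elif sd <= GOOD_ABOVE:
        verdict = "FAIR"
    else:
        verdict = "GOOD"
    return {"queries": len(ports), "ports": distinct,
            "stddev": round(sd, 2), "verdict": verdict}


def find_fixed_query_source(named_conf: str) -> list[int]:
    """Return every fixed port pinned by query-source / query-source-v6.

    Only '//' and '#' line comments are stripped; '/* */' blocks are not
    handled, which is enough for the one-line directive in the post.
    """
    found = []
    for line in named_conf.splitlines():
        code = line.split("//")[0].split("#")[0]
        m = QUERY_SOURCE_RE.search(code)
        if m:
            found.append(int(m.group("port")))
    return found


if __name__ == "__main__":
    # Constructed answer in the shape the post quotes (192.0.2.1 is a
    # documentation address, not a real resolver).
    answer = ('"192.0.2.1 is GOOD: 26 queries in 0.5 seconds from 26 ports '
              'with std dev 19481.67"')
    print(parse_porttest_answer(answer))

    # Constructed port samples: a pinned port, a narrow range, a wide spread.
    print(assess_ports([53] * 26))
    print(assess_ports([1024 + i * 100 for i in range(26)]))
    print(assess_ports([1024 + i * 2500 for i in range(26)]))

    # Constructed named.conf fragment with the pitfall from the post.
    conf = """options {
    directory "/var/named";
    query-source address * port 53;    // pins the port: POOR even after patching
    // query-source-v6 address * port 53;
};"""
    print(find_fixed_query_source(conf))
```

Running it against a real resolver still means issuing the dig query from the post and feeding its output to `parse_porttest_answer`; `assess_ports` is there to show what the reported "ports" and "std dev" numbers mean, and `find_fixed_query_source` is the configuration check to run on each server before trusting the distro update.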