[dns-operations] Web-based DNS Randomness Test
brett watson
brett at the-watsons.org
Thu Jul 24 18:44:29 UTC 2008
On Jul 24, 2008, at 11:13 AM, Duane Wessels wrote:
> On Thu, 24 Jul 2008, Ken wrote:
>
>> This resulted in testing 10 DNS servers, 2 of which had POOR results.
>>
>> My question is, does using forwarders, and multiple backend DNS servers
>> result in any less of a vulnerability?
>
> I'm not sure exactly how your ISP nameserver forwarding works, but
> I can't see how they would be less vulnerable.
>
> The attacker's job is made easier when things are predictable. If the
> attacker cannot predict which of 10 IP addresses a given query would
> come from, then the attack becomes a little harder.
I wrote an article for CircleID on forwarders and cache poisoning back
in 2005:
http://www.circleid.com/posts/so_you_think_youre_safe_from_dns_cache_poisoning/
Granted, it was related to a different vulnerability, but I would say
that if you don't test the scenario of multiple servers behind a
forwarder, you surely *might* be vulnerable and not know it (as was
the case that led to the article above). No sense guessing, test it.
-b
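One way to do that test offline, added here as an example (it is not code from this thread or from the web-based test itself): take a sample of the queries a resolver, or a forwarder with several backends, emitted, as an authoritative server would record them, score the source-port and transaction-ID randomness, and flag a backend rotation that is merely round-robin. The query tuple layout, the thresholds and the GOOD/FAIR/POOR labels are this example's own assumptions.

```python
import random
from collections import Counter
from math import log2

# A query as the authoritative side sees it: (source IP, UDP source port,
# transaction ID).  The tuple layout is this example's own convention.

def entropy_bits(values):
    """Shannon entropy in bits of the observed distribution of one field."""
    counts = Counter(values)
    total = sum(counts.values())
    return max(0.0, -sum(c / total * log2(c / total) for c in counts.values()))

def is_sequential(seq):
    """True if every value is the previous one plus one (a plain counter)."""
    return len(seq) > 1 and all(b - a == 1 for a, b in zip(seq, seq[1:]))

def is_periodic(seq, max_period=8):
    """True if the sequence just repeats a short pattern, e.g. backends used
    round-robin: several addresses, but the next one is always predictable."""
    n = len(seq)
    return any(seq == (seq[:k] * n)[:n] for k in range(1, min(max_period, n // 2) + 1))

def rate_randomness(queries):
    """Rate how predictable the emitted queries are.  The thresholds and the
    GOOD/FAIR/POOR labels are this example's assumptions, not the web test's."""
    ips, ports, txids = (list(col) for col in zip(*queries))
    max_bits = log2(len(queries))  # most any field can show in N samples
    port_bits, txid_bits = entropy_bits(ports), entropy_bits(txids)
    # Distinct values alone are not enough: a counter has full entropy in a
    # sample this small yet is trivially predictable, so check for it as well.
    if (port_bits < 0.5 * max_bits or txid_bits < 0.5 * max_bits
            or is_sequential(ports) or is_sequential(txids)):
        rating = "POOR"
    elif port_bits >= 0.9 * max_bits and txid_bits >= 0.9 * max_bits:
        rating = "GOOD"
    else:
        rating = "FAIR"
    return {"rating": rating, "distinct_ips": len(set(ips)),
            "ip_rotation_predictable": is_periodic(ips),
            "port_bits": round(port_bits, 2), "txid_bits": round(txid_bits, 2)}

# Constructed samples, not captured traffic.  Two backends behind a forwarder,
# used alternately, each with fixed source port 53 and a transaction-ID counter:
POOR_SAMPLE = [("192.0.2.%d" % (10 + i % 2), 53, 1000 + i) for i in range(64)]
# The same two backends, but a random source port and ID on every query:
_rng = random.Random(2008)
GOOD_SAMPLE = [("192.0.2.%d" % (10 + i % 2), _rng.randint(1024, 65535),
                _rng.randint(0, 65535)) for i in range(64)]
```

Both samples report two distinct backend addresses, but `ip_rotation_predictable` is true for both, which is the point made above: a second backend only adds work for the attacker when the choice of backend is not predictable.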