[dns-operations] porttest.dns-oarc.net: check your resolver's source port behavior

Stephane Bortzmeyer bortzmeyer at nic.fr
Thu Jul 10 07:53:46 UTC 2008


On Wed, Jul 09, 2008 at 06:57:46PM +0000,
 Duane Wessels <wessels at dns-oarc.net> wrote 
 a message of 17 lines which said:

> I've put together a quick hack that you can use to check your
> resolver's source port characteristics.  Use 'dig' to send a query
> to porttest.dns-oarc.net:

On most machines, I get the same result from porttest.dns-oarc.net and
from Michael C. Toren's "noclicky".

But I found a resolver where it does not match:

%  perl noclicky-1.00.pl 217.70.184.225
Looking up d9cr6ej9ziw9.toorrr.com against 217.70.184.225
Fetching http://209.200.168.66/fprint/d9cr6ej9ziw9
Requests seen for d9cr6ej9ziw9.toorrr.com:
  217.70.184.225:32769 TXID=31148
  217.70.184.225:32769 TXID=47685
  217.70.184.225:32769 TXID=61808
  217.70.184.225:32769 TXID=41194
  217.70.184.225:32769 TXID=56445
Your nameserver appears vulnerable; all requests came from the same port.


% dig +short porttest.dns-oarc.net TXT 
z.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.pt.dns-oarc.net.
"217.70.184.227 is GOOD: 13 queries in 1.9 seconds from 13 ports with std dev 20832.02"

Do note that the IP address is different. Maybe 217.70.184.225 is
using a forwarder?
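As an added example (not part of this thread, and not code from noclicky or porttest), a small Python parser for the noclicky-style report lines above that counts distinct source ports, measures their spread, and flags the same-port case the way the tool's verdict line does; the sample lines are constructed, and the 192.0.2.53 resolver is hypothetical.

```python
import re
import statistics

# Constructed sample logs in the format noclicky prints (not real captures).
SAME_PORT_LOG = """\
  217.70.184.225:32769 TXID=31148
  217.70.184.225:32769 TXID=47685
  217.70.184.225:32769 TXID=61808
  217.70.184.225:32769 TXID=41194
  217.70.184.225:32769 TXID=56445
"""
RANDOM_PORT_LOG = """\
  192.0.2.53:41923 TXID=1022
  192.0.2.53:5873 TXID=61004
  192.0.2.53:60011 TXID=2291
  192.0.2.53:23345 TXID=40912
  192.0.2.53:53502 TXID=17700
"""

LINE_RE = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+):(\d+)\s+TXID=(\d+)\s*$")


def parse_requests(text):
    """Return (source_ip, source_port, txid) tuples from noclicky-style lines."""
    seen = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            seen.append((m.group(1), int(m.group(2)), int(m.group(3))))
    return seen


def assess(requests):
    """Summarise source-port behaviour: distinct ports, their spread, and a verdict."""
    ips = sorted({ip for ip, _, _ in requests})
    ports = [p for _, p, _ in requests]
    distinct = len(set(ports))
    # Population std dev of the ports; 0.0 with fewer than two samples or a fixed port.
    spread = statistics.pstdev(ports) if len(ports) > 1 else 0.0
    if distinct == 1:
        verdict = "vulnerable: all requests came from the same port"
    elif distinct < len(ports):
        verdict = "suspicious: some source ports were reused"
    else:
        verdict = "good: every query used a distinct source port"
    return {"source_ips": ips, "queries": len(ports), "ports": distinct,
            "stddev": round(spread, 2), "verdict": verdict}
```

The `source_ips` field makes the forwarder question above easy to spot: a resolver answering from one address while its upstream queries arrive from another shows up as an address that differs from the one you queried.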




More information about the dns-operations mailing list