[dns-operations] porttest.dns-oarc.net: check your resolver's source port behavior
Stephane Bortzmeyer
bortzmeyer at nic.fr
Thu Jul 10 07:53:46 UTC 2008
On Wed, Jul 09, 2008 at 06:57:46PM +0000,
Duane Wessels <wessels at dns-oarc.net> wrote
a message of 17 lines which said:
> I've put together a quick hack that you can use to check your
> resolver's source port characteristics. Use 'dig' to send a query
> to porttest.dns-oarc.net:
On most machines, I get the same result from porttest.dns-oarc.net and
from Michael C. Toren's "noclicky".
But I found a resolver where it does not match:
% perl noclicky-1.00.pl 217.70.184.225
Looking up d9cr6ej9ziw9.toorrr.com against 217.70.184.225
Fetching http://209.200.168.66/fprint/d9cr6ej9ziw9
Requests seen for d9cr6ej9ziw9.toorrr.com:
217.70.184.225:32769 TXID=31148
217.70.184.225:32769 TXID=47685
217.70.184.225:32769 TXID=61808
217.70.184.225:32769 TXID=41194
217.70.184.225:32769 TXID=56445
Your nameserver appears vulnerable; all requests came from the same port.
% dig +short porttest.dns-oarc.net TXT
z.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.pt.dns-oarc.net.
"217.70.184.227 is GOOD: 13 queries in 1.9 seconds from 13 ports with std dev 20832.02"
Do note that the IP address is different. Maybe 217.70.184.225 is
using a forwarder?
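The two tools in the thread score the same thing: how many distinct source ports a resolver uses across a burst of queries, and how spread out they are. The following is an added example, not part of the original post and not code from DNS-OARC's porttest or from noclicky. It parses lines in the "ip:port TXID=n" shape that noclicky prints (the five lines above are embedded as sample input), and computes the distinct-port count and standard deviation that porttest reports in its TXT answer. The GOOD/FAIR/POOR thresholds and the use of the population standard deviation are this example's own assumptions, not porttest's published rules.

```python
"""Score a resolver's source-port randomization from observed outbound queries.

Added example for the thread; not DNS-OARC's or noclicky's code.
Input lines look like noclicky's "217.70.184.225:32769 TXID=31148".
"""
import re
import statistics
from dataclasses import dataclass

# One observed query: source IP, source port, transaction ID.
LINE_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)\s+TXID=(?P<txid>\d+)\s*$"
)

# The output quoted in the post above (all queries from port 32769).
POST_SAMPLE = """\
217.70.184.225:32769 TXID=31148
217.70.184.225:32769 TXID=47685
217.70.184.225:32769 TXID=61808
217.70.184.225:32769 TXID=41194
217.70.184.225:32769 TXID=56445
"""

# Constructed sample of a resolver that does randomize its source port.
RANDOMIZED_SAMPLE = """\
192.0.2.53:1025 TXID=10001
192.0.2.53:20000 TXID=20002
192.0.2.53:40000 TXID=30003
192.0.2.53:60000 TXID=40004
192.0.2.53:65000 TXID=50005
192.0.2.53:5000 TXID=60006
"""

# Assumed thresholds: ports must all differ and spread widely to rate GOOD.
GOOD_STDDEV = 3000.0


@dataclass(frozen=True)
class Verdict:
    source_ips: frozenset
    queries: int
    distinct_ports: int
    port_stddev: float
    distinct_txids: int
    rating: str


def parse_observations(text):
    """Return (ip, port, txid) tuples for every line that matches LINE_RE."""
    obs = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            obs.append((m.group("ip"), int(m.group("port")), int(m.group("txid"))))
    return obs


def rate_ports(ports):
    """Heuristic rating from the port list (assumed thresholds, see GOOD_STDDEV)."""
    distinct = len(set(ports))
    sd = statistics.pstdev(ports) if len(ports) > 1 else 0.0
    if distinct <= 1:
        return "POOR", distinct, sd
    if distinct < len(ports) or sd < GOOD_STDDEV:
        return "FAIR", distinct, sd
    return "GOOD", distinct, sd


def assess(text):
    """Parse noclicky-style output and summarize port/TXID behaviour."""
    obs = parse_observations(text)
    if not obs:
        raise ValueError("no observations found")
    ports = [p for _, p, _ in obs]
    rating, distinct, sd = rate_ports(ports)
    return Verdict(
        # More than one IP here suggests the queries left via a forwarder
        # or a pool of resolvers, the case the post wonders about.
        source_ips=frozenset(ip for ip, _, _ in obs),
        queries=len(obs),
        distinct_ports=distinct,
        port_stddev=round(sd, 2),
        distinct_txids=len({t for _, _, t in obs}),
        rating=rating,
    )


if __name__ == "__main__":
    for label, sample in (("post", POST_SAMPLE), ("randomized", RANDOMIZED_SAMPLE)):
        v = assess(sample)
        print(f"{label}: {v.rating}: {v.queries} queries from {v.distinct_ports} "
              f"ports with std dev {v.port_stddev} (ips={sorted(v.source_ips)})")
```

Run on the post's own output it reports POOR with one port and a standard deviation of 0, while TXIDs are all distinct; the constructed randomized sample rates GOOD. If you feed it output from several runs and see more than one source IP, that is the forwarder question raised above rather than a port-randomization result.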