[dns-operations] Web-based DNS Randomness Test
ken at pacific.net
Thu Jul 24 15:48:10 UTC 2008
Stephane Bortzmeyer wrote:
> On Fri, Jul 18, 2008 at 05:56:49PM +0000, Duane Wessels
> <wessels at dns-oarc.net> wrote a message of 13 lines which said:
>> OARC now has a web-based version of the DNS randomness test:
> On most resolvers, it works fine.
> But a MS-Windows user, testing a big ISP, reports me that it
> 1. 220.127.116.11 (dns-nat-fw4-b.wanadoo.fr) appears to have UNKNOWN
>    source port randomness and UNKNOWN transaction ID randomness.
> 2. 18.104.22.168 appears to have UNKNOWN source port randomness and
>    UNKNOWN transaction ID randomness.
> 3. 22.214.171.124 appears to have UNKNOWN source port randomness and
>    UNKNOWN transaction ID randomness.
I have DSL service at home. My (major U.S.) broadband provider hands out
DNS servers that are forwarders. So, to test my DNS I ran this:

    # for (( i = 0 ; i <= 10; i++ )); do \
          dig +short porttest.dns-oarc.net TXT @(assigned DNS server ip); sleep 2; done
This resulted in testing 10 DNS servers, 2 of which had POOR results.
My question is: does using forwarders and multiple backend DNS servers
result in any less of a vulnerability?
My guess would be NO, since successfully exploiting the vulnerability
and putting a NS record for a common bank site into one of these
vulnerable servers could be 'very bad' for anyone who landed on that
> What does UNKNOWN mean?
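Added example, not code from the original message or from OARC's porttest: a small Python script that repeats the dig loop above, then groups the TXT answers by the backend that actually answered and keeps the worst rating seen for each one, since a forwarder that round-robins across backends is only as safe as its weakest backend. The exact wording of a porttest TXT answer, the rating names (GREAT/GOOD/POOR/UNKNOWN), and every sample answer in SAMPLE_ANSWERS are assumptions constructed for the example; check the regex against a live answer before trusting it. The port_stats helper shows what the "std dev" figure in an answer is measuring, using constructed port lists.

```python
import re
import statistics
import subprocess
import time

# Assumed shape of one porttest.dns-oarc.net TXT answer (constructed for this example):
#   "<backend-ip> is <RATING>: <n> queries in <t> seconds from <p> ports with std dev <sd>"
ANSWER_RE = re.compile(
    r'^"?(?P<ip>\S+) is (?P<rating>[A-Z]+): (?P<queries>\d+) queries in '
    r'(?P<secs>[\d.]+) seconds from (?P<ports>\d+) ports with std dev (?P<sd>\d+)"?$'
)

# Worst to best. A confirmed POOR backend is ranked below an unmeasured (UNKNOWN) one;
# anything not in this list is treated as UNKNOWN. Rating names are an assumption.
RATING_ORDER = ["POOR", "UNKNOWN", "GOOD", "GREAT"]

# Constructed sample output of the dig loop against a forwarding resolver: several
# queries, answered by three different backends, plus one line the regex cannot parse.
SAMPLE_ANSWERS = [
    '"192.0.2.10 is GREAT: 26 queries in 2.4 seconds from 26 ports with std dev 18962"',
    '"192.0.2.11 is GOOD: 26 queries in 2.6 seconds from 26 ports with std dev 12044"',
    '"192.0.2.10 is GREAT: 26 queries in 2.3 seconds from 26 ports with std dev 19870"',
    '"192.0.2.12 is POOR: 26 queries in 2.5 seconds from 26 ports with std dev 7"',
    '"192.0.2.11 is GOOD: 26 queries in 2.7 seconds from 26 ports with std dev 11531"',
    '"198.51.100.7 appears to have UNKNOWN source port randomness"',
    '',
    ';; connection timed out; no servers could be reached',
]


def run_porttest(server, samples=10, pause=2):
    """Repeat the dig loop from the message against one resolver; each query may be
    forwarded to a different backend. Not exercised offline; requires dig in PATH."""
    lines = []
    for _ in range(samples):
        out = subprocess.run(
            ["dig", "+short", "porttest.dns-oarc.net", "TXT", "@" + server],
            capture_output=True, text=True, timeout=15,
        ).stdout
        lines.extend(out.splitlines())
        time.sleep(pause)
    return lines


def parse_answer(line):
    """Return (backend_ip, rating, distinct_ports, std_dev), or None for blank lines
    and dig diagnostics (lines starting with ';')."""
    line = line.strip()
    if not line or line.startswith(";"):
        return None
    m = ANSWER_RE.match(line)
    if not m:
        # Unexpected wording: record the answering host but rate it UNKNOWN.
        return (line.split()[0].strip('"'), "UNKNOWN", 0, 0)
    return (m.group("ip"), m.group("rating"), int(m.group("ports")), int(m.group("sd")))


def summarize(lines):
    """Map each backend IP to the worst rating observed for it across all samples."""
    worst = {}
    for line in lines:
        parsed = parse_answer(line)
        if parsed is None:
            continue
        ip, rating, _, _ = parsed
        rank = RATING_ORDER.index(rating) if rating in RATING_ORDER else RATING_ORDER.index("UNKNOWN")
        if ip not in worst or rank < RATING_ORDER.index(worst[ip]):
            worst[ip] = RATING_ORDER[rank]
    return worst


def weakest_link(summary):
    """(ip, rating) of the lowest-rated backend; this bounds the pool's safety."""
    if not summary:
        return None
    ip = min(summary, key=lambda k: RATING_ORDER.index(summary[k]))
    return (ip, summary[ip])


def pool_is_acceptable(summary):
    """True only if every backend that answered was measured GOOD or GREAT."""
    return bool(summary) and all(r in ("GOOD", "GREAT") for r in summary.values())


def port_stats(ports):
    """(distinct ports, population std dev): what the answer's 'ports' and 'std dev'
    fields summarize. Sequential or fixed ports give a tiny std dev; random ones do not."""
    return (len(set(ports)), statistics.pstdev(ports))


if __name__ == "__main__":
    # Offline demo on the constructed sample; swap in run_porttest("<resolver ip>") for a live run.
    summary = summarize(SAMPLE_ANSWERS)
    for ip, rating in sorted(summary.items()):
        print(ip, rating)
    print("weakest:", weakest_link(summary), "acceptable:", pool_is_acceptable(summary))
    print("sequential ports:", port_stats(list(range(1024, 1050))))
```

Ten samples with a two-second pause, as in the loop above, may never reach every backend behind a forwarder; if a backend seen in a first run disappears in a second, raise the sample count before concluding that the pool has been fixed.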