[dns-operations] Web-based DNS Randomness Test
Ken
ken at pacific.net
Thu Jul 24 15:48:10 UTC 2008
Stephane Bortzmeyer wrote:
> On Fri, Jul 18, 2008 at 05:56:49PM +0000, Duane Wessels
> <wessels at dns-oarc.net> wrote a message of 13 lines which said:
>
>> OARC now has a web-based version of the DNS randomness test:
>>
>> https://www.dns-oarc.net/oarc/services/dnsentropy
>
> On most resolvers, it works fine.
>
> But an MS-Windows user, testing a big ISP, reports to me that it
> displays:
>
>
> 1. 80.12.255.136 (dns-nat-fw4-b.wanadoo.fr) appears to have UNKNOWN
>    source port randomness and UNKNOWN transaction ID randomness.
> 2. 80.12.204.180 appears to have UNKNOWN source port randomness and
>    UNKNOWN transaction ID randomness.
> 3. 80.12.204.178 appears to have UNKNOWN source port randomness and
>    UNKNOWN transaction ID randomness.
>
I have DSL service at home. My (major U.S.) broadband provider hands out
DNS servers that are forwarders. So, to test my DNS I ran this:

  # for (( i = 0 ; i <= 10; i++ )); do dig +short porttest.dns-oarc.net TXT @<assigned DNS server ip>; sleep 2; done
This resulted in testing 10 DNS servers, 2 of which had POOR results.
My question is, does using forwarders, and multiple backend DNS servers
result in any less of a vulnerability?
My guess would be NO, since successfully exploiting the vulnerability
and putting a NS record for a common bank site into one of these
vulnerable servers could be 'very bad' for anyone who landed on that
server.
Thanks,
Ken Anderson
> ...
>
> What does UNKNOWN mean?
>
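Ken's reasoning that a forwarder pool is only as strong as its weakest backend, worked through as an added example (not code from the thread or from OARC's test): rate each observed backend's source ports and TXIDs separately, then take the weakest rating as the pool's. The addresses, observations and rating thresholds are constructed assumptions, not OARC's published scoring.

```python
import statistics
from collections import defaultdict

# Constructed observations: (backend_ip, udp_source_port, txid) as an
# authoritative test server would record them for queries arriving from a
# forwarder pool. Addresses and values are made up for this example.
OBSERVATIONS = [
    ("192.0.2.10", 53, 0x1001), ("192.0.2.10", 53, 0x1002),    # fixed port,
    ("192.0.2.10", 53, 0x1003), ("192.0.2.10", 53, 0x1004),    # sequential IDs
    ("192.0.2.10", 53, 0x1005),
    ("192.0.2.11", 41273, 0x8f3a), ("192.0.2.11", 2219, 0x17c4),   # wide spread
    ("192.0.2.11", 60911, 0xd05e), ("192.0.2.11", 9140, 0x3b92),
    ("192.0.2.11", 51002, 0xa6f7),
    ("192.0.2.12", 32768, 0x2c81), ("192.0.2.12", 33500, 0xe3a0),  # narrow port
    ("192.0.2.12", 34200, 0x0f15), ("192.0.2.12", 35000, 0x9bd2),  # range
    ("192.0.2.12", 36100, 0x6647),
]

# Assumed thresholds for this example (not OARC's): heavy repeats or a
# standard deviation under 296 is POOR, under 3980 is FAIR, otherwise GOOD.
RANK = {"POOR": 0, "FAIR": 1, "GOOD": 2}

def rate_values(values):
    """Rate a sample of 16-bit values (ports or TXIDs) for randomness."""
    if len(set(values)) < 0.8 * len(values):   # more than 20% repeats
        return "POOR"
    sd = statistics.pstdev(values)
    if sd < 296:
        return "POOR"
    if sd < 3980:
        return "FAIR"
    return "GOOD"

def rate_backends(observations):
    """Map each observed backend IP to (port rating, txid rating)."""
    by_ip = defaultdict(lambda: ([], []))
    for ip, port, txid in observations:
        by_ip[ip][0].append(port)
        by_ip[ip][1].append(txid)
    return {ip: (rate_values(p), rate_values(t)) for ip, (p, t) in by_ip.items()}

def pool_rating(per_backend):
    """The pool's rating is its weakest backend's: a poisoned cache on any one
    backend is served to every client whose query that backend answers."""
    ratings = [r for pair in per_backend.values() for r in pair]
    return min(ratings, key=RANK.__getitem__)

if __name__ == "__main__":
    results = rate_backends(OBSERVATIONS)
    for ip, (ports, txids) in sorted(results.items()):
        print(f"{ip}: source ports {ports}, transaction IDs {txids}")
    print("pool rating:", pool_rating(results))
```

Run the loop in the post several times against the forwarder address and feed the backend IPs it reports into a table like this; one POOR backend makes the whole pool POOR.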