[dns-operations] Web-based DNS Randomness Test
Duane Wessels
wessels at dns-oarc.net
Thu Jul 24 18:13:42 UTC 2008
On Thu, 24 Jul 2008, Ken wrote:
> I have dsl service at home. My (major U.S.) broadband provider hands out DNS
> servers that are forwarders. So, to test my DNS I ran this:
>
> # for (( i = 0 ; i <= 10; i++ )); do dig +short porttest.dns-oarc.net
> TXT @(assigned DNS server ip) ; sleep 2; done;
>
> This resulted in testing 10 DNS servers, 2 of which had POOR results.
>
> My question is, does using forwarders, and multiple backend DNS servers
> result in any less of a vulnerability?
I'm not sure exactly how your ISP nameserver forwarding works, but
I can't see how they would be less vulnerable.
The attacker's job is made easier when things are predictable. If the
attacker cannot predict which of 10 IP addresses a given query would
come from, then the attack becomes a little harder.
DW
More information about the dns-operations
mailing list