[dns-operations] Web-based DNS Randomness Test

Duane Wessels wessels at dns-oarc.net
Thu Jul 24 18:13:42 UTC 2008



On Thu, 24 Jul 2008, Ken wrote:

> I have DSL service at home. My (major U.S.) broadband provider hands out DNS 
> servers that are forwarders. So, to test my DNS I ran this:
>
> # for (( i = 0 ; i <= 10; i++ )); do dig +short porttest.dns-oarc.net
> TXT @(assigned DNS server ip) ; sleep 2; done;
>
> This resulted in testing 10 DNS servers, 2 of which had POOR results.
>
> My question is, does using forwarders, and multiple backend DNS servers
> result in any less of a vulnerability?

I'm not sure exactly how your ISP nameserver forwarding works, but
I can't see how they would be less vulnerable.

The attacker's job is made easier when things are predictable.  If the
attacker cannot predict which of 10 IP addresses a given query would
come from, then the attack becomes a little harder.

DW
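To put numbers on the point above about predictability, here is an added example (not part of the original thread, and not OARC's porttest code): it builds a constructed sample of what an authoritative server would see from one resolver, then estimates how many bits of unpredictability the (source address, source port, TXID) tuple carries. It assumes a uniform port distribution when converting standard deviation into an effective port range, a fully random 16-bit TXID, and addresses from TEST-NET-1; the scoring is a rough illustration, not OARC's exact thresholds.

```python
import math
import random
import statistics
# Constructed sample generator (not real traffic): models what an authoritative
# server sees from one ISP resolver. 'backends' is how many outbound addresses
# the forwarders spread queries over; 'random_ports' says whether the source
# port changes per query. Addresses are drawn from TEST-NET-1 (192.0.2.0/24).
def sample_queries(n, backends, random_ports, seed=2008):
    rng = random.Random(seed)
    queries = []
    for _ in range(n):
        src_ip = f"192.0.2.{rng.randrange(backends)}"
        src_port = rng.randrange(1024, 65536) if random_ports else 53
        txid = rng.randrange(65536)  # 16-bit DNS transaction ID
        queries.append((src_ip, src_port, txid))
    return queries

def assess(queries):
    """Estimate the unpredictability of a resolver's (address, port, TXID) tuple.

    Uses the porttest-style figures (distinct ports, port standard deviation)
    plus distinct source addresses. A uniform choice over R values has std dev
    R/sqrt(12), so R ~ sd*sqrt(12) recovers the effective port range; addresses
    contribute log2(distinct); the TXID is assumed to be a full random 16 bits.
    Rough estimates (assumption), not OARC's exact scoring.
    """
    addresses = {q[0] for q in queries}
    ports = [q[1] for q in queries]
    port_sd = statistics.pstdev(ports) if len(ports) > 1 else 0.0
    ip_bits = math.log2(len(addresses))
    port_bits = math.log2(max(1.0, port_sd * math.sqrt(12)))
    return {
        "addresses": len(addresses),
        "distinct_ports": len(set(ports)),
        "port_stddev": port_sd,
        "ip_bits": ip_bits,
        "port_bits": port_bits,
        "bits": ip_bits + port_bits + 16.0,
    }

if __name__ == "__main__":
    scenarios = {
        "10 backends, fixed port":   sample_queries(1000, 10, False),
        "1 backend, random ports":   sample_queries(1000, 1, True),
        "10 backends, random ports": sample_queries(1000, 10, True),
    }
    for name, q in scenarios.items():
        r = assess(q)
        print(f"{name:26s} addrs={r['addresses']:2d} ports={r['distinct_ports']:4d} bits={r['bits']:5.1f}")
```

Spreading queries over ten backend addresses adds only about log2(10) bits, while per-query source port randomization adds roughly sixteen; a forwarder setup that fixes the port stays close to the TXID-only baseline.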


