[dns-operations] Web-based DNS Randomness Test

brett watson brett at the-watsons.org
Thu Jul 24 18:44:29 UTC 2008

On Jul 24, 2008, at 11:13 AM, Duane Wessels wrote:

> On Thu, 24 Jul 2008, Ken wrote:
>> This resulted in testing 10 DNS servers, 2 of which had POOR results.
>> My question is, does using forwarders, and multiple backend DNS  
>> servers
>> result in any less of a vulnerability?
> I'm not sure exactly how your ISP nameserver forwarding works, but
> I can't see how they would be less vulnerable.
> The attacker's job is made easier when things are predictable.  If the
> attacker cannot predict which of 10 IP addresses a given query would
> come from, then the attack becomes a little harder.

I wrote an article for CircleID on forwarders and cache poisoning back  
in 2005:


Granted it was related to a different vulnerability but I would say  
that if you don't test the scenario of multiple servers behind a  
forwarder, you surely *might* be vulnerable and not know it (as was  
the case that led to the article above). No sense guessing, test it.


More information about the dns-operations mailing list