Bind-9.5.0-P2 testing
Kevin Darcy
kcd at chrysler.com
Mon Aug 18 23:08:34 UTC 2008
Binmakhashen, Latif wrote:
> That's a very interesting question because I'm pretty much in the same
> boat.
> I just upgraded to bind-9.5.0-P2 and was looking for a good tool that
> will show me if this version really fixes the DNS cache poisoning issue.
>
> I found the following tool, which I believe is pretty good, but it
> probably does more checks than just the DNS cache poisoning...
>
> Go here and under Testing and Reporting Tools, run the DNS Vulnerability
> Testing Tool => Test Now.
>
> http://www.infoblox.com/library/dns-security-center.cfm#2
>
> I'm getting POOR for the Source Port randomness and GREAT for the
> transaction ID randomness.
> Is that expected? Does the source port randomness have something to do
> with the way named.conf is set up?
>
> Also, another test from the command line is showing a POOR result. Refer
> to the following link for more info about the command line test:
>
> https://www.dns-oarc.net/oarc/services/porttest
>
> # dig @hpadm2 +short porttest.dns-oarc.net TXT
> porttest.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.pt.dns-oarc.net.
> "12.109.107.60 is POOR: 26 queries in 2.1 seconds from 1 ports with std dev 0"
>
>
> Anybody have an idea?
>
>
1. You're not using the binary you think you're using (try "dig
version.bind chaos txt")
2. You have a "query-source" statement in named.conf
3. Some intermediate device -- DNS forwarder (if configured), firewall,
PNAT -- is "de-randomizing" your packets.
- Kevin
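The following is an added example, not part of the thread above and not DNS-OARC's or ISC's code. It reproduces two of the checks offline: the "queries / ports / std dev" numbers that porttest.dns-oarc.net reports, computed here from tcpdump-style lines of a resolver's outbound queries (the sample lines, addresses and ports are constructed, not captured), and a grep for the named.conf "query-source ... port N" statement from Kevin's item 2 (the config fragment is likewise constructed). The FIXED-PORT/VARYING verdict uses this example's own rule (exactly one source port seen), not DNS-OARC's scoring scale. Kevin's item 1, `dig @server version.bind chaos txt`, is a live query against the running named and is not reproduced here.

```shell
#!/bin/sh
# Added example (not from the original post). All addresses, ports and
# config lines below are constructed sample data.

# port_stats: read tcpdump-style lines for outbound queries on stdin
# ("<ts> IP <src-ip>.<src-port> > <dst-ip>.53: ...") and report query count,
# distinct source ports and population std dev of the source port, the same
# three figures the porttest TXT answer quotes.
port_stats() {
    awk '
    {
        n = split($3, a, ".")      # "192.0.2.10.48213" -> last piece is the port
        p = a[n] + 0
        q++; sum += p; sumsq += p * p; seen[p] = 1
    }
    END {
        if (q == 0) { print "queries=0 ports=0 stddev=0"; exit }
        for (k in seen) d++
        mean = sum / q
        var = sumsq / q - mean * mean
        if (var < 0) var = 0     # guard against float round-off
        printf "queries=%d ports=%d stddev=%.0f\n", q, d, sqrt(var)
    }'
}

# port_verdict: a single source port is exactly the "1 ports with std dev 0"
# result in the post. Threshold is this example's own, not DNS-OARC's scale.
port_verdict() {
    stats=$(port_stats)
    case "$stats" in
        *"ports=1 "*) echo "FIXED-PORT ($stats)" ;;
        *)            echo "VARYING ($stats)" ;;
    esac
}

# fixed_query_source: print named.conf lines (with line numbers) that pin the
# query source port, i.e. "query-source[-v6] ... port <number>;". A "port *"
# or no port clause does not match. Exit status 1 when nothing matches.
fixed_query_source() {
    grep -nE '^[[:space:]]*query-source(-v6)?[^;]*port[[:space:]]+[0-9]+'
}

# Constructed sample: resolver 192.0.2.10 sending every query from port 53
# (what a "query-source address * port 53;" statement produces).
SAMPLE_FIXED='12:00:01.000 IP 192.0.2.10.53 > 198.51.100.1.53: 1234+ A? example.com. (29)
12:00:01.010 IP 192.0.2.10.53 > 198.51.100.2.53: 1235+ A? example.net. (29)
12:00:01.020 IP 192.0.2.10.53 > 198.51.100.3.53: 1236+ A? example.org. (29)
12:00:01.030 IP 192.0.2.10.53 > 198.51.100.4.53: 1237+ MX? example.com. (29)
12:00:01.040 IP 192.0.2.10.53 > 198.51.100.5.53: 1238+ NS? example.com. (29)'

# Constructed sample: same resolver with a different source port per query.
SAMPLE_RANDOM='12:00:02.000 IP 192.0.2.10.10000 > 198.51.100.1.53: 2001+ A? example.com. (29)
12:00:02.010 IP 192.0.2.10.20000 > 198.51.100.2.53: 2002+ A? example.net. (29)
12:00:02.020 IP 192.0.2.10.30000 > 198.51.100.3.53: 2003+ A? example.org. (29)
12:00:02.030 IP 192.0.2.10.40000 > 198.51.100.4.53: 2004+ MX? example.com. (29)'

# Constructed named.conf fragment: line 3 pins IPv4 queries to port 53,
# line 4 leaves the IPv6 port to named.
NAMED_CONF='options {
    directory "/var/named";
    query-source address * port 53;
    query-source-v6 address * port *;
    recursion yes;
};'

echo "fixed-port sample:";   printf '%s\n' "$SAMPLE_FIXED"  | port_verdict
echo "varying-port sample:"; printf '%s\n' "$SAMPLE_RANDOM" | port_verdict
echo "named.conf lines that pin the query port:"
printf '%s\n' "$NAMED_CONF" | fixed_query_source || echo "(none)"
```

On a real host the input to `port_stats` would be something like `tcpdump -n -l udp and dst port 53 and src host <resolver>` captured on the resolver's outside interface; run it on the far side of any firewall or NAT as well, since Kevin's item 3 is a device rewriting ports after named has already randomised them, which this per-interface measurement makes visible.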