Kaminsky's exploit: What about CNS?

nicole nicole.sean at gmail.com
Fri Jul 25 15:51:48 UTC 2008


On Jul 15, 1:53 pm, Jeff Reasoner <jeff.reaso... at mail.hccanet.org>
wrote:
> This may actually have nothing to do with CNS, but rather NAT traversal
> at a firewall. I noticed something very similar while verifying my
> bind-9.4.2-P1 systems.
>
> Post-install I saw:
> [foo at dnstest foo]# dig +short porttest.dns-oarc.net TXT @localhost
> z.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.pt.dns-oarc.net.
> "204.10.216.194 is POOR: 26 queries in 1.7 seconds from 26 ports with std dev 248.94"
>
> I suspected that the poor entropy here was a result of the fact that my
> server is behind a Cisco FWSM. I also knew that this traffic was being
> PATed. I threw in a couple of lines of config to statically NAT this
> outbound traffic and got the following:
>
> [foo at dnstest foo]# dig +short porttest.dns-oarc.net TXT @localhost
> z.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.pt.dns-oarc.net.
> "204.10.218.24 is GOOD: 26 queries in 1.9 seconds from 26 ports with std dev 20227.32"
>
> I'm not finished testing yet, but I'm seeing the same with various PIX
> releases too.
>
> On Tue, 2008-07-15 at 10:30 -0700, Chris Buxton wrote:
> > I happened to check my home ISP's name servers using the porttest  
> > query, and I did not get entirely reassuring results:
>
> > $ dig +short porttest.dns-oarc.net TXT @68.87.76.178
> > z.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.pt.dns-oarc.net.
> > "68.87.76.181 is POOR: 26 queries in 0.2 seconds from 24 ports with std dev 126.32"
>
> > $ fpdns 68.87.76.178
> > fingerprint (68.87.76.178, 68.87.76.178): Nominum CNS
>
> > $ dig +short porttest.dns-oarc.net TXT @68.87.78.130
> > z.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.pt.dns-oarc.net.
> > "68.87.78.133 is POOR: 26 queries in 1.0 seconds from 25 ports with std dev 149.32"
>
> > $ fpdns 68.87.78.130
> > fingerprint (68.87.78.130, 68.87.78.130): Nominum CNS
>
> > Since we have consulting customers using CNS, should we be advising  
> > them to install some kind of upgrade?
>
> > Chris Buxton
> > Professional Services
> > Men & Mice
>
> --
> Jeff Reasoner
> HCCA
> 513 728-7902 voice

Yes. I have the same situation. It shows poor although with 26 queries
from 26 ports. Could you please tell me what you did on NAT?

thanks
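An added example, not code from anyone in this thread: a small Python check that parses a porttest TXT answer of the form quoted above and shows why a PAT device that hands out translated ports sequentially drives the reported std dev down, even when the resolver itself randomises well. The sequential PAT model, the port samples and the use of the population standard deviation are constructed assumptions; the thread does not say which estimator OARC used.

```python
import re
import statistics

# Pattern for the porttest.dns-oarc.net TXT answer in the form quoted in this thread.
# POOR/FAIR/GOOD/GREAT were the verdict words the service used.
PORTTEST_RE = re.compile(
    r'^"?(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) is (?P<verdict>POOR|FAIR|GOOD|GREAT): '
    r'(?P<queries>\d+) queries in (?P<seconds>\d+(?:\.\d+)?) seconds from '
    r'(?P<ports>\d+) ports with std dev (?P<stddev>\d+(?:\.\d+)?)"?$'
)


def parse_porttest(txt):
    """Parse one porttest TXT record into typed fields; None if it does not match."""
    m = PORTTEST_RE.match(txt.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "ip": d["ip"],
        "verdict": d["verdict"],
        "queries": int(d["queries"]),
        "seconds": float(d["seconds"]),
        "ports": int(d["ports"]),
        "stddev": float(d["stddev"]),
    }


def port_stddev(ports):
    """Population standard deviation of the observed source ports (assumed to be
    the statistic porttest reports; the thread does not name the estimator)."""
    return statistics.pstdev(ports)


def pat_rewrite(ports, base=1024):
    """Constructed model of a PAT device: translated source ports are allocated
    sequentially from `base` in arrival order, ignoring the original port."""
    return [base + i for i, _ in enumerate(ports)]


# Constructed sample: 26 well-spread source ports, as a randomising resolver sends.
RESOLVER_PORTS = [(i * 2579 + 1025) % 64511 + 1024 for i in range(26)]

if __name__ == "__main__":
    print("resolver as sent :", round(port_stddev(RESOLVER_PORTS), 2))
    print("after sequential PAT:", round(port_stddev(pat_rewrite(RESOLVER_PORTS)), 2))
    print(parse_porttest('"204.10.216.194 is POOR: 26 queries in 1.7 seconds '
                         'from 26 ports with std dev 248.94"'))
```

The same 26 distinct ports count as "26 ports" either way, which is why a POOR verdict can coexist with 26 queries from 26 ports: the verdict is driven by the spread, not the count.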

