Wednesday, December 16, 2009

Web-based DNS Randomness Test

SkyHi @ Wednesday, December 16, 2009

US-CERT's Vulnerability Note VU#800113 describes deficiencies in the DNS protocol and implementations that can facilitate cache poisoning attacks. The answers from a poisoned nameserver cannot be trusted. You may be redirected to malicious web sites that will try to steal your identity or infect your computers with malware. Working exploits for this issue are already widely circulated! Upgrade your nameservers ASAP if you haven't done so already! On August 7, 2008, Dan Kaminsky will release additional details about these poisoning attacks.

The essence of the problem is that DNS resolvers don't always use enough randomness in their transaction IDs and query source ports. Increasing the amount of randomness increases the difficulty of a successful poisoning attack.

This page exists to help you learn if your ISP's nameservers are vulnerable to this type of attack. If you click on the button below, we will test the randomness of your ISP DNS resolver.

The test takes a few seconds to complete. When its done you'll see a page where the transaction ID and source port randomness will be rated either GREAT, GOOD, or POOR. If you see a POOR rating, we recommend that contact your ISP and ask if they have plans to upgrade their nameserver software
before August 7th.

See porttest for another way to check your resolver from a Unix commandline.