Wednesday, December 16, 2009

porttest.dns-oarc.net -- Check your resolver's source port behavior

SkyHi @ Wednesday, December 16, 2009

Yesterday's announcement of CERT VU#800113 makes it clear that resolvers should use random source ports when sending queries. Here at OARC, we've crafted a special DNS name and server that you can query to learn whether or not your own resolver is using random ports. Use a DNS query tool such as dig to ask for the TXT record of porttest.dns-oarc.net:

$ dig +short porttest.dns-oarc.net TXT

You should get back an answer that looks like this:

z.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.pt.dns-oarc.net.
"169.254.0.1 is FAIR: 26 queries in 0.1 seconds from 25 ports with std dev 3843.00"

Your resolver's randomness will be rated either GOOD, FAIR, or POOR, based on the standard deviation of observed source ports. In order to receive a GOOD rating, the standard deviation must be at least 10,000. For FAIR it must be at least 3,000. Anything less is POOR. The best standard deviation you can expect to see from 26 queries is in the 18,000-20,000 range.

DNS records used in this test are given 60-second TTLs. To repeat the test you should wait at least 60 seconds.

Note that you can tell dig to test a specific resolver with an @-argument:

$ dig @4.2.2.3 +short porttest.dns-oarc.net TXT

On Windows you can use this command:

> nslookup -querytype=TXT -timeout=10 porttest.dns-oarc.net.

You can test a specific resolver address by appending it to the end of the command.

Update 2008-07-28

The scoring criteria have been changed to match the web-based port test. The scoring is now as follows:

Rating   Standard Deviation   Bits of Entropy
GREAT    3980 -- 20,000+      13.75 -- 16.0
GOOD     296 -- 3980          10.0 -- 13.75
POOR     0 -- 296             0 -- 10.0
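As an added example (not OARC's code, and not the porttest server's own implementation), the following Python script shows how the rating described above can be reproduced locally: it computes the standard deviation of a set of observed source ports, maps it onto the updated GREAT/GOOD/POOR table, and parses the TXT answer format quoted earlier in the post. Two things are assumptions of the example rather than statements from the post: the lower bound of each table row is treated as inclusive, and the "bits of entropy" column is modelled as the entropy of a uniform draw from 2**b ports, whose standard deviation is 2**b / sqrt(12) (this reproduces the table's 3980 -> 13.75 and 296 -> 10.0 pairs). The port samples are constructed, not real observations.

```python
import math
import re
import statistics

# Updated (2008-07-28) scoring table from the post, as (rating, minimum std dev).
# The post only gives ranges; treating each lower bound as inclusive is an
# assumption of this example.
RATING_FLOORS = [
    ("GREAT", 3980.0),
    ("GOOD", 296.0),
    ("POOR", 0.0),
]


def bits_of_entropy(stddev):
    """Equivalent bits of entropy for an observed standard deviation.

    Model (an assumption of this example): ports drawn uniformly from 2**b
    consecutive values have standard deviation 2**b / sqrt(12), so
    b = log2(stddev * sqrt(12)).  This matches the post's table:
    3980 -> 13.75 bits, 296 -> 10.0 bits, ~18,900 -> 16 bits.
    """
    if stddev <= 0:
        return 0.0
    return math.log2(stddev * math.sqrt(12))


def rate_stddev(stddev):
    """Map a standard deviation onto the post's updated GREAT/GOOD/POOR scale."""
    for rating, floor in RATING_FLOORS:
        if stddev >= floor:
            return rating
    return "POOR"


def score_ports(ports):
    """Score a list of observed UDP source ports the way the post describes."""
    if len(ports) < 2:
        raise ValueError("need at least two observations")
    sd = statistics.pstdev(ports)  # population std dev of the observed ports
    return {
        "queries": len(ports),
        "distinct_ports": len(set(ports)),
        "stddev": sd,
        "bits": bits_of_entropy(sd),
        "rating": rate_stddev(sd),
    }


# Regex for the TXT answer format shown in the post (surrounding quotes optional).
ANSWER_RE = re.compile(
    r'^"?(?P<addr>\S+) is (?P<rating>[A-Z]+): (?P<queries>\d+) queries in '
    r'(?P<seconds>[\d.]+) seconds from (?P<ports>\d+) ports '
    r'with std dev (?P<stddev>[\d.]+)"?$'
)


def parse_answer(txt):
    """Parse one porttest TXT answer string into its fields."""
    m = ANSWER_RE.match(txt.strip())
    if not m:
        raise ValueError("unrecognised porttest answer: %r" % txt)
    return {
        "addr": m.group("addr"),
        "rating": m.group("rating"),
        "queries": int(m.group("queries")),
        "seconds": float(m.group("seconds")),
        "ports": int(m.group("ports")),
        "stddev": float(m.group("stddev")),
    }


# Constructed samples (not real observations).
SEQUENTIAL_PORTS = list(range(1024, 1050))          # 26 consecutive ports
SPREAD_PORTS = [1024 + 8192 * k for k in range(8)]  # 8 ports spread over the range

# The sample answer quoted in the post; its FAIR rating predates the update.
PAGE_ANSWER = ('"169.254.0.1 is FAIR: 26 queries in 0.1 seconds '
               'from 25 ports with std dev 3843.00"')

if __name__ == "__main__":
    for name, sample in (("sequential", SEQUENTIAL_PORTS), ("spread", SPREAD_PORTS)):
        s = score_ports(sample)
        print("%-10s std dev %8.2f  %5.2f bits  %s"
              % (name, s["stddev"], s["bits"], s["rating"]))
    a = parse_answer(PAGE_ANSWER)
    print("page sample: reported %s, re-scored under the updated table as %s"
          % (a["rating"], rate_stddev(a["stddev"])))
```

Re-scoring the sample answer quoted in the post (std dev 3843.00) under the updated table lands it in GOOD rather than the old FAIR. The script also reports the number of distinct ports alongside the standard deviation, because a resolver that merely alternates between two far-apart ports would score a high standard deviation while clearly not being random; the porttest answer itself includes the "from N ports" count for the same reason.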