Since the announce of the major DNS vulnerability (multi-vendors), it’s patching time for all admins around the world. Did you already perform your homework?
The people at OARC have crafted a special DNS name and server that you can query to check whether or not your resolver is using random ports. A simple “dig +short porttest.dns-oarc.net TXT” should return a good, fair or poor rating, depending on your setup (Source: BELNET CERT Newsletter NEW2008-28). Here is an example:
$ dig +short porttest.dns-oarc.net TXT z.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.pt.dns-oarc.net. "88.191.254.6 is GOOD: 26 queries in 3.9 seconds from 26 ports with std dev 19554.27"
This one is not yet patched:
$ dig +short porttest.dns-oarc.net TXT z.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.pt.dns-oarc.net. "212.35.96.66 is POOR: 35 queries in 4.3 seconds from 1 ports with std dev 0.00"