Check Your DNS Resolver

Emergency

Since the announcement of the major, multi-vendor DNS vulnerability, it has been patching time for admins around the world. Have you already done your homework?

The people at OARC have set up a special DNS name and server that you can query to check whether or not your resolver uses random source ports. A simple “dig +short porttest.dns-oarc.net TXT” returns a GOOD, FAIR or POOR rating, depending on your setup (Source: BELNET CERT Newsletter NEW2008-28). Here is an example:

$ dig +short porttest.dns-oarc.net TXT
z.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.pt.dns-oarc.net.
"88.191.254.6 is GOOD: 26 queries in 3.9 seconds from 26 ports with std dev 19554.27"

This resolver has not been patched yet:

$ dig +short porttest.dns-oarc.net TXT
z.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.pt.dns-oarc.net.
"212.35.96.66 is POOR: 35 queries in 4.3 seconds from 1 ports with std dev 0.00"
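As an added example (not from the original post, OARC or BELNET), the following Python script parses the TXT answer that porttest.dns-oarc.net returns into its fields, so the rating can be checked automatically across a fleet of resolvers, and shows what the "ports" and "std dev" numbers in the answer mean by computing them over two constructed lists of observed UDP source ports: one fixed port (the unpatched case, std dev 0.00) and one randomised set. The two sample answers are the ones quoted above; the port lists are constructed. The live query needs dig on the PATH and network access, which the parsing functions do not.

```python
import re
import statistics
import subprocess
from typing import List, Optional, Tuple

# Shape of the TXT record porttest.dns-oarc.net returns, e.g.
# "88.191.254.6 is GOOD: 26 queries in 3.9 seconds from 26 ports with std dev 19554.27"
PORTTEST_RE = re.compile(
    r'^"?(?P<ip>[0-9a-fA-F.:]+) is (?P<rating>GOOD|FAIR|POOR): '
    r'(?P<queries>\d+) queries in (?P<seconds>[\d.]+) seconds '
    r'from (?P<ports>\d+) ports with std dev (?P<stddev>[\d.]+)"?$'
)

# Sample answers copied from the two dig runs shown above (constructed test input).
SAMPLE_GOOD = '"88.191.254.6 is GOOD: 26 queries in 3.9 seconds from 26 ports with std dev 19554.27"'
SAMPLE_POOR = '"212.35.96.66 is POOR: 35 queries in 4.3 seconds from 1 ports with std dev 0.00"'

# Constructed lists of UDP source ports a test server might observe from a resolver:
# an unpatched resolver reusing one port, and a patched one picking random ports.
FIXED_PORTS = [53] * 8
RANDOM_PORTS = [1025, 65123, 40211, 7382, 52873, 30001, 17744, 61008]


def parse_porttest(txt: str) -> Optional[dict]:
    """Parse one porttest TXT answer into its fields; return None if it does not match."""
    m = PORTTEST_RE.match(txt.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "ip": d["ip"],
        "rating": d["rating"],
        "queries": int(d["queries"]),
        "seconds": float(d["seconds"]),
        "ports": int(d["ports"]),
        "stddev": float(d["stddev"]),
    }


def port_stats(ports: List[int]) -> Tuple[int, float]:
    """Number of distinct source ports and their population standard deviation.

    These are the two figures the porttest answer reports: a single reused port
    gives (1, 0.0); well-randomised 16-bit ports give a std dev in the tens of thousands.
    """
    return len(set(ports)), round(statistics.pstdev(ports), 2)


def run_porttest(resolver: Optional[str] = None) -> Optional[dict]:
    """Run the real dig query (needs network and dig) and return the parsed answer.

    Pass a resolver address to test a specific server instead of the system default.
    """
    cmd = ["dig", "+short", "porttest.dns-oarc.net", "TXT"]
    if resolver:
        cmd.append("@" + resolver)
    out = subprocess.run(cmd, capture_output=True, text=True, timeout=30).stdout
    # dig prints the CNAME chain first; the TXT string is the line that matches.
    for line in out.splitlines():
        parsed = parse_porttest(line)
        if parsed:
            return parsed
    return None


if __name__ == "__main__":
    for sample in (SAMPLE_GOOD, SAMPLE_POOR):
        print(parse_porttest(sample))
    print("fixed port  :", port_stats(FIXED_PORTS))
    print("random ports:", port_stats(RANDOM_PORTS))
```

Anything other than GOOD from run_porttest() on a resolver you operate is worth treating as an alert: a POOR answer with "1 ports" and "std dev 0.00" is exactly the unpatched behaviour shown in the second dig run above.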
