Check Your DNS Resolver


Since the announcement of the major multi-vendor DNS vulnerability, it’s patching time for admins all around the world. Have you already done your homework?

The people at OARC have crafted a special DNS name and server that you can query to check whether or not your resolver is using random source ports. A simple “dig +short TXT” against that name returns a GOOD, FAIR or POOR rating, depending on your setup (source: BELNET CERT Newsletter NEW2008-28). Here is an example from a patched resolver:

$ dig +short TXT
" is GOOD: 26 queries in 3.9 seconds from 26 ports with std dev 19554.27"

This one is not yet patched:

$ dig +short TXT
" is POOR: 35 queries in 4.3 seconds from 1 ports with std dev 0.00"
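To make the check scriptable, here is an added example (not from the post or from OARC) that parses the TXT answer into its fields and also reproduces what the test server measures: the number of distinct UDP source ports seen and their standard deviation. The answer format is assumed to be exactly the one shown above; the 192.0.2.1 address and the port lists are constructed sample data.

```python
import re
import statistics
from dataclasses import dataclass

# Answer format as shown in the post, e.g.
# "<ip> is GOOD: 26 queries in 3.9 seconds from 26 ports with std dev 19554.27"
PORTTEST_RE = re.compile(
    r"(?P<source>\S*)\s*is (?P<rating>GOOD|FAIR|POOR): "
    r"(?P<queries>\d+) queries in (?P<seconds>[\d.]+) seconds "
    r"from (?P<ports>\d+) ports with std dev (?P<stddev>[\d.]+)"
)


@dataclass
class PortTestResult:
    source: str      # resolver address as seen by the test server (may be empty)
    rating: str      # GOOD, FAIR or POOR
    queries: int
    seconds: float
    ports: int       # distinct source ports observed
    stddev: float    # spread of those ports; 0.00 means a single fixed port


def parse_porttest(txt: str) -> PortTestResult:
    """Parse one 'dig +short TXT' answer line from the port test."""
    m = PORTTEST_RE.search(txt.strip().strip('"'))
    if not m:
        raise ValueError(f"not a port-test answer: {txt!r}")
    g = m.groupdict()
    return PortTestResult(g["source"], g["rating"], int(g["queries"]),
                          float(g["seconds"]), int(g["ports"]), float(g["stddev"]))


def port_spread(source_ports):
    """Distinct-port count and population std dev of observed source ports,
    i.e. the two numbers the server reports for a resolver's queries."""
    ports = list(source_ports)
    if not ports:
        raise ValueError("no ports observed")
    return len(set(ports)), round(statistics.pstdev(ports), 2)


if __name__ == "__main__":
    # Constructed sample answers: one patched resolver, one still on a fixed port.
    for line in ['" is GOOD: 26 queries in 3.9 seconds from 26 ports with std dev 19554.27"',
                 '"192.0.2.1 is POOR: 35 queries in 4.3 seconds from 1 ports with std dev 0.00"']:
        r = parse_porttest(line)
        print(f"{r.rating}: {r.ports} ports, std dev {r.stddev}")
    print(port_spread([53000] * 35))   # unpatched: one port, no spread
```

Pipe the output of the dig command into `parse_porttest` to fail a compliance script on anything other than GOOD.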
