Over the last few days, we have heard a lot about DNS cache poisoning and how we need to get our recursive resolvers to use random source ports. We are being told that this is a flaw in the protocol, but no details are going to be available until a presentation at Blackhat in August. DNS cache poisoning of course has been around for a long time, most notably when the 16-bit query IDs were not randomized. Here are some good references:
Oarc in the meantime has made a port testing server available. A simple invocation of dig tells you if your recursive resolver is vulnerable:
dig +short porttest.dns-oarc.net TXT
The TXT record assesses a resolver's source port randomness as poor, fair or good. Unfortunately, on my network, I found this record constantly cached from other resolvers, so I wrote a small Python tool that analyzes the randomness of both your source port numbers as a well as your query IDs. The tool can be downloaded from:
The tool works by issuing DNS queries that return the source port and query ID as part of the resolved answer. To test a different resolver specify one via --resolver=ip. The statistics are based on the differences sequence for port and query ID. We compute the standard deviation; a high standard deviation means more randomness; and also the number of up an down runs, a higher Z-Scores means lower randomness.
In the meantime, I guess we all need to wait for Dan Kaminsky to spill the beans.