As everyone was upgrading their DNS infrastructure to be ready for August 7th, some security reseachers independently discovered the DNS flaw and disclosed it. For those of us, who were either informed or had figured out the problem ourselves, it is surprising to find irresponsible and grossly negligent disclosure from respected members of our community. There was a reason that Kaminsky did not disclose the flaw publicly when he found it. The DNS infrastructure needed to be upgraded and repaired.
Well, the time has run out. A current study by David Dagon and myself puts the number of open recursive resolvers using static source ports at about 78%. That is a lot of servers that need to be patched. Two more weeks till August 7th could have helped to fix many of them. Unfortunately, we will not find out now.
As we are all trying to patch and upgrade our resolvers and NAT devices, I created a small image tag that automatically assesses the randomess of a visitor's resolver:
This is still in reference to the CERT Advisory on Multiple DNS implementations vulnerable to cache poisoning
. You can place the image tag on your web page to test your visitors:
<center><a href="http://www.provos.org/index.php?/archives/42-DNS-and-Randomness.html"><img src="http://porttest.honeyd.org/-s-_dns.png" border=0></a></center>
The a href
link can of course point to a more helpful web page and the image itself can also be changed according to need.
If you want to show this on your pages with different images, just let me know.
Over the last few days, we have heard a lot about DNS cache poisoning and how we need to get our recursive resolvers to use random source ports. We are being told that this is a flaw in the protocol, but no details are going to be available until a presentation at Blackhat in August. DNS cache poisoning of course has been around for a long time, most notably when the 16-bit query IDs were not randomized. Here are some good references:
Oarc in the meantime has made a port testing server
available. A simple invocation of dig tells you if your recursive resolver is vulnerable:
dig +short porttest.dns-oarc.net TXT
The TXT record assesses a resolver's source port randomness as poor, fair or good. Unfortunately, on my network, I found this record constantly cached from other resolvers, so I wrote a small Python tool that analyzes the randomness
of both your source port numbers as a well as your query IDs. The tool can be downloaded from:
Its usage is pretty simple:
Continue reading "DNS and Randomness"