DNS Randomness Test

  • Thread starter Thread starter Kayman
  • Start date Start date
K

Kayman

"The test takes a few seconds to complete. When its done you'll see a page
where the transaction ID and source port randomness will be rated either
GREAT, GOOD, or POOR. If you see a POOR rating, we recommend that contact
your ISP and ask if they have plans to upgrade their nameserver software
before August 7th."
https://www.dns-oarc.net/oarc/services/dnsentropy
 
"The test takes a few seconds to complete. When its done you'll see a
page where the transaction ID and source port randomness will be
rated either GREAT, GOOD, or POOR. If you see a POOR rating, we
recommend that contact your ISP and ask if they have plans to upgrade
their nameserver software before August 7th."

Umm, I'd beware any stranger offering advice in case that appeals to
you. It's outright spam to begin with and of no known value or
recognition otherwise. It's designed to make you curious and want to
visit that URL where who knows what might go on? It'd be funny if it
weren't so stupid!
 
Umm, I'd beware any stranger offering advice in case that appeals to
you. It's outright spam to begin with and of no known value or
recognition otherwise. It's designed to make you curious and want to
visit that URL where who knows what might go on? It'd be funny if it
weren't so stupid!
As an advisory it lacks any real information. This is supposed to be an
advisory about the Kaminsky DNS vulnerability but is of limited use to end
users other than to generate grass roots movement from users to get ISP's
to upgrade their DNS code.

The full text of the dns-oarc.net page follows:

----------------------

US-CERT's Vulnerability Note VU#800113 describes deficiencies in the DNS
protocol and implementations that can facilitate cache poisoning attacks.
The answers from a poisoned nameserver cannot be trusted. You may be
redirected to malicious web sites that will try to steal your identity or
infect your computers with malware. On August 7, 2008, Dan Kaminsky will
release the details of how such attacks can be launched against vulnerable
DNS resolvers.

The essence of the problem is that DNS resolvers don't always use enough
randomness in their transaction IDs and query source ports. Increasing the
amount of randomness increases the difficulty of a successful poisoning
attack.

This page exists to help you learn if your ISP's nameservers are vulnerable
to this type of attack. If you click on the button below, we will test the
randomness of your ISP DNS resolver.


The test takes a few seconds to complete. When its done you'll see a page
where the transaction ID and source port randomness will be rated either
GREAT, GOOD, or POOR. If you see a POOR rating, we recommend that contact
your ISP and ask if they have plans to upgrade their nameserver software
before August 7th.

See porttest for another way to check your resolver from a Unix
commandline.
 
| Umm, I'd beware any stranger offering advice in case that appeals to
| you. It's outright spam to begin with and of no known value or
| recognition otherwise. It's designed to make you curious and want to
| visit that URL where who knows what might go on? It'd be funny if it
| weren't so stupid!



No. Both Kayman and the site are legitimate and most importantly this is a good test
concerning the US CERT
Vulnerability Note VU#800113

Reference:
http://www.kb.cert.org/vuls/id/800113

This is NOT spam!
 
Lon said:
I'd also beware of self appointed security experts who do not recognize
the site www.dns-oarc.net.

But how do we know that clicking that link will actually
resolve to that (considering the topic) legitimate site? :O)

URL's are not dangerous, however the software you run to
access them may well be.
 
f'ups set to msp sec... .virus to save gas, I mean, ether.
I'd also beware of self appointed security experts who do not
recognize the site www.dns-oarc.net.



None the less, it is spam and as such is subject to all the things spam
is worthy of: nothing. I repeat: "It's designed to make you curious
and want toSpam is spam and you are a spammer.
And speaking of "experts", you seem totally unaware that spam isn't
acceptable, and also that redirections are easy. If you think that URL
is so well known, you have another think coming. It is NOT a recognized
web site for security aspects. In fact:

It's blacklisted at APEWS-L1: (SPEWS replacement)
-----------------------------------------------
http://openrbl.org/client/#www.dns-oarc.net
APEWS_L1 - Anon PM Early Warning System - Level 1
RHS: Spamvertized Domains and alike_
homepagehttp://apews.org/
typeHOST (RHS) Blacklist
zonel1.apews.rhsbl.uceprotect.net [Wiki]
statusBlocklisted at l1.apews.rhsbl.uceprotect.net
-----------------------------------------------
WAS recently listed at SORBS,
----------------------------------------------
and is mired in a long list of AS horizontals and verticals that most
would only use for the purpose of making it difficult to trace them
specifically. Hmm, now who would want that? Oh! I know! Spammers!

lookuphttp://apews.org/?page=test&ip=www.dns-oarc.net
http://www.uceprotect.net/en/apews.html

public.dns-oarc.net

public.dns-oarc.net has one IP record . www.dns-oarc.net point
to the same IP.
network-scanner-230-for-more-info-see.public.dns-oarc.net and
network-scanner-224-for-more-info-see.public.dns-oarc.net are subdomains
to this hostname.
baserecordnameipreverserouteas
public.dns-oarc.neta149.20.58.8www.dns-oarc.net149.20.0.0/16 AS1280
project netblockAS1280 ISC AS1280 Internet Systems Consortium, Inc
dns-oarc.netnshq-ns.oarc.isc.org204.152.184.186hq-ns.oarc.isc.org204.152.184.0/21
ns-ext.isc.org204.152.184.64ns-ext.isc.org
ns-ext.nrt1.isc.org192.228.90.19ns-ext.nrt1.isc.org192.228.90.0/24
Internet Software ConsortiumAS2500 WIDE Project in Japan
ns-ext.lga1.isc.org192.228.91.19ns-ext.lga1.isc.org192.228.91.0/24
Internet Systems Consortium, Inc., New York, NY, USAAS27319 ISC LGA1
Internet Systems Consortium, Inc , New York, NY, US
ns-ext.sth1.isc.org192.228.89.19ns-ext.sth1.isc.org192.228.89.0/24
Internet Systems Consortium, Inc.AS8674 NETNOD IX Netnod Internet
Exchange Sverige AB (former D GIX) $Id: aut num:AS8674,v 1 12 2008/07/01
12:56:12 liman Exp $
mxmail.dns-oarc.net149.20.58.4mail.dns-oarc.net149.20.0.0/16 AS1280
project netblockAS1280 ISC AS1280 Internet Systems Consortium, Inc
org isc.org net nrt1.isc.org oarc.isc.org sth1.isc.org lga1.isc.org
--------------------------------------

NOW, IDIOT SPAMMER, I gave you a pass on reporting you since it appeared
you might not know what you're doing. But from just 3 minutes worth of
research I can see you not only know what you're doing is spamming, but
you are still spamming even though you're dropped by at one list and
have been noted at around 8 other lists. SORBS may have "dropped" you
but rest assured it won't take a lot to put you back on their list.

If I come across you again on ANY group, forum or other means, rest
assured I will not hassle you, but I WILL report you for spamming, and
I'll resurrect the discussions at nanae for you using your own tripe as
proof!
So either get your ass out of here or be prepared to start looking
for other resources again. It looks like discussions at nanae would be
pretty easy to reopen; it's only been a short period of time.
Don't address me again: I only give one warning.

HTH (you provide the word for the last H)
 
:

But how do we know that clicking that link will actually
resolve to that (considering the topic) legitimate site? :O)

URL's are not dangerous, however the software you run to
access them may well be.
Those of us who have reached the age of discretion right click on the link,
then copy and paste into our browser's address bar.

We get lots of practice at this because our incoming e-mails are shown in
plain text format.

We are suspicious old farts who plan on living a long time.
 
Newell White said:
:


Those of us who have reached the age of discretion right click on the
link,
then copy and paste into our browser's address bar.

Which doesn't address the DNS poisoning issue. Any URL at all
(requiring a lookup) is suspect. Only comparing returns from a known
good name server can confirm if the URL's friendly name is actually
where your browser will be directed.
..
 
FromTheRafters said:
Which doesn't address the DNS poisoning issue. Any URL at all
(requiring a lookup) is suspect. Only comparing returns from a known
good name server can confirm if the URL's friendly name is actually
where your browser will be directed.
..
Point taken.
But even before the DNS issue using the Internet involves a certain amount
of trust.
 
FromTheRafters said:
Point taken.
But even before the DNS issue using the Internet involves a certain
amount of trust.

Yes, it does. But clicking a link in any spam is asking for trouble
sooner or later.
 
From: "Twayne" <[email protected]>



| Yes, it does. But clicking a link in any spam is asking for trouble
| sooner or later.


Except this was a legitimate post and was in no way shape or form 'spam'.
 
Kayman said:
On Mon, 28 Jul 2008 19:14:07 -0600, Lon wrote:



Hey Lon, while we're having so much fun, here is another DNS checker
http://www.doxpara.com/
(a good tool to double-check the results obtained from
https://www.dns-oarc.net/oarc/services/dnsentropy )
:-)

I'm not sure how these tools work but they seem to automatically "pick" our
ISP's DNS IP address to scan. The thing is the IP address doesn't
necessarily match the ones I'm using (also belong to my ISP). As an example,
I'm using x.x.x.x as my resolver but the tools pick up y.y.y.y and tell me
that the test is good (it's been patched). Both x.x.x.x and y.y.y.y are my
ISP's DNS servers.

I understand that they have multiple addresses (may be hundreds/thousands
depending on ISP size). My questions is:
Is there a tool that lets us input IP address to scan?

Or is it safe to assume that if my ISP DNS at x.x.x.x (as seen by the tools
at dns-oarc.net or doxpara.com) has been patched, they have patched the rest
of their DNS servers and therefore it is safe to use any of their DNS?

Thanks in advance.
 
I'm not sure how these tools work but they seem to automatically "pick" our
ISP's DNS IP address to scan.

Yes, that's seems to be the procedure.
The thing is the IP address doesn't
necessarily match the ones I'm using (also belong to my ISP). As an example,
I'm using x.x.x.x as my resolver but the tools pick up y.y.y.y and tell me
that the test is good (it's been patched). Both x.x.x.x and y.y.y.y are my
ISP's DNS servers.

Talk to you Internet Service Provider (ISP); They probably issue dynamic IP
addresses.
FYI:
http://searchwindevelopment.techtarget.com/sDefinition/0,,sid8_gci520967,00.html
I understand that they have multiple addresses (may be hundreds/thousands
depending on ISP size). My questions is:
Is there a tool that lets us input IP address to scan?

Don't know, sorry.
Or is it safe to assume that if my ISP DNS at x.x.x.x (as seen by the tools
at dns-oarc.net or doxpara.com) has been patched, they have patched the rest
of their DNS servers and therefore it is safe to use any of their DNS?

I'd assume it's safe; If in doubt talk to the ISP.
Let us know their response.
 
David H. Lipman said:
From: "Twayne" <[email protected]>



| Yes, it does. But clicking a link in any spam is asking for trouble
| sooner or later.


Except this was a legitimate post and was in no way shape or form 'spam'.

This guy hates spam.

To a hammer, everything looks like a nail. :o)
 
Newell White said:
Point taken.
But even before the DNS issue using the Internet involves a certain amount
of trust.

....and a certain amount of luck. :o)

DNS is like the mother of all hosts files and adware/foistware has
already shown how useful the name servers can be for increasing
overall stickiness.
 
FromTheRafters said:
...and a certain amount of luck. :o)

DNS is like the mother of all hosts files and adware/foistware has
already shown how useful the name servers can be for increasing
overall stickiness.

You know, I have yet to see a single posting from you that makes any
sense..... Welcome to the Kill File (along with this thread.......)....

--

Regards,
Hank Arnold
Microsoft MVP
Windows Server - Directory Services
 
Hank Arnold (MVP) said:
You know, I have yet to see a single posting from you that makes any
sense..... Welcome to the Kill File (along with this thread.......)....

Specifically what didn't you understand? I'll try to explain what I
meant in any of my previous posts.

Killfile me if you want, but there is no need to announce it unless
you are trolling.
 
Kayman said:
Yes, that's seems to be the procedure.


Talk to you Internet Service Provider (ISP); They probably issue dynamic
IP
addresses.
FYI:
http://searchwindevelopment.techtarget.com/sDefinition/0,,sid8_gci520967,00.html


Don't know, sorry.

Thanks Kayman. I use (my ISP) DNS IP addresses as forwarders on my Windows
DNS system. I guess what I can do is change the forwarders IP addresses to
the ones that have been detected as GOOD.

Btw, http://www.dnsstuff.com/ has a DNS vulnerability check too. Also, if
you haven't heard, check this out:
http://www.networkworld.com/news/2008/073008-dns-attack-writer-a-victim.html
I'd assume it's safe; If in doubt talk to the ISP.
Let us know their response.

Contact our ISP? That's a scary thought. I sent them an email last week,
asking them if they have fixed DNS flaw. A few days later, I got a reply
like this:

At this time we have made no changes to our network and we do not plan to
make any changes. We actively monitor out network for any security breaches.

Shortly before I received the above reply from my ISP, I used DNS check
tools from doxpara.com. It says that it's safe (a few days earlier, the
report said that my DNS was vulnerable to cache poisoning). I appears to me
that my ISP has fixed the problem but a reply from my ISP says otherwise
("we do not plan to make any changes"). Clueless tech support.
 
Back
Top