[YLUG] DNS vulnerability - your ISP

mike cloaked mike.cloaked at gmail.com
Fri Aug 1 09:29:14 UTC 2008


On Fri, Aug 1, 2008 at 10:01 AM, Matthew Gates <matthew at porpoisehead.net> wrote:
> I've been using OpenDNS for a little while now.  They check out just fine
> according to the site Mike posted (GREAT randomness for both source ports
> and transaction ports).
>
> I was curious about the ones which BT provide via their broadband deal, so I
> told my router to use them and then took the test.  Source ports
> were "POOR", although transaction ports were "GREAT".

Interesting and worrying!

I can also post a few other useful URLs:

http://member.dnsstuff.com/pages/tools.php?ptype=free
Click on Test Now - and this does another test.

Also there is a lot more information at
http://marc.info/?l=bind-users&m=121754031625416&w=2
and
http://groups.google.com/group/comp.protocols.dns.bind/msg/b6c67170b468d693

I also note that my brother started seeing some strange lines in his
logs a few days ago that had Kaminsky specifically in the name, but I
have just discovered that:
" client 149.20.56.10#10053: query:
> not-an-attack.dan-kaminsky.browse-deluvian.doxpara.com IN ANY +
>
> The ip address goes back to isc.org so just wondering if there is a spider
> of sorts running to determine whose name server is running what version or
> something.

yes, isc is supporting several dns spiders who are measuring the population
of patched vs. unpatched, and measuring for poison injections."

This was from the "bind-users" list... so the "not-an-attack... etc"
Kaminsky reference is in fact a monitor spider set up at doxpara and
not a DNS attack at all - which is reassuring!  However yesterday my
brother placed an IP address block in his firewall so that these went
into a black hole - he was getting them about every 10 minutes!

-- 
mike
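
Added example, not part of the original post or of BIND: a small Python triage script that pulls the "not-an-attack.dan-kaminsky" queries out of a name server query log, groups them by client, and reports how often each client sends them and whether it is the address the quoted bind-users message traces to isc.org. The timestamp and category prefix of the log lines, the sample lines themselves, and all function and variable names are assumptions made for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample lines, not real log data. The "client ... query:" tail follows the
# line quoted in the post; the timestamp/category prefix is an assumed querylog layout.
SAMPLE_LOG = """\
01-Aug-2008 08:40:02.114 queries: info: client 149.20.56.10#10053: query: not-an-attack.dan-kaminsky.browse-deluvian.doxpara.com IN ANY +
01-Aug-2008 08:44:31.502 queries: info: client 192.0.2.77#53: query: www.example.org IN A +
01-Aug-2008 08:50:01.870 queries: info: client 149.20.56.10#10053: query: not-an-attack.dan-kaminsky.browse-deluvian.doxpara.com IN ANY +
01-Aug-2008 09:00:03.021 queries: info: client 149.20.56.10#10053: query: not-an-attack.dan-kaminsky.browse-deluvian.doxpara.com IN ANY +
01-Aug-2008 09:05:10.000 queries: info: client 198.51.100.9#4242: query: not-an-attack.dan-kaminsky.browse-deluvian.doxpara.com IN ANY +
"""

PROBE_PREFIX = "not-an-attack.dan-kaminsky."   # query name prefix seen in the post
KNOWN_SURVEY_CLIENTS = {"149.20.56.10"}        # address the quoted message traces to isc.org

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ .*?"
    r"client (?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+): query: "
    r"(?P<name>\S+) (?P<cls>\S+) (?P<type>\S+)"
)

def summarize_probes(log_text):
    """Per client sending survey-named queries: count, source ports, median gap, known or not."""
    seen = defaultdict(lambda: {"times": [], "ports": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not m["name"].lower().startswith(PROBE_PREFIX):
            continue  # unparsable line or an ordinary query
        entry = seen[m["ip"]]
        entry["times"].append(datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S"))
        entry["ports"].add(int(m["port"]))
    report = {}
    for ip, e in seen.items():
        times = sorted(e["times"])
        gaps = [(b - a).total_seconds() / 60 for a, b in zip(times, times[1:])]
        report[ip] = {
            "count": len(times),
            "ports": sorted(e["ports"]),
            "median_gap_min": round(median(gaps), 1) if gaps else None,
            "known": ip in KNOWN_SURVEY_CLIENTS,
        }
    return report

if __name__ == "__main__":
    for ip, info in summarize_probes(SAMPLE_LOG).items():
        print(ip, info)
```

A client that uses the survey's query name but is not in the known set is reported with `known: False`, since the name alone does not show where a query came from.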


