back to article Black hats attack gaping DNS hole

Miscreants are actively exploiting a gaping hole in the internet's address lookup system that can cause millions of web surfers to receive counterfeit pages when they try to access online banking services and other types of websites. The first confirmed instance came on Tuesday, when security researcher H D Moore discovered a …

COMMENTS

This topic is closed for new posts.
  1. nick
    Coat

    Whaaat

    I was extecting to read a story about people in bowler/top hats & other rediculous headgear to be invading t'internet. Oh well.

  2. Neil Woolford
    Thumb Up

    PlusNet look to be patched.

    s-oarc.net reckon "212.159.6.113 appears to have GREAT source port randomness and GREAT transaction ID randomness"

    The Kaminsky page reckoned ok as well, but without the nice scatter plots and GREAT CAPITALISATION.

  3. Dave Morgan
    Thumb Up

    Eclipse seems Ok

    1. 212.104.130.65 (resolver2.th.eclipse.net.uk) appears to have GREAT source port randomness and GREAT transaction ID randomness.

    2. 212.104.128.102 (uplink2-bba1.th.eclipse.net.uk) appears to have GREAT source port randomness and GREAT transaction ID randomness.

    Test time: 2008-07-31 18:36:45 UTC

  4. bob, mon!
    Go

    shure, Y nought?

    ISP - Verizon (buncha scumbagz)

    DNS resolvers - 71.242.0.39, 71.242.0.36

    Doxpara and DNS-OARC basically agree that my ISP's DNS servers are okay, but my local NAT router isn't randomizing the source ports very well.

    My router is a re-imaged Linksys - guess I better get around to updating it :-(

    (Icon? "Proceed with this nonsense at flank speed!")

  5. Anonymous Coward
    Anonymous Coward

    gasp

    Well no one ever implied that Dan Kaminsky was the first person to know about these vulnerabilities. He made them public, and the bad guys are just getting their returns in while the getting is good. Who knows how long these holes have been in use for.

  6. Anonymous Coward
    Anonymous Coward

    Virgin Media

    Came back as safe from doxpara.

    dns-oarc gave the following :

    1. 194.168.8.110 (winn-dnsbep-2.server.virginmedia.net) appears to have POOR source port randomness and GREAT transaction ID randomness.

    2. 194.168.8.109 (winn-dnsbep-1.server.virginmedia.net) appears to have POOR source port randomness and GREAT transaction ID randomness.

    3. 62.254.32.148 (belf-dnsany-1.server.virginmedia.net) appears to have POOR source port randomness and GREAT transaction ID randomness.

    Pretty middle of the road then.

  7. David Jones
    Dead Vulture

    BT Broadband

    DNS Resolver(s) Tested:

    1. 194.74.65.68 (ns6.bt.net) appears to have POOR source port randomness and GREAT transaction ID randomness.

    2. 194.72.9.34 (bcn.customer.bt.net) appears to have POOR source port randomness and GREAT transaction ID randomness.

    Test time: 2008-07-31 18:49:17 UTC

  8. Richard Conto

    Comcast - Great Lakes Region

    https://www.dns-oarc.net/oarc/services/dnsentropy

    DNS Resolver(s) Tested:

    68.87.72.131 (chic-cns01.area4.il.chicago.comcast.net) appears to have POOR source port randomness and GREAT transaction ID randomness.

    68.87.77.131 (detr-cns01.westlandrdc.mi.michigan.comcast.net) appears to have

    POOR source port randomness and GREAT transaction ID randomness.

    68.87.72.133 (chic-cns03.area4.il.chicago.comcast.net) appears to have POOR source port randomness and GREAT transaction ID randomness.

    Test time: 2008-07-31 18:37:53 UTC

    ---

    When I changed my DNS forwarder to one I knew was patched, it reported GREAT GREAT.

    ---

    DOXPARA said that things were good, and only reported ONE of the DNS servers I forward to.

  9. Test Man
    Happy

    ADSL24

    "195.74.113.58 (ths-dns-cache1.enta.net) appears to have GREAT source port randomness and GREAT transaction ID randomness.

    195.74.113.62 (ths-dns-cache2.enta.net) appears to have GREAT source port randomness and GREAT transaction ID randomness."

    So this is good then?

  10. Andrew Tyler

    Road Runner

    Time Warner ( Road Runner) - 65.24.7.3

    GREAT/GREAT at DNSOARC

    DoxPara - Looks good to me. I guess.

  11. ben edwards

    eek

    How do we really know doxpora is legit? We'd be freely giving away the names of our DNS servers, and easily too!

  12. Kincaid
    Thumb Up

    OpenDNS

    I saw that Time Warner & Roadrunner were both deemed unpatched the last I checked. I use OpenDNS instead which is protected according to the DoxPara DNS Checker.

  13. Lee T.
    Go

    aanet - australia adsl

    great/great/great/great

    great.

  14. Glenn Booth
    Thumb Up

    Well done Zen.

    I didn't expect anything different, but Zen Internet's DNS services are all in the green. I hit both 212.23.3.100 and 212.23.6.100 - they've done their job; source port randomness abounds.

    Toodle pip.

  15. Martin Sylvester
    Thumb Up

    Plusnet scoring "GREAT"

    "1. 212.159.6.101 appears to have GREAT source port randomness and GREAT transaction ID randomness.

    "2. 212.159.6.97 appears to have GREAT source port randomness and GREAT transaction ID randomness.

    "Test time: 2008-07-31 20:08:11 UTC"

  16. Anonymous Coward
    Anonymous Coward

    How do we know this is his exploit

    DNS gets attacked all the time, maybe someone else just spilled their version.

    He should have created a encrypted file with the details and publicly posted it.

    So who knows.

    Thing is people will use the known exploits just as they emerge, the chaos helps to cover tracks. I still think what he has done is a bit irresponsible, DNSSEC has been preventing these attacks for a while, and the latest bind patch was available before this went public. So, what we have here is a known attack given a lot of publicity.

    Well, if the sec guys can keep up with the numbers, they may find quite a few of the crackers, but this has upped the volume.

  17. Colin Morris
    Paris Hilton

    OK!

    Yep, Zen Internet seem to know what time it is!

    Paris, cos she's safe too...

  18. Anonymous Coward
    Dead Vulture

    Verizon

    DNS Resolver(s) Tested:

    68.238.112.36 appears to have POOR source port randomness and GREAT transaction ID randomness.

    68.238.96.38 appears to have POOR source port randomness and GREAT transaction ID randomness.

    68.238.96.37 appears to have POOR source port randomness and GREAT transaction ID randomness.

    Ok, does this mean that redirection to a bogus site would still work?

  19. Petr

    Bellsouth (now AT&T) - South florida

    1. 205.152.132.31 appears to have GREAT source port randomness and GREAT transaction ID randomness.

    2. 205.152.144.13 (oldmail1.mia.bellsouth.net) appears to have GREAT source port randomness and GREAT transaction ID randomness.

    3. 209.244.5.159 (ics2.Atlanta1.Level3.net) appears to have GOOD source port randomness and GREAT transaction ID randomness.

  20. Steve Evans (a different one)
    Thumb Up

    Newnet seems to be ok

    Newnet seems to be ok

    Your name server, at 212.87.64.7, appears to be safe, but make sure the ports listed below aren't following an obvious pattern (:1001, :1002, :1003, or :30000, :30020, :30100...).

    but how do I check the ports??

  21. adnim

    Clara

    1. 195.8.69.7 (resolver1.uk.clara.net) appears to have GOOD source port randomness and GREAT transaction ID randomness.

    2. 80.168.69.20 (resolver3.clara.net) appears to have GREAT source port randomness and GREAT transaction ID randomness.

    I like my ISP, not cheap, not throttled either. No apparent port blocking. Local call rate support. Just in case anyone wants to jump ship from any Phormised ISP.

    No I am not a Clara employee ;-)

  22. Robert Grant
    Thumb Up

    Sky

    1. 90.207.242.85 (5acff255.bb.sky.com) appears to have GREAT source port randomness and GREAT transaction ID randomness.

    2. 90.207.242.82 (5acff252.bb.sky.com) appears to have GREAT source port randomness and GREAT transaction ID randomness.

    3. 90.207.242.87 (5acff257.bb.sky.com) appears to have GREAT source port randomness and GREAT transaction ID randomness.

  23. Chronos

    Re: Verizon

    Yes, they're vulnerable. The transaction ID is irrelevant as it is guessed by the attacker with chances of a hit being one in 65536 per shot. The crux of the matter is a static upstream query port on the recursive server being queried, allowing the attacker to both send unique unresolvable queries within the target domain (1.example.com, 2.example.com...) to port 53 AND know which port the server is listening for an answer on. He then fires answers at it pretending to be the server the resolver is querying (remember, this is UDP. No state, easy to spoof, no reply needed once you get an answer accepted). You only need to guess the transaction ID correctly once and then you've polluted the cache for the entire example.com domain for however long you set that answer's TTL to (or the cache lifetime, whichever is smaller) by dint of in-bailiwick answers always being accepted for the whole domain. All the real example.com DNS servers will send back is NXDOMAIN, which doesn't get cached so you have, in effect, limitless query headroom to get the transaction ID correct without the risk of the real servers populating the cache first.

    What the patch does is enable the server to use a random source port for every query in a recursive search, spoiling the cracker's ability to track which port the server expects a response on, thus giving the cracker no opportunity to insert his own bogus answers. It is, unfortunately, security by obscurity. We need signed roots and DNSSec. DNS is and always has been insecure. It's only a matter of time before more holes are found and this whole song and dance commences yet again. Of course, that implies ISPs will care enough to set up trust anchors, but that's a discussion for another day.

    By the way, if anyone thinks adding 1 IN A x.x.x.x, 2 IN A x.x.x.x etc. to their zones is a defence, just ponder the use of very small shell scripts, uuidgen and sed to create the hostnames to query. I'm sure you'll agree that this idea is no defence at all. The hostname used is just a simple way of explaining the exploit. Even your run-of-the-mill skiddie isn't going to be that obliging. Patch. Now.

  24. Mark McC
    Thumb Up

    Tiscali

    212.139.132.41/42 both scored great on all fronts. Which is surprising, because everything else about them is a bit pants.

  25. robert

    gentoo portage up to date?

    Ive just emerged the latest version of BIND from portage on my nameservers (9.4.2-P1) and restarted the service but im still getting:

    (...co.uk) appears to have POOR source port randomness and GREAT transaction ID randomness

  26. Trix
    Boffin

    @ robert - GIYF

    After a whole 3 seconds of Googling, I found this page on the Gentoo site:

    http://www.gentoo.org/security/en/glsa/glsa-200807-08.xml

    'All BIND users should upgrade to the latest version:

    Code Listing 3.1: Resolution

    # emerge --sync

    # emerge --ask --oneshot --verbose ">=net-dns/bind-9.4.2_p1"

    Note: In order to utilize the query port randomization to mitigate the weakness, you need to make sure that your network setup allows the DNS server to use random source ports for query and that you have not set a fixed query port via the "query-source port" directive in the BIND configuration.'

    So did you check your "query-source port" directive in BIND?

  27. grant warkentin

    Open DNS tested okay

    Open DNS tested okay

    1. 208.67.216.13 (bld3.sea.opendns.com) appears to have GREAT source port randomness and GREAT transaction ID randomness.

  28. Kanhef
    Thumb Down

    Verizon DNSs

    141.154.0.68 (gtebo.ba-dsg.net)

    141.155.0.68 (gteny.ba-dsg.net)

    151.197.0.39 (home4.bellatlantic.net)

    151.198.0.39 (home5.bellatlantic.net)

    151.201.0.39 (home6.bellatlantic.net)

    151.202.0.85 (nyc2-qwest.bellatlantic.net)

    151.203.0.85 (boston2-qwest.bellatlantic.net)

    All come up with poor source port randomness, great transaction ID randomness.

  29. J. Simon van der Walt

    Orange UK

    dns-oarc.net gives Orange UK;

    193.36.79.101 Source Port Randomness: GREAT

    193.36.79.101 Transaction ID Randomness: GREAT

    but at doxpara.com the test doesn't seem to work; get a 'page not found'

  30. Old Man - Grey Fleece
    Go

    Demon

    Appears to be patched

  31. Stewart Midwinter

    Shaw Cable ok

    1. 64.187.29.134 (h64-187-29-134.gtcust.grouptelecom.net) appears to have GREAT source port randomness and GREAT transaction ID randomness.

    2. 64.59.135.133 (nsc1.so.cg.shawcable.net) appears to have GREAT source port randomness and GREAT transaction ID randomness.

    3. 64.59.135.135 (nsc2.so.cg.shawcable.net) appears to have GREAT source port randomness and GREAT transaction ID randomness.

  32. Anonymous Coward
    Dead Vulture

    @ Chronos

    Re: Verizon

    Thanks for the explaination about port versus transaction randomness.

    The thing about all this that really boils my bottom is that even though I have bothered with a home router, firewall, anti-virus and such for years my IS-freaking-P's unpatched DNS could render such preparations moot.

    Alas, poor internet, I knew it Horatio. A place of infinite wit and zest.<holding 4-port router, talking to it>

  33. when_the_sh*t_hits_the_fanboi

    Oops - Nildram still vulnerable

    Your name server, at 213.208.106.212, appears vulnerable to DNS Cache Poisoning.

    All requests came from the following source port: 33542

  34. System Administrator
    Linux

    BT Broadband

    DIG: "62.6.40.162 [indnsc70.ukcore.bt.net.] is POOR: 26 queries in 3.8 seconds from 25 ports with std dev 271"

    WEB Version: POOR source port randomness GREAT transaction ID randomness.

    I get the POOR source port warning whatever test I use. I run my own LAN and LAMP setup via my otherwise vanilla BT Broadband connection (via HomeHub).

    I suspect other factors rather than BT's DNS may be involved in the results - it would be great if someone could give us a clue and briefly explain what may restrict source port randomness. I have a clue (NAT/Firewall etc) but some folk out there actually 'know' :-)

    OR - should I rely on the test and BT *are* actually POOR/GREAT rated!

  35. Andrew McAuley
    Happy

    BeThere

    1. 87.194.0.51 (cache0.betherenow.co.uk) appears to have GREAT source port randomness and GREAT transaction ID randomness.

    2. 87.194.0.52 (cache1.betherenow.co.uk) appears to have GREAT source port randomness and GREAT transaction ID randomness.

  36. Theresa Jayne Forster
    Paris Hilton

    Bit worrying

    Well when i test on BOTH sites i get Problem Loading page, Server cannot be found

    Sky Broadband....

    Is this good or bad?

  37. Kibble
    Happy

    Earthlink seems to be all right

    Using my usual local dialup number:

    Your name server, at 209.179.23.207, appears to be safe, but make sure the ports listed below aren't following an obvious pattern (:1001, :1002, :1003, or :30000, :30020, :30100...).

    @ Steve Evans

    I don't know how to check the ports either.

  38. Anonymous Coward
    Happy

    Sprint PCS, patched!

    68.28.250.92 (ns2.atlngar03.spcsdns.net) appears to have GREAT source port randomness and GREAT transaction ID randomness.

    68.28.242.91 (ns1.atlngar03.spcsdns.net) appears to have GREAT source port randomness and GREAT transaction ID randomness.

    Test time: 2008-08-01 07:24:35 UTC

    For my wireless broadband, Sprint fixed it within the last week.

    For my Verizon woes, I have pointed my router to OpenDNS, as opposed to letting my ISP do my DNS and that works just fine.

    Thanks again to Chronos, et al, for the information. Yet another reason to love El Reg.

  39. Anonymous Coward
    Thumb Up

    Pipex

    GREAT/GREAT

  40. Goat Jam
    Thumb Up

    OpenDNS

    I haven't used my ISP's dns server for ages. OpenDNS is the way to go.

  41. Dave Harris

    TMNet (Malaysia)

    1. 203.121.16.85 (ns1.time.net.my) appears to have POOR source port randomness and GREAT transaction ID randomness.

    2. 203.121.64.59 appears to have GOOD source port randomness and GREAT transaction ID randomness.

  42. mdubh

    Re: gentoo portage up to date?

    @robert

    BIND 9.4.2-P1 should be immune to this issue:

    http://www.isc.org/sw/bind/bind-security.php#matrix

    Is your DNS server behind a proxy firewall or NAT device that is de-randomizing the source ports?

    http://support.microsoft.com/kb/956190

  43. Subs McNubs
    Thumb Down

    BT - No suprises

    1. 194.72.6.57 (ns3.bt.net) appears to have POOR source port randomness and GREAT transaction ID randomness.

    2. 217.169.46.108 (217-169-46-108.bis-internet.co.uk) appears to have UNKNOWN source port randomness and UNKNOWN transaction ID randomness.

    Oh dear.

  44. Tom Smith Silver badge

    Mistral

    217.154.96.244 (adsl-217-154-96-244.mistral.co.uk) appears to have GREAT source port randomness and GREAT transaction ID randomness

    So that's alright then :)

    and I use OpenDNS at home.

  45. Rob Simmonds
    Thumb Up

    Aquiss

    Are Great all round according to the tester.

    Which is nice...

  46. This post has been deleted by its author

  47. Anonymous Coward
    Thumb Down

    nildram fail

    Name servers 213.208.106.212, 213.208.106.213

  48. Wokstation

    Title

    "Your ISP's name server, 80.3.128.148, has other protections above and beyond port randomization against the recently discovered DNS flaws. There is no reason to be concerned about the results seen below.Requests seen for a563cec7b068.doxdns5.com:

    80.3.128.148:33383 TXID=33827

    80.3.128.148:33421 TXID=26554

    80.3.128.148:33406 TXID=40195

    80.3.128.148:33373 TXID=9963

    80.3.128.148:33330 TXID=37889

    ISNOM:ISNOM TXID=ISNOM "

    From Tesco.net, a Virgin reseller.

  49. Chronos

    Re: gentoo portage up to date?

    Check your named.conf for "query_source" and remove/comment that line. Other possible causes are the rc script calling rndc reconfig rather than kill/exec, which will leave the running process resident and just cause it to re-read the config. Manually /etc/init.d/named zap && /etc/init.d/named start (or is it /etc/init.d/dns on Genitals? I forget...) as big bad root. You may also have a firewall/router in the path of the 'net connection undoing all your nice port randomness.

  50. Mal Franks

    Andrews & Arnold

    81.187.81.41 (lifeless.aaisp.net.uk) appears to have GREAT source port randomness and GREAT transaction ID randomness

  51. Galaxy Bob

    Kelloggs Frosties

    They'rrrrrrrrrrrrrreeee Grrrrrrrrrrrreat!

  52. Paul Taylor
    Unhappy

    Freeddom2Surf aka pipex aka Tiscali

    quoth www.doxpara.com, "Your name server, at 194.106.56.6, appears vulnerable to DNS Cache Poisoning. All requests came from the following source port: 32785"

  53. Anonymous Coward
    Thumb Up

    TeleDanmark

    14, 16, 16 and 16 bits of randomness. Can't ask for much more than that. Well, a cold beer and some crisps would be nice...

  54. Adrian Waterworth
    Alien

    Re: BT results

    Although the standard deviation test for randomness seems to give BT a POOR rating all the time, if you look at the scatter plots, there don't seem to be any obvious patterns (leastways there weren't when I ran the tests here), so I suspect that the BT servers are probably patched for this one.

    Perhaps they have some way to limit the port range that they use in requests/responses, so it's a random selection from a (relatively) small pool - hence POOR as far as a standard deviation test is concerned?

  55. John

    Orange DNS test

    Orange. On the DNS-OARC test, the source ports for the 2 Orange DNS's looked nonrandom. The plots of Source ports showed two parallel lines. This happened both for 193.36.79.100 (cache0.orange.net) and 193.36.79.101 (cache1.orange.net). The transaction ID plots are well scattered for both IP addresses. As Simon van der Walt reported, DNS-OARC says the results are great, but advises an eye check for randomness. Doxpara thinks the DNS's are ok, but advises a check for pattern and DNS-OARC shows the pattern.

  56. Anonymous Coward
    Anonymous Coward

    Vodafone mobile 3G

    My Vodafone UK 3G card gives me GOOD source port and GREAT transaction ID randomness.

  57. Photon
    Thumb Down

    iPhone surfing in the UK STILL not safe

    Seeing as o2 data are 'aware of the situation' but seemingly unwilling to do anything about it, they are still wide open (193.113.200.171) so anyone browsing the net on an iPhone could start to have fun in the very near future.

    You can only imagine the fun I had trying to get an answer out of them on the phone about when they were going to patch, and no, not the phone, the server...

  58. Anonymous Coward
    Thumb Up

    job's a good'un

    Our servers are all patched up and very happy. Cacti and Nagios confirm they're actually performing better.

  59. Tom
    Stop

    oops

    which idiot's idea was it to post vulnerable DNS severs here?!?

    you've just given the blackhats a nice list of targets!

  60. Richard Kay
    Alert

    Virgin Media

    1. 194.168.8.110 (winn-dnsbep-2.server.virginmedia.net) appears to have POOR source port randomness and GREAT transaction ID randomness.

    2. 194.168.8.109 (winn-dnsbep-1.server.virginmedia.net) appears to have POOR source port randomness and GREAT transaction ID randomness.

    Looking at the scatter plots it appears the source ports are randomised but within a very narrow range of 200 or so as opposed to the range of 65,000 or so which should be used. So the source port randomisation combined with the transaction ID randomness gives 8 + 16 = 24 bits of entropy compared to the 32 bits maximum possible. It is possible that Virgin Media may have other defences, e.g. against domains showing suspicious UDP packet storms involving many subdomains over a short duration.

  61. System Administrator
    Thumb Down

    @Tom

    "which idiot's idea was it to post vulnerable DNS severs here?!?"

    Strong words based on a shallow analysis of the situation I feel.

    a) The patch is available and, given it's severity, should have been implemented by now by anyone taking our money for ISP services - notwithstanding the possible costs or impact on network performance.

    b) It's inevitable the 'baddies' will have access to this comments section - but that's offset by us mere mortal users being able to concur here and find out if we have a vulnerable ISP - there is no other source of reliable information other than the likes of this.

    c) Do you honestly believe the 'black hat' community doesn't already have a comprehensive list already?

    d) It's an unfortunate fact of life that an attack on an ISP, or an increase in suspicious traffic, is more likely to spur them to patch than a very clear technical warning - which they have already had.

    Yes - on the face of it this exercise may appear foolish although to say so is plain crass. I see no horse in this stable - therefore I'll leave the door open as it stinks in here ....

  62. Daniel
    Unhappy

    Telenet in Belgium vulnerable

    Your name server, at 85.255.197.4, appears vulnerable to DNS Cache Poisoning.

    All requests came from the following source port: 32777

  63. John
    Thumb Down

    Bloody black-hats

    Well this is a pain in the arse,

    Guess I'll be doing an nslookup and whois on all sites before I give them any passwords or personal information.

  64. Anonymous Coward
    Thumb Up

    DNS hole

    Charles Johnson of LittleGreenFootballs [http://littlegreenfootballs.com/article/30617_DNS_Cache_Poisoning_Attacks]

    posted an advisory Saturday, July 12. That day I made the switch in my router to OpenDNS.

    DNS Resolver(s) Tested:

    1. 208.69.36.14 (bld4.chi.opendns.com) appears to have GREAT source port randomness and GREAT transaction ID randomness.

    Test time: 2008-08-01 12:19:59 UTC

  65. vagabondo
    Happy

    @Paul Taylor - F2S/Tiscali

    194.106.56.6 was deprecated as a Freedom2Surf nameserver last November. They changed to 212.139.132.44 and 212.139.132.43, which were patched some time ago. If your router gets its nameservers dynamically it would have updated itself.

  66. Bruce Ordway

    above and beyond

    Your ISP's name server, 68.87.77.132, has other protections above and beyond port randomization against the recently discovered DNS flaws. There is no reason to be concerned about the results seen below.Requests seen for 1c512a407263.doxdns5.com:

    68.87.77.132:17745 TXID=56457

    68.87.77.132:18005 TXID=8509

    68.87.77.132:17599 TXID=51463

    68.87.77.132:17774 TXID=3155

    68.87.77.132:17487 TXID=15795

    ISNOM:ISNOM TXID=ISNOM

  67. Ryan
    Thumb Down

    Bell Canada still vulnerable

    Bell in Canada seems vulnerable still.

    Your name server, at 70.52.198.134, appears vulnerable to DNS Cache Poisoning.

  68. Phil

    Recursion - So Why This Focus on 'Your' DNS Servers?

    Whether or not 'my' DNS server is patched, if it queries an unpatched server for the IP of an unknown domain and the unpatched server has been poisoned for this domain then surely 'my' DNS cache becomes poisoned too.

  69. This post has been deleted by its author

  70. Jeffrey Nonken
    Unhappy

    Omsoft (local ISP in Davis CA)

    1. 168.150.253.2 (spoke.dcn.davis.ca.us) appears to have POOR source port randomness and POOR transaction ID randomness.

    2. 168.150.253.1 (wheel.dcn.davis.ca.us) appears to have POOR source port randomness and POOR transaction ID randomness.

    3. 168.150.193.10 (indra.omsoft.com) appears to have POOR source port randomness and GREAT transaction ID randomness.

    Actually, one of their DNS servers seems not to work at all (there should be four entries here).

    I've added information to their entry in the Davis Wiki since this is kind of a local issue.

  71. Johnny Utah

    Verizon / FairPoint DSL iffy

    When I originally tried the test on DoxPara, it said my name server looked ok, but to check that the port numbers didn't appear to follow a predictable pattern, which some of them did. Now it says "Your name server, at 71.250.0.38, may be safe, but the NAT/Firewall in front of it appears to be interfering with its port selection policy. The difference between largest port and smallest port was only 65."

    These are the results of the other test:

    1. 71.250.0.36 appears to have POOR source port randomness and GREAT transaction ID randomness.

    2. 71.250.0.38 appears to have POOR source port randomness and GREAT transaction ID randomness.

    3. 71.250.0.39 appears to have POOR source port randomness and GREAT transaction ID randomness.

    I do things like pay my bills online, so the other day I called my ISP, FairPoint, to ask if they had addressed this problem. The number on their website actually connected me to Verizon tech support (from whom FairPoint recently bought the phone / internet business in this area). I spent something like an hour on the phone with them doing a lot of waiting and getting bounced around from person to person, and ultimately I got no information. The tech support people at this company are morons and had no idea what I was talking about and were unable to put me in touch with anyone who did.

    So what do these results mean, am I in good shape or not?

  72. Paul Murphy
    Thumb Up

    moved my router to OpenDNS and got better results

    The VM defaults were;

    Ok on doxpara, and

    poor/great on www.dns-oarc.net,

    so I changed to OpenDNS servers;

    doxpara seemed just as happy and

    great/great on www.dns-oarc.net,

    so happier here - unless this is all a great con and now my home network is getting added to another Bots'R'Us swarm.

    ho hum

  73. Joseph Helenihi
    Boffin

    @ System Administrator

    "offset by us mere mortal users being able to concur here and find out if we have a vulnerable ISP - there is no other source of reliable information other than the likes of this."

    Precisely stated logic, the mainstay of all that is computing. The fact that it was posted to El Reg solidifies the argument very nicely.

    Everyone else on here with an ISP using unpatched DNS and a story like Johnny Utah's should go to the OpenDNS site. Simply point your router or dialup client application to the safe DNSs offered therein.

    Waiting for a fix from a hamhanded ISP who simply wants your money at the expense of your security deserves neither. But, if they are the only game in town, you don't have to use their dodgy DNSs. You will likely have to reboot your router, and or your PC to get the new DNS addresses to work.

    http://www.opendns.com/

  74. Andrew Gallagher
    Thumb Up

    NTL Ireland (=UPC) looks OK

    doxpara: Your ISP's name server, 89.101.160.5, has other protections above and beyond port randomization against the recently discovered DNS flaws.

    dns-oarc: 1. 89.101.160.4 (ie-dub01a-dns01.upc.ie) appears to have GOOD source port randomness and GREAT transaction ID randomness. Test time: 2008-08-02 00:08:05 UTC

  75. jeffrey
    Thumb Up

    Be Unlimited

    Great for Both on dns-oarc

  76. John
    Thumb Down

    Virgin Media

    194.168.8.110 (winn-dnsbep-2.server.virginmedia.net) appears to have POOR source port randomness and GREAT transaction ID randomness.

    80.3.64.148 (brig-dnsany-1.server.virginmedia.net) appears to have POOR source port randomness and GREAT transaction ID randomness.

    194.168.8.109 (winn-dnsbep-1.server.virginmedia.net) appears to have POOR source port randomness and GREAT transaction ID randomness.

  77. Jim Morrow
    Paris Hilton

    How the DNS works

    >> Whether or not 'my' DNS server is patched, if it queries an unpatched server for the IP of an unknown domain and the unpatched server has been poisoned for this domain then surely 'my' DNS cache becomes poisoned too.

    No. The only way your server should query an unpatched server is when it is asking that unpatched server for authoritative data: ie when your server queries one of the name servers for google.com (say). Even if that google.com name server is unpatched, it will be serving authoritative data that it has loaded from disk. When it does that, the data it loads cannot be compromised by a cache poisoning attack. Besides, most authoritative servers don't *make* queries, they just answer them. If a DNS server doesn't make queries, it can't be spoofed and can't have its cache poisioned. Largely because it doesn't have a cache.

    I've used the Paris icon because even she knows how DNS works

  78. James Cleveland

    OpenDNS

    All is *GREAT*! Yaaay!

  79. Anonymous Coward
    Linux

    Videotron, Quebec

    Your ISP's name server, 24.200.241.97, has other protections above and beyond port randomization against the recently discovered DNS flaws. There is no reason to be concerned about the results seen below.

    Sweet.

  80. Anonymous Coward
    Unhappy

    Melita Cable

    Malta's biggest ISP is unpatched:

    "Your name server, at 212.56.128.196, appears vulnerable to DNS Cache Poisoning."

    Time to move to OpenDNS methinks.

  81. Jason
    Happy

    ADSL24/Entanet

    1. 62.189.58.210 (lnd4eusosrv39.lnd.ops.eu.uu.net) appears to have GREAT source port randomness and GREAT transaction ID randomness.

    2. 62.189.34.89 (lnd10eusosrv175.lnd.ops.eu.uu.net) appears to have GREAT source port randomness and GREAT transaction ID randomness.

    Looking good :D

  82. Anonymous Coward
    Alien

    cox in arizona mostly good

    68.105.28.51 (ip68-105-28-51.at.at.cox.net) appears to have POOR source port randomness and GREAT transaction ID randomness.

    68.2.16.27 (chnddnss06.ph.ph.cox.net) appears to have GREAT source port randomness and GREAT transaction ID randomness.

  83. David Greaves
    Thumb Down

    freedom2surf.net :: POOR

    194.106.56.6 (server0009.freedom2surf.net) appears to have POOR source port randomness and GREAT transaction ID randomness.

  84. Anonymous Coward
    Thumb Down

    No shock here

    Rogers - Canada - Too busy counting money - no time to patch....

    Your name server, at 64.71.246.85, appears vulnerable to DNS Cache Poisoning.

    All requests came from the following source port: 34212

    Due to events outside our control, details of the vulnerability have been leaked. Please consider using a safe DNS server, such as OpenDNS. Note: Comcast users should not worry.Requests seen for 61c747213638.doxdns5.com:

    64.71.246.85:34212 TXID=60558

    64.71.246.85:34212 TXID=14499

    64.71.246.85:34212 TXID=39035

    64.71.246.85:34212 TXID=36982

    64.71.246.85:34212 TXID=20736

This topic is closed for new posts.

Other stories you might like