July 29, 2008 5:16 PM PDT

The best test for vulnerability to the DNS flaw

by Michael Horowitz

Not only is there a flaw in the Domain Name System, there is also a flaw in the suggested ways to test whether your computer is vulnerable.

Many articles suggest going to Web site x or y to run vulnerability tests. (I'm guilty of this too.) But the nature of the problem is that you can't trust Web site names.

The fallacy is simple: use a name you can't trust to see if you can trust a name.

As I explained in "What you need to know about the latest DNS flaw," every Web site can be accessed by an IP address. The DNS flaw does not affect this rare, but quite valid, method of addressing Web sites. Thus, it's the best approach for an online vulnerability test.

One often-cited vulnerability test is offered by the DNS Operations, Analysis, and Research Center (DNS-OARC) at: https://www.dns-oarc.net/oarc/services/dnsentropy

I asked them about using an IP address to get to their online test and was told (thanks, Duane) that the test is also available at:

http://149.20.3.33/test/

To me, this is the best vulnerability test for the current DNS flaw.

While this link bypasses the introduction to the topic offered by DNS-OARC, hopefully your computer is safe and you won't need to read about the problem. If all is well, it will report "great" for both the source port randomness and the transaction ID randomness.
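To make the two ratings concrete, here is an added example (my own illustration, not DNS-OARC's test code) that scores a resolver's source port and transaction ID randomness from a handful of observed queries. The samples are constructed, and the POOR/GREAT thresholds are a simple heuristic of mine, not the scoring DNS-OARC uses.

```python
import math
import random
from collections import Counter

# Constructed samples standing in for what a test server observes on successive
# queries from one resolver: (UDP source port, DNS transaction ID).
# Fixed port plus a counter for the TXID: both values are trivially guessable.
POOR_RESOLVER = [(32768, 0x1000 + i) for i in range(20)]
# Cycles through a pool of four ports but draws TXIDs at random.
_rng = random.Random(2008)  # seeded so the example is reproducible
FEW_PORTS_RESOLVER = [(1024 + (i % 4) * 1000, _rng.randint(0, 65535)) for i in range(20)]
# Draws both values from the whole range.
GOOD_RESOLVER = [(_rng.randint(1024, 65535), _rng.randint(0, 65535)) for _ in range(20)]


def entropy_bits(values):
    """Shannon entropy of the sample in bits; the maximum is log2(len(values))."""
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values())


def looks_sequential(values):
    """True when every value is the previous one plus one: a counter, not a random draw."""
    return all(b - a == 1 for a, b in zip(values, values[1:]))


def rate(values):
    """Heuristic rating for one field (ports or TXIDs) of a query sample."""
    if len(set(values)) == 1 or looks_sequential(values):
        return "POOR"
    # Close to the maximum entropy for this sample size means no repeats and no
    # small pool; well below it means the values come from a small or biased set.
    if entropy_bits(values) >= math.log2(len(values)) - 0.5:
        return "GREAT"
    return "POOR"


def assess(samples):
    """Return (port_rating, txid_rating) for a list of (port, txid) observations."""
    ports = [p for p, _ in samples]
    txids = [t for _, t in samples]
    return rate(ports), rate(txids)


def report(resolver, samples):
    """One line in the same shape as the DNS-OARC test output."""
    port_rating, txid_rating = assess(samples)
    return (f"{resolver} appears to have {port_rating} source port randomness "
            f"and {txid_rating} transaction ID randomness.")
```

A resolver that rates POOR on source ports but GREAT on transaction IDs, as the Comcast results in the comments below show, is still exposed: only about 16 bits of the guessable space are random.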

If you are vulnerable, see "A cheatsheet for defending against the DNS flaw."

See a summary of all my Defensive Computing postings.

Michael Horowitz is an independent computer consultant and the author of several classes on Defensive Computing. He is a member of the CNET Blog Network, and is not an employee of CNET. Disclosure.
by Pete Bardo July 30, 2008 9:55 AM PDT
Hey, that test using the IP address redirects to "http://0a449ba8531fbf93d23142f8.et.dns-oarc.net/", which is unavailable. It hardly does any good to access a test site using the IP address if it's redirected to a domain name. That makes it dependent on DNS all over again. Did you even try this link before posting it?
by mhinnewyork July 31, 2008 9:20 PM PDT
The unavailability was temporary. Perhaps they're overloaded or they were under attack. Michael
by dbjohnson2 July 30, 2008 4:19 PM PDT
Michael,

How about some comments about how to interpret the results of the test. I got the following results when I ran the test using the IP address given in this post:

DNS Resolver(s) Tested:

1. 68.87.71.228 (chlm-cns02.chelmsfdrdc2.ma.boston.comcast.net) appears to have POOR source port randomness and GREAT transaction ID randomness.
2. 68.87.73.243 (mana-cns01.manassaspr.va.dc02.comcast.net) appears to have POOR source port randomness and GREAT transaction ID randomness.

So, should I be concerned or not?

Doug
by mhinnewyork July 31, 2008 9:23 PM PDT
Yes, you should be concerned. The server side patch created greater source port randomness. Michael Horowitz
by briancgraham July 30, 2008 10:57 PM PDT
I highly recommend using OpenDNS for your DNS needs. Business or home user. It's free, fast, helps protect from phishing websites and rates MUCH higher on this test than Comcast DNS servers.

Check it out: http://www.OpenDNS.com or http://www.opendns.com/features/overview/

DNS Resolver(s) Tested:
208.67.216.13 (bld3.sea.opendns.com) appears to have GREAT source port randomness and GREAT transaction ID randomness.
208.67.216.14 (bld4.sea.opendns.com) appears to have GREAT source port randomness and GREAT transaction ID randomness.
Test time: 2008-07-31 05:54:29 UTC
by mhinnewyork July 31, 2008 9:25 PM PDT
Agreed. I wrote about OpenDNS in December 2007. See
http://blogs.cnet.com/8301-13554_1-9834579-33.html
and
http://blogs.cnet.com/8301-13554_1-9835649-33.html
Michael Horowitz