DNS Randomness Test

Discussion in 'Windows Vista Security' started by Kayman, Jul 28, 2008.

  1. Kayman

    Kayman Guest

    "The test takes a few seconds to complete. When it's done you'll see a page
    where the transaction ID and source port randomness will be rated either
    GREAT, GOOD, or POOR. If you see a POOR rating, we recommend that you contact
    your ISP and ask if they have plans to upgrade their nameserver software
    before August 7th."
    https://www.dns-oarc.net/oarc/services/dnsentropy
     
    Kayman, Jul 28, 2008
    #1

  2. Kayman

    Twayne Guest

    | "The test takes a few seconds to complete. When it's done you'll see a
    Umm, I'd beware any stranger offering advice in case that appeals to
    you. It's outright spam to begin with and of no known value or
    recognition otherwise. It's designed to make you curious and want to
    visit that URL where who knows what might go on? It'd be funny if it
    weren't so stupid!
     
    Twayne, Jul 28, 2008
    #2

  3. Kayman

    Geoff Guest

    As an advisory it lacks any real information. This is supposed to be an
    advisory about the Kaminsky DNS vulnerability but is of limited use to end
    users other than to generate grass roots movement from users to get ISPs
    to upgrade their DNS code.

    The full text of the dns-oarc.net page follows:

    ----------------------

    US-CERT's Vulnerability Note VU#800113 describes deficiencies in the DNS
    protocol and implementations that can facilitate cache poisoning attacks.
    The answers from a poisoned nameserver cannot be trusted. You may be
    redirected to malicious web sites that will try to steal your identity or
    infect your computers with malware. On August 7, 2008, Dan Kaminsky will
    release the details of how such attacks can be launched against vulnerable
    DNS resolvers.

    The essence of the problem is that DNS resolvers don't always use enough
    randomness in their transaction IDs and query source ports. Increasing the
    amount of randomness increases the difficulty of a successful poisoning
    attack.

    This page exists to help you learn if your ISP's nameservers are vulnerable
    to this type of attack. If you click on the button below, we will test the
    randomness of your ISP DNS resolver.


    The test takes a few seconds to complete. When it's done you'll see a page
    where the transaction ID and source port randomness will be rated either
    GREAT, GOOD, or POOR. If you see a POOR rating, we recommend that you contact
    your ISP and ask if they have plans to upgrade their nameserver software
    before August 7th.

    See porttest for another way to check your resolver from a Unix
    commandline.
     
    Geoff, Jul 28, 2008
    #3
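
The kind of rating the quoted page describes, sketched as an added example (not part of the thread and not the dns-oarc.net tool's code): it scores the source ports or transaction IDs seen in consecutive queries from one resolver. The sample values, the function names and the POOR/GOOD/GREAT cut-offs are assumptions made for this illustration.

```python
import math
import statistics

SPACE = 65536  # the transaction ID and the UDP source port are both 16-bit fields

# Constructed samples: 12 consecutive queries from three hypothetical resolvers.
FIXED_PORT = [32768] * 12                             # same source port every time
COUNTER_PORT = [1025 + 2500 * i for i in range(12)]   # wide spread, constant step
RANDOM_PORT = [50321, 1893, 27644, 61002, 14377, 39910,
               8256, 57719, 33105, 22468, 45873, 4790]

def rate(values):
    """Rate a series of 16-bit values seen in consecutive queries."""
    stdev = statistics.pstdev(values)
    # A uniform spread of width w has standard deviation w / sqrt(12); invert
    # that to estimate how wide a range the resolver is really drawing from.
    width = stdev * math.sqrt(12)
    bits = min(16.0, math.log2(width)) if width > 1 else 0.0
    # A constant step between consecutive values (0 = fixed, 1 = counter, ...)
    # is predictable no matter how widely the values are spread.
    steps = {(b - a) % SPACE for a, b in zip(values, values[1:])}
    predictable = len(values) > 2 and len(steps) == 1
    if predictable:
        bits = 0.0
    # Cut-offs are assumptions for this example, not the OARC tool's.
    rating = "POOR" if bits < 10 else "GOOD" if bits < 14 else "GREAT"
    return {"stdev": round(stdev), "bits": round(bits, 1),
            "predictable": predictable, "rating": rating}

def forgery_search_space(port_bits, id_bits):
    """Number of (source port, transaction ID) pairs a forged reply must match."""
    return 2 ** (port_bits + id_bits)

if __name__ == "__main__":
    for name, sample in [("fixed", FIXED_PORT), ("counter", COUNTER_PORT),
                         ("random", RANDOM_PORT)]:
        result = rate(sample)
        # Assume the transaction ID itself is fully random (16 bits).
        print(name, result, forgery_search_space(result["bits"], 16.0))
```

The counter case shows why spread alone is not enough: its standard deviation is large, yet every next port can be computed from the previous one.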
  4. | Umm, I'd beware any stranger offering advice in case that appeals to
    | you. It's outright spam to begin with and of no known value or
    | recognition otherwise. It's designed to make you curious and want to
    | visit that URL where who knows what might go on? It'd be funny if it
    | weren't so stupid!



    No. Both Kayman and the site are legitimate and most importantly this is a good test
    concerning the US CERT Vulnerability Note VU#800113

    Reference:
    http://www.kb.cert.org/vuls/id/800113

    This is NOT spam!
     
    David H. Lipman, Jul 28, 2008
    #4
  5. Kayman

    Lon Guest

    I'd also beware of self-appointed security experts who do not recognize
    the site www.dns-oarc.net.
     
    Lon, Jul 29, 2008
    #5
  6. But how do we know that clicking that link will actually
    resolve to that (considering the topic) legitimate site? :O)

    URLs are not dangerous, however the software you run to
    access them may well be.
     
    FromTheRafters, Jul 29, 2008
    #6
  7. Kayman

    Lon Guest

    Klothnet nslookup if your software doesn't display the full encoded
    url on mouseover.
    Most of the problems are just above and behind the keyboard.
     
    Lon, Jul 29, 2008
    #7
  8. Kayman

    Twayne Guest

    f'ups set to msp sec... .virus to save gas, I mean, ether.


    None the less, it is spam and as such is subject to all the things spam
    is worthy of: nothing. I repeat: "It's designed to make you curious
    and want to
    Spam is spam and you are a spammer.
    And speaking of "experts", you seem totally unaware that spam isn't
    acceptable, and also that redirections are easy. If you think that URL
    is so well known, you have another think coming. It is NOT a recognized
    web site for security aspects. In fact:

    It's blacklisted at APEWS-L1: (SPEWS replacement)
    -----------------------------------------------
    http://openrbl.org/client/#www.dns-oarc.net
    APEWS_L1 - Anon PM Early Warning System - Level 1
    RHS: Spamvertized Domains and alike
    homepage: http://apews.org/
    type: HOST (RHS) Blacklist
    zone: l1.apews.rhsbl.uceprotect.net
    status: Blocklisted at l1.apews.rhsbl.uceprotect.net
    -----------------------------------------------
    WAS recently listed at SORBS,
    ----------------------------------------------
    and is mired in a long list of AS horizontals and verticals that most
    would only use for the purpose of making it difficult to trace them
    specifically. Hmm, now who would want that? Oh! I know! Spammers!

    lookup: http://apews.org/?page=test&ip=www.dns-oarc.net
    http://www.uceprotect.net/en/apews.html

    public.dns-oarc.net

    public.dns-oarc.net has one IP record . www.dns-oarc.net point
    to the same IP.
    network-scanner-230-for-more-info-see.public.dns-oarc.net and
    network-scanner-224-for-more-info-see.public.dns-oarc.net are subdomains
    to this hostname.
    --------------------------------------

    NOW, IDIOT SPAMMER, I gave you a pass on reporting you since it appeared
    you might not know what you're doing. But from just 3 minutes worth of
    research I can see you not only know what you're doing is spamming, but
    you are still spamming even though you're dropped by at one list and
    have been noted at around 8 other lists. SORBS may have "dropped" you
    but rest assured it won't take a lot to put you back on their list.

    If I come across you again on ANY group, forum or other means, rest
    assured I will not hassle you, but I WILL report you for spamming, and
    I'll resurrect the discussions at nanae for you using your own tripe as
    proof!
    So either get your ass out of here or be prepared to start looking
    for other resources again. It looks like discussions at nanae would be
    pretty easy to reopen; it's only been a short period of time.
    Don't address me again: I only give one warning.

    HTH (you provide the word for the last H)
     
    Twayne, Jul 29, 2008
    #8
  9. Kayman

    Kayman Guest

    Kayman, Jul 29, 2008
    #9
  10. Kayman

    Newell White Guest


    Those of us who have reached the age of discretion right click on the link,
    then copy and paste into our browser's address bar.

    We get lots of practice at this because our incoming e-mails are shown in
    plain text format.

    We are suspicious old farts who plan on living a long time.
     
    Newell White, Jul 29, 2008
    #10
  11. Which doesn't address the DNS poisoning issue. Any URL at all
    (requiring a lookup) is suspect. Only comparing returns from a known
    good name server can confirm if the URL's friendly name is actually
    where your browser will be directed.
    ..
     
    FromTheRafters, Jul 29, 2008
    #11
  12. Kayman

    Newell White Guest

    Point taken.
    But even before the DNS issue using the Internet involves a certain amount
    of trust.
     
    Newell White, Jul 29, 2008
    #12
  13. Kayman

    Twayne Guest

    Yes, it does. But clicking a link in any spam is asking for trouble
    sooner or later.
     
    Twayne, Jul 29, 2008
    #13
  14. From: "Twayne" <>



    | Yes, it does. But clicking a link in any spam is asking for trouble
    | sooner or later.


    Except this was a legitimate post and was in no way shape or form 'spam'.
     
    David H. Lipman, Jul 29, 2008
    #14
  15. Kayman

    John Guest

    I'm not sure how these tools work but they seem to automatically "pick" our
    ISP's DNS IP address to scan. The thing is the IP address doesn't
    necessarily match the ones I'm using (also belong to my ISP). As an example,
    I'm using x.x.x.x as my resolver but the tools pick up y.y.y.y and tell me
    that the test is good (it's been patched). Both x.x.x.x and y.y.y.y are my
    ISP's DNS servers.

    I understand that they have multiple addresses (may be hundreds/thousands
    depending on ISP size). My question is:
    Is there a tool that lets us input IP address to scan?

    Or is it safe to assume that if my ISP DNS at x.x.x.x (as seen by the tools
    at dns-oarc.net or doxpara.com) has been patched, they have patched the rest
    of their DNS servers and therefore it is safe to use any of their DNS?

    Thanks in advance.
     
    John, Jul 29, 2008
    #15
  16. Kayman

    Kayman Guest

    Yes, that seems to be the procedure.
    Talk to your Internet Service Provider (ISP); they probably issue dynamic IP
    addresses.
    FYI:
    http://searchwindevelopment.techtarget.com/sDefinition/0,,sid8_gci520967,00.html
    Don't know, sorry.
    I'd assume it's safe; If in doubt talk to the ISP.
    Let us know their response.
     
    Kayman, Jul 30, 2008
    #16
  17. This guy hates spam.

    To a hammer, everything looks like a nail. :eek:)
     
    FromTheRafters, Jul 30, 2008
    #17
  18. From: "FromTheRafters" <>



    | This guy hates spam.

    | To a hammer, everything looks like a nail. :eek:)



    :)
     
    David H. Lipman, Jul 30, 2008
    #18
  19. ....and a certain amount of luck. :eek:)

    DNS is like the mother of all hosts files and adware/foistware has
    already shown how useful the name servers can be for increasing
    overall stickiness.
     
    FromTheRafters, Jul 30, 2008
    #19
  20. You know, I have yet to see a single posting from you that makes any
    sense..... Welcome to the Kill File (along with this thread.......)....

    --

    Regards,
    Hank Arnold
    Microsoft MVP
    Windows Server - Directory Services
     
    Hank Arnold (MVP), Jul 30, 2008
    #20