Kaminsky’s DNS vulnerability

Post date: May 31, 2012 8:38:00 PM

Originally posted July 25, 2008

One of the biggest Internet related vulnerabilities I’ve seen thus far was announced on 7-9-2008. To test your own DNS servers, (note that this might be your NAT router/gateway which would also need to be patched):

From https://www.dns-oarc.net/oarc/services/porttest:

Yesterday’s announcement of CERT VU#800113 makes it clear that resolvers should use random source source ports when sending queries. Here at OARC, we’ve crafted a special DNS name and server that you can query to learn whether or not your own resolver is using random ports. Use a DNS query tool such as dig to ask for the TXT record of porttest.dns-oarc.net:

$ dig +short porttest.dns-oarc.net TXT

You should get back an answer that looks like this:

z.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.pt.dns-oarc.net.

“169.254.0.1 is FAIR: 26 queries in 0.1 seconds from 25 ports with std dev 3843.00″

Your resolver’s randomness will be rated either GOOD, FAIR, or POOR, based on the standard deviation of observed source ports. In order to receive a GOOD rating, the standard deviation must be at least 10,000. For FAIR it must be at least 3,000. Anything less is POOR. The best standard deviation you can expect to see from 26 queries is in the 18,000-20,000 range.

DNS records used in this test are given 60 second TTLs. To repeat the test you should wait at least 60 seconds.

Note that you can tell dig to test a specific resolver with an @-argument:

$ dig @4.2.2.3 +short porttest.dns-oarc.net TXT

The patches coming out for this vulnerability are really a workaround to make things harder to exploit. The end solution will be along the lines of applying DNSSEC, although it will require quite a bit of changes to occur at the ISP level.