[gull] comment tester son DNS

Erik Rossen rossen at linux-gull.ch
Thu Jul 24 21:13:18 CEST 2008


For those who want to know whether their DNS resolver is secure, here is a quick
test:

dig +short porttest.dns-oarc.net TXT z.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.pt.dns-oarc.net.

For more explanation, here is a copy-paste from
https://www.dns-oarc.net/oarc/services/porttest :

-----------------------------------------------------------------------
 porttest.dns-oarc.net -- Check your resolver's source port behavior

Yesterday's announcement of CERT VU#800113 makes it clear that resolvers
should use random source ports when sending queries. Here at
OARC, we've crafted a special DNS name and server that you can query to
learn whether or not your own resolver is using random ports. Use a DNS
query tool such as dig to ask for the TXT record of
porttest.dns-oarc.net:

    $ dig +short porttest.dns-oarc.net TXT

You should get back an answer that looks like this:

    z.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.pt.dns-oarc.net.
    "169.254.0.1 is FAIR: 26 queries in 0.1 seconds from 25 ports with std dev 3843.00"

Your resolver's randomness will be rated either GOOD, FAIR, or POOR,
based on the standard deviation of observed source ports. In order to
receive a GOOD rating, the standard deviation must be at least 10,000.
For FAIR it must be at least 3,000. Anything less is POOR. The best
standard deviation you can expect to see from 26 queries is in the
18,000-20,000 range.

DNS records used in this test are given 60 second TTLs. To repeat the
test you should wait at least 60 seconds.

Note that you can tell dig to test a specific resolver with an
@-argument:

    $ dig @4.2.2.3 +short porttest.dns-oarc.net TXT

-----------------------------------------------------------------------

-- 
Erik Rossen                               OpenPGP key: 2935D0B9
rossen at rossen.ch                          If you do not know what
http://people.linux-gull.ch/rossen        to do, start with RTFM.
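As an added example (not part of the post above and not DNS-OARC's code), the script below reproduces the rating logic the OARC text describes: take the source ports a resolver used for a burst of queries, compute their standard deviation, and rate GOOD (>= 10,000), FAIR (>= 3,000) or POOR. It also shows why a fully randomized resolver lands in the 18,000-20,000 range the text mentions: the standard deviation of a port drawn uniformly from 1024-65535 is (65535 - 1024) / sqrt(12), about 18,600. The page does not say whether OARC uses the population or sample standard deviation; the population form is assumed here, and the difference is irrelevant at these thresholds. The tcpdump parser and the capture lines are constructed for the example (assumed `tcpdump -n` output format) so that a resolver that cannot reach porttest.dns-oarc.net, such as an internal one, can be checked from its own outbound traffic.

```python
"""Rate a resolver's source-port randomness the way porttest.dns-oarc.net does.

Added example; not code from DNS-OARC or from the mailing-list post.
"""
import math
import random
import re

# Thresholds quoted from the OARC description in the post.
GOOD_MIN = 10_000
FAIR_MIN = 3_000

# Assumed `tcpdump -n udp dst port 53` line shape (not from the post), e.g.
#   "21:13:18.000001 IP 192.0.2.10.53127 > 192.0.2.53.53: 1+ A? a.example. (27)"
# Only the client's source port (the part before " > ") is captured; replies
# from port 53 back to the resolver do not match because they end in ".53: "
# on the wrong side of the arrow.
_SPORT_RE = re.compile(r" IP \S+?\.(\d+) > \S+\.53: ")

# Constructed capture: a resolver that reuses one source port for every query,
# plus one reply line that must be ignored.
CAPTURE = """\
21:13:18.000001 IP 192.0.2.10.53127 > 192.0.2.53.53: 1+ A? a.example. (27)
21:13:18.000002 IP 192.0.2.10.53127 > 192.0.2.53.53: 2+ A? b.example. (27)
21:13:18.000003 IP 192.0.2.10.53127 > 192.0.2.53.53: 3+ A? c.example. (27)
21:13:18.000004 IP 192.0.2.53.53 > 192.0.2.10.53127: 1 1/0/0 A 198.51.100.1 (43)
""".splitlines()

# Constructed port sets for the two other behaviours worth recognising.
SEQUENTIAL = list(range(1024, 1050))               # 26 incrementing ports
SPREAD = [1024 + 2580 * i for i in range(26)]       # 26 ports evenly over 1024-65524


def port_stddev(ports):
    """Population standard deviation of the observed source ports."""
    n = len(ports)
    if n < 2:
        raise ValueError("need at least two queries to measure spread")
    mean = sum(ports) / n
    return math.sqrt(sum((p - mean) ** 2 for p in ports) / n)


def rate(ports):
    """Return (rating, std_dev, distinct_port_count) using OARC's thresholds."""
    sd = port_stddev(ports)
    if sd >= GOOD_MIN:
        rating = "GOOD"
    elif sd >= FAIR_MIN:
        rating = "FAIR"
    else:
        rating = "POOR"
    return rating, sd, len(set(ports))


def expected_uniform_stddev(lo=1024, hi=65535):
    """Std dev of one port drawn uniformly from [lo, hi]: (hi - lo) / sqrt(12).

    This is the ceiling a perfectly random resolver approaches, and it explains
    the 18,000-20,000 figure in the OARC text.
    """
    return (hi - lo) / math.sqrt(12)


def ports_from_tcpdump(lines):
    """Extract query source ports from tcpdump -n lines (assumed format)."""
    ports = []
    for line in lines:
        m = _SPORT_RE.search(line)
        if m:
            ports.append(int(m.group(1)))
    return ports


def describe(label, ports):
    rating, sd, distinct = rate(ports)
    return "%s: %s (%d queries from %d ports, std dev %.2f)" % (
        label, rating, len(ports), distinct, sd)


if __name__ == "__main__":
    print(describe("fixed port (from capture)", ports_from_tcpdump(CAPTURE)))
    print(describe("sequential ports", SEQUENTIAL))
    print(describe("evenly spread ports", SPREAD))
    rng = random.Random(2008)  # seeded only so the demo is repeatable
    print(describe("26 random ports", [rng.randint(1024, 65535) for _ in range(26)]))
    print("uniform 1024-65535 gives std dev %.0f" % expected_uniform_stddev())
```

To check a real resolver this way, run `tcpdump -n udp dst port 53` on the resolver host while it answers a burst of queries for names it has not cached, then feed the lines to `ports_from_tcpdump` and `rate`. A fixed or incrementing port is rated POOR here exactly as OARC would rate it, since the standard deviation of 26 consecutive ports is only 7.5.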