[afnog] Big DNS vulnerability (Here is my finds and Quickst Solution 4 those running BIND on Centos or Fedora Linux Distros)...
kurup at afrinic.net
Sat Jul 26 10:04:02 UTC 2008
On 26/07/2008 11:46, Maina Noah wrote:-
> got you. The funny thing is, the test on the web sends back a positive
> result when i test the same centos box using the dns check tool from
> Both the Source port randomness and Transaction ID randomness were GREAT.
> Now on the box itself, i noted one strange thing. See outputs below. The
> first dig test does not generate an error. But the second dig output
> does generate an ID mis-match error.
> Is it because of the @ns1.yourdomain.co.tz. I guess it is. But both
> tests give a positive responce of GOOD though the standard deviation
> values vary.
In the first test, it is probably picking a different resolver from your
As for the tests on dns-oarc, I get confusing results myself.
dig returns POOR but the web page returns GREAT.
(PS: In both cases I am using only 127.0.0.1 as my resolver).
More information about the afnog