[afnog] Big DNS vulnerability (Here is my finds and Quickst Solution 4 those running BIND on Centos or Fedora Linux Distros)...

Hari Kurup kurup at afrinic.net
Sat Jul 26 10:04:02 UTC 2008

On 26/07/2008 11:46, Maina Noah wrote:-
> got you. The funny thing is, the test on the web sends back a positive
> result when i test the same centos box using the dns check tool from
> <https://www.dns-oarc.net/>https://www.dns-oarc.net/
> Both the Source port randomness and Transaction ID randomness were GREAT.
> Now on the box itself, i noted one strange thing. See outputs below. The
> first dig test does not generate an error. But the second dig output
> does generate an ID mis-match error.
> Is it because of the @ns1.yourdomain.co.tz. I guess it is. But both
> tests give a positive responce of GOOD though the standard deviation
> values vary.

In the first test, it is probably picking a different resolver from your
resolv.conf file.

As for the tests on dns-oarc, I get confusing results myself.

dig returns POOR but the web page returns GREAT.
(PS: In both cases I am using only as my resolver).


More information about the afnog mailing list