[olug] DNS exploit VU#800113 - should we be alarmed?

Jay Hannah jay at jays.net
Tue Jul 15 18:46:16 UTC 2008


On Jul 15, 2008, at 1:32 PM, Jay Hannah wrote:
> http://www.circleid.com/posts/87143_dns_not_a_guessing_game/
> http://www.kb.cert.org/vuls/id/800113

Uh oh...?   POOR is bad, apparently.

I can't figure out if I should be scared or not.

j




13:40 <@waswas> jhannah: with a new(er) version of dig you can test your environment's susceptibility with "dig porttest.dns-oarc.net in txt"  FAIR or GOOD means you have no worries, anything else and you are SOL on aug 7th

$ dig porttest.dns-oarc.net in txt

; <<>> DiG 9.3.4 <<>> porttest.dns-oarc.net in txt
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21288
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;porttest.dns-oarc.net.         IN      TXT

;; ANSWER SECTION:
porttest.dns-oarc.net.  5       IN      CNAME   z.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.pt.dns-oarc.net.
z.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.pt.dns-oarc.net. 60 IN TXT "63.174.225.42 is POOR: 26 queries in 1.9 seconds from 1 ports with std dev 0.00"

;; AUTHORITY SECTION:
z.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.pt.dns-oarc.net. 60 IN NS ns.z.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.pt.dns-oarc.net.

;; Query time: 4221 msec
;; SERVER: 10.0.33.164#53(10.0.33.164)
;; WHEN: Tue Jul 15 13:41:40 2008
;; MSG SIZE  rcvd: 217
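
Added example, not part of the original post: a small shell check that reads the porttest TXT answer shown above and turns it into an exit code, using the rule from the IRC message (FAIR or GOOD passes, anything else fails). The function names and the GOOD sample are constructed for illustration; the POOR sample is the answer from this post.

```shell
#!/bin/sh
# Added example: interpret the TXT verdict from "dig porttest.dns-oarc.net in txt".

# The TXT answer from the post above, kept with its mail line-wrapping.
SAMPLE_POOR='z.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.pt.dns-oarc.net.
60 IN TXT "63.174.225.42 is POOR: 26 queries in 1.9 seconds from 1
ports with std dev 0.00"'
# Constructed sample (documentation address, invented figures) for the passing case.
SAMPLE_GOOD='"192.0.2.53 is GOOD: 26 queries in 2.0 seconds from 26 ports with std dev 17822.45"'

# porttest_summary: dig output on stdin -> "<resolver> <rating> <ports> <stddev>".
# Fails (non-zero) when no verdict string is present.
porttest_summary() {
    # Flatten whitespace first so wrapped or multi-line output still matches.
    { tr '\t\r\n' '   ' | tr -s ' '; echo; } |
    sed -n 's/.*"\([0-9a-fA-F.:]*\) is \([A-Z]*\): [0-9]* queries in [0-9.]* seconds from \([0-9]*\) ports with std dev \([0-9.]*\)".*/\1 \2 \3 \4/p' |
    grep .
}

# porttest_check: 0 for FAIR or GOOD (the ratings the IRC message treats as safe),
# 1 for any other rating, 2 when the output could not be parsed.
porttest_check() {
    summary=$(porttest_summary) || return 2
    set -- $summary
    echo "resolver=$1 rating=$2 source_ports=$3 stddev=$4"
    case $2 in
        FAIR|GOOD) return 0 ;;
        *) return 1 ;;
    esac
}

# Live use (needs network): dig +short porttest.dns-oarc.net in txt | porttest_check
printf '%s\n' "$SAMPLE_POOR" | porttest_check || echo "verdict is not FAIR/GOOD"
```

The resolver address in the verdict is the one that actually contacted the test server, which can differ from the SERVER line dig prints (here 63.174.225.42 versus 10.0.33.164), so that is the resolver the rating applies to.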



