$ dig @ns1.example.net +short porttest.dns-oarc.net TXTYou should get back an answer that looks like this:
z.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.pt.dns-oarc.net.Your resolver's randomness will be rated either GOOD, FAIR, or POOR, based on the standard deviation of observed source ports. In order to receive a GOOD rating, the standard deviation must be at least 10,000. For FAIR it must be at least 3,000. Anything less is POOR. The best standard deviation you can expect to see from 26 queries is in the 18,000-20,000 range.
"169.254.0.1 is FAIR: 26 queries in 0.1 seconds from 25 ports with std dev 3843.00"
DNS records used in this test are given 60 second TTLs. To repeat the test you should wait at least 60 seconds.>>> https://www.dns-oarc.net/oarc/services/porttest
Quick take away:
- Patch your DNS ASAP.
- Disable recursion on DNS helps reducing the risk on being attacked.
- Using SSL (e.g. HTTPS) helps in reducing the risk on being cache poisoning.
- It only takes 5~10 seconds to poison the cache.
- A recursive servers behind a NAT gateway: a good caching nameserver hidden behind a firewall that's undoing the port randomisation leaves your server vulnerable.
- Nameservers that are authoritative only are not vulnerable.
- Setting high TTL for your authoritative zone won't help vulnerable resolvers from being poisoned.
- DNS client (running at most workstations/servers that resolve to upstream nameservers) need to be patched too.
- Exploit and patch are available for download now.