DNS vulnerability issue

Your name server, at 196.207.40.167, may be safe, but the NAT/Firewall in front of it appears to be interfering with its port selection policy. The difference between largest port and smallest port was only 221.
Very interesting! I'll test again tonight.
 
Cape Town, internet APN, PPDB:
Your name server, at 196.207.40.165, appears to be safe, but make sure the ports listed below aren't following an obvious pattern.
Requests seen for 1f05e6f1a190.toorrr.com:
196.207.40.165:20970 TXID=36074
196.207.40.165:56966 TXID=37368
196.207.40.165:11670 TXID=38001
196.207.40.165:34513 TXID=871
196.207.40.165:35532 TXID=40799
 
In Corlett DRIVE, ILLOVO, Jhb

Your name server, at 196.43.38.190, appears to be safe, but make sure the ports listed below aren't following an obvious pattern.
--------------------------------------------------------------------------------
Requests seen for e1752dcc6b55.toorrr.com:
196.43.38.190:14000 TXID=4448
196.43.38.190:20729 TXID=2239
196.43.38.190:47863 TXID=54801
196.43.38.190:15475 TXID=19736
196.43.38.190:56937 TXID=26173
 
Here's one for the paranoid androids: if your ISP's DNS server is poisoned, how do you know that you are going to the real doxpara website, and not being re-directed to a fake one that reports your server is OK? ;)

DNSstuff have a graphical DNS Vulnerability Check, and it is also available by IP address: http://75.125.82.165/tools/vu800113.php.

PS: Just because you are paranoid, doesn't mean they're not really after you!
 
Hi Ginggs,

I'm still getting the following results on doxpara:

Your ISP's name server, 196.207.40.167, has other protections above and beyond port randomization against the recently discovered DNS flaws. There is no reason to be concerned about the results seen below.
Requests seen for 96328d96ab15.toorrr.com:

196.207.40.167:61430 TXID=32054
196.207.40.167:61554 TXID=51555
196.207.40.167:61426 TXID=38654
196.207.40.167:61447 TXID=54380
196.207.40.167:61461 TXID=50865
ISNOM:ISNOM TXID=ISNOM


I also did the check on the DNSStuff site and got the following results:

The DNS server at 196.207.40.165 is NOT overtly vulnerable, however, it may be subtly vulnerable* if any of the results below are POOR or FAIR.

Test - Rating - Notes
Source Port
Standard Deviation - GOOD - The server is issuing queries from different source ports over a wide range.
Bit Distribution - GOOD - The source port(s) used have little to no bias towards 1 or 0.
Variance - GOOD - The variance amongst the ports used is good.

Query IDs
Standard Deviation - GOOD - The server is issuing queries with different query IDs over a wide range.
Bit Distribution - GOOD - The query IDs used have little to no bias towards 1 or 0.
Variance - GOOD - The variance amongst the query IDs used is good.


What does this all mean? Why are my test results different to the other people on here? Should I be concerned about anything?
 
I get this:

Your ISP's name server, 196.207.35.29, has other protections above and beyond port randomization against the recently discovered DNS flaws. There is no reason to be concerned about the results seen below.
Requests seen for ba19a5a312b9.toorrr.com:
196.207.35.29:36692 TXID=46687
196.207.35.29:36661 TXID=8215
196.207.35.29:36817 TXID=44330
196.207.35.29:36703 TXID=7917
196.207.35.29:36773 TXID=48684
ISNOM:ISNOM TXID=ISNOM
 
I've just tried manually setting my DNS server to the two different servers automatically assigned by Vodacom, I'm on PPDB in Cape Town.
Your ISP's name server, 196.207.40.167, has other protections above and beyond port randomization against the recently discovered DNS flaws. There is no reason to be concerned about the results seen below.
Requests seen for 838f0c291d50.toorrr.com:
196.207.40.167:61538 TXID=46562
196.207.40.167:61369 TXID=10654
196.207.40.167:61573 TXID=32370
196.207.40.167:61577 TXID=41825
196.207.40.167:61396 TXID=16954
ISNOM:ISNOM TXID=ISNOM

Your name server, at 196.207.40.165, appears to be safe, but make sure the ports listed below aren't following an obvious pattern (:1001, :1002, :1003, or :30000, :30020, :30100...).
Requests seen for d142eebefa37.toorrr.com:
196.207.40.165:60429 TXID=31113
196.207.40.165:46542 TXID=32078
196.207.40.165:40067 TXID=61055
196.207.40.165:61100 TXID=52746
196.207.40.165:25570 TXID=15512
It seems 196.207.40.167's ports are much closer together than 196.207.40.165's. I'll pass on this information to Vodacom and see what they say.
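
Added example, not part of the original posts and not the code of either checker: a small Python script that parses the "IP:port TXID=n" lines quoted in the post above and compares the source-port spread of the two resolvers. The function names and the min_span threshold of 4096 are assumptions chosen for illustration.

```python
import math
import re

# Checker output format quoted in this thread: "IP:port TXID=n"
LINE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d+)\s+TXID=(\d+)$")

def parse(report):
    """Return {resolver_ip: [(port, txid), ...]}; other lines are skipped."""
    seen = {}
    for line in report.splitlines():
        m = LINE.match(line.strip())
        if m:  # "ISNOM:ISNOM TXID=ISNOM" does not match and is ignored
            seen.setdefault(m.group(1), []).append((int(m.group(2)), int(m.group(3))))
    return seen

def assess(samples, min_span=4096):
    """Summarise source-port spread; min_span is an assumed threshold."""
    ports = [p for p, _ in samples]
    span = max(ports) - min(ports)
    steps = {b - a for a, b in zip(ports, ports[1:])}
    if len(ports) > 1 and len(steps) == 1:
        verdict = "fixed-step"  # :1001, :1002, :1003 or one static port
    elif span < min_span:
        verdict = "narrow"      # e.g. a NAT remapping ports into a small pool
    else:
        verdict = "wide"
    # Port bits a spoofer must guess on top of the 16-bit TXID, if ports are
    # uniform over the observed window (few samples understate the window).
    return {"span": span, "port_bits": round(math.log2(span + 1), 1),
            "verdict": verdict}

# Sample input: the two result sets posted above.
REPORT = """\
196.207.40.167:61538 TXID=46562
196.207.40.167:61369 TXID=10654
196.207.40.167:61573 TXID=32370
196.207.40.167:61577 TXID=41825
196.207.40.167:61396 TXID=16954
ISNOM:ISNOM TXID=ISNOM
196.207.40.165:60429 TXID=31113
196.207.40.165:46542 TXID=32078
196.207.40.165:40067 TXID=61055
196.207.40.165:61100 TXID=52746
196.207.40.165:25570 TXID=15512
"""

def summarise(report=REPORT):
    return {ip: assess(s) for ip, s in parse(report).items()}

if __name__ == "__main__":
    print(summarise())
```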
 
internet apn, PPDB, Grahamstown.

Your ISP's name server, 196.207.40.167, has other protections above and beyond port randomization against the recently discovered DNS flaws. There is no reason to be concerned about the results seen below.
Requests seen for 9ca4c5c66e29.doxdns5.com:
196.207.40.167:61569 TXID=33892
196.207.40.167:61409 TXID=58571
196.207.40.167:61476 TXID=52033
196.207.40.167:61456 TXID=53332
196.207.40.167:61541 TXID=841
ISNOM:ISNOM TXID=ISNOM
 