DNS Randomness Test

"The test takes a few seconds to complete. When it's done you'll see a page where the transaction ID and source port randomness will be rated either GREAT, GOOD, or POOR. If you see a POOR rating, we recommend that you contact your ISP and ask if they have plans to upgrade their nameserver software before August 7th."

Kayman
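The test quoted above rates how unpredictable a resolver's outgoing source ports and transaction IDs (TXIDs) are. The following is an added example, not code from the DNS-OARC test or anyone in this thread: an offline model that rates constructed samples the way the test describes (POOR, GOOD, GREAT) and shows why the rating matters, by counting how many (source port, TXID) pairs a blind forger has to spray. The cut-offs for the three ratings and the sample sequences are this example's own assumptions; the real test's thresholds are not stated on the page.

```python
"""Offline model of the DNS randomness test discussed in the thread.

Added example, not the test's own code. It rates a list of observed source
ports or TXIDs and shows what the rating means for a blind cache-poisoning
attack. The samples are constructed (not captured from any ISP) and the
POOR/GOOD/GREAT cut-offs are assumptions made for illustration.
"""
import math
import random
from collections import Counter


def entropy_bits(samples):
    """Shannon entropy of the observed values, in bits."""
    n = len(samples)
    return -sum(c / n * math.log2(c / n) for c in Counter(samples).values())


def is_sequential(samples):
    """True when every consecutive pair differs by the same 16-bit step:
    a fixed value (step 0) or a plain incrementing counter (step 1, ...)."""
    steps = {(b - a) & 0xFFFF for a, b in zip(samples, samples[1:])}
    return len(steps) == 1


def rate(samples):
    """POOR: predictable (fixed or counting). GOOD: varies, but only inside a
    narrow window. GREAT: spread over a large part of the 16-bit space with
    near-uniform frequencies. Thresholds are this example's assumption."""
    if len(samples) < 2 or is_sequential(samples):
        return "POOR"
    spread = max(samples) - min(samples) + 1
    near_uniform = entropy_bits(samples) >= math.log2(len(samples)) - 1
    return "GREAT" if spread >= 16384 and near_uniform else "GOOD"


def effective_guesses(samples):
    """Values a blind forger must cover for this field: one if the next value
    is predictable from the last one, else the window the resolver uses."""
    if rate(samples) == "POOR":
        return 1
    return max(samples) - min(samples) + 1


def search_space(port_samples, txid_samples):
    """Distinct (source port, TXID) pairs the attacker must spray to be sure
    one forged reply matches; on average about half of them are needed."""
    return effective_guesses(port_samples) * effective_guesses(txid_samples)


# Constructed observations, 24 queries each (stand-ins for captured traffic).
_rng = random.Random(2008)
FIXED_PORTS = [53] * 24                                         # unpatched: one fixed port
SEQUENTIAL_TXIDS = [(0x1234 + i) & 0xFFFF for i in range(24)]   # counting TXID
NARROW_PORTS = [_rng.randrange(32768, 32768 + 1024) for _ in range(24)]  # 1024-port pool
RANDOM_PORTS = [_rng.randrange(1024, 65536) for _ in range(24)]  # patched resolver
RANDOM_TXIDS = [_rng.randrange(0, 65536) for _ in range(24)]

if __name__ == "__main__":
    for name, samples in [("fixed ports", FIXED_PORTS),
                          ("sequential TXIDs", SEQUENTIAL_TXIDS),
                          ("narrow port pool", NARROW_PORTS),
                          ("random ports", RANDOM_PORTS),
                          ("random TXIDs", RANDOM_TXIDS)]:
        print(f"{name:18s}: {rate(samples)}")
    print("pairs to cover, fixed port + random TXID :",
          search_space(FIXED_PORTS, RANDOM_TXIDS))
    print("pairs to cover, random port + random TXID:",
          search_space(RANDOM_PORTS, RANDOM_TXIDS))
```

With a fixed source port the attacker only has to beat the 16-bit TXID, so at most 65536 forged replies per attempt are enough; adding a randomized port multiplies that by the size of the port window, which is what moves the rating from POOR to GREAT. A resolver that randomizes within a small pool (the NARROW_PORTS case) gains far less, which is why a GOOD rating is still worth raising with the ISP.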

On Mon, 28 Jul 2008 20:36:31 +0700 'Kayman' wrote this on alt.comp.freeware:

My results:

-Source Port Randomness: GREAT

-Transaction ID Randomness: GREAT

...phew ;-)

hummingbird

From: "hummingbird"

| On Mon, 28 Jul 2008 20:36:31 +0700 'Kayman'
| wrote this on alt.comp.freeware:

| My results:
| -Source Port Randomness: GREAT
| -Transaction ID Randomness: GREAT

| ...phew ;-)

Verizon (my ISP)...

-Source Port Randomness: POOR

-Transaction ID Randomness: GREAT

1. 71.250.0.36 appears to have POOR source port randomness and GREAT transaction ID randomness.
2. 71.250.0.37 appears to have POOR source port randomness and GREAT transaction ID randomness.
3. 199.45.32.38 (nsdc.bellatlantic.net) appears to have POOR source port randomness and GREAT transaction ID randomness.
4. 151.198.0.38 (nsmad.bellatlantic.net) appears to have POOR source port randomness and GREAT transaction ID randomness.

| -- Dave


David H. Lipman

Some ISPs, such as Comcast, are fully patched, but also have an additional layer of protection. That additional layer tends to cause issues such as 'NAT or firewall issue' with the doxpara test, or the POOR notes on the test above. It's the tests being fooled by the protection, not a weakness of the protection.

Andrew Rossmann

On Mon, 28 Jul 2008 16:36:21 -0400 'David H. Lipman' wrote this on alt.comp.freeware:


Is it time to give Verizon a big kick up the ass? ;-)

hummingbird

From: "hummingbird"

| On Mon, 28 Jul 2008 16:36:21 -0400 'David H. Lipman'
| wrote this on alt.comp.freeware:

| Is it time to give Verizon a big kick up the ass? ;-)

/* Indeed ! */

Especially in light of their dropping ALL but the "Big 8" Usenet News Groups.

David H. Lipman

On Mon, 28 Jul 2008 17:33:46 -0400 'David H. Lipman' wrote this on alt.comp.freeware:

Shame on them!

First they came for the binaries... Then they came for the non-Big 8...

hummingbird

If you're not using OpenDNS, you're doing it all wrong. Seriously.


"David H. Lipman" wrote in news:I46dnWrA5q9XsBPVnZ2dnUVZ snipped-for-privacy@giganews.com:

Derio

OpenDNS is vulnerable to the attack, as is any other non-validating resolver.

Poisoning a fully patched resolver in 10 hours:


Compare DNS resolver strategies (incl. OpenDNS and look at the BOGUS messages):


Lutz Donnerhacke

That does not help much. While OpenDNS might not have a poisoned cache, the DNS server IT gets its information from might be poisoned. I.e., when you ask OpenDNS for an address, it does NOT have all addresses in its cache. It is simply not big enough. It goes and asks the next DNS server for that address. If that DNS server is poisoned, then it will deliver the wrong address to OpenDNS, and you are screwed. DNS is a whole web of trust, not simply a single machine, and a single poisoned node can poison the whole web.

That, AFAIK, is why this cache poisoning attack is so serious. It helps a lot if your immediate DNS server is OK. But it is not the whole story.

Unruh
