Kaminsky's exploit: What about CNS?

Jeff Reasoner jeff.reasoner at mail.hccanet.org
Tue Jul 15 17:53:27 UTC 2008


This may actually have nothing to do with CNS, but rather NAT traversal
at a firewall. I noticed something very similar while verifying my
bind-9.4.2-P1 systems.

Post-install I saw:
[foo at dnstest foo]# dig +short porttest.dns-oarc.net TXT @localhost
z.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.pt.dns-oarc.net.
"204.10.216.194 is POOR: 26 queries in 1.7 seconds from 26 ports with
std dev 248.94"

I suspected that the poor entropy here was a result of the fact that my
server is behind a Cisco FWSM. I also knew that this traffic was being
PATed. I threw in a couple of lines of config to statically NAT this
outbound traffic and got the following:

[foo at dnstest foo]# dig +short porttest.dns-oarc.net TXT @localhost
z.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.pt.dns-oarc.net.
"204.10.218.24 is GOOD: 26 queries in 1.9 seconds from 26 ports with std
dev 20227.32"

I'm not finished testing yet, but I'm seeing the same with various PIX
releases too.

On Tue, 2008-07-15 at 10:30 -0700, Chris Buxton wrote:
> I happened to check my home ISP's name servers using the porttest
> query, and I did not get entirely reassuring results:
> 
> $ dig +short porttest.dns-oarc.net TXT @68.87.76.178
> z.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.pt.dns-oarc.net.
> "68.87.76.181 is POOR: 26 queries in 0.2 seconds from 24 ports with
> std dev 126.32"
> 
> $ fpdns 68.87.76.178
> fingerprint (68.87.76.178, 68.87.76.178): Nominum CNS
> 
> $ dig +short porttest.dns-oarc.net TXT @68.87.78.130
> z.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.pt.dns-oarc.net.
> "68.87.78.133 is POOR: 26 queries in 1.0 seconds from 25 ports with  
> std dev 149.32"
> 
> $ fpdns 68.87.78.130
> fingerprint (68.87.78.130, 68.87.78.130): Nominum CNS
> 
> Since we have consulting customers using CNS, should we be advising  
> them to install some kind of upgrade?
> 
> Chris Buxton
> Professional Services
> Men & Mice
> 
> 
-- 
Jeff Reasoner
HCCA
513 728-7902 voice

