The TNET Blog


How to check your DNS server

While there are a number of websites that you can use to see if the nameserver you are using is vulnerable to the Cache Poisoning Vulnerability, most of them don’t provide a way to test a name server that you are not personally using with those websites (i.e. a unix server at a remote location).

The following test will do that.

dig +short @ns1.yourdomain.com porttest.dns-oarc.net TXT

Replace ns1.yourdomain.com with your actual name server and run the command; it will produce output like:

z.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.pt.dns-oarc.net.
"192.168.1.3 is POOR: 26 queries in 20.0 seconds from 1 ports with std dev 0.00"

Here POOR indicates an unpatched BIND server: all 26 queries left from a single source port.

A patched (clean) named server would look like:

porttest.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.pt.dns-oarc.net.
"24.249.176.163 is GREAT: 26 queries in 1.1 seconds from 26 ports with std dev 17751"
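The porttest answer packs the whole verdict into one TXT string, and the two numbers that matter are the count of distinct source ports and their standard deviation. The following is an added example, not code from the TNET post or from DNS-OARC: it parses a result line like the two above into typed fields, and it reproduces those two statistics from a list of observed source ports so you can see why a single-port resolver scores 0.00 and a randomizing one scores in the thousands. The two synthetic port lists and the `randomization_ok` thresholds are this example's assumptions, not DNS-OARC's grading rules.

```python
"""Added example (not from the TNET post or DNS-OARC): parse the
porttest.dns-oarc.net TXT answer and reproduce its statistics locally."""
import random
import re
import statistics

# Matches the TXT record text quoted in the post, with or without the quotes.
PORTTEST_RE = re.compile(
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) is (?P<grade>[A-Z]+): "
    r"(?P<queries>\d+) queries in (?P<seconds>[\d.]+) seconds from "
    r"(?P<ports>\d+) ports with std dev (?P<stddev>[\d.]+)"
)


def parse_porttest(txt):
    """Turn one porttest result line into a dict of typed fields."""
    m = PORTTEST_RE.search(txt)
    if m is None:
        raise ValueError("not a porttest result: %r" % txt)
    return {
        "ip": m.group("ip"),
        "grade": m.group("grade"),
        "queries": int(m.group("queries")),
        "seconds": float(m.group("seconds")),
        "ports": int(m.group("ports")),
        "stddev": float(m.group("stddev")),
    }


def port_stats(source_ports):
    """Distinct-port count and population std dev, the two numbers porttest reports."""
    distinct = len(set(source_ports))
    sd = statistics.pstdev(source_ports) if len(source_ports) > 1 else 0.0
    return distinct, sd


def randomization_ok(source_ports, min_distinct_ratio=0.9, min_stddev=1000.0):
    """Local verdict. The thresholds are this example's assumption, not dns-oarc's grading."""
    if not source_ports:
        return False
    distinct, sd = port_stats(source_ports)
    return distinct >= min_distinct_ratio * len(source_ports) and sd >= min_stddev


# Constructed samples: the two result lines quoted in the post, plus two synthetic
# resolvers, one pinned to a single source port and one picking random ports.
POOR_LINE = '"192.168.1.3 is POOR: 26 queries in 20.0 seconds from 1 ports with std dev 0.00"'
GREAT_LINE = '"24.249.176.163 is GREAT: 26 queries in 1.1 seconds from 26 ports with std dev 17751"'
UNPATCHED_PORTS = [32769] * 26
PATCHED_PORTS = random.Random(7).sample(range(1024, 65536), 26)

if __name__ == "__main__":
    for line in (POOR_LINE, GREAT_LINE):
        print(parse_porttest(line))
    for name, ports in (("unpatched", UNPATCHED_PORTS), ("patched", PATCHED_PORTS)):
        distinct, sd = port_stats(ports)
        print(f"{name}: {distinct} distinct ports, std dev {sd:.0f}, ok={randomization_ok(ports)}")
```

Feed `parse_porttest` the line `dig +short` prints and check the `ports` and `stddev` fields in a monitoring job; if you capture your resolver's outbound queries yourself, `port_stats` on the observed source ports gives the same two numbers without depending on the external service.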

We are currently using ISC BIND 9.6.0-P1 for most of our name servers, which was released in January 2009.
