DNS Poisoning Attack, How Safe Am I?



Mattias Geniar, August 05, 2008


If you haven’t heard about the latest “major DNS leak” in the last couple of weeks, you’ve either lived beneath a big rock, or have no way to access the internet. Despite the name it isn’t a leak of data: it’s a cache poisoning flaw in recursive nameservers, which let an attacker plant forged answers in a resolver’s cache. News posts are written on a daily basis, and new warnings are thrown out on a near-minute frequency.

And you know what? They’re right too. It’s a serious problem, but how do you know whether the nameservers you use are patched? Or the nameservers of your ISP?

If you want to test the nameservers you’re currently using, I suggest you use the tool created by the discoverer of the flaw, Dan Kaminsky, at http://www.doxpara.com/. Click on “check my DNS”, on the right. It’ll use your current nameservers to see if they’re vulnerable or not.

If you want to check other nameservers, here’s how to do it on a Linux machine with dig installed.

The following command asks the nameserver to resolve a test record at DNS-OARC. Their server answers with a readable verdict on how well the resolver randomises the UDP source ports of its outgoing queries, because that is what the patch adds: with a fixed source port an attacker only has to guess the 16-bit transaction ID of a pending query, with randomised ports the guess space grows by roughly another 16 bits.

dig +short @[your nameserver] porttest.dns-oarc.net txt 

Replace [your nameserver] with the nameserver you wish to check, of course. It could turn into the following command.

dig +short @ns1.nucleus.be porttest.dns-oarc.net txt 

And that might produce the following result, meaning the nameserver is patched and protected against the latest attack. Hooray administrators!

root@mattias:~# dig +short @ns1.nucleus.be porttest.dns-oarc.net txt
porttest.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.pt.dns-oarc.net.
"195.207.48.18 is GREAT: 26 queries in 5.4 seconds from 26 ports with std dev 18893"

If it’s still vulnerable, it’ll give you the following message. Note that the address in the answer is the one DNS-OARC saw the test queries arrive from; in the example below it differs from the server that was queried, so the verdict describes the resolver that actually went out to the internet on your behalf. It’s time to poke your local administrator about this problem, and tell them to fix it asap.

root@mattias:~# dig +short @125.22.47.125 porttest.dns-oarc.net txt
porttest.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.pt.dns-oarc.net.
"125.22.47.136 is POOR: 28 queries in 10.2 seconds from 1 ports with std dev 0"

Update 11/8/2008: Here’s how to do it on a Windows machine, using nslookup to determine whether or not you’re vulnerable to the latest cache poisoning attack.

nslookup -querytype=TXT porttest.dns-oarc.net. ns1.nucleus.be

This will produce the same output as the Linux command, and will also tell you whether or not you are safe. Replace “ns1.nucleus.be” with the nameserver you want to test.

Results can be misleading behind NAT (for example a home router that forwards DNS queries on your behalf). The test only sees the source ports as they leave the NAT device, and some NAT implementations rewrite them sequentially, so a patched resolver can still show up as POOR; that is a real problem, since the attacker sees the same de-randomised ports. And if the router merely forwards to your ISP’s resolver, you are really testing that resolver, not the router. Either way the verdict describes the path your queries actually take, which is what matters.

If the command produces no output at all, the server most likely refused the query: an authoritative-only nameserver does not answer for domains it isn’t responsible for, so it keeps no cache that could be poisoned and isn’t at risk. The vulnerable servers are the recursive resolvers, which accept queries for any domain, look the answer up on your behalf and cache it. To be sure, run dig again without +short: a header line with status: REFUSED means a non-recursive server, while a timeout (“no servers could be reached”) means the server didn’t answer at all and tells you nothing about its patch state.
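To run the same check against a whole list of resolvers and read the answers consistently, here is a small POSIX sh wrapper around the dig command above. It is an added example, not code from the original post or from DNS-OARC: it pulls the verdict out of the TXT answer, flags when the address DNS-OARC reports differs from the server you queried, and tells the two “no output” cases apart (REFUSED versus a timeout). The sample answers at the bottom are copied from the post’s own output; the pass/fail line in is_acceptable (only GREAT and GOOD pass) is this example’s own choice, not a DNS-OARC definition.

```shell
#!/bin/sh
# Added example, not part of the original post: a POSIX sh wrapper around the
# dig port test described above. It queries the DNS-OARC port test through each
# resolver given on the command line, extracts the verdict from the TXT answer,
# and tells apart the "no output" cases: REFUSED (not a recursive resolver, so
# no cache to poison) versus a timeout (no verdict at all). The sample answers
# at the bottom are copied from the post; the pass/fail rule in is_acceptable
# is this example's own choice, not a DNS-OARC definition.

# parse_porttest TEXT: TEXT is dig output (+short or full). Prints
# "<egress-ip> <rating> <distinct-ports> <stddev>" for the TXT answer line,
# or nothing when TEXT contains no port test answer.
parse_porttest() {
    printf '%s\n' "$*" | sed -n \
        's/.*"\([0-9a-f.:]*\) is \([A-Z]*\): [0-9]* queries in [0-9.]* seconds from \([0-9]*\) ports with std dev \([0-9]*\)".*/\1 \2 \3 \4/p'
}

# is_acceptable RATING: exit 0 for GREAT or GOOD, 1 for anything else (FAIR,
# POOR, or an empty rating). Treating FAIR as a failure is deliberately strict.
is_acceptable() {
    case "$1" in
        GREAT|GOOD) return 0 ;;
        *)          return 1 ;;
    esac
}

# check_resolver SERVER: prints one report line. Needs dig and network access.
check_resolver() {
    server=$1
    out=$(dig +time=5 +tries=1 "@$server" porttest.dns-oarc.net txt 2>&1)
    parsed=$(parse_porttest "$out")
    if [ -n "$parsed" ]; then
        set -- $parsed
        if is_acceptable "$2"; then verdict=OK; else verdict=VULNERABLE; fi
        # $1 is the address DNS-OARC saw the queries come from. When it is not
        # $server, the verdict is about whatever actually went out to the
        # internet for you: an upstream forwarder, or the NAT in front of it.
        printf '%s: %s (%s, %s distinct ports, std dev %s, queries seen from %s)\n' \
            "$server" "$verdict" "$2" "$3" "$4" "$1"
    elif printf '%s\n' "$out" | grep -q 'status: REFUSED'; then
        printf '%s: NOT_RECURSIVE (refused the query; no cache to poison)\n' "$server"
    elif printf '%s\n' "$out" | grep -q 'no servers could be reached'; then
        printf '%s: NO_RESPONSE (timed out; unreachable, not a verdict)\n' "$server"
    else
        printf '%s: UNKNOWN (unexpected dig output)\n' "$server"
    fi
}

# Usage: sh porttest.sh ns1.nucleus.be 125.22.47.125 ...
# With no arguments it demonstrates the parser on the two answers from the post.
if [ $# -gt 0 ]; then
    for s in "$@"; do check_resolver "$s"; done
else
    for sample in \
        '"195.207.48.18 is GREAT: 26 queries in 5.4 seconds from 26 ports with std dev 18893"' \
        '"125.22.47.136 is POOR: 28 queries in 10.2 seconds from 1 ports with std dev 0"'
    do
        set -- $(parse_porttest "$sample")
        if is_acceptable "$2"; then echo "$1: $2 -> patched"; else echo "$1: $2 -> vulnerable"; fi
    done
fi
```

Compare the “queries seen from” address with the server you passed in: if they differ, as in the post’s POOR example, you have learned something about the resolver or NAT upstream of that server, and you should test that one directly too.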

Try out as many nameservers as you like: the latest polls have placed more than 40% of nameservers still at risk, which is way too much! Alert the administrators, save the cheerleader, save the world!


