So it looks like it's all clear.
On Wed, Jul 30, 2008 at 3:06 PM, Florian Weimer <fw@deneb.enyo.de> wrote:
* Stephen Vaughan:
> Does anyone know if TinyDNS is vulnerable to the DNS cache poisoning
> exploit? I run tinydns servers; I ran the test below and it came
> back as POOR.
tinydns as in djbdns? dnscache (the iterative resolver component of
djbdns) uses source port randomization, so no code changes are
required.
> mh1:~# dig +short @ns1.example.com porttest.dns-oarc.net TXT
> z.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.pt.dns-oarc.net.
> "1.2.3.4 is POOR: 26 queries in 4.4 seconds from 1 ports with std dev 0.00"
This should not happen with dnscache. Perhaps you're behind a
not-so-transparent DNS proxy, and you're actually testing your ISP's
resolver?
--
Best Regards,
Stephen
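An added illustration of what the port test quoted above measures and why a forwarding proxy can mask a randomising resolver; this is example code written for this page, not code from the thread, from djbdns or from DNS-OARC. It parses the TXT answer format shown in the thread, computes the distinct-port count and standard deviation from a constructed sample of source ports (assumed, evenly spaced so the numbers are exact), and models a proxy that re-sends every query from one fixed port. The grading thresholds in `grade()` are assumptions for illustration, not the thresholds the real port test uses.

```python
import re
import statistics

# Regex for the TXT answer string the port test returns; the format is the one
# quoted in the thread ("1.2.3.4 is POOR: 26 queries in 4.4 seconds from 1
# ports with std dev 0.00").
PORTTEST_RE = re.compile(
    r'"?(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) is (?P<verdict>[A-Z]+): '
    r'(?P<queries>\d+) queries in (?P<seconds>[\d.]+) seconds '
    r'from (?P<ports>\d+) ports with std dev (?P<stddev>[\d.]+)"?'
)


def parse_porttest(txt):
    """Parse a port-test TXT answer into its fields."""
    m = PORTTEST_RE.search(txt)
    if m is None:
        raise ValueError("not a port-test answer: %r" % txt)
    return {
        "ip": m.group("ip"),
        "verdict": m.group("verdict"),
        "queries": int(m.group("queries")),
        "seconds": float(m.group("seconds")),
        "ports": int(m.group("ports")),
        "stddev": float(m.group("stddev")),
    }


def summarize_ports(ports):
    """Distinct-port count and population std dev of the UDP source ports a
    tester saw on successive queries arriving from one resolver address."""
    distinct = len(set(ports))
    stddev = statistics.pstdev(ports) if len(ports) > 1 else 0.0
    return distinct, stddev


def grade(distinct, stddev, queries):
    """Assumed grading thresholds for illustration only (not OARC's)."""
    if distinct <= 1 or stddev == 0.0:
        return "POOR"   # a single source port for every query
    if distinct < queries or stddev < 1000.0:
        return "FAIR"   # ports repeat, or sit in a narrow band
    return "GOOD"


def format_porttest(ip, verdict, queries, seconds, ports, stddev):
    """Render a result in the same string format the thread shows."""
    return '"%s is %s: %d queries in %.1f seconds from %d ports with std dev %.2f"' % (
        ip, verdict, queries, seconds, ports, stddev)


def through_fixed_port_proxy(ports, fixed_port=53):
    """Model a forwarding proxy/NAT that re-sends every query from one port:
    whatever the real resolver randomised, the tester only sees fixed_port."""
    return [fixed_port] * len(ports)


# Constructed sample: 26 source ports spread across the ephemeral range, as a
# randomising resolver such as dnscache would produce. Evenly spaced here so
# the statistics are exact (std dev = 2500 * 7.5 = 18750) rather than random.
RANDOMISED_PORTS = [1024 + 2500 * i for i in range(26)]


def assess(ports, ip="1.2.3.4", seconds=4.4):
    """Summarise observed ports and render the verdict string."""
    distinct, stddev = summarize_ports(ports)
    verdict = grade(distinct, stddev, len(ports))
    return format_porttest(ip, verdict, len(ports), seconds, distinct, stddev)


if __name__ == "__main__":
    print("direct :", assess(RANDOMISED_PORTS))
    print("proxied:", assess(through_fixed_port_proxy(RANDOMISED_PORTS)))
    print(parse_porttest(assess(through_fixed_port_proxy(RANDOMISED_PORTS))))
```

Run directly, the "proxied" line reproduces the POOR result from the thread exactly (1 port, std dev 0.00) even though the underlying sample was well randomised, which is the situation Florian suspects: the test grades whatever last touched the query's source port, so a test that returns POOR from a dnscache host is a reason to look at the path between the resolver and the Internet before looking at the resolver.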