On Tue, Jul 22, 2008 at 1:32 PM, Eugen Leitl <[EMAIL PROTECTED]> wrote:
>
> http://www.provos.org/index.php?/pages/dnstest.html
>
> DNS Resolver Test
>
> For secure name resolution, it is important that your DNS resolver uses 
> random source ports. The box below will tell you if there is something you 
> need to worry about.
>
> Your DNS Resolver needs to be updated.
>
> If the box says that you are using random ports, there is nothing to worry 
> about. If it shows a red border, your resolver does not use completely random 
> source ports. This could imply a security problem; see the following CERT 
> advisory. However, some resolvers have implemented countermeasures that do 
> not solely rely on random source ports.
>
> There is a little bit more information about this security problem on Dan 
> Kaminsky's blog.
>
> Should we be getting worried now?

You probably should be.  I have nothing to worry about according to that page.

Your DNS Resolver uses random ports.

This is an unpatched BIND caching name server (that is certainly NOT
using random ports) sitting behind a pfSense box.  However, the
checker at doxpara.com, absolutely DOES show the issue.  From what I
understand, it's not necessarily an issue that pfSense can solve for
you as it's keeping quasi state on the UDP traffic for the queries and
they'll have the same tuple multiple times within the state timeout so
all the queries will match the first state.

--Bill
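The provos.org and doxpara.com checkers both boil down to looking at the UDP source ports a resolver uses across several queries. The following is an added example (not code from either test page or from BIND or pfSense) that classifies a captured sequence of source ports the way such a checker would; the port samples are constructed, and the function names are my own.

```python
"""
Classify how a DNS resolver picks UDP source ports, from a list of ports
observed on successive outbound queries (e.g. pulled from a tcpdump of
port-53 traffic on the resolver host).

Capture on the resolver host itself: a NAT device in front of it (such as
the pfSense box in the thread) presents its own source ports to an external
checker, so a test run from outside measures the firewall, not the resolver.
"""


def classify_source_ports(ports, min_samples=8):
    """Return 'fixed', 'sequential', 'low-entropy' or 'random'."""
    if len(ports) < min_samples:
        raise ValueError("need at least %d samples" % min_samples)
    distinct = len(set(ports))
    if distinct == 1:
        return "fixed"          # one socket, one port: fully predictable
    # A single constant delta between successive ports is a counter, which
    # an off-path attacker can predict almost as easily as a fixed port.
    deltas = {b - a for a, b in zip(ports, ports[1:])}
    if len(deltas) == 1:
        return "sequential"
    # Heavy reuse of a few ports within a short window is also a warning sign.
    if distinct / len(ports) < 0.5:
        return "low-entropy"
    return "random"


def port_spread(ports):
    """Range of ports used; a randomizing resolver spans most of 1024-65535."""
    return max(ports) - min(ports)


# Constructed samples, not real captures
FIXED = [32768] * 10                                   # same port every query
SEQUENTIAL = list(range(49152, 49162))                 # counter-style allocation
RANDOM = [53102, 1427, 61090, 22355, 8811, 47620, 30017, 59944, 12090, 41233]

if __name__ == "__main__":
    for name, sample in (("fixed", FIXED), ("sequential", SEQUENTIAL), ("random", RANDOM)):
        print(name, classify_source_ports(sample), port_spread(sample))
```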
