Nmap Development mailing list archives

Re: [SCRIPT] Check DNS servers against porttest.dns-oarc.net for "Dan's Bug" (CVE-2008-1447, CVE-2008-1454)


From: Brandon Enright <bmenrigh () ucsd edu>
Date: Mon, 28 Jul 2008 04:23:33 +0000

On Wed, 16 Jul 2008 22:41:48 +0000 or thereabouts Brandon Enright
<bmenrigh () ucsd edu> wrote:

Fellow developers;

As everyone knows at this point, Dan Kaminsky found a serious flaw in
DNS and a bunch of vendors have patched their implementation to try to
work around the problem.

Duane Wessels of OARC set up a great service at porttest.dns-oarc.net
to help you audit your DNS servers.  This is an NSE script (attached)
to help automate that checking.


Hi folks,

After a heck of a lot of testing and debugging I have improved this
script.  The script now better understands how to parse DNS and handles
edge-cases better.  I also added output for various errors if you turn
on debugging or verbose (level 2 to see everything).

I'd say this script is "well tested" now and should be up to the task of
auditing your organization.

The only trouble I've had with this version of the script is that if
you turn Nmap's parallelism up too much with --min-parallelism, NSE
becomes sad and starts to reduce accuracy.

I haven't heard back from Duane yet though so the sharing restrictions
listed in my previous email and in the script still stand for now.

Brandon


Attachment: dns-safe-recursion.nse