Nmap Development mailing list archives
[SCRIPT] Check DNS servers against porttest.dns-oarc.net for "Dan's Bug" (CVE-2008-1447, CVE-2008-1454)
From: Brandon Enright <bmenrigh () ucsd edu>
Date: Wed, 16 Jul 2008 22:41:48 +0000
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Fellow developers; As everyone knows at this point, Dan Kaminsky found a serious flaw in DNS and a bunch of vendors have patched their implementation to try to work around the problem. Duane Wessels of OARC setup a great service at porttest.dns-oarc.net to help you audit your DNS servers. This is a NSE script (attached) to help automate that checking. Here is example output of the script: Interesting ports on 132.239.x.y: PORT STATE SERVICE 53/udp open domain |_ Unspecified DNS vulnerabilities (CVE-2008-1447, CVE-2008-1454): 132.239.x.y is GOOD: 26 queries in 0.5 seconds from 26 ports with std dev 18233.98 Interesting ports on 132.239.a.b: PORT STATE SERVICE 53/udp open domain |_ Unspecified DNS vulnerabilities (CVE-2008-1447, CVE-2008-1454): 132.239.a.b is POOR: 26 queries in 0.4 seconds from 1 ports with std dev 0.00 Unfortunately, I haven't spoken to Duane or OARC so this script has strict sharing guidelines. Those are: * Don't share the script outside of nmap-dev * Don't include the script with Nmap * Don't abuse porttest.dns-oarc.net If we are able to get Duane and ORAC's permission to distribute the script then these sharing restrictions can be lifted. I'm not sure how long OARC plans on running porttest though so this script still might not be a good candidate for inclusion with Nmap. Hopefully this script will help everyone on this list audit and patch their DNS servers. If your organization is anything like ours, you have _a_lot_ of patching to do. Brandon -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.9 (GNU/Linux) iEYEARECAAYFAkh+eTQACgkQqaGPzAsl94IbcgCdGIiNBaXQcW+wkkYt6pIkHbbb bewAn0RctdJILYctaozTFr3m6EgYiXhQ =CmM0 -----END PGP SIGNATURE-----
Attachment:
dns-safe-recursion.nse
Description:
_______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://SecLists.Org
Current thread:
- [SCRIPT] Check DNS servers against porttest.dns-oarc.net for "Dan's Bug" (CVE-2008-1447, CVE-2008-1454) Brandon Enright (Jul 16)