Nmap Development mailing list archives

[SCRIPT] Check DNS servers against porttest.dns-oarc.net for "Dan's Bug" (CVE-2008-1447, CVE-2008-1454)


From: Brandon Enright <bmenrigh () ucsd edu>
Date: Wed, 16 Jul 2008 22:41:48 +0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Fellow developers;

As everyone knows at this point, Dan Kaminsky found a serious flaw in
DNS and a bunch of vendors have patched their implementation to try to
work around the problem.

Duane Wessels of OARC set up a great service at porttest.dns-oarc.net to
help you audit your DNS servers.  This is an NSE script (attached) to
help automate that checking.

Here is example output of the script:

Interesting ports on 132.239.x.y:
PORT   STATE SERVICE
53/udp open  domain
|_ Unspecified DNS vulnerabilities (CVE-2008-1447, CVE-2008-1454): 132.239.x.y is GOOD: 26 queries in 0.5 seconds from 26 ports with std dev 18233.98

Interesting ports on 132.239.a.b:
PORT   STATE SERVICE
53/udp open  domain
|_ Unspecified DNS vulnerabilities (CVE-2008-1447, CVE-2008-1454): 132.239.a.b is POOR: 26 queries in 0.4 seconds from 1 ports with std dev 0.00

Unfortunately, I haven't spoken to Duane or OARC so this script has
strict sharing guidelines.  Those are:

* Don't share the script outside of nmap-dev
* Don't include the script with Nmap
* Don't abuse porttest.dns-oarc.net

If we are able to get Duane and OARC's permission to distribute the
script then these sharing restrictions can be lifted.  I'm not sure how
long OARC plans on running porttest though so this script still might
not be a good candidate for inclusion with Nmap.

Hopefully this script will help everyone on this list audit and patch
their DNS servers.  If your organization is anything like ours, you
have _a_lot_ of patching to do.

Brandon

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.9 (GNU/Linux)

iEYEARECAAYFAkh+eTQACgkQqaGPzAsl94IbcgCdGIiNBaXQcW+wkkYt6pIkHbbb
bewAn0RctdJILYctaozTFr3m6EgYiXhQ
=CmM0
-----END PGP SIGNATURE-----

Attachment: dns-safe-recursion.nse
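
An added example, not part of the original post and not the attached script: a small Python parser for the output format quoted in the message, listing the hosts that were rated POOR or that sent every query from a single source port. The sample addresses, function names and the single-port check are assumptions made for this illustration.

```python
import re

# Constructed sample in the shape of the output quoted in the message
# (documentation-range addresses, not hosts from the original post).
# The second line of each result is wrapped, as it is in the list archive.
SAMPLE = """\
Interesting ports on 192.0.2.10:
PORT   STATE SERVICE
53/udp open  domain
|_ Unspecified DNS vulnerabilities (CVE-2008-1447, CVE-2008-1454): 192.0.2.10 is GOOD: 26 queries in 0.5 seconds from
26 ports with std dev 18233.98

Interesting ports on 192.0.2.20:
PORT   STATE SERVICE
53/udp open  domain
|_ Unspecified DNS vulnerabilities (CVE-2008-1447, CVE-2008-1454): 192.0.2.20 is POOR: 26 queries in 0.4 seconds from
1 ports with std dev 0.00
"""

# \s+ after "from" tolerates a line wrap inside the result text.
RESULT = re.compile(
    r"(?P<host>\S+) is (?P<rating>[A-Z]+): (?P<queries>\d+) queries in "
    r"(?P<secs>\d+(?:\.\d+)?) seconds from\s+(?P<ports>\d+) ports "
    r"with std dev (?P<stddev>\d+(?:\.\d+)?)"
)

def parse_results(text):
    """Return one dict per per-host result line found in the scan output."""
    return [
        {
            "host": m["host"],
            "rating": m["rating"],
            "queries": int(m["queries"]),
            "ports": int(m["ports"]),
            "stddev": float(m["stddev"]),
        }
        for m in RESULT.finditer(text)
    ]

def flag_for_review(results):
    """Hosts rated POOR, or (assumption added here) that used one source
    port for more than one query, i.e. no source-port randomization."""
    return [r["host"] for r in results
            if r["rating"] == "POOR" or (r["queries"] > 1 and r["ports"] == 1)]

if __name__ == "__main__":
    for host in flag_for_review(parse_results(SAMPLE)):
        print("review resolver:", host)
```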

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org