Linux Sysadmin Blog

How to Check if Your DNS Server Implements Source Port Randomization

- | Comments

The Domain Name System (DNS) is responsible for translating host names to IP addresses (and vice versa) and is critical for the normal operation of internet-connected systems. DNS cache poisoning (sometimes referred to as cache pollution) is an attack technique that allows an attacker to introduce forged DNS information into the cache of a caching nameserver. DNS cache poisoning is not a new concept; in fact, there are published articles that describe a number of inherent deficiencies in the DNS protocol and defects in common DNS implementations that facilitate DNS cache poisoning.

Fixed source port for generating queries – in most dns implementations the source port for outgoing queries is fixed at the traditional assigned DNS server port number, 53/udp. We can easily find out if our own dns server is using a fixed source port for queries by looking into named.conf and if we see a line like: query-source port 53; this means that the port 53 udp will be used for all dns outgoing queries.

This can be tested externally (you can check on your ISP resolvers for ex.) with the dig command: dig +short @<IP_DNS_SERVER> txt

Here is a sample output for a server not using source port randomization: dig +short @ txt " is **POOR**: 26 queries in 2.0 seconds from 1 ports with std dev 0"

and also one for a server that does this: dig +short @ txt " is **GREAT**: 26 queries in 1.2 seconds from 26 ports with std dev 5243" as this shows it is using random ports for each query.

Now if you want to be safe from this vulnerability you should upgrade to the latest bind version available (yum install bind if using rhel/centos/etc. or apt-get install bind9 if you use debian/ubuntu) and also remove from your named.conf such lines: query-source port 53; query-source-v6 port 53; and reload named afterwards: rndc reload

Once you are done check it again with dig and this should show now ’GREAT’ as expected.