Google recently launched a public DNS service similar to the popular service over at OpenDNS, you can find it on Googlecode here – http://code.google.com/speed/public-dns/.

The first obvious reaction for the infosec crowd (with all the recent DNS flaws), is to question the security of the Google DNS service.

HD Moore has done some good analysis on the service as outlined below.

Yesterday, Google launched its new Public DNS service. Among the benefits that Google is claiming for the new service is that it helps to secure DNS for users. Is that an accurate claim?

One of the big issues that security researcher Dan Kaminsky disclosed about DNS insecurity in 2008 was that DNS request information isn’t quite as random as it should be. The way DNS works is that each DNS request is supposed to carry with it a random number transaction ID. But it turns out that the random number is only one out of 65,000. DNS is at risk when there isn’t enough randomization and a hacker can ‘guess’ the number.

So is Google’s Public DNS random enough? I got a comment from famed security researcher, H D Moore on that point. Moore knows what he’s talking about when it comes to DNS exploits as his Metasploit tool was among the first to have a weaponized version of the Kaminsky DNS flaw.

It seems like the port allocation of the Google DNS system is adequately random even though it’s drawing from a fairly small port range.

So the claims this could be a more secure DNS server for most systems are true, it will protect against DNS cache poisoning attacks at least.

Moore has now put together a mapping of Google’s source port distribution on the Public DNS service. In his view, it looks like the source ports are sufficiently random, even though they are limited to a small range of ports.

According to HD, it looks like Google’s focus on security might be on the right track and the DNS could be good at preventing cache poisoning attacks.

His sample size is only 10,000 requests here, which isn’t a huge number but does give a decent sample in my view. He has also graphed source ports, transaction IDS and a comparison of source ports to those transaction IDs.

I’ll switch over from OpenDNS and give the Google system a try, maybe it’ll reduce the lag time a little.

If anyone else is already using it, do share with us your thoughts in the comment section below.

Source: Internet News (Thanks Navin)

This program retrieves version information for the nameservers of a domain and produces a report that describes possible vulnerabilities of each.

Vulnerability information is configurable through a configuration file; the default is porkbind.conf. Each nameserver is tested for recursive queries and zone transfers. The code is parallelized with libpthread.

Changes for v1.3

• Wrote in-a-bind shell script that scans random domain names from DMOZ
• Implemented recursive query testing
• Changed porkbind.conf to use CVE numbers in addition to CERT alerts
• Modified text displayed on stdout to make it more parsable
• Licensed with GNU Lesser General Public License
• Fixed timeout/concurrency/memory corruption bugs
• Fixed improper comparison of alpha/beta version numbering bug
• Added typecasts to silence compiler warnings

The tool now scans for 14 flaws and reports CVE numbers & CERT.

You can download PorkBind v1.3 here:

porkbind-1.3.tar.gz

Or read more here.