The first obvious reaction from the infosec crowd, given all the recent DNS flaws, is to question the security of the Google DNS service.
HD Moore has done some good analysis on the service as outlined below.
Yesterday, Google launched its new Public DNS service. Among the benefits that Google is claiming for the new service is that it helps to secure DNS for users. Is that an accurate claim?
One of the big issues that security researcher Dan Kaminsky disclosed about DNS insecurity in 2008 was that DNS request information isn’t quite as random as it should be. The way DNS works is that each DNS request is supposed to carry with it a random number transaction ID. But it turns out that the random number is only one out of 65,000. DNS is at risk when there isn’t enough randomization and a hacker can ‘guess’ the number.
So is Google’s Public DNS random enough? I got a comment from famed security researcher, H D Moore on that point. Moore knows what he’s talking about when it comes to DNS exploits as his Metasploit tool was among the first to have a weaponized version of the Kaminsky DNS flaw.
It seems like the port allocation of the Google DNS system is adequately random even though it’s drawing from a fairly small port range.
So the claims that this could be a more secure DNS server for most systems are true; it will protect against DNS cache poisoning attacks, at least.
Moore has now put together a mapping of Google’s source port distribution on the Public DNS service. In his view, it looks like the source ports are sufficiently random, even though they are limited to a small range of ports.
According to HD, it looks like Google’s focus on security might be on the right track and the DNS could be good at preventing cache poisoning attacks.
His sample size is only 10,000 requests here, which isn't a huge number but does give a decent sample in my view. He has also graphed source ports, transaction IDs and a comparison of source ports to those transaction IDs.
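The check Moore describes (are the source ports and transaction IDs of a resolver's outbound queries spread out and unpredictable?) is easy to reproduce yourself. The script below is an added example and is not code from the original post or from Moore's analysis. It takes a list of (source port, transaction ID) pairs, which in practice you would log on an authoritative server you control for a test zone, and reports the observed port range, a Shannon entropy estimate for each field, and a "sequential step" test. The sample data, the port range 32768-60999 used for the "good" resolver, and the pass/fail thresholds are all constructed assumptions for illustration, not measurements of Google's service.

```python
"""Assess the unpredictability of a resolver's (source_port, txid) pairs.

Added example, not part of the original post or HD Moore's work.  All sample
data below is constructed, not captured from any real resolver.
"""
import math
import random
from collections import Counter

TXID_SPACE = 65536  # DNS transaction IDs are 16-bit


def shannon_entropy_bits(values):
    """Plug-in Shannon entropy (bits) of the observed values.

    This can never exceed log2(len(values)): with 10,000 samples even a
    perfectly random 16-bit field shows at most ~13.3 bits, not 16.
    """
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values())


def sequential_fraction(seq, modulus=TXID_SPACE):
    """Fraction of consecutive samples that step by exactly +1 (mod modulus).

    A plain counter scores ~1.0 here while still having full plug-in entropy
    (every value distinct), which is why entropy alone cannot tell you
    whether a field is predictable.
    """
    if len(seq) < 2:
        return 0.0
    steps = sum(1 for a, b in zip(seq, seq[1:]) if (b - a) % modulus == 1)
    return steps / (len(seq) - 1)


def describe(pairs):
    """Summarise a list of (source_port, txid) pairs, one per outbound query."""
    ports = [p for p, _ in pairs]
    txids = [t for _, t in pairs]
    return {
        "samples": len(pairs),
        "port_range": (min(ports), max(ports)),
        "distinct_ports": len(set(ports)),
        "port_bits": shannon_entropy_bits(ports),
        "txid_bits": shannon_entropy_bits(txids),
        "port_sequential": sequential_fraction(ports),
        "txid_sequential": sequential_fraction(txids),
    }


def assess(pairs, min_port_bits=8.0, max_sequential=0.05):
    """Return (ok, reasons). The thresholds are this example's assumptions."""
    d = describe(pairs)
    reasons = []
    if d["distinct_ports"] == 1:
        reasons.append("fixed source port %d: an attacker only has to guess "
                       "the 16-bit TXID" % d["port_range"][0])
    elif d["port_bits"] < min_port_bits:
        reasons.append("source ports carry only %.1f bits" % d["port_bits"])
    if d["port_sequential"] > max_sequential:
        reasons.append("source ports look sequential")
    if d["txid_sequential"] > max_sequential:
        reasons.append("TXIDs look sequential (%.0f%% of steps are +1)"
                       % (100 * d["txid_sequential"]))
    return (not reasons, reasons)


def constructed_sample(kind, n=10000, seed=1):
    """Constructed (not captured) query samples for two resolver behaviours."""
    rng = random.Random(seed)
    if kind == "fixed_port_counter":
        # Pre-2008 style resolver: every query from port 53, TXID is a counter.
        start = rng.randrange(TXID_SPACE)
        return [(53, (start + i) % TXID_SPACE) for i in range(n)]
    if kind == "random_port_random_txid":
        # Random TXID plus a random port from a limited range; the range
        # 32768-60999 is an illustrative assumption, not Google's actual range.
        return [(rng.randrange(32768, 61000), rng.randrange(TXID_SPACE))
                for _ in range(n)]
    raise ValueError(kind)


if __name__ == "__main__":
    for kind in ("fixed_port_counter", "random_port_random_txid"):
        sample = constructed_sample(kind)
        ok, reasons = assess(sample)
        summary = {k: round(v, 2) if isinstance(v, float) else v
                   for k, v in describe(sample).items()}
        print(kind, "OK" if ok else "WEAK", summary)
        for r in reasons:
            print("  -", r)
```

Two caveats worth keeping in mind when reading the numbers: the entropy estimate is capped by the sample size, so a 10,000-query sample cannot show more than about 13.3 bits for either field no matter how good the resolver is, and a counter-based TXID shows that same full entropy while being completely predictable, which is what the sequential check catches. To collect real samples, point the resolver at names in a zone whose authoritative server you run and log the source port and TXID of each query it sends you.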
I’ll switch over from OpenDNS and give the Google system a try, maybe it’ll reduce the lag time a little.
If anyone else is already using it, do share with us your thoughts in the comment section below.
Source: Internet News (Thanks Navin)