DNS Server check message

Can anyone advise me in what I can do when I receive these messages whilst checking DNS server vulnerabilities:

This one:

Your name server, at 194.109.xxx.xxxxx, appears to be safe, but
make sure the ports listed below aren't following an obvious
pattern 1001, :1002, :1003, or :30000, :30020,
:30100...).Requests seen for a3d7e4e1a9fc.toorrr.com:
194.109.21.251:57926 TXID=20325
194.109.21.251:61320 TXID=48354
194.109.21.251:52602 TXID=45692
194.109.21.251:55552 TXID=34849
194.109.21.147:4177 TXID=59681

Or this one?:

Your name server at 194.x.x.x, may be safe, but the
NAT/Firewall in front of it appears to be interfering with
its port selection policy. The difference between largest
port and smallest port was only 24.
Edit/Delete Message

Checking can be done here: http://www.doxpara.com and here: https://www.dns-oarc.net/oarc/services/dnsentropy

 

Hello,

Checking and patching DNS vulnerability is not your problem. It's your ISP problem. On the same note, why don't you audit your ISP web, mail, ftp servers - or any other site for that matter?

Let's say you get some sort of answer - bad, for this matter, considering you can correctly interpret the results? What are you going to do?

Mrk

 

Hi Mrk. I agree with you that it is primarily my ISPs responsibility.
But what if they are slow (or just don't care)?

I can switch ISPs of course, but that takes some time.
There must be something a customer can do to make sure he doesn't become a 'victim' of DNS exploits.

 

Hello,
And what if the root servers get exploited? What then?
There's no effective way for someone to avoid being affected by something happening on the web - by participating in the web.
Mrk

 

Stijnosn; This may help
http://www.dslreports.com/forum/r20843454-Exploit-Code-for-Kaminsky-DNS-Bug-Goes-Wild

This issue may be a serious biggie

 

Thanks Longboard.
Makes a nice read -

Some useful suggestions there, too.
I also think that this may become a very big issue (if it isn't already). Let's hope all (or at least most) ISPs will fix this asap.

 

The following are not perfect solutions but (in the words of Charlie Brown) they are "pretty perfect"...

1- Set up you computer to use OpenDNS for your Domain Name Servers. The OpenDNS site clearly explains how to do this.

2- When doing financial business (banking etc): (a) be sure you see the Lock symbol in the bottom right hand corner of your browser, thereby indicating you are in SSL, AND (b) use your browser to view the site's certificate

3- It isn't quite on-topic, but I heartily recommend (a) use of Sandboxie, configured so that your browser is the ONLY app authorized to connect to the internet, AND (b) use of Firefox with the NoScript add-on

P.S. I have heard that some folks will exit their browser and restart their browser just before doing financial business. I do not know if this is a good idea, or is merely akin to throwing salt over one's left shoulder. Hopefully someone will comment.

 

Hello,

As to OpenDNS or any other non-ISP solution, I know who my ISP is and what they do - and if needed, I can sue them. Not so with a 3rd paty voluntary DNS service who knows where.

Even so, OpenDNS - and any DNS service - relies on the root servers. And if these get compromised, the entire web does.

So, trusting OpenDNS over your ISP is just a fancy. They both have an equal chance of being vulnerable. And again, your ISP is right next door, you can do, you pay to them, they are contractually obliged to you as a customer.

Mrk

 

The max instances of problems (at least for now) are with cache moreso than root.

In any event, OpenDNS passes whereas (at this moment) Time-Warner, ATT, & many other ISPs do not. If the process is A => B==> user, & A is ??, whereas B1 is good whereas B2 is ??, I think it makes sense to use B1. Why add another set of question marks into the pipeline? OpenDNS passes some meaningful tests. OP's ISP does NOT pass those tests.

As of now, I do not know of anyone who has come up with a perfect method of protection against DNS poisoning. Even so, we should take those precautionary steps that we CAN take, instead of just bending over & grabbing our ankles.

Hopefully, the goal here is NOT to focus on what cannot be done, & the futility of even trying. Instead, I believe & hope our goal is to discuss what CAN be done, and to help each other learn more & better ways from that starting point.

 

If you do this, be sure to disable all their fancy mis-features which essentially break things badly.

- Their "typo correction" stuff does a wildcard matching for non-existant domains which is a horrible idea (breaks spam filtering and anything else that expects NXDOMAIN as a DNS response when querying for unregistered domains). Additionally it will move you to their advertising-flooded search page if you type an address that can't be resolved in your browser.

- Their shortcuts and opendns proxy feature hijacks Google - allegedly a wonderful "solution" to certain manufacturers doing the same. Ugh.

With all those features disabled, it is a temporary workaround until your ISP fixes their DNS server. Otherwise, I can't recommend using OpenDNS as a permanent replacement the reasons above.

 

The problem is only caused by a targeted attack. Pointing your computer to the OpenDNS servers (which have good security policy and is not vulnerable to this problem) is a solution.

If the root servers are targeted, we are all screwed anyway but that is a different issue.

 

I have been doing some reading and it appears that this message is caused by my router. Apparently it has poor port randomisation (Speedtouch 780, Alcatel/Thomson). It seems it reduces the effect of applied patches.

Does anyone have suggestions how to fix this one?
Speedtouch/Alcatel/Thomson isn't known for its 'patching' qualities I'm afraid.