The Passive DNS Port Test (PDPT) tool acts as a passive DNS monitor to flag resolvers that may be vulnerable to the cache poisoning issue described in CERT VU #800113. Similar to OARC's porttest, this monitor will judge the source port behavior of resolvers based on the standard deviation of observed source ports.
Active probing may miss vulnerable servers within an organization, because resolvers are often configured to provide recursive service only to a restricted address range. By passively monitoring near an organization's egress point, these resolvers can be flagged and audited.
Example output of the passive DNS monitor (with the IP addresses anonymized):
tup ~ # ./pdpt.py -h
Usage: pdpt.py [options]

Options:
  -h, --help  show this help message and exit
  -i DEVICE   interface to listen for queries on
  -c COUNT    queries to observe before judging a resolver

tup ~ # ./pdpt.py -i eth0 -c 300
listening on eth0: udp and dst port 53
Mon Jul 21 01:55:38 2008: 1.2.3.4 is BAD: 300 queries from 1 ports with std dev 0.000000
Mon Jul 21 01:55:45 2008: 4.3.2.1 is GOOD: 300 queries from 300 ports with std dev 15005
...
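The judging step the tool performs on each resolver, as an added illustration (this is not pdpt.py's own code). It skips the packet capture and works on a constructed list of (source IP, UDP source port) pairs of the kind a tap at the egress point would yield for queries to port 53; it groups them per resolver and, once the observation count is reached, judges the resolver by the standard deviation of its source ports, printing lines in the same format as the output above. The 300-query count mirrors the -c 300 run shown; the cutoff of 3000 is a hypothetical threshold, since the page does not state the one pdpt uses. The third constructed resolver draws ports sequentially, which shows why the tool uses standard deviation rather than a plain count of distinct ports: 300 distinct but consecutive ports are still trivially predictable.

```python
"""Passive source-port randomization check (added example, not pdpt.py itself)."""
import random
import statistics
import time
from collections import defaultdict

MIN_QUERIES = 300        # queries observed before judging, as in the -c 300 run above
STDDEV_THRESHOLD = 3000  # hypothetical cutoff; pdpt's actual cutoff is not stated


def build_sample():
    """Constructed observations: (resolver IP, UDP source port). Not real captures."""
    obs = []
    # 10.0.0.1: every query leaves from one fixed port -> no randomization.
    obs += [("10.0.0.1", 53000)] * MIN_QUERIES
    # 10.0.0.2: ports drawn at random from the ephemeral range (seeded for repeatability).
    rng = random.Random(800113)
    obs += [("10.0.0.2", rng.randint(1024, 65535)) for _ in range(MIN_QUERIES)]
    # 10.0.0.3: sequential ports, many distinct values but almost no spread.
    obs += [("10.0.0.3", 1024 + i) for i in range(MIN_QUERIES)]
    # 10.0.0.4: too few queries seen so far to reach a verdict.
    obs += [("10.0.0.4", rng.randint(1024, 65535)) for _ in range(20)]
    return obs


SAMPLE_OBSERVATIONS = build_sample()


def group_by_resolver(observations):
    """Collect the source ports seen per resolver address."""
    ports_by_ip = defaultdict(list)
    for src_ip, src_port in observations:
        ports_by_ip[src_ip].append(src_port)
    return ports_by_ip


def judge_ports(ports, min_queries=MIN_QUERIES, threshold=STDDEV_THRESHOLD):
    """Return (verdict, queries, distinct_ports, stddev) for one resolver.

    The verdict is UNDECIDED until min_queries have been seen; after that a
    population standard deviation below the threshold is flagged BAD.
    """
    n = len(ports)
    distinct = len(set(ports))
    if n < min_queries:
        return ("UNDECIDED", n, distinct, None)
    sd = statistics.pstdev(ports)
    verdict = "GOOD" if sd >= threshold else "BAD"
    return (verdict, n, distinct, sd)


def report(observations):
    """Judge every resolver in the observation list; returns {ip: judge_ports(...)}."""
    return {ip: judge_ports(ports) for ip, ports in group_by_resolver(observations).items()}


def format_line(ip, result, when=None):
    """Render one verdict in the same style as the pdpt output above."""
    verdict, n, distinct, sd = result
    stamp = time.ctime(when) if when is not None else time.ctime()
    if verdict == "UNDECIDED":
        return f"{stamp}: {ip} is UNDECIDED: only {n} queries observed so far"
    return (f"{stamp}: {ip} is {verdict}: {n} queries from {distinct} ports "
            f"with std dev {sd:f}")


if __name__ == "__main__":
    for ip, result in sorted(report(SAMPLE_OBSERVATIONS).items()):
        print(format_line(ip, result))
```

In a live deployment the observation list is fed from the capture filter the tool uses ("udp and dst port 53"), keyed by the query's source address; only resolvers that are seen sending enough queries ever get a verdict, which is exactly why the monitor should sit where the organization's recursive resolvers' outbound traffic passes.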