What Dan's DNS Checker Doesn't Do

Chris Eng By Chris Eng
July 10, 2008

Despite what various commenters around the blogosphere think (I've read a few but can't find the links now), Dan Kaminsky's online "Check My Dns" utility doesn't:

    • Poison anybody's DNS cache
    • Expose how the actual exploit works


What it does is check whether your ISP's DNS server is patched. Plain and simple. It looks for one thing -- source port randomization. This does not give away the exploit, it checks for the existence of the sledgehammer fix that prevents the exploit from working.

More specifically, there's some Javascript code that generates a random hex string which is used to create a URL, e.g. http://6313d97e498e.toorrr.com. Your OS then does a DNS lookup for that unique hostname. Your ISP's DNS server asks toorrr.com's DNS server (a server Dan controls) to resolve that funky DNS name to an IP address. It sends a few packets in the process. Dan's server makes a note of the source port of each request and sends back the webserver's IP address to your DNS server, which sends it back to you.

Now that you have the IP address, your browser can fetch the results page. The web page is generated dynamically by parsing the hex string out of the URL you requested, using Ajax to fetch the relevant port and TXID data stored on Dan's server, and printing out a "safe" or "vulnerable" message such as:

Your name server, at, appears to be safe.
Requests seen for 6313d97e498e.toorrr.com: TXID=13926 TXID=25412 TXID=30829 TXID=13934 TXID=2701

That's all. Nothing tricky. This particular DNS server is deemed safe because the source port varies from one request to the next.

Come to think of it, those source ports don't really look that random, do they? For anybody "in the know", is that amount of randomness sufficient to protect against the attack?

Veracode Security Solutions
Veracode Security Threat Guides

Chris Eng, Chief Research Officer, is responsible for integrating security expertise into Veracode’s technology. In addition to helping define and prioritize the security feature set of the Veracode service, he consults frequently with customers to discuss and advance their application security initiatives. With over 15 years of experience in application security, Chris brings a wealth of practical expertise to Veracode.