The best test for vulnerability to the DNS flaw

Don't use Web site names to test whether you can trust Web site names. Use the actual IP address instead.


Not only is there is a flaw in the Domain Name System, there is also a flaw in the suggested ways to test whether your computer is vulnerable.

Many articles suggest going to Web site x or y to run vulnerability tests. (I'm guilty of this too.) But the nature of the problem is that you can't trust Web site names.

The fallacy is simple: use a name you can't trust to see if you can trust a name.

As I explained in "What you need to know about the latest DNS flaw," every Web site can be accessed by an IP address. The DNS flaw does not affect this rare, but quite valid, method of addressing Web sites. Thus, it's the best approach for an online vulnerability test.

One often-cited vulnerability test is offered by the DNS Operations, Analysis, and Research Center (DNS-OARC) at:

I asked them about using an IP address to get to their online test and was told (thanks, Duane) that the test is also available at:

To me, this is the best vulnerability test for the current DNS flaw.

While this link bypasses the introduction to the topic offered by DNS-OARC, hopefully your computer is safe and you won't need to read about the problem. If all is well, it will report "great" for both the source port randomness and the transaction ID randomness.

If you are vulnerable, see "A cheatsheet for defending against the DNS flaw."

See a summary of all my Defensive Computing postings.

Autoplay: ON Autoplay: OFF