Granted, it's nice to have good, working tools. I'm just surprised that
someone wrote a perl script to test this vulnerability when the dig
test already existed.

As for the different results, all I can say is that's pretty odd. I'd
like to know what ISC has to say about this.

Chris Buxton
Professional Services
Men & Mice

On Jul 25, 2008, at 11:02 PM, Brian Keefer wrote:

> On Jul 25, 2008, at 10:43 PM, Chris Buxton wrote:
>
>> That sure seems like a lot of work when you could just:
>>
>> dig porttest.dns-oarc.net txt +short @server-ip
>>
>> For example:
>>
>> $ dig porttest.dns-oarc.net txt +short @217.151.171.7
>> z.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.pt.dns-oarc.net.
>> "217.151.171.7 is GOOD: 26 queries in 3.9 seconds from 26 ports with
>> std dev 19886.66"
>>
>> Notice the word "GOOD" in the output. Also notice the standard
>> deviation shown at the end - you want 5 digits before the decimal
>> point.
>>
>> Chris Buxton
>> Professional Services
>> Men & Mice
>
>
> Trust me, I'm not trying to say this way is better, I'm just saying
> if you're going to use noclicky, make sure it's giving you the right
> results. Most people using noclicky probably already found the
> problem and fixed it on their own, but I just wanted to get the
> correction publicized for those who might be relying on it without
> understanding it. It seems a bit more polite to the author than to
> simply say "don't use that, it's broken". *shrug*
>
> Also, I noticed that doxpara/noclicky have different results for my
> nameservers than porttest.dns-oarc.net has. doxpara says I fail,
> dns-oarc.net says I pass. Looking at a tcpdump I see that the queries
> indeed use the same port for doxpara, but different ports for
> dns-oarc. I haven't had a chance to look closely enough yet to figure
> out why that is.
>
> Brian Keefer
> Sr. Systems Engineer
> www.Proofpoint.com
> "Defend email. Protect data."
>
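Added example, not code from either poster or from DNS-OARC: Brian's tcpdump observation (same source port every time against one tester, a fresh port each time against the other) is exactly the measurement porttest.dns-oarc.net reports back as a port count and standard deviation. The script below does that arithmetic offline over tcpdump -n output of a resolver's own outbound queries, so you can judge a resolver from a capture rather than trusting one remote tester over another. The resolver address 192.0.2.53, the two captures and the 10000 threshold are all constructed or assumed here: the threshold is Chris's "five digits before the decimal point" rule of thumb, and DNS-OARC's real scale is not given in the thread.

```python
"""Judge DNS source-port randomization from tcpdump output.

Added example for this thread, not code from the list posters or from
DNS-OARC. It performs offline the check porttest.dns-oarc.net performs
remotely: count the distinct source ports a resolver uses and the
standard deviation of those ports.
"""
import re
import statistics
from dataclasses import dataclass

# Matches the 'IP src.port > dst.port:' part of tcpdump -n output.
TCPDUMP_UDP = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):"
)

# Assumed threshold: Chris's rule of thumb from the thread (a healthy std
# dev has five digits before the decimal point). Not DNS-OARC's own scale.
GOOD_STDDEV = 10000.0

RESOLVER = "192.0.2.53"  # constructed resolver address

# Constructed capture (not a real trace): every query leaves from port
# 32768. Replies flow the other way and must be ignored by the parser.
FIXED_PORT_CAPTURE = """\
23:01:10.100001 IP 192.0.2.53.32768 > 198.51.100.2.53: 10001+ A? a.example. (27)
23:01:10.100050 IP 198.51.100.2.53 > 192.0.2.53.32768: 10001 1/0/0 A 203.0.113.1 (43)
23:01:10.200001 IP 192.0.2.53.32768 > 198.51.100.2.53: 10002+ A? b.example. (27)
23:01:10.300001 IP 192.0.2.53.32768 > 198.51.100.3.53: 10003+ A? c.example. (27)
23:01:10.400001 IP 192.0.2.53.32768 > 198.51.100.2.53: 10004+ A? d.example. (27)
23:01:10.500001 IP 192.0.2.53.32768 > 198.51.100.3.53: 10005+ A? e.example. (27)
23:01:10.600001 IP 192.0.2.53.32768 > 198.51.100.2.53: 10006+ A? f.example. (27)
"""

# Constructed capture: a fresh source port for each query.
RANDOM_PORT_CAPTURE = """\
23:02:10.100001 IP 192.0.2.53.1025 > 198.51.100.2.53: 20001+ A? a.example. (27)
23:02:10.200001 IP 192.0.2.53.17000 > 198.51.100.2.53: 20002+ A? b.example. (27)
23:02:10.300001 IP 192.0.2.53.33000 > 198.51.100.3.53: 20003+ A? c.example. (27)
23:02:10.350001 IP 198.51.100.3.53 > 192.0.2.53.33000: 20003 1/0/0 A 203.0.113.3 (43)
23:02:10.400001 IP 192.0.2.53.49000 > 198.51.100.2.53: 20004+ A? d.example. (27)
23:02:10.500001 IP 192.0.2.53.65000 > 198.51.100.3.53: 20005+ A? e.example. (27)
23:02:10.600001 IP 192.0.2.53.2222 > 198.51.100.2.53: 20006+ A? f.example. (27)
23:02:10.700001 IP 192.0.2.53.60000 > 198.51.100.2.53: 20007+ A? g.example. (27)
23:02:10.800001 IP 192.0.2.53.8888 > 198.51.100.3.53: 20008+ A? h.example. (27)
"""


@dataclass
class PortReport:
    queries: int
    distinct_ports: int
    stddev: float
    verdict: str

    def summary(self, resolver: str) -> str:
        # Same shape as the porttest TXT answer quoted in the thread.
        return (f"{resolver} is {self.verdict}: {self.queries} queries from "
                f"{self.distinct_ports} ports with std dev {self.stddev:.2f}")


def outbound_query_ports(capture: str, resolver: str) -> list[int]:
    """Source ports of UDP packets the resolver sent to port 53 anywhere."""
    ports = []
    for line in capture.splitlines():
        m = TCPDUMP_UDP.search(line)
        if m and m["src"] == resolver and m["dport"] == "53":
            ports.append(int(m["sport"]))
    return ports


def assess(ports: list[int]) -> PortReport:
    """One reused port, too few samples, or a small spread is POOR."""
    n = len(ports)
    distinct = len(set(ports))
    # Sample std dev needs at least two queries; fewer tells us nothing.
    sd = statistics.stdev(ports) if n >= 2 else 0.0
    verdict = "GOOD" if distinct > 1 and sd >= GOOD_STDDEV else "POOR"
    return PortReport(n, distinct, sd, verdict)


if __name__ == "__main__":
    for label, cap in (("fixed", FIXED_PORT_CAPTURE), ("random", RANDOM_PORT_CAPTURE)):
        print(label, assess(outbound_query_ports(cap, RESOLVER)).summary(RESOLVER))
```

Feed it a real trace with `tcpdump -n -i <iface> udp dst port 53` taken on the resolver while it works through a burst of uncached names; if the port count and std dev disagree sharply with what a remote tester reports, the capture is the evidence to bring to the tester's author.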