July 22, 2008

Multiple DNS implementations vulnerable to cache poisoning, getting time to patch

Filed under: Security, abuse, dns, internet — @ 12:38

The DNS cache poisoning vulnerabilities (see VU#800113), whose attack details are going to be disclosed at the next Black Hat, are attracting a lot of attention.

People are commenting (here and here) on whether or not the cat has been let out of the bag. The exploit has been out there all the time … so what’s the (new) fuss? Deal with it and apply the patches. Because of the nature of the patch (using ‘random’ source ports), proper testing is required, and certain environments might require a change in their firewall policy.

The people at DNS-OARC have a DNS server that you can use to test whether your resolver is using random source ports:

$ dig +short porttest.dns-oarc.net TXT
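The kind of check behind such a port test, written out as an added example (not code from the original post or from DNS-OARC): given the UDP source ports an authoritative server saw from one resolver, rate how randomized they look. The sample port lists and the rating thresholds are constructed for illustration and are not DNS-OARC's actual cut-offs.

```python
"""Rate a resolver's UDP source-port randomization from observed query ports.

Added example, not DNS-OARC's code. Thresholds are assumptions for illustration.
"""
import random
import statistics

# Assumed rating thresholds (illustrative, not DNS-OARC's published values).
MIN_QUERIES = 10
GOOD_STDDEV = 3000.0   # ports spread over much of the 1024-65535 range
FAIR_STDDEV = 500.0    # ports vary, but only inside a narrow window


def rate_source_ports(ports):
    """Return (rating, details) for a sequence of observed UDP source ports.

    'POOR'  : a fixed port, heavy reuse, or a tiny spread (e.g. a counter),
              so an off-path attacker has little to guess beyond the TXID.
    'FAIR'  : ports vary, but over a window small enough to brute-force.
    'GOOD'  : wide spread with almost no reuse, adding ~16 bits to guess.
    """
    ports = list(ports)
    if len(ports) < MIN_QUERIES:
        raise ValueError(f"need at least {MIN_QUERIES} queries, got {len(ports)}")
    distinct = len(set(ports))
    stddev = statistics.pstdev(ports)
    reuse = 1.0 - distinct / len(ports)   # share of queries that reused a port
    if distinct == 1 or reuse > 0.5:
        rating = "POOR"
    elif stddev >= GOOD_STDDEV and reuse < 0.1:
        rating = "GOOD"
    elif stddev >= FAIR_STDDEV:
        rating = "FAIR"
    else:
        rating = "POOR"
    details = {"queries": len(ports), "distinct": distinct, "stddev": round(stddev, 1)}
    return rating, details


# Constructed samples standing in for ports captured from three resolvers.
FIXED_PORT = [53] * 26                                        # unpatched: one fixed port
SEQUENTIAL = list(range(32768, 32768 + 26))                   # predictable counter
RANDOMIZED = random.Random(1).sample(range(1024, 65536), 26)  # patched resolver

if __name__ == "__main__":
    for name, sample in [("fixed", FIXED_PORT), ("sequential", SEQUENTIAL), ("random", RANDOMIZED)]:
        print(name, *rate_source_ports(sample))
```

A resolver that passes such a test still relies on the firewall in front of it allowing the full ephemeral port range outbound, which is the policy change the post warns about.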
