From the “H D Moore Knows” files:
Yesterday, Google launched its new Public DNS service. Among the benefits that Google is claiming for the new service is that it helps to secure DNS for users.
Is that an accurate claim?
One of the big issues that security researcher Dan Kaminsky disclosed about DNS insecurity in 2008 was that DNS request information wasn’t as random as it should be. Each DNS request is supposed to carry a randomly chosen transaction ID, but that ID can only be one of roughly 65,000 possible values. DNS is at risk when the ID isn’t randomized well enough and a hacker can “guess” the number.
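Whether a resolver you operate picks its transaction IDs well enough can be checked by capturing its outbound queries and looking at the 16-bit ID at the start of each DNS header. The Python below is an added example, not code from the article or from H D Moore, and it runs on constructed captures rather than real resolver traffic:

```python
import math
import random
import struct
from collections import Counter

def build_query(tid: int, name: str = "example.com") -> bytes:
    """Build a minimal DNS query (header + one A question) carrying transaction ID `tid`."""
    header = struct.pack("!HHHHHH", tid, 0x0100, 1, 0, 0, 0)   # RD set, QDCOUNT=1
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)          # QTYPE=A, QCLASS=IN

def txid(msg: bytes) -> int:
    """The transaction ID is the first 16-bit field of the 12-byte DNS header."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    return struct.unpack("!H", msg[:2])[0]

def txid_stats(ids):
    """Entropy (bits) of the observed IDs and the fraction of +1 steps between consecutive IDs."""
    n = len(ids)
    counts = Counter(ids)
    entropy = -sum(c / n * math.log2(c / n) for c in counts.values())
    steps = [(b - a) & 0xFFFF for a, b in zip(ids, ids[1:])]
    seq = sum(1 for d in steps if d == 1) / max(len(steps), 1)
    return {"samples": n, "distinct": len(counts), "entropy_bits": entropy, "sequential": seq}

def verdict(messages):
    """Classify one resolver's capture as 'sequential', 'low-entropy' or 'ok'."""
    s = txid_stats([txid(m) for m in messages])
    # A sample of n IDs can show at most log2(min(n, 65536)) bits; demand most of that.
    ceiling = math.log2(min(s["samples"], 65536))
    if s["sequential"] > 0.5:
        return "sequential"
    if s["entropy_bits"] < 0.9 * ceiling:
        return "low-entropy"
    return "ok"

# Constructed captures (not real resolver traffic): an incrementing resolver,
# one that only ever uses 256 of the 65536 possible IDs, and a properly random one.
rng = random.Random(1)
SEQUENTIAL = [build_query((0x1000 + i) & 0xFFFF) for i in range(2000)]
WEAK = [build_query(rng.getrandbits(8)) for _ in range(2000)]
RANDOM = [build_query(rng.getrandbits(16)) for _ in range(2000)]

if __name__ == "__main__":
    for label, cap in [("sequential", SEQUENTIAL), ("weak", WEAK), ("random", RANDOM)]:
        print(label, verdict(cap), txid_stats([txid(m) for m in cap]))
```

A real audit would feed the function packets captured from the resolver's upstream interface; with only a couple of thousand samples it cannot prove full 16-bit randomness, but it does flag the incrementing and narrow-range behaviour that made guessing practical.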
So is Google’s Public DNS random enough?
I got a comment on that point from H D Moore, the famed security researcher, Metasploit founder and CSO at Rapid7. Moore knows what he’s talking about when it comes to DNS exploits, as his Metasploit tool was among the first to carry a weaponized version of the Kaminsky DNS flaw.
Here’s his graph (click for the full size; credit: H D Moore, Rapid7):