> surely the tool is not focused at a dns operator/admin audience..
I suspect the tool's form might partly be meant to obscure exactly what
patterns it is looking for.
Kind of how one might release a vulnerability checker in binary form
(but with source code intentionally witheld)
5 query samples would not seem to be a sufficient number to compute the
probability that the TXIDs and
source ports are both independent and random, with stringent confidence
intervals, and that there is
no sequence predictability (due to use of a PRNG)...
More exhaustive tool would operate on tcpdump output or run live with
pcap, gather samples of sequences of TXIDs,
port numbers, timestamps.
And perform tests for independency between TXID and port number, timestamp,
and some statistical tests for randomness.
Since it appears as though a significant part of the solution is tied to
upgrading to new code, which implements better PRNG *and* random source
ports, it seems that one indicator for vulnerability is simply the reuse
of a source port number, which should be trivial to identify without any
concern for having to look for "patterns" within the PRNG-generated TXID.
You do not necessarily need to be able to verify that something is NOT
vulnerable in order to detect vulnerability. Your answers will only be
"is vulnerable" and "might be vulnerable" of course, but that's useful
all by itself.