Switching to TCP in BIND.
Sam Wilson
Sam.Wilson at ed.ac.uk
Wed May 5 09:39:53 UTC 2010
In article <mailman.1394.1273050634.21153.bind-users at lists.isc.org>,
sthaug at nethelp.no wrote:
> > > > I know of no such feature. What do you mean by "spoofed" anyway? How
> > > > would you expect named to detect "spoofing", and is that its job?
> > >
> > > It seems (not tested by me) that Nominum CNS does that: when many
> > > responses arrive which do not match (src IP address, query ID, etc)
> > > any pending answer, it switches to TCP, assuming someone tries to
> > > poison it.
> > >
> > > This is supposed to be a protection against the Kaminsky attack.
> >
> > Interesting. "Switches" by what means? Returns TC responses to all UDP
> > queries? Just for particular clients or particular domains? Is this
> > documented at all (yes, I'm too lazy to Google :-) ).
>
> According to the Nominum CNS manual,
>
> "When a single query ID mismatch is detected in the expected DNS
> response, CNS switches the recursive query to the more reliable TCP
> protocol ..."
>
> So it is definitely documented - though I'm sure there are details of
> the implementation which are *not* documented in the regular user
> manual.
Oh, I see. It's the other way round from what I had (wrongly) assumed -
if the response to a query looks suspect then CNS will retry the query
using TCP to try to protect against spoofed answers coming back. Seems
sensible.
Sam
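The behaviour described in this thread, a resolver that checks each UDP response against the query it claims to answer and, on a query ID mismatch, abandons UDP for that question and re-asks over TCP, is sketched below as an added example. This is not code from the thread, from BIND or from Nominum CNS; the header and question layout follow the DNS wire format, while the matching policy (find the outstanding query by server address and question, then compare the transaction ID) and every name, address and packet used are constructed for illustration.

```python
import struct
from dataclasses import dataclass, field

# Added example (not BIND or CNS code): a simplified resolver that validates
# UDP responses against pending queries and marks questions for TCP retry
# when the question matches but the query ID does not.

QTYPE_A = 1


def norm(name: str) -> str:
    """Canonical form for comparing names: lower case, single trailing dot."""
    return name.rstrip(".").lower() + "."


def encode_name(name: str) -> bytes:
    """Encode a dotted name as DNS wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(pkt: bytes, off: int):
    """Decode an uncompressed wire-format name; return (name, next_offset)."""
    labels = []
    while True:
        length = pkt[off]
        off += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointers not handled in this example")
        labels.append(pkt[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", off


def build_response(txid: int, qname: str, qtype: int, answer_ip: str) -> bytes:
    """Build a minimal DNS response; constructed test input, not captured traffic."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR=1 RD=1 RA=1, 1 question, 1 answer
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    rdata = bytes(int(octet) for octet in answer_ip.split("."))
    # Answer: pointer to the question name (0xC00C), type, class IN, TTL 60, rdlength, rdata
    answer = b"\xc0\x0c" + struct.pack("!HHIH", qtype, 1, 60, len(rdata)) + rdata
    return header + question + answer


@dataclass
class PendingQuery:
    txid: int
    server: tuple        # (ip, port) the UDP query was sent to
    qname: str
    qtype: int


@dataclass
class Resolver:
    pending: list = field(default_factory=list)
    force_tcp: set = field(default_factory=set)   # (qname, qtype) pairs to re-ask over TCP
    mismatches: int = 0

    def send_udp(self, txid: int, server: tuple, qname: str, qtype: int) -> None:
        """Record an outstanding UDP query (the send itself is out of scope here)."""
        self.pending.append(PendingQuery(txid, server, norm(qname), qtype))

    def on_udp_response(self, src: tuple, pkt: bytes) -> str:
        """Classify an incoming UDP packet as 'accept', 'retry-tcp' or 'drop'."""
        txid, flags, qdcount = struct.unpack("!HHH", pkt[:6])
        if not flags & 0x8000 or qdcount != 1:
            return "drop"                         # not a response, or not a shape we expect
        qname, off = decode_name(pkt, 12)         # question section starts after the 12-byte header
        qtype, _qclass = struct.unpack("!HH", pkt[off:off + 4])
        key = (norm(qname), qtype)
        # The response must come from the server we asked and carry the question we asked.
        matches = [q for q in self.pending if q.server == src and (q.qname, q.qtype) == key]
        if not matches:
            return "drop"                         # unsolicited: nothing outstanding for this question
        for q in matches:
            if q.txid == txid:
                self.pending.remove(q)
                return "accept"
        # Right server, right question, wrong ID: discard the answer and re-issue
        # that query over TCP, as the CNS manual text quoted above describes.
        self.mismatches += 1
        self.force_tcp.add(key)
        return "retry-tcp"
```

The check deliberately drops unsolicited packets silently but escalates only on the case the thread is about: a packet that matches an outstanding question yet carries the wrong ID. A real resolver would also compare the source port and the answer's question against the query, and would bound how long a name stays in `force_tcp`.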