Switching to TCP in BIND.
sthaug at nethelp.no
sthaug at nethelp.no
Wed May 5 09:10:16 UTC 2010
> > > I know of no such feature. What do you mean by "spoofed" anyway? How
> > > would you expect named to detect "spoofing", and is that its job?
> >
> > It seems (not tested by me) that Nominum CNS does that: when many
> > responses arrive which do not match (src IP address, query ID, etc)
> > any pending answer, it switches to TCP, assuming someone tries to
> > poison it.
> >
> > This is supposed to be a protection against the Kaminsky attack.
>
> Interesting. "Switches" by what means? Returns TC responses to all UDP
> queries? Just for particular clients or particular domains? Is this
> documented at all (yes, I'm too lazy to Google :-) ).
According to the Nominum CNS manual,
"When a single query ID mismatch is detected in the expected DNS
response, CNS switches the recursive query to the more reliable TCP
protocol ..."
So it is definitely documented - though I'm sure there are details of
the implementation which are *not* documented in the regular user
manual.
Steinar Haug, Nethelp consulting, sthaug at nethelp.no
More information about the bind-users
mailing list