Switching to TCP in BIND.
Stephane Bortzmeyer
bortzmeyer at nic.fr
Wed May 5 09:38:18 UTC 2010
On Wed, May 05, 2010 at 09:35:38AM +0100,
Sam Wilson <Sam.Wilson at ed.ac.uk> wrote
a message of 22 lines which said:
> > It seems (not tested by me) that Nominum CNS does that: when many
> > responses arrive which do not match (src IP address, query ID, etc)
> > any pending answer, it switches to TCP, assuming someone tries to
> > poison it.
> >
> > This is supposed to be a protection against the Kaminsky attack.
>
> Interesting. "Switches" by what means?
I don't understand the question. When detecting an attack, CNS decides
to query the authoritative name servers with TCP instead of querying
with UDP as it does by default, that's all.
> Returns TC responses to all UDP queries?
Why would it do that? The stub resolvers would not know what to do
with it.
> Just for particular clients or particular domains? Is this
> documented at all
I don't know.
More information about the bind-users
mailing list