Switching to TCP in BIND.

Stephane Bortzmeyer bortzmeyer at nic.fr
Wed May 5 09:38:18 UTC 2010

On Wed, May 05, 2010 at 09:35:38AM +0100,
 Sam Wilson <Sam.Wilson at ed.ac.uk> wrote 
 a message of 22 lines which said:

> > It seems (not tested by me) that Nominum CNS does that: when many
> > responses arrive which do not match (src IP address, query ID, etc)
> > any pending answer, it switches to TCP, assuming someone tries to
> > poison it.
> >  
> > This is supposed to be a protection against the Kaminsky attack.
> Interesting.  "Switches" by what means? 

I don't understand the question. When detecting an attack, CNS decides
to query the authoritative name servers with TCP instead of querying
with UDP as it does by default, that's all.

> Returns TC responses to all UDP queries?

Why would it do that? The stub resolvers would not know what to do
with it.

> Just for particular clients or particular domains?  Is this
> documented at all

I don't know.

More information about the bind-users mailing list