Switching to TCP in BIND.

Sam Wilson Sam.Wilson at ed.ac.uk
Wed May 5 09:39:53 UTC 2010

In article <mailman.1394.1273050634.21153.bind-users at lists.isc.org>,
 sthaug at nethelp.no wrote:

> > > > I know of no such feature. What do you mean by "spoofed" anyway? How
> > > > would you expect named to detect "spoofing", and is that its job?
> > > 
> > > It seems (not tested by me) that Nominum CNS does that: when many
> > > responses arrive which do not match (src IP address, query ID, etc)
> > > any pending answer, it switches to TCP, assuming someone tries to
> > > poison it.
> > >  
> > > This is supposed to be a protection against the Kaminsky attack.
> > 
> > Interesting.  "Switches" by what means?  Returns TC responses to all UDP 
> > queries?  Just for particular clients or particular domains?  Is this 
> > documented at all (yes, I'm too lazy to Google :-) ).
> According to the Nominum CNS manual,
> "When a single query ID mismatch is detected in the expected DNS
> response, CNS switches the recursive query to the more reliable TCP
> protocol ..."
> So it is definitely documented - though I'm sure there are details of
> the implementation which are *not* documented in the regular user
> manual.

Oh, I see. It's the other way round from what I had (wrongly) assumed - 
if the response to a query looks suspect then CNS will retry the query 
using TCP to try to protect against spoofed answers coming back.  Seems 


More information about the bind-users mailing list