> > > I know of no such feature. What do you mean by "spoofed" anyway? How
> > > would you expect named to detect "spoofing", and is that its job?
> >
> > It seems (not tested by me) that Nominum CNS does that: when many
> > responses arrive which do not match (src IP address, query ID, etc.)
> > any pending answer, it switches to TCP, assuming someone tries to
> > poison it.
> >
> > This is supposed to be a protection against the Kaminsky attack.
>
> Interesting. "Switches" by what means? Returns TC responses to all UDP
> queries? Just for particular clients or particular domains? Is this
> documented at all (yes, I'm too lazy to Google :-) ).
According to the Nominum CNS manual, "When a single query ID mismatch is detected in the expected DNS response, CNS switches the recursive query to the more reliable TCP protocol ..." So it is definitely documented - though I'm sure there are details of the implementation which are *not* documented in the regular user manual.

Steinar Haug, Nethelp consulting, sth...@nethelp.no

_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
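The mismatch-then-TCP behaviour discussed in the thread, modelled as an added example (constructed here, not Nominum's or ISC's code): a resolver keeps a table of outstanding UDP queries keyed by upstream server and query ID, and a response that matches no pending (server, ID, name, type) is dropped and flips that zone to TCP. The zone key, the `MismatchGuard` class and the sample addresses are all hypothetical simplifications.

```python
from dataclasses import dataclass, field


def zone_of(qname: str) -> str:
    """Crude zone key: the last two labels (constructed simplification)."""
    return ".".join(qname.rstrip(".").lower().split(".")[-2:])


@dataclass
class MismatchGuard:
    """Tracks outstanding UDP queries and moves a zone to TCP on a mismatch.

    Kaminsky-style poisoning shows up as answers whose query ID (or source,
    name, or type) matches nothing the resolver actually asked; TCP makes the
    attacker guess a 32-bit sequence number instead of a 16-bit ID.
    """
    pending: dict = field(default_factory=dict)   # (server, qid) -> (qname, qtype)
    tcp_zones: set = field(default_factory=set)
    mismatches: list = field(default_factory=list)

    def transport_for(self, qname: str) -> str:
        return "tcp" if zone_of(qname) in self.tcp_zones else "udp"

    def send(self, server: str, qid: int, qname: str, qtype: int) -> str:
        """Record the query if it goes over UDP; TCP queries need no ID table."""
        transport = self.transport_for(qname)
        if transport == "udp":
            self.pending[(server, qid)] = (qname.lower(), qtype)
        return transport

    def receive(self, src: str, qid: int, qname: str, qtype: int) -> str:
        """Accept only a response that matches an outstanding query exactly."""
        expected = self.pending.get((src, qid))
        if expected == (qname.lower(), qtype):
            del self.pending[(src, qid)]
            return "accepted"
        # Unsolicited or mismatched answer: treat the zone as under attack,
        # abandon its pending UDP queries so they get re-issued over TCP.
        self.mismatches.append((src, qid, qname))
        zone = zone_of(qname)
        self.tcp_zones.add(zone)
        for key, (pname, _) in list(self.pending.items()):
            if zone_of(pname) == zone:
                del self.pending[key]
        return "dropped"
```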