Does anyone know how a DNS server decides to respond based on the size of
the response it's about to send?
I'm asking this question as it doesn't seem possible for a server to switch
to TCP.
Look at this scenario:
- client behind firewall (and/or NAT) sends a request via UDP.
- server "decides" to answer with TCP and creates a session with the client
Actually, it can try as much as it wants:
- if the server is behind NAT, it will try to create a TCP session with the
device that does the NAT
- with a firewall and no NAT, it will get blocked as no one allows session
initiation towards a client (DNS here)
On Nov 3, 2012 12:10 PM, "Mike Jager"
On 3/11/12 10:59 AM, Hamish MacEwan wrote:
And I'm a bit confused, "That's a 64 byte query that resulted in a 3,223 byte response." My understanding was at a certain size of response, DNS switched to TCP to return results, but maybe the unsolicited response handshake is accepted blindly?
Presumably when the attacker sends the spoofed queries towards the DNS server, they indicate that they would very much like the response to do the EDNS0 thing - allowing the server to stick to UDP when replying.
-Mike
_______________________________________________
NZNOG mailing list
NZNOG(a)list.waikato.ac.nz
http://list.waikato.ac.nz/mailman/listinfo/nznog
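The size handling the thread is circling around, as an added example (not code from any poster on the list): a server never opens TCP towards a client. It answers over UDP within the size the client advertised (512 bytes without EDNS0, the OPT payload size with it, per RFC 1035 and RFC 6891); if the answer does not fit, it sets the TC bit and it is the client that retries over TCP. A spoofed query carrying a large EDNS0 size therefore pulls a large UDP reply towards the spoofed source, and the TCP retry never happens because the spoofed source never asked. The name `example.com`, the transaction ID `0x1234`, the 200 constructed A records and the `AuthServer`/`resolve` helpers are all assumptions made for the illustration.

```python
"""
Model of DNS response-size handling (RFC 1035 s4.2.1, RFC 6891). Wire bytes are
real DNS format, but no packets are sent: the 'server' is an in-process object.
All names, addresses and record counts are constructed for illustration.
"""
import struct

RFC1035_UDP_LIMIT = 512                      # UDP payload limit without EDNS0
TYPE_A, TYPE_OPT, CLASS_IN = 1, 41, 1
FLAG_QR, FLAG_TC, FLAG_RD, FLAG_RA = 0x8000, 0x0200, 0x0100, 0x0080


def encode_name(name):
    """Wire-format a dotted name: length-prefixed labels, terminated by a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def skip_name(buf, off):
    """Return the offset just past a wire-format name (handles a compression pointer)."""
    while True:
        length = buf[off]
        if length & 0xC0 == 0xC0:            # compression pointer: two bytes, then done
            return off + 2
        off += 1 + length
        if length == 0:
            return off


def build_query(name, txid=0x1234, qtype=TYPE_A, edns_udp_size=None):
    """Build a query; with edns_udp_size, append an EDNS0 OPT RR advertising that size."""
    arcount = 1 if edns_udp_size else 0
    msg = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, arcount)
    msg += encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)
    if edns_udp_size:
        # OPT RR: root name, TYPE=41, CLASS field carries the sender's UDP payload size,
        # TTL field carries extended RCODE/version/flags (all zero here), RDLEN 0.
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, edns_udp_size, 0, 0)
    return msg


def split_query(query):
    """Return (txid, question_section_bytes, advertised_udp_size_or_None)."""
    txid, _flags, qd, _an, _ns, ar = struct.unpack("!HHHHHH", query[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(query, off) + 4      # QTYPE + QCLASS
    question = query[12:off]
    advertised = None
    for _ in range(ar):
        off = skip_name(query, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", query[off:off + 10])
        off += 10 + rdlen
        if rtype == TYPE_OPT:
            advertised = rclass
    return txid, question, advertised


def is_truncated(resp):
    """True when the TC bit is set in a response header."""
    return bool(struct.unpack("!H", resp[2:4])[0] & FLAG_TC)


class AuthServer:
    """Authoritative server whose answer is `num_a` constructed A records (16 bytes each)."""

    def __init__(self, num_a):
        self.ancount = num_a
        # Each RR: pointer to the question name (0xC00C), TYPE A, CLASS IN, TTL, RDLEN 4, address
        self.rrs = b"".join(
            b"\xC0\x0C" + struct.pack("!HHIH", TYPE_A, CLASS_IN, 300, 4) + bytes([192, 0, 2, i % 256])
            for i in range(num_a)
        )

    def _response(self, query, truncate):
        txid, question, advertised = split_query(query)
        flags = FLAG_QR | FLAG_RD | FLAG_RA | (FLAG_TC if truncate else 0)
        ancount = 0 if truncate else self.ancount
        msg = struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 1 if advertised else 0) + question
        if not truncate:
            msg += self.rrs
        if advertised:                       # echo an OPT RR with our own 4096-byte size
            msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, 0, 0)
        return msg

    def udp(self, query):
        """UDP path: answer within the client's advertised limit, else set TC. Never opens TCP."""
        advertised = split_query(query)[2] or 0
        limit = max(advertised, RFC1035_UDP_LIMIT)   # RFC 6891: values below 512 count as 512
        full = self._response(query, truncate=False)
        return full if len(full) <= limit else self._response(query, truncate=True)

    def tcp(self, query):
        """TCP path (RFC 1035 s4.2.2): two-byte length prefix, full answer."""
        full = self._response(query, truncate=False)
        return struct.pack("!H", len(full)) + full


def resolve(server, query):
    """Client side: query over UDP; if TC is set, the CLIENT retries the same query over TCP."""
    resp = server.udp(query)
    if is_truncated(resp):
        return "tcp", server.tcp(query)[2:]
    return "udp", resp


def amplification(server, query):
    """Bytes the server emits over UDP per byte of query: what a spoofed source receives."""
    return len(server.udp(query)) / len(query)


if __name__ == "__main__":
    server = AuthServer(200)
    for q in (build_query("example.com"), build_query("example.com", edns_udp_size=4096)):
        transport, resp = resolve(server, q)
        print(f"query {len(q)}B -> {transport} response {len(resp)}B, "
              f"UDP amplification x{amplification(server, q):.0f}")
```

Run stand-alone it shows the two cases side by side: the 29-byte query without EDNS0 gets a 29-byte TC reply over UDP (amplification x1) and only the client's own TCP retry fetches the 3,229-byte answer, while the 40-byte query advertising a 4096-byte EDNS0 size gets the whole 3,240-byte answer over UDP (x81), which is why the attacker in Mike's scenario wants the OPT record in the spoofed query.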