Does someone know how a dns server decides to respond based on the size of the response it's about to send?

I'm asking this question as it doesn't seem possible for a server to switch to tcp.
Look at this scenario :
- client behind firewall (and or NAT)� sends a request via UDP.
- server "decides" to answer with tcp and creates a session with the client

Actually it can try as much as it wants :
- if the server is behind nat, it will try to create a tcp session with the device that does the NAT
- with a firewall and no NAT, it will get blocked as no one allows session initiation towards a client (dns here)

On Nov 3, 2012 12:10 PM, "Mike Jager" <mike@mikej.net.nz> wrote:

On 3/11/12 10:59 AM, Hamish MacEwan wrote:

> And I'm a bit confused, "That's a 64 byte query that resulted in a
> 3,223 byte response." �My understanding was at a certain size of
> response, DNS switched to TCP to return results, but maybe the
> unsolicited response handshake is accepted blindly?

Presumably when the attacker sends the spoofed queries towards the DNS
server, they indicate that they would very much like the response to do
the EDNS0 thing - allowing the server to stick to UDP when replying.

-Mike
_______________________________________________
NZNOG mailing list
NZNOG@list.waikato.ac.nz
http://list.waikato.ac.nz/mailman/listinfo/nznog