2 Nov 2012, 5:09 a.m.
On 3/11/12 10:59 AM, Hamish MacEwan wrote:
> And I'm a bit confused, "That's a 64 byte query that resulted in a 3,223 byte response." My understanding was at a certain size of response, DNS switched to TCP to return results, but maybe the unsolicited response handshake is accepted blindly?
Presumably when the attacker sends the spoofed queries towards the DNS server, they indicate that they would very much like the response to do the EDNS0 thing - allowing the server to stick to UDP when replying.

-Mike
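The behaviour discussed in this exchange, as an added example that is not part of the original thread: the code reads the EDNS0 OPT record from a query and applies the size rules of RFC 1035 and RFC 6891 to decide whether a response of a given length stays on UDP or is truncated so the client must retry over TCP. The helper names and the sample queries for `example.com` are constructed for illustration.

```python
import struct

def build_query(name, edns_size=None):
    """Constructed sample input: a minimal A query, optionally carrying an EDNS0 OPT record."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 1 if edns_size else 0)
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".") if p) + b"\x00"
    packet = header + qname + struct.pack("!HH", 1, 1)
    if edns_size:
        # OPT RR: root name, TYPE=41, CLASS=advertised UDP payload size, TTL=0, RDLEN=0
        packet += b"\x00" + struct.pack("!HHIH", 41, edns_size, 0, 0)
    return packet

def skip_name(pkt, off):
    """Return the offset just past a DNS name (label sequence or compression pointer)."""
    while True:
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length

def edns_udp_size(pkt):
    """Return the UDP payload size advertised in the OPT record, or None if absent."""
    try:
        qd, an, ns, ar = struct.unpack("!HHHH", pkt[4:12])
        off = 12
        for _ in range(qd):
            off = skip_name(pkt, off) + 4          # skip QTYPE and QCLASS
        for _ in range(an + ns + ar):
            off = skip_name(pkt, off)
            rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
            if rtype == 41:                        # OPT: CLASS field holds the size
                return rclass
            off += 10 + rdlen
    except (IndexError, struct.error):
        pass                                       # malformed packet: treat as no EDNS0
    return None

def reply_over_udp(pkt, response_len):
    """True if the response fits the UDP limit; False means TC=1 and a TCP retry."""
    advertised = edns_udp_size(pkt)
    # RFC 1035 limit is 512 bytes; RFC 6891 treats advertised sizes below 512 as 512.
    limit = 512 if advertised is None else max(advertised, 512)
    return response_len <= limit
```

Because the limit is taken from the query itself, a resolver operator who wants large answers to fall back to TCP has to cap the EDNS buffer size the server will honour rather than rely on the 512-byte default.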