Kaminsky Defence
================

A typical Kaminsky attack targets a domain, say www.example.com, by asking a series of questions for names .www.example.com (names one label below www.example.com) and sending spoof referral responses ("Phantom Referrals") with a delegation to a machine controlled by the attacker, e.g.

    www.example.com NS a.evil.com

The true response will be NxDomain, normally with a SOA record:

    example.com SOA ......

To defend, when we get a NxDomain response, the resolver marks all the domains in the Question strictly below the Bailiwick (the Owner of the NS record that was used to select the name server for the query) with a NZ flag ("Not a Zone"). If unexpectedly we later get a NS record for a NZ domain, we reject the response, clear the NZ flag, and retry the query.

Complete Acceptance rules
=========================

When reading a response, only the following records are accepted:

1. Records in the Answer section of an Authoritative response (AA=1) that have Owner = QNAME (the domain of the Question).

2. NS records in the Authority section that have an Owner name meeting all of the tests 2.1 to 2.3:

   2.1 The Owner Name NZ flag must be clear.
   2.2 The Owner Name must be strictly below the Bailiwick.
   2.3 The Owner Name must be equal to or an ancestor of the Query Name.

3. A / AAAA records in the Additional section that resolve an accepted NS record.

Here is a table of attack queries, spoof NS records that are rejected, and the rule that causes rejection. The Bailiwick in each case is example.com, which is assumed to have no sub-zones.

    Attack query        Spoof record                     Rule
    ------------        ------------                     ----
    .www.example.com    www.example.com NS a.evil.com    2.1
    .www.example.com    example.com NS a.evil.com        2.2
    .example.com        www.example.com NS a.evil.com    2.3

There is an assumption that the attacker can inject spoof responses, but cannot stop most genuine responses getting through.
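The NZ flag handling and acceptance rules 1 to 3 above, written out as a toy resolver. This is an added example, not code from the original page or from any real resolver; the record and response classes, the rule numbers returned, and all names and addresses (r1.www.example.com, a.evil.com, 192.0.2.x) are constructed for illustration. table_demo() replays the three rows of the table and returns the rule that rejects each spoof record.

```python
# Added example (not from the original page): a toy resolver applying the NZ
# ("Not a Zone") flag and acceptance rules 1 to 3 described above. All names,
# records and addresses here are constructed for illustration.
from dataclasses import dataclass, field

@dataclass(frozen=True)
class RR:                      # one resource record
    owner: str
    rtype: str
    rdata: str                 # NS target name, or address for A/AAAA

@dataclass
class Response:
    qname: str                 # the Question name
    rcode: str                 # "NOERROR" or "NXDOMAIN"
    aa: bool                   # Authoritative Answer bit
    answer: list = field(default_factory=list)
    authority: list = field(default_factory=list)
    additional: list = field(default_factory=list)

@dataclass
class Verdict:
    accepted: list = field(default_factory=list)
    rejected: list = field(default_factory=list)   # (record, rule) pairs
    retry: bool = False        # rule 2.1 fired: response discarded, re-ask

def norm(name):
    return name.strip(".").lower()   # canonical form: lower case, no outer dots

def strictly_below(name, ancestor):
    """True if name is a proper descendant of ancestor."""
    n, a = norm(name), norm(ancestor)
    return n != a and n.endswith("." + a)

def equal_or_ancestor(name, qname):
    return norm(name) == norm(qname) or strictly_below(qname, name)

class Resolver:
    def __init__(self):
        self.not_a_zone = set()  # NZ flags, keyed by canonical owner name

    def handle_nxdomain(self, qname, bailiwick):
        """Flag every name from qname up to, but excluding, the bailiwick as NZ."""
        name = norm(qname)
        while strictly_below(name, bailiwick):
            self.not_a_zone.add(name)
            name = name.split(".", 1)[1]      # step up one label

    def filter_response(self, resp, bailiwick):
        """Apply the acceptance rules to one response; unlisted records are dropped."""
        v = Verdict()
        if resp.rcode == "NXDOMAIN":
            self.handle_nxdomain(resp.qname, bailiwick)
        # Rule 1: Answer records of an AA=1 response whose owner is the QNAME.
        for rr in resp.answer:
            if resp.aa and norm(rr.owner) == norm(resp.qname):
                v.accepted.append(rr)
            else:
                v.rejected.append((rr, "1"))
        # Rule 2: NS records in Authority that pass 2.1, 2.2 and 2.3.
        accepted_ns = set()
        for rr in resp.authority:
            owner = norm(rr.owner)
            if rr.rtype != "NS":
                v.rejected.append((rr, "2"))
            elif owner in self.not_a_zone:
                # 2.1: delegation for a name known not to be a zone. Discard the
                # whole response, clear the flag, and tell the caller to retry.
                self.not_a_zone.discard(owner)
                return Verdict(rejected=[(rr, "2.1")], retry=True)
            elif not strictly_below(owner, bailiwick):
                v.rejected.append((rr, "2.2"))
            elif not equal_or_ancestor(owner, resp.qname):
                v.rejected.append((rr, "2.3"))
            else:
                v.accepted.append(rr)
                accepted_ns.add(norm(rr.rdata))
        # Rule 3: A/AAAA glue in Additional only for an accepted NS target.
        for rr in resp.additional:
            if rr.rtype in ("A", "AAAA") and norm(rr.owner) in accepted_ns:
                v.accepted.append(rr)
            else:
                v.rejected.append((rr, "3"))
        return v

def table_demo():
    """Replay the three table rows; returns the rule rejecting each spoof record."""
    rows = [  # (name that earlier got a genuine NxDomain, attack query, spoof NS)
        ("r1.www.example.com", "r2.www.example.com", RR("www.example.com", "NS", "a.evil.com")),
        ("r1.www.example.com", "r2.www.example.com", RR("example.com", "NS", "a.evil.com")),
        ("r1.example.com", "r2.example.com", RR("www.example.com", "NS", "a.evil.com")),
    ]
    rules = []
    for seen_nx, attack_qname, record in rows:
        r = Resolver()
        r.handle_nxdomain(seen_nx, "example.com")   # genuine NxDomain arrived first
        forged = Response(attack_qname, "NOERROR", aa=False, authority=[record])
        rules.append(r.filter_response(forged, "example.com").rejected[0][1])
    return rules   # ['2.1', '2.2', '2.3'], matching the table
```

Note the asymmetry the page describes: rules 2.2 and 2.3 simply drop the offending record, while rule 2.1 discards the whole response and clears the flag (Verdict.retry is set) so that a genuine delegation which appears after an NZ mark is never permanently locked out; the retry itself is left to the caller.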