Tags: networking, security_error, ai_generated, partial

DNS: possible cache poisoning attack detected: response from 192.0.2.1#53 with TXID mismatch (expected 0x1234, got 0x5678)

ID: networking/dns-cache-poisoning-detected

Fix rate: 82%
Confidence: 87%
Evidence: 1
First seen: 2023-09-01

Version Compatibility

| Version | Status | Introduced | Deprecated | Notes |
|---|---|---|---|---|
| BIND 9.16.33 | active | | | |
| Unbound 1.17.0 | active | | | |
| Windows Server 2022 DNS | active | | | |

Root Cause

A DNS resolver received a response with a mismatched transaction ID, indicating a potential cache poisoning attempt where an attacker spoofs DNS responses to inject false records.


Official Documentation

https://tools.ietf.org/html/rfc5452

Workarounds

  1. (90% success) Enable DNSSEC validation on the resolver: `options { dnssec-validation auto; };` in BIND, or `DNSSEC=yes` in the `[Resolve]` section of `/etc/systemd/resolved.conf` for systemd-resolved.
  2. (85% success) Configure query source port randomization to reduce predictability: `query-source address * port *;` in BIND (pinning `port` to a fixed value would disable it).
  3. (95% success) Use a forwarder with built-in poisoning protection, such as Cloudflare 1.1.1.1 or Google 8.8.8.8, in `/etc/resolv.conf`.
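The check behind this alert, together with the per-query TXID and source-port entropy that workaround 2 restores, as an added example that is not part of this entry (class names, fields and sample traffic are constructed; it models the RFC 5452 matching rule, not BIND's or Unbound's internals):

```python
import secrets
from dataclasses import dataclass

# Constructed model of the RFC 5452 response-matching check that produces the
# alert in this entry; names are this example's own, not a resolver's internals.

@dataclass(frozen=True)
class Query:
    txid: int       # 16-bit transaction ID chosen by the resolver
    src_port: int   # randomized UDP source port the query left on
    server: str     # address the query was sent to
    qname: str
    qtype: str

@dataclass(frozen=True)
class Response:
    txid: int
    dst_port: int   # port the reply arrived on; must equal the query's src_port
    server: str     # reply's source address
    qname: str
    qtype: str

class PendingTable:
    """Outstanding queries, keyed by the tuple a spoofer would have to guess."""
    def __init__(self):
        self.pending = {}   # (src_port, server, qname, qtype) -> Query
        self.alerts = []

    def send(self, server, qname, qtype, txid=None, src_port=None):
        # Fresh random TXID and source port per query; explicit values only for tests.
        txid = secrets.randbelow(1 << 16) if txid is None else txid
        src_port = 1024 + secrets.randbelow(64511) if src_port is None else src_port
        q = Query(txid, src_port, server, qname.lower(), qtype)
        self.pending[(src_port, server, q.qname, qtype)] = q
        return q

    def receive(self, r):
        """Return True if the reply is accepted into the cache, False if dropped."""
        q = self.pending.get((r.dst_port, r.server, r.qname.lower(), r.qtype))
        if q is None:
            return False   # nothing outstanding on that port/question: drop silently
        if q.txid != r.txid:
            # Right port and question but wrong TXID: the pattern this entry logs.
            self.alerts.append(
                "DNS: possible cache poisoning attack detected: response from "
                f"{r.server}#53 with TXID mismatch (expected 0x{q.txid:04x}, got 0x{r.txid:04x})")
            return False   # keep the query pending; the genuine reply may still arrive
        del self.pending[(r.dst_port, r.server, q.qname, r.qtype)]
        return True
```

A reply that reaches the right port and question but carries the wrong TXID is logged and dropped, while the outstanding query stays pending so the authentic answer can still be accepted.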

Dead Ends

Common approaches that don't work:

  1. (95% fail) Ignoring TXID mismatches: attackers can spoof source IPs, so accepting mismatched responses leaves the resolver vulnerable to poisoning.
  2. (80% fail) Raising query timeouts: longer timeouts do not prevent spoofed responses from arriving; they only delay resolution.
  3. (90% fail) Disabling DNSSEC: DNSSEC is the primary defense against poisoning; disabling it removes integrity checks.