# DNS: possible cache poisoning attack detected: response from 192.0.2.1#53 with TXID mismatch (expected 0x1234, got 0x5678)

- **ID:** `networking/dns-cache-poisoning-detected`
- **Domain:** networking
- **Category:** security_error
- **Verification:** ai_generated
- **Fix Rate:** 82%

## Root Cause

A DNS resolver received a UDP response whose 16-bit transaction ID (TXID) did not match any query it had outstanding to that server, so it discarded the packet and logged the event. A resolver only accepts an answer that comes from the address it queried, back to the source port it used, carrying the TXID it chose and echoing the same question. An off-path attacker cannot see the query, so the only way to inject a false record is to guess the TXID (and the source port, if it is randomized) and spray forged responses in the hope that one lands before the genuine answer. A single mismatch can be benign, for example a late duplicate of an answer to a query that was already completed or retried; a burst of mismatches from one server address while a query is pending is the poisoning signature. Note that the warning records a forgery that was rejected; the forgery to worry about is the one whose guess matched and was accepted without a log line.
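To make the matching rule concrete, here is an added Python model (not BIND's or Unbound's code) of the check a resolver applies to each UDP response, with a constructed off-path attacker spraying guessed TXIDs at one pending query. The addresses (192.0.2.0/24), ports, names and TXIDs are made up for the demonstration. It also shows the case the log line alone cannot reveal: when the source port is fixed and the attacker can afford a 65,536-packet spray, one guess is accepted and it is the genuine answer that then gets logged as a mismatch.

```python
import struct
from collections import defaultdict
from dataclasses import dataclass

# Added example: a toy model of the check a caching resolver applies to every
# UDP response, plus the per-server mismatch counter that separates one stray
# packet from a spray. Addresses, ports, names and TXIDs are constructed.

QR = 0x8000           # header flag bit: the message is a response
FLOOD_THRESHOLD = 10  # mismatches from one server that we treat as a spray


@dataclass(frozen=True)
class Outstanding:
    server: str    # the answer must come from the address we queried
    src_port: int  # ... back to the randomized source port we used
    txid: int      # ... carrying the 16-bit TXID we picked
    qname: str     # ... and echoing the same question
    qtype: int


def build_query(txid, qname, qtype=1):
    """Minimal DNS wire message: 12-byte header, one question, no RRs."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set
    name = b"".join(bytes([len(p)]) + p.encode() for p in qname.rstrip(".").split("."))
    return header + name + b"\x00" + struct.pack("!HH", qtype, 1)


def make_response(txid, qname, qtype=1):
    """What arrives on the wire (genuine or forged): same question, QR bit set."""
    msg = bytearray(build_query(txid, qname, qtype))
    struct.pack_into("!H", msg, 2, 0x8180)  # QR|RD|RA, rcode NOERROR
    return bytes(msg)


def parse_response(msg):
    txid, flags = struct.unpack("!HH", msg[:4])
    off, labels = 12, []
    while msg[off]:
        n = msg[off]
        labels.append(msg[off + 1:off + 1 + n].decode())
        off += 1 + n
    qtype = struct.unpack("!H", msg[off + 1:off + 3])[0]
    return txid, flags, ".".join(labels) + ".", qtype


class Resolver:
    def __init__(self):
        self.pending = {}                   # (server, src_port, txid) -> Outstanding
        self.mismatches = defaultdict(int)  # server -> responses rejected
        self.log = []

    def send_query(self, server, src_port, txid, qname, qtype=1):
        self.pending[(server, src_port, txid)] = Outstanding(server, src_port, txid, qname, qtype)
        return build_query(txid, qname, qtype)

    def receive(self, src_ip, dst_port, msg):
        """Accept a response only if it matches an outstanding query exactly."""
        txid, flags, qname, qtype = parse_response(msg)
        if not flags & QR:
            return "ignored"
        key = (src_ip, dst_port, txid)
        entry = self.pending.get(key)
        if entry is None or (entry.qname, entry.qtype) != (qname, qtype):
            self.mismatches[src_ip] += 1
            waiting = [o.txid for o in self.pending.values()
                       if o.server == src_ip and o.qname == qname]
            expected = f"0x{waiting[0]:04x}" if waiting else "none"
            self.log.append(f"possible cache poisoning attack detected: response from "
                            f"{src_ip}#53 with TXID mismatch (expected {expected}, got 0x{txid:04x})")
            return "dropped"
        del self.pending[key]  # retire it, so a replay of the same answer mismatches
        return "accepted"

    def is_flood(self, src_ip):
        return self.mismatches[src_ip] >= FLOOD_THRESHOLD


def simulate(port_known=False, guesses=1000):
    """Off-path attacker sprays TXID guesses at one pending query."""
    r = Resolver()
    server, real_port, real_txid, name = "192.0.2.1", 41327, 0x1234, "www.example.com."
    r.send_query(server, real_port, real_txid, name)
    target_port = real_port if port_known else 5353  # wrong guess when randomized
    poisoned = False
    for guess in range(guesses):
        if r.receive(server, target_port, make_response(guess, name)) == "accepted":
            poisoned = True  # a forgery beat the genuine answer into the cache
    r.receive(server, real_port, make_response(real_txid, name))  # genuine answer
    r.receive(server, real_port, make_response(real_txid, name))  # late duplicate
    # A second upstream with one late duplicate: a single mismatch, not a spray.
    r.send_query("192.0.2.2", 50112, 0x0ABC, "mail.example.net.")
    r.receive("192.0.2.2", 50112, make_response(0x0ABC, "mail.example.net."))
    r.receive("192.0.2.2", 50112, make_response(0x0ABC, "mail.example.net."))
    return {
        "poisoned": poisoned,
        "dropped": sum(r.mismatches.values()),
        "flood": {ip: r.is_flood(ip) for ip in ("192.0.2.1", "192.0.2.2")},
        "first_warning": r.log[0],
    }


if __name__ == "__main__":
    for known in (False, True):
        print("port known" if known else "port random",
              simulate(port_known=known, guesses=0x10000 if known else 1000))
```

Running it prints both scenarios. The alert fires in both, so the warning by itself does not tell you whether a forgery got through; it tells you the query path is being probed, which is why the fix is port randomization and DNSSEC rather than tuning the log.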

## Version Compatibility

| Version | Status | Introduced | Deprecated |
|---------|--------|------------|------------|
| BIND 9.16.33 | active | — | — |
| Unbound 1.17.0 | active | — | — |
| Windows Server 2022 DNS | active | — | — |

## Workarounds

1. **Enable DNSSEC validation on the resolver, so a forged record for a signed zone fails signature validation even when its TXID and port were guessed correctly.** (90% success)
   ```
   # BIND 9.16, named.conf (auto is already the default on 9.16; set it explicitly)
   options { dnssec-validation auto; };

   # systemd-resolved, /etc/systemd/resolved.conf (then restart systemd-resolved)
   [Resolve]
   DNSSEC=yes
   ```
   Unbound 1.17 validates once `auto-trust-anchor-file` is set under `server:`. Validation protects only names in signed zones; answers for unsigned zones still rest on the TXID and source-port check, so this does not replace workaround 2.
2. **Keep query source port randomization on, so an off-path attacker has to guess both the 16-bit TXID and the source port rather than the TXID alone.** (85% success)
   ```
   # BIND: a random source port per query; never pin "port 53" for a firewall rule
   query-source address * port *;
   ```
   Randomized ports are the default in BIND 9.16 and Unbound 1.17, so what to look for is a fixed `port N` someone added earlier. Also check any NAT in front of the resolver: a device that rewrites outgoing source ports sequentially undoes the randomization. Verify by capturing the resolver's outbound queries (with tcpdump, for example) and confirming the source ports vary from query to query.
3. **Forward to a validating public resolver such as Cloudflare 1.1.1.1 or Google 8.8.8.8 instead of recursing locally.** (95% success)
   ```
   # /etc/resolv.conf
   nameserver 1.1.1.1
   nameserver 8.8.8.8
   ```
   This moves recursion, and with it the exposure to spoofed authoritative answers, to the forwarder's operator. Plain UDP between your host and the forwarder can still be spoofed on the path, and a stub resolver does not validate DNSSEC itself, so pair it with an authenticated transport where the platform supports one: `DNSOverTLS=yes` in `/etc/systemd/resolved.conf`, or `forward-tls-upstream: yes` in an Unbound `forward-zone:`.
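The two resolver settings the workarounds above touch are easy to audit from the configuration file. The following is an added Python check (not BIND's or ISC's tooling) that embeds a constructed weak `named.conf` next to its hardened form and flags a pinned query source port and disabled DNSSEC validation; the comment stripping matters because commented-out settings must not count.

```python
import re

# Added example: lint named.conf text for the two settings discussed above.
# Both configurations below are constructed for the demonstration.

WEAK_NAMED_CONF = """
options {
    directory "/var/cache/bind";
    recursion yes;
    // pinned "for the firewall": every query now leaves from port 53,
    // so an off-path spoofer only has to guess the 16-bit TXID
    query-source address * port 53;
    dnssec-validation no;   /* turned off to stop the warnings */
};
"""

HARDENED_NAMED_CONF = """
options {
    directory "/var/cache/bind";
    recursion yes;
    allow-recursion { localnets; };
    query-source address * port *;   // random source port per query
    dnssec-validation auto;          // validate with the built-in root trust anchor
};
"""


def strip_comments(text):
    """Remove /* */, // and # comments so commented-out settings are not matched."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    text = re.sub(r"//[^\n]*", "", text)
    return re.sub(r"#[^\n]*", "", text)


def audit_named_conf(text):
    """Return a list of findings; an empty list means both settings are sane."""
    conf = strip_comments(text)
    findings = []
    # query-source [address X] port N;  (also the -v6 variant)
    for m in re.finditer(r"(query-source(?:-v6)?)\s+(?:address\s+\S+\s+)?port\s+([^\s;]+)\s*;", conf):
        stmt, port = m.group(1), m.group(2)
        if port != "*":
            findings.append(f"{stmt} pins outgoing port {port}; use 'port *' so each query gets a random port")
    m = re.search(r"dnssec-validation\s+(\w+)\s*;", conf)
    if m and m.group(1).lower() == "no":
        findings.append("dnssec-validation no; set it to 'auto' (or 'yes' with managed trust anchors)")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_NAMED_CONF), ("hardened", HARDENED_NAMED_CONF)):
        print(label, audit_named_conf(conf) or ["ok"])
```

A real deployment would run this against `named-checkconf -p` output, which expands includes and normalizes the file before the regexes see it.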

## Dead Ends

- **Ignoring or rate-limiting the TXID-mismatch warning** — Attackers can spoof source IPs, so a response that appears to come from the right server proves nothing; the TXID and port check is what keeps a spoofed packet out of the cache, and the warning is the evidence that it is being probed. (95% fail)
- **Increasing query timeouts** — Longer timeouts do not prevent spoofed responses from arriving; they only delay resolution. (80% fail)
- **Disabling DNSSEC validation to silence the log** — DNSSEC is the defense that still holds when a TXID guess succeeds; disabling it removes the integrity check on signed zones. (90% fail)
