networking
security_error
ai_generated
partial
DNS:检测到可能的缓存投毒攻击:来自192.0.2.1#53的响应事务ID不匹配(期望0x1234,收到0x5678)
DNS: possible cache poisoning attack detected: response from 192.0.2.1#53 with TXID mismatch (expected 0x1234, got 0x5678)
ID: networking/dns-cache-poisoning-detected
82% fix rate
87% confidence
1 evidence item
First seen 2023-09-01
Version compatibility
| Version | Status | Introduced | Deprecated | Notes |
|---|---|---|---|---|
| BIND 9.16.33 | active | — | — | — |
| Unbound 1.17.0 | active | — | — | — |
| Windows Server 2022 DNS | active | — | — | — |
Root cause analysis
The DNS resolver received a response whose transaction ID (TXID) does not match the outstanding query, which indicates a possible cache poisoning attempt: an attacker spoofs DNS responses in order to inject false records into the resolver's cache.
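As an added illustration (not code from the page or from any of the listed resolvers), the acceptance checks RFC 5452 recommends, applied to a constructed pending query and to responses that pass or fail them. Beyond the TXID check the page describes, it also checks the source address/port and the question section, which RFC 5452 likewise recommends; the constant names and sample values are assumptions.

```python
import struct

# Constructed sample state (not from the page): the resolver's one pending query.
OUTSTANDING = {
    "txid": 0x1234,
    "server": ("192.0.2.1", 53),  # the server the query was sent to
    "src_port": 40011,            # randomized source port the query left from
    "qname": "example.com.",
    "qtype": 1,                   # A record
}

def encode_name(name):
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_response(txid, qname, qtype=1, rcode=0):
    """Build a minimal DNS response (header + question only) for testing."""
    flags = 0x8180 | rcode  # QR=1, RD=1, RA=1
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)

def parse_question(msg):
    """Return (txid, flags, qname, qtype); raise ValueError on a malformed packet."""
    if len(msg) < 12:
        raise ValueError("short header")
    txid, flags, qdcount = struct.unpack("!HHH", msg[:6])
    if qdcount != 1:
        raise ValueError("unexpected QDCOUNT")
    off, labels = 12, []
    while True:
        length = msg[off]
        if length & 0xC0:  # a compression pointer cannot appear in a lone question
            raise ValueError("compressed qname")
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    qtype = struct.unpack("!H", msg[off:off + 2])[0]
    return txid, flags, ".".join(labels) + ".", qtype

def validate_response(msg, src, dst_port, pending):
    """Return None if the response is accepted, else the first failed check."""
    if src != pending["server"]:
        return f"source {src[0]}#{src[1]} is not the queried server"
    if dst_port != pending["src_port"]:
        return "response sent to a port we did not query from"
    try:
        txid, flags, qname, qtype = parse_question(msg)
    except (ValueError, IndexError):
        return "malformed response"
    if txid != pending["txid"]:
        return f"TXID mismatch (expected {pending['txid']:#06x}, got {txid:#06x})"
    if not flags & 0x8000:
        return "QR bit not set"
    if (qname.lower(), qtype) != (pending["qname"].lower(), pending["qtype"]):
        return "question section does not match the query"
    return None
```

A mismatch on any check is the event worth logging with the expected and observed values, as in the error message above, rather than silently dropping the packet.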
Official documentation
https://tools.ietf.org/html/rfc5452
Solutions
- Enable DNSSEC validation on the resolver: `options { dnssec-validation auto; };` in BIND, or `DNSSEC=yes` in `/etc/systemd/resolved.conf` for systemd-resolved.
- Configure query source port randomization to reduce predictability: `query-source address * port *;` in BIND.
- Use a validating forwarder with built-in poisoning protection, such as Cloudflare 1.1.1.1 or Google 8.8.8.8, in `/etc/resolv.conf`.
Ineffective attempts
Common but ineffective approaches:
- 95% failure: Attackers can spoof source IPs; ignoring TXID mismatches leaves the resolver vulnerable to poisoning.
- 80% failure: Longer timeouts do not prevent spoofed responses from arriving; they only delay resolution.
- 90% failure: DNSSEC is the primary defense against poisoning; disabling it removes integrity checks.