# DNS: possible cache poisoning attack detected: transaction ID mismatch in response from 192.0.2.1#53 (expected 0x1234, received 0x5678)

- **ID:** `networking/dns-cache-poisoning-detected`
- **Domain:** networking
- **Category:** security_error
- **Validation level:** ai_generated
- **Fix rate:** 82%

## Root cause

The DNS resolver received a response whose transaction ID does not match the outstanding query. This indicates a possible cache poisoning attack, in which an attacker forges DNS responses to inject bogus records into the resolver's cache.
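The check that produces this error, as an added example rather than code from the page or from any of the resolvers listed below: a resolver keeps a table of outstanding queries (transaction ID, question name, the server it asked, and its own randomized source port) and accepts a response only when all of them match. The `PendingQuery` model, the message wording (modelled on the title above) and the sample wire-format responses are constructed for this illustration.

```python
import struct
from dataclasses import dataclass


# Constructed model of a resolver's outstanding-query table (not any real resolver's structure).
@dataclass(frozen=True)
class PendingQuery:
    txid: int        # transaction ID chosen for the outgoing query
    qname: str       # question name, lower-cased
    server: str      # "ip#port" the query was sent to, e.g. "192.0.2.1#53"
    local_port: int  # our randomized UDP source port for that query


def encode_qname(name: str) -> bytes:
    """Encode a dotted name into DNS wire-format labels."""
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def decode_qname(buf: bytes, offset: int):
    """Decode an uncompressed wire-format name at offset; return (name, next_offset)."""
    labels = []
    while True:
        length = buf[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:
            # Compression pointers are not valid in a question name; treat as malformed.
            raise ValueError("compression pointer in question section")
        labels.append(buf[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels).lower(), offset


def build_response(txid: int, qname: str, addr: str) -> bytes:
    """Build a constructed single-A-record response, used here only as sample input."""
    header = struct.pack("!6H", txid, 0x8180, 1, 1, 0, 0)   # QR=1 RD=1 RA=1, 1 question, 1 answer
    question = encode_qname(qname) + struct.pack("!HH", 1, 1)  # type A, class IN
    rdata = bytes(int(o) for o in addr.split("."))
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, 4) + rdata  # name = pointer to offset 12
    return header + question + answer


def parse_response_header(buf: bytes):
    """Return (txid, qname) from a response after validating the QR bit and QDCOUNT."""
    if len(buf) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, qdcount = struct.unpack("!3H", buf[:6])
    if not flags & 0x8000:
        raise ValueError("QR bit clear: not a response")
    if qdcount != 1:
        raise ValueError(f"unexpected QDCOUNT {qdcount}")
    qname, _ = decode_qname(buf, 12)
    return txid, qname


def check_response(pending: list, src: str, dst_port: int, buf: bytes):
    """Match a received response against the pending table.

    Returns None (and removes the matched query) when server, question, local port
    and transaction ID all agree; otherwise returns an alert string and leaves the
    table untouched so the genuine answer can still be accepted.
    """
    txid, qname = parse_response_header(buf)
    candidates = [p for p in pending if p.server == src and p.qname == qname]
    if not candidates:
        return f"DNS: unsolicited response from {src} for {qname} (txid 0x{txid:04x})"
    for p in candidates:
        if p.txid == txid and p.local_port == dst_port:
            pending.remove(p)
            return None
    expected = candidates[0]
    if expected.txid != txid:
        return (f"DNS: possible cache poisoning attack detected: transaction ID mismatch "
                f"in response from {src} (expected 0x{expected.txid:04x}, received 0x{txid:04x})")
    return (f"DNS: response from {src} for {qname} arrived on port {dst_port}, "
            f"expected port {expected.local_port}")


if __name__ == "__main__":
    table = [PendingQuery(0x1234, "example.com", "192.0.2.1#53", 40123)]
    print(check_response(table, "192.0.2.1#53", 40123, build_response(0x5678, "example.com", "203.0.113.9")))
    print(check_response(table, "192.0.2.1#53", 40123, build_response(0x1234, "example.com", "198.51.100.7")))
```

The port check matters as much as the ID check: with only a 16-bit transaction ID to guess, a mismatch like the one in the title is cheap to produce, whereas requiring the response to land on the randomized source port (the second solution below) multiplies the search space an attacker must cover.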

## Version compatibility

| Version | Status | Introduced | Deprecated |
|------|------|------|------|
| BIND 9.16.33 | active | — | — |
| Unbound 1.17.0 | active | — | — |
| Windows Server 2022 DNS | active | — | — |

## Solution

1. Enable DNSSEC validation on the resolver: `options { dnssec-validation auto; };` in BIND, or `systemd-resolved --set-dnssec=yes`.
2. Configure query source port randomization to reduce predictability: `query-source address * port *;` in BIND.
3. Use a forwarder with built-in poisoning protection, such as Cloudflare 1.1.1.1 or Google 8.8.8.8, in `/etc/resolv.conf`.
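A small audit of steps 1 and 2 as applied to a BIND `options` block, added here as an example and not taken from the page or from BIND itself. Both sample blocks are constructed: the first carries the weak settings (validation off, source port pinned to 53), the second the settings recommended above. The parser assumes a flat `options { ... };` block with no nested sub-blocks.

```python
import re

# Constructed sample: validation disabled and the query source port pinned.
WEAK_OPTIONS = """
options {
    directory "/var/cache/bind";
    dnssec-validation no;
    query-source address * port 53;
};
"""

# Constructed sample: the same block with the settings from steps 1 and 2.
HARDENED_OPTIONS = """
options {
    directory "/var/cache/bind";
    dnssec-validation auto;
    query-source address * port *;
};
"""


def options_statements(conf: str) -> dict:
    """Return {keyword: argument-string} for each statement in a flat options block."""
    block = re.search(r"options\s*\{(.*?)\};", conf, re.S)
    if not block:
        raise ValueError("no options block found")
    stmts = {}
    for stmt in block.group(1).split(";"):
        parts = stmt.strip().split(None, 1)
        if parts:
            stmts[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return stmts


def audit_options(conf: str) -> list:
    """Return findings for the two settings this entry recommends; empty means both are in place."""
    stmts = options_statements(conf)
    findings = []
    validation = stmts.get("dnssec-validation", "")
    if validation not in ("auto", "yes"):
        findings.append(f"dnssec-validation is '{validation or 'not set'}'; "
                        f"set 'dnssec-validation auto;' so answers are integrity-checked")
    port = re.search(r"\bport\s+(\S+)", stmts.get("query-source", ""))
    if port and port.group(1) != "*":
        findings.append(f"query-source pins port {port.group(1)}; use 'port *' so "
                        f"source ports are randomized")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_OPTIONS), ("hardened", HARDENED_OPTIONS)):
        print(name, audit_options(conf) or ["ok"])
```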

## Failed attempts

- **Ignoring TXID mismatches** — Attackers can spoof source IPs; ignoring TXID mismatches leaves the resolver vulnerable to poisoning. (95% failure rate)
- **Increasing query timeouts** — Longer timeouts do not prevent spoofed responses from arriving; they only delay resolution. (80% failure rate)
- **Disabling DNSSEC** — DNSSEC is the primary defense against poisoning; disabling it removes integrity checks. (90% failure rate)
