networking
security_error
ai_generated
partial
DNS: Cache poisoning detected, response from 192.0.2.1 for example.com does not match expected source
ID: networking/dns-cache-poisoning
85%Fix Rate
85%Confidence
1Evidence
2024-06-10First Seen
Version Compatibility
| Version | Status | Introduced | Deprecated | Notes |
|---|---|---|---|---|
| BIND 9.16+ | active | — | — | — |
| Unbound 1.17+ | active | — | — | — |
| dnsmasq 2.89+ | active | — | — | — |
Root Cause
DNS cache poisoning occurs when a malicious actor injects forged DNS records into a resolver's cache, causing clients to be redirected to fraudulent servers.
generic中文
DNS 缓存投毒发生在恶意行为者向解析器缓存注入伪造的 DNS 记录时,导致客户端被重定向到欺诈服务器。
Official Documentation
https://www.icann.org/resources/pages/dnssec-2012-02-25-enWorkarounds
-
90% success Enable DNSSEC validation on the resolver: In BIND, add 'dnssec-validation auto;' to named.conf. In Unbound, set 'auto-trust-anchor-file: /var/lib/unbound/root.key'.
Enable DNSSEC validation on the resolver: In BIND, add 'dnssec-validation auto;' to named.conf. In Unbound, set 'auto-trust-anchor-file: /var/lib/unbound/root.key'.
-
75% success Flush the resolver cache and restart the DNS service: rndc flush && systemctl restart named
Flush the resolver cache and restart the DNS service: rndc flush && systemctl restart named
-
85% success Implement source port randomization in the resolver to make poisoning harder: In BIND, set 'query-source address * port *;' in options.
Implement source port randomization in the resolver to make poisoning harder: In BIND, set 'query-source address * port *;' in options.
中文步骤
Enable DNSSEC validation on the resolver: In BIND, add 'dnssec-validation auto;' to named.conf. In Unbound, set 'auto-trust-anchor-file: /var/lib/unbound/root.key'.
Flush the resolver cache and restart the DNS service: rndc flush && systemctl restart named
Implement source port randomization in the resolver to make poisoning harder: In BIND, set 'query-source address * port *;' in options.
Dead Ends
Common approaches that don't work:
-
90% fail
仅刷新 DNS 缓存(例如 ipconfig /flushdns)会移除被投毒的条目,但如果解析器仍然存在漏洞,则无法防止再次投毒。
-
70% fail
更换到不同的公共 DNS 解析器(例如 8.8.8.8)可能绕过被投毒的缓存,但无法解决网络路径上的根本攻击。
-
95% fail
禁用 DNSSEC 验证会降低安全性,并允许在不验证的情况下接受伪造响应。