# DNS: Cache poisoning detected, response from 192.0.2.1 for example.com does not match expected source

- **ID:** `networking/dns-cache-poisoning`
- **Domain:** networking
- **Category:** security_error
- **Verification:** ai_generated
- **Fix Rate:** 85%

## Root Cause

DNS cache poisoning occurs when an attacker injects forged DNS records into a resolver's cache, so that clients resolving the affected name are redirected to servers the attacker controls. The error above is raised when a response for a name (here `example.com`) arrives from an address (here `192.0.2.1`) that is not the server the query was sent to, which is the signature of a forged reply rather than a genuine answer.

## Version Compatibility

| Version | Status | Introduced | Deprecated |
|---------|--------|------------|------------|
| BIND 9.16+ | active | — | — |
| Unbound 1.17+ | active | — | — |
| dnsmasq 2.89+ | active | — | — |

## Workarounds

1. **Enable DNSSEC validation on the resolver.** (90% success)
   ```
   # BIND: add to the options block of named.conf
   dnssec-validation auto;

   # Unbound: add to the server section of unbound.conf
   auto-trust-anchor-file: /var/lib/unbound/root.key
   ```
2. **Flush the resolver cache and restart the DNS service.** (75% success)
   ```
   rndc flush && systemctl restart named
   ```
3. **Implement source port randomization in the resolver to make poisoning harder.** (85% success)
   ```
   # BIND: set in the options block of named.conf
   query-source address * port *;
   ```
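How a resolver concludes that a reply "does not match expected source", and why source port randomization (workaround 3) makes blind forgery harder, as an added example that is not part of this entry nor code from BIND or Unbound: a minimal Python check that accepts a response only when its source IP, destination port, transaction ID and question all match an outstanding query. The pending query, transaction ID `0x1a2b`, server `198.51.100.53` and port `53417` are constructed sample values.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class PendingQuery:
    txid: int        # 16-bit transaction ID the resolver sent
    qname: str
    qtype: str
    server: str      # IP the query was sent to; the only acceptable reply source
    src_port: int    # UDP source port used (randomized per query under workaround 3)


@dataclass(frozen=True)
class Response:
    txid: int
    qname: str
    qtype: str
    src_ip: str      # IP the reply arrived from
    dst_port: int    # UDP port the reply was delivered to


def check_response(pending: Dict[Tuple[int, int], PendingQuery],
                   resp: Response) -> Optional[str]:
    """Return None if resp belongs to an outstanding query, else the reason to drop it."""
    q = pending.get((resp.dst_port, resp.txid))
    if q is None:
        # Wrong port or wrong ID: a blind forger guessed badly, or the query already finished.
        return f"no outstanding query for txid {resp.txid:#06x} on port {resp.dst_port}"
    if resp.src_ip != q.server:
        # Port and ID matched but the sender is not the server we asked: forged reply.
        return (f"response from {resp.src_ip} for {resp.qname} "
                f"does not match expected source {q.server}")
    if (resp.qname.lower(), resp.qtype) != (q.qname.lower(), q.qtype):
        return f"question {resp.qname}/{resp.qtype} does not match {q.qname}/{q.qtype}"
    return None


def blind_guess_space(randomized_ports: int) -> int:
    """(port, txid) pairs an off-path forger must cover: 65536 IDs per usable port.
    A fixed source port gives randomized_ports == 1, i.e. only the 16-bit ID protects."""
    return 65536 * randomized_ports


# Constructed sample state: one query for example.com/A sent to 198.51.100.53 from port 53417.
PENDING = {(53417, 0x1A2B): PendingQuery(0x1A2B, "example.com", "A", "198.51.100.53", 53417)}
GENUINE = Response(0x1A2B, "example.com", "A", "198.51.100.53", 53417)
FORGED = Response(0x1A2B, "example.com", "A", "192.0.2.1", 53417)  # matches ID/port, wrong source
WRONG_ID = Response(0x1A2C, "example.com", "A", "192.0.2.1", 53417)  # failed blind guess
```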

## Dead Ends

- Only flushing the DNS cache (for example `ipconfig /flushdns`) removes the poisoned entries, but does not prevent re-poisoning if the resolver remains vulnerable. (90% fail)
- Switching to a different public DNS resolver (for example 8.8.8.8) may bypass the poisoned cache, but does not address the underlying attack on the network path. (70% fail)
- Disabling DNSSEC validation lowers security and allows forged responses to be accepted without validation. (95% fail)
