DNS cache poisoning attack
ashishtx
November 29th, 2008, 11:45 AM
My firewall log shows 3 instances where it says DNS cache poisoning attack. Can someone clarify what it means? Is it a bug?
proactivelover
November 29th, 2008, 11:47 AM
11/29/2008 9:45:38 PM Detected DNS cache poisoning attack 203.99.163.240:53 192.168.1.10:62114 UDP
11/29/2008 9:45:38 PM Detected DNS cache poisoning attack 203.99.163.240:53 192.168.1.10:55440 UDP
11/29/2008 9:45:28 PM Detected DNS cache poisoning attack 203.99.163.240:53 192.168.1.10:49338 UDP
11/29/2008 9:45:28 PM Detected DNS cache poisoning attack 203.99.163.240:53 192.168.1.10:60008 UDP
11/29/2008 9:35:03 PM Detected covert channel exploit in ICMP packet 192.168.1.10 199.202.238.18 ICMP
11/29/2008 9:34:58 PM Detected covert channel exploit in ICMP packet 192.168.1.10 199.202.238.18 ICMP
11/29/2008 9:34:53 PM Detected covert channel exploit in ICMP packet 192.168.1.10 199.202.238.18 ICMP
11/29/2008 9:34:48 PM Detected covert channel exploit in ICMP packet 192.168.1.10 199.202.238.18 ICMP
11/29/2008 9:33:49 PM Detected DNS cache poisoning attack 203.99.163.240:53 192.168.1.10:50625 UDP
11/29/2008 9:22:56 PM Detected DNS cache poisoning attack 203.99.163.240:53 192.168.1.10:51905 UDP
11/29/2008 9:19:55 PM Detected covert channel exploit in ICMP packet 192.168.1.10 199.202.238.18 ICMP
11/29/2008 9:19:50 PM Detected covert channel exploit in ICMP packet 192.168.1.10 199.202.238.18 ICMP
11/29/2008 9:19:45 PM Detected covert channel exploit in ICMP packet 192.168.1.10 199.202.238.18 ICMP
11/29/2008 9:19:41 PM Detected covert channel exploit in ICMP packet 192.168.1.10 199.202.238.18 ICMP
11/29/2008 9:19:02 PM Detected DNS cache poisoning attack 203.99.163.240:53 192.168.1.10:59513 UDP
ashishtx
November 29th, 2008, 12:01 PM
I guess it is a bug.
proactivelover
November 29th, 2008, 12:04 PM
I contacted ESET support and they said "send us Wireshark logs", so I sent them the log.
I think they will fix this bug.
ashishtx
November 29th, 2008, 12:07 PM
Thanks a lot. :)
cocolucho
November 29th, 2008, 12:20 PM
27/11/2008 08:27:58 p.m. Incorrect IP packet checksum 0
27/11/2008 05:36:46 p.m. Incorrect IP packet checksum 0
27/11/2008 05:36:46 p.m. Incorrect IP packet checksum 0
27/11/2008 03:56:06 p.m. Detected DNS cache poisoning attack 200.4.225.146:53 92.168.1.215:56864 UDP
27/11/2008 03:17:33 p.m. Incorrect IP packet checksum 0
27/11/2008 03:17:33 p.m. Incorrect IP packet checksum 0
27/11/2008 02:49:59 p.m. Detected DNS cache poisoning attack 200.48.225.130:5 192.168.1.215:63823 UDP
26/11/2008 09:39:10 p.m. Incorrect IP packet checksum 0
26/11/2008 09:39:10 p.m. Incorrect IP packet checksum 0
26/11/2008 08:14:22 p.m. Incorrect IP packet checksum 0
26/11/2008 08:14:22 p.m. Incorrect IP packet checksum 0
26/11/2008 06:47:23 p.m. Incorrect IP packet checksum 0
26/11/2008 06:47:23 p.m. Incorrect IP packet checksum 0
26/11/2008 03:18:55 p.m. Incorrect IP packet checksum 0
26/11/2008 03:18:55 p.m. Incorrect IP packet checksum 0
26/11/2008 01:41:15 p.m. Incorrect IP packet checksum 0
26/11/2008 01:41:15 p.m. Incorrect IP packet checksum 0
26/11/2008 08:04:23 a.m. Incorrect IP packet checksum 0
26/11/2008 08:04:23 a.m. Incorrect IP packet checksum 0
25/11/2008 01:19:20 p.m. Detected unexpected data in protocol192.168.1.215:14817 1.0.0.0 UDP
25/11/2008 01:18:55 p.m. Detected unexpected data in protocol192.168.1.215:56439 1.0.0.0 UDP
25/11/2008 01:17:12 p.m. Detected unexpected data in protocol 192.168.1.215:44082 1.0.0.0 UDP
Dave16
November 29th, 2008, 01:14 PM
What's weird in my case is that I used to get TONS of DNS cache poisoning attacks detected when I had ESS 3. I've been trying out the beta, and when I look through all the logs, there's nothing there that's been detected in v4 in the personal firewall log.
031
November 29th, 2008, 07:27 PM
I am also experiencing this.
stratoc
November 30th, 2008, 07:14 AM
As has been said, this issue is with v3 also. ESET's reply to me was that it was because I was using a router: either ignore it or disable DNS poisoning detection in settings, as the router does it anyway.
funkydude
November 30th, 2008, 07:53 AM
Always had it and always ignored it; it doesn't really matter. I can't understand people who get so hyped up and worried about it. I've even seen people remove ESS because of it. Ridiculous.
Fixer
November 30th, 2008, 08:38 AM
Is this a bug or not?
Quote:
30.11.2008 г. 15:35 ч. Detected covert channel exploit in ICMP packet 213.167.3.114 124.39.226.52 ICMP
30.11.2008 г. 15:35 ч. Detected covert channel exploit in ICMP packet 213.167.3.114 124.39.226.52 ICMP
30.11.2008 г. 15:30 ч. Detected Port Scanning attack 151.64.43.6:55311 213.167.3.114:80 TCP
30.11.2008 г. 15:24 ч. Detected DNS cache poisoning attack 213.167.0.250:53 213.167.3.114:53172 UDP
MasterTB
November 30th, 2008, 08:42 AM
Well, I had the same problem with v3, so I started a thread: http://www.wilderssecurity.com/showthread.php?t=187648 and after some testing with Wireshark logs they sent me this answer:
"Hello,
thank you for the log. Could you please create a new one with DNS poisoning attack detection turned off - first have a look at the ESS firewall log to be sure that it is constantly filled with DNS poisoning attack messages, then turn the DNS p. a. detection off and run wireshark for a while. According to the existing investigation, it seems that something is wrong with your router, however, from the next log we will be able to obtain more info. Thank you.
Matus Smid"
Which was later followed by another email that I'm sorry to say got deleted, but in the end they confirmed that the problem was my router and not ESS. In fact I changed the router (I have a wireless TP-Link now) and I rarely see those DNS cache poisoning attacks, and when I do see them they come from the internet and are directed to my eMule ports, so they really are attacks.
Kudos Eset. Hope this is the same issue and not something else.
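As an added example (not code from this thread, from ESET or from any poster): a small triage script over firewall log lines in the format quoted above. It separates "DNS cache poisoning attack" entries that are just replies from your own resolver on port 53 to a high client port (the router pattern ESET described to MasterTB) from entries worth a closer look. The resolver address set, the verdict names and the "expected reply" heuristic are my assumptions, not ESS behaviour.

```python
import re
from collections import Counter

# Matches the ESS personal-firewall log lines quoted in this thread:
# "<timestamp> Detected <event> <src> <dst> <proto>"; endpoints carry ":port" for TCP/UDP.
LINE_RE = re.compile(
    r"^(?P<ts>.+?) Detected (?P<event>.+?) (?P<src>\S+) (?P<dst>\S+) (?P<proto>TCP|UDP|ICMP)$"
)

def split_endpoint(ep):
    """'203.99.163.240:53' -> ('203.99.163.240', 53); a bare IP gets port None."""
    host, sep, port = ep.rpartition(":")
    return (host, int(port)) if sep else (ep, None)

def triage_line(line, resolvers):
    """Return a verdict for one log line, or None if it is not an ESS alert line.

    Heuristic (assumption based on the thread): a 'DNS cache poisoning attack' whose
    source is one of your configured resolvers on port 53, aimed at a high ephemeral
    port, is the reply-to-our-own-query pattern the posters traced to their routers.
    Anything else is kept for manual review; other alert types are just counted.
    """
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    if m["event"] != "DNS cache poisoning attack":
        return "other-alert"
    src_ip, src_port = split_endpoint(m["src"])
    _dst_ip, dst_port = split_endpoint(m["dst"])
    if src_ip in resolvers and src_port == 53 and dst_port is not None and dst_port >= 1024:
        return "expected-resolver-reply"
    return "review"

def summarize(log_text, resolvers):
    """Count verdicts over a whole log, skipping lines the parser does not recognise."""
    verdicts = (triage_line(ln, resolvers) for ln in log_text.splitlines())
    return Counter(v for v in verdicts if v is not None)

# Constructed sample: two lines in the page's own format plus one made-up alert from a
# non-resolver source on a non-DNS port (198.51.100.7 is a TEST-NET-2 address, not a real host).
SAMPLE_LOG = """\
11/29/2008 9:45:38 PM Detected DNS cache poisoning attack 203.99.163.240:53 192.168.1.10:62114 UDP
11/29/2008 9:35:03 PM Detected covert channel exploit in ICMP packet 192.168.1.10 199.202.238.18 ICMP
11/29/2008 9:50:02 PM Detected DNS cache poisoning attack 198.51.100.7:4672 192.168.1.10:4672 UDP
"""
RESOLVERS = {"203.99.163.240"}  # assumed: the resolver the router/ISP hands out to the PC

if __name__ == "__main__":
    for ln in SAMPLE_LOG.splitlines():
        print(triage_line(ln, RESOLVERS), "<-", ln)
    print(summarize(SAMPLE_LOG, RESOLVERS))
```

Replace RESOLVERS with the addresses shown by `ipconfig /all` as your DNS servers; anything left in "review" is what you would actually want to inspect.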
patch
December 5th, 2008, 08:02 AM
Quote: "...in the end they confirmed that the problem was my router and not ESS. In fact I changed the router (I have a wireless TP-Link now) and I rarely see those DNS cache poisoning attacks, and when I do see them they come from the internet and are directed to my eMule ports, so they really are attacks."
If that is the case perhaps everyone getting these messages should list what router & firmware they are using so we can find out what ESS is & isn't compatible with.
BTW, my experience is that ESS is incompatible with the Windows 2000 / Billion 7402vgp combination.
Edit: After installing ESS 4 beta, it appears to have improved from when I last tested it:
http://www.wilderssecurity.com/showpost.php?p=1260447&postcount=17
http://www.wilderssecurity.com/showthread.php?p=1239069#post1239069
Now I can leave "DNS poison attack" enabled and only get a few "attacks" from my router each day.
(I run a full scan using Nod32 or ESS on all computers on the network each week).
proactivelover
December 5th, 2008, 09:40 AM
i have ESS v4
OS:VISTA
Router:Shiro DSL805E
Teazle
January 3rd, 2009, 10:39 AM
I have the same problem. It started happening a few days before Christmas, and has resulted in no WAN connection whenever the firewall is active.
ESS v4 beta
OS WinXP SP3
Router: none, direct link to my ISP through an Ethernet plug in the apartment:
2009-01-03 16:31:43 Detected DNS cache poisoning attack 81.26.227.3:53 83.226.237.220:61356 UDP
2009-01-03 16:31:40 Detected DNS cache poisoning attack 81.26.227.3:53 83.226.237.220:56475 UDP
2009-01-03 16:31:40 Detected DNS cache poisoning attack 81.26.227.3:53 83.226.237.220:59752 UDP
2009-01-03 16:31:25 Detected DNS cache poisoning attack 195.54.122.200:53 83.226.237.220:49219 UDP
2009-01-03 16:31:25 Detected DNS cache poisoning attack 195.54.122.200:53 83.226.237.220:56070 UDP
2009-01-03 16:31:10 Detected DNS cache poisoning attack 81.26.227.3:53 83.226.237.220:50867 UDP
2009-01-03 16:31:10 Detected DNS cache poisoning attack 81.26.227.3:53 83.226.237.220:49800 UDP
cinek
January 4th, 2009, 07:20 PM
I got plenty of these logs, lol. Using v3.0.684.0.
Teazle
January 13th, 2009, 06:12 AM
Can we get an update on this soon? I haven't been able to turn on the firewall without totally losing the WAN connection since somewhere around Christmas. It's getting rather annoying :)
Novicex
January 25th, 2009, 04:15 PM
What I know is that the problem with the DNS poisoning attack could be solved by creating a DNS server on your PC (I hope you know how it works), or you can configure your modem to do that if it supports it, or you could even try to set up different DNS server addresses. Try OpenDNS: https://www.opendns.com
tosbsas
January 26th, 2009, 03:45 PM
I get this thing too, and a lot.
Ruben
MasterTB
January 26th, 2009, 07:18 PM
Following patch's suggestion: ESS v4 Beta1 working flawlessly here on Windows 7 Ultimate Beta and a TP-Link 54M Wireless Router.
The only DNS cache poisoning attack alerts I get come from the web trying to access my eMule ports... so I guess ESET is doing its job blocking them.
Copyright ©2002 - 2012, Wilders Security Forums