DNS cache poisoning attack

Discussion in 'ESET Smart Security' started by diffy, Jun 9, 2008.

Thread Status:
Not open for further replies.
  1. diffy

    diffy Registered Member

    Our ESET remote console is reporting a critical warning "Detected DNS cache poisoning attack" from 192.33.4.12:53 (which is c.root-servers.net) against my server.

    It's not really an attack, is it? What do I need to tell ESET Smart Security Business Edition (v3.0.650)?
     
  2. ASpace

    ASpace Guest


    I have clients asking me similar questions very often. And I still can't understand what worries people when they see that the firewall they have paid for is doing its job. Why do you think it is not a real attack? If you think it is not a real attack and you absolutely trust your router (that is supposed to guard the network), then why have you installed a software firewall on the workstations?

    I would relax, take it easier and only worry if this starts to happen pretty often.
     
  3. stratoc

    stratoc Guest

    I have about 2 entries each day. I wouldn't worry about it; I'm guessing it's either a false positive or a bug. I didn't have any firewall for 4 years and still don't on 2 PCs; I'm beginning to wonder if they are needed if you have a router.
    Online games give me my entries, out of interest; World of Warcraft and Conan seem to be the culprits.
     
  4. diffy

    diffy Registered Member

    I suspected it was doing too much, i.e. blocking communication in, and therefore communication out so my DNS server is blocked.

    However, a little research showed that a root server would not initiate communications with us.

    OK, you guys are right, I will
     
  5. ASpace

    ASpace Guest

    If you have further questions about suspicious attacks, you can contact ESET Technical Support and provide them with some log files so that a deeper investigation is carried out. This way they can understand if it was a real attack blocked or something else blocked - a false positive (for example).
     
  6. Dramastic

    Dramastic Registered Member

    This causes intermittent problems loading webpages in at least IE. Sometimes you have to refresh the website 3 or 4 times before it works. Disabling in IDS settings resolves this.

    When I contacted ESET about this issue, I received this reply:

    >>

    This is usually caused due to the way some routers assign DNS through DHCP. If possible, either set the DNS server settings manually on the workstations and disable the router from sending out DNS server settings through DHCP, or you can just disable the alert of DNS cache poisoning since the router is in place and handling this. You can do that by opening the ESET Smart Security window, press F5, click on Personal Firewall > IDS and Advanced options, uncheck the detection of DNS cache poisoning.

    <<

    What I have not figured out yet is why two very nearly identical systems on our network exhibit different behavior on this. One is full of entries while the other has none.

    Dramastic
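
One way to check whether a reply like the one from 192.33.4.12:53 was actually unsolicited, as an added example that is not part of the thread and not ESET's code: it matches inbound DNS responses against queries the host sent, so a reply is classed as solicited, late (the query was real but older than the filter's memory) or unsolicited. The `Pkt` record layout, the 5-second `TIMEOUT`, the local ports, the transaction IDs and the sample log are constructed assumptions; how ESET's IDS decides is not described in the thread.

```python
# Added example: classify inbound DNS replies by matching them to sent queries.
# Record layout, TIMEOUT and SAMPLE are constructed for illustration only.
from collections import namedtuple

Pkt = namedtuple("Pkt", "ts direction remote_ip remote_port local_port txid is_response")

TIMEOUT = 5.0            # assumed seconds a stateful filter remembers a query
ROOT_C = "192.33.4.12"   # c.root-servers.net, the address named in the thread


def classify_replies(packets, timeout=TIMEOUT):
    """Return [(packet, verdict)] for every inbound DNS response."""
    pending = {}  # (remote_ip, remote_port, local_port, txid) -> time query sent
    verdicts = []
    for p in sorted(packets, key=lambda pkt: pkt.ts):
        key = (p.remote_ip, p.remote_port, p.local_port, p.txid)
        if p.direction == "out" and not p.is_response:
            pending[key] = p.ts
        elif p.direction == "in" and p.is_response:
            sent = pending.pop(key, None)  # a query can be answered only once
            if sent is None:
                verdict = "unsolicited"    # nothing asked for this reply
            elif p.ts - sent <= timeout:
                verdict = "solicited"
            else:
                verdict = "late"           # real query, but the filter forgot it
            verdicts.append((p, verdict))
    return verdicts


# Constructed sample log from the point of view of a local DNS server.
SAMPLE = [
    Pkt(0.00, "out", ROOT_C, 53, 40001, 0x1A2B, False),
    Pkt(0.04, "in", ROOT_C, 53, 40001, 0x1A2B, True),    # normal answer
    Pkt(10.00, "out", ROOT_C, 53, 40002, 0x3C4D, False),
    Pkt(17.50, "in", ROOT_C, 53, 40002, 0x3C4D, True),   # answer after timeout
    Pkt(20.00, "in", ROOT_C, 53, 40003, 0x5E6F, True),   # no query was sent
    Pkt(30.00, "out", ROOT_C, 53, 40004, 0x7777, False),
    Pkt(30.02, "in", ROOT_C, 53, 40004, 0x7778, True),   # wrong transaction ID
]

if __name__ == "__main__":
    for pkt, verdict in classify_replies(SAMPLE):
        print(f"{pkt.ts:6.2f}s {pkt.remote_ip}:{pkt.remote_port} "
              f"-> local port {pkt.local_port} txid={pkt.txid:#06x} {verdict}")
```

Running the same matching over a capture or resolver query log from the affected server shows whether the flagged replies answer queries the server really sent.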
     