"DNS Cache poisoning attack"

Discussion in 'ESET NOD32 Antivirus' started by Michael in SJ, Apr 3, 2012.

Thread Status:
Not open for further replies.
  1. Michael in SJ

    Michael in SJ Registered Member

    Joined:
    Apr 3, 2012
    Posts:
    1
    Location:
    United States
    I am getting this notice on an infrequent basis. I did a search for an answer but everything I found relates to internal addresses.

    The "DNS Cache poisoning attack" is being reported for my ISP's (Comcast) DNS addresses 75.75.75.75 and 75.75.76.76.

    Any thoughts?
     
  2. Here is more background information concerning this.

    Cache poisoning, also called domain name system (DNS) poisoning or DNS cache poisoning, is the corruption of an Internet server's domain name system table by replacing an Internet address with that of another, rogue address. When a Web user seeks the page with that address, the request is redirected by the rogue entry in the table to a different address. At that point, a worm, spyware, Web browser hijacking program, or other malware can be downloaded to the user's computer from the rogue location.
    Cache poisoning can be transmitted in a variety of ways, increasing the rate at which rogue programs are spread. One tactic is the placement of compromised URLs within spam e-mail messages having subject lines that tempt users to open the message (for example, "Serious error in your tax return"). Images and banner ads within e-mail messages can also be vehicles by which users are directed to servers that have been compromised by cache poisoning. Once an end user's computer has been infected with the nefarious code, all future requests by that user's computer for the compromised URL will be redirected to the bad IP address -- even if the "victim" server resolves the problem at its site. Cache poisoning is particularly dangerous when the targets are well-known and trusted sites, such as those to which browsers are pointed when automatic virus-definition updates are performed.
    Cache poisoning differs from another form of DNS poisoning, in which the attacker spoofs valid e-mail accounts and floods the inboxes of administrative and technical contacts. Cache poisoning is related to URL poisoning. In URL poisoning, also known as location poisoning, Internet user behavior is tracked by adding an identification (ID) number to the location line of the browser that can be recorded as the user visits successive pages on the s

    Please consider OPENDNS
    at http://www.opendns.com/home-solutions/
     
  3. foneil

    foneil Eset Staff Account

    Joined:
    Dec 7, 2010
    Posts:
    255
    Location:
    San Diego
    Did you follow the instructions in the Knowledgebase article, step 3:
    • If the IP address being detected as a threat is not within the safe range listed above, or there are no network peripherals currently in use on your network, see solution 2.
    If the "DNS Flush tool" (solution 2) does not work, please let us know or open a case with Customer Care.
     
  4. To flush DNS cache in Microsoft Windows (Win XP, Win ME, Win 2000):-- Start -> Run -> type cmd
    - in command prompt, type ipconfig /flushdns
    - Done! You Window DNS cache has just been flush.


    How To Flush The DNS Cache In Windows 7

    Step 1 – Launch cmd
    Click the Windows Start Menu Orb and Type cmd into the search box. Right-Click the cmd link that appears under the Programs list and Select Run as administrator.

    Step 2
    In the command line, type in the following command:


    ipconfig /flushdns

    Done!
    Your cache of resolved DNS’ should now be cleaned out! This is really handy if you were making changes to the HOSTS file in Windows or messing around with your web server, but there are plenty of other uses as well.
     
  5. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
    Flush your DNS - reboot, this is assuming you are not running a Hosts file then you would have to fully enable DNS in Services, follow instructions as requested by ESET.

    Code:
    ipconfig /flushdns
     
  6. foneil

    foneil Eset Staff Account

    Joined:
    Dec 7, 2010
    Posts:
    255
    Location:
    San Diego
    Thanks for answering this question so quickly. Regarding the code
    Code:
     
    ipconfig /flusdns 
    ipconfig /registerdns
    
    the DNS-Flush.exe hosted on the ESET Knowledgebase runs the same commands with elevated rights and creates a log file to “All Users Desktop”\CC Support Logs\DNS.log." It then brings back all previously minimized windows.

    We found that this tool is easier for users to run rather than performing each command.
     
  7. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
    You're welcome, foneil, I was not aware of the new ESET KB Article. This helps in these situations.

    Regards,
     
Thread Status:
Not open for further replies.