ESET / OpenDNS / Cache poisoning attack?

Discussion in 'ESET Smart Security' started by jameslothian1, Sep 25, 2012.

Thread Status:
Not open for further replies.
  1. jameslothian1

    jameslothian1, Registered Member
    Joined: Sep 25, 2012
    Posts: 3
    Location: Scotland
    Setup:
    Windows 7 64-bit Ultimate. Broadband internet access via
    ADSL & Netgear router. I use OpenDNS server 208.67.222.222.
    Nothing else is connected to the router.
    ESET Smart Security 5.2.9.1.

    For the past few days, I've been seeing 'Detected DNS Cache
    Poisoning attack' alerts from ESET. The Personal Firewall log
    in ESET shows about ten of these per day, all originating from
    208.67.222.222:53 (this is the OpenDNS server). These suddenly
    started appearing on 18/09/2012. Prior to that, I had never seen
    this message from ESET. I'm not aware of any local configuration
    changes (Windows, ESET &c) that might have caused this. ESET is
    fully up to date.

    So, a couple of questions:

    1) Is there any way of getting ESET to log the contents of the
    DNS responses that it believes are attacks, so that I can tell
    whether to worry about this or not?

    2) Any ideas in general what might be going on here? If I know
    these alerts are spurious, I know I can suppress them. But it's
    very odd that something like this should start happening suddenly
    out of the blue.

    James Lothian
     
  2. jameslothian1

    jameslothian1, Registered Member
    Joined: Sep 25, 2012
    Posts: 3
    Location: Scotland

    *bump*

    Any ideas? In particular, is there any way of logging the DNS responses
    that ESET regards as an attack, so that I can see their content and
    decide how worried I should be? This would make it easier for me to tell
    whether I should raise this with OpenDNS.

    Thanks,
    James
     
  3. dwomack

    dwomack, ESET Staff Account
    Joined: Mar 2, 2011
    Posts: 588

    1. The ESET Firewall Log should include any detections of DNS Cache Poisoning Attack BUT
    2. The issue could be caused by a few legit things, including repeated pings of the network by the router or server, sending/receiving data in any non-standard way, or a few other possibilities. What firewall module do you currently have installed?

    The following KB article gives a bit more information and a couple of possible solutions:

    DNS Cache Poisoning Attack
     
  4. jameslothian1

    jameslothian1, Registered Member
    Joined: Sep 25, 2012
    Posts: 3
    Location: Scotland

    ESET firewall version is 1090 (20120824). The ESET log shows the address
    from which the 'attacks' are coming, and the local address /port combination
    to which they are directed. However, unless I'm missing something, there
    doesn't seem to be any way of getting more detailed information on the
    content of the DNS response packets.

    Thanks,
    James
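
    Added example (not from the thread, from ESET or from OpenDNS): a small Python parser for raw DNS response packets that shows the kind of content the poster wanted to see, and applies the basic check a "cache poisoning" heuristic relies on: a response whose transaction ID and question section do not correspond to a query this host actually sent is unsolicited or mismatched. The sample packet and the table of outstanding queries are constructed here for illustration; the hostname, transaction ID and the 192.0.2.1 address are assumptions, not values from the thread.

```python
import struct

def parse_name(msg, off):
    """Decode a DNS name at offset `off`, following compression pointers.
    Returns (dotted_name, offset_just_after_the_name_field)."""
    labels, jumped, ret = [], False, off
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:           # 2-byte compression pointer
            ptr = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            if not jumped:
                ret = off + 2               # field ends after the pointer
            jumped, off = True, ptr
            continue
        off += 1
        if length == 0:                     # root label terminates the name
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (ret if jumped else off)

def parse_response(msg):
    """Extract header, first question and answer records from a DNS message."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack_from("!6H", msg, 0)
    qname, off = parse_name(msg, 12)
    qtype, _qclass = struct.unpack_from("!HH", msg, off)
    off += 4
    answers = []
    for _ in range(ancount):
        name, off = parse_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        # Render A records as dotted quads; leave anything else as hex.
        value = ".".join(str(b) for b in rdata) if rtype == 1 and rdlen == 4 else rdata.hex()
        answers.append((name, value, ttl))
    return {"txid": txid, "is_response": bool(flags & 0x8000),
            "qname": qname, "qtype": qtype, "answers": answers}

def classify(msg, outstanding):
    """outstanding: set of (txid, qname) pairs for queries this host sent."""
    r = parse_response(msg)
    if not r["is_response"]:
        return "not-a-response", r
    if (r["txid"], r["qname"]) not in outstanding:
        return "unsolicited-or-mismatched", r   # what a poisoning heuristic flags
    return "matches-outstanding-query", r

# Constructed sample: a normal answer for example.com -> 192.0.2.1 (TTL 300).
SAMPLE = (struct.pack("!6H", 0x1A2B, 0x8180, 1, 1, 0, 0)
          + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
          + b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1]))
```

Feed `classify` the UDP payloads recorded by a packet capture on port 53 alongside the queries the host sent, and the verdict plus the decoded answers give the per-alert detail the firewall log does not show.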
     