Help me with this snort alert: Potential DNS Cache Poisoning Attempt
-
2016-11-16 20:44:11 2 UDP Attempted Information Leak 216.239.36.10 53 192.168.1.11 62464 3:21355 PROTOCOL-DNS potential dns cache poisoning attempt - mismatched txid
I've got pfsense 2.3.2 running snort on a small corporate network. I more or less just got it up and running and cleaned up all the obvious issues. Anyways, this alert came up last night at 9pm when I'm fairly certain no one was here (and more or less the same one popped up again at midnight-ish twice). I'm attaching the pcap (assuming I did it right). Looks like it was a google query. Alert came from my DNS server.
I'm a little confused by the SID, seems to be 3:21355 which would be https://www.snort.org/rule_docs/3-21355, but seems to match 1:21355 more closely which is https://www.snort.org/rule_docs/1-21355. But regardless, I'm confused at what automated activity might cause this. I'll turn on DNS logging to look at who/what is causing this but right now I don't have much more than this.
But anyways, curious for any insight anyone can provide.
dns_cache_poisoning.1.pcap
-
FWIW, I might have tracked it down. I found that this DNS server has its own IP address set to the DNS server rather than the loopback. This is a secondary DNS so the entry wasn't very common. But I guess I'll know in a few days if it doesn't reappear.
-
look like your machine making normal domain name queries to ns3.google.com