Netgate Discussion Forum

    Snort showing many DNS cache poisoning alerts

    pfSense Packages
Deadringers

      Hey all,

Just have seen this in my alert logs and blocked list for snort:

      1 8.8.8.8
      BAD-TRAFFIC potential dns cache poisoning attempt - mismatched txid - 05/13/13-15:37:09
      2 216.239.32.10
      BAD-TRAFFIC potential dns cache poisoning attempt - mismatched txid - 05/13/13-16:36:28
      3 208.78.71.100
      BAD-TRAFFIC potential dns cache poisoning attempt - mismatched txid - 05/13/13-15:41:30
      4 205.251.193.59
      BAD-TRAFFIC potential dns cache poisoning attempt - mismatched txid - 05/13/13-15:40:18

      05/13/13-15:40:22 2 UDP Attempted Information Leak 23.74.25.32  53 MYIP* 39090 3:21355:2 BAD-TRAFFIC potential dns cache poisoning attempt - mismatched txid
      05/13/13-15:40:18 2 UDP Attempted Information Leak 205.251.193.59 53 MYIP* 17452 3:21355:2 BAD-TRAFFIC potential dns cache poisoning attempt - mismatched txid
      05/13/13-15:40:17 2 UDP Attempted Information Leak 80.190.225.144 53 MYIP* 2030 3:21355:2 BAD-TRAFFIC potential dns cache poisoning attempt - mismatched txid
      05/13/13-15:39:42 2 UDP Attempted Information Leak 80.239.171.207 53 MYIP* 29724 3:21355:2 BAD-TRAFFIC potential dns cache poisoning attempt - mismatched txid
      05/13/13-15:37:15 2 UDP Attempted Information Leak 207.123.33.51 53 MYIP* 60546 3:21355:2 BAD-TRAFFIC potential dns cache poisoning attempt - mismatched txid
      05/13/13-15:37:09 2 UDP Attempted Information Leak 8.8.8.8 53 MYIP* 47667 3:21355:2 BAD-TRAFFIC potential dns cache poisoning attempt - mismatched txid

      Now I don't know of the other IPs there but I know 8.8.8.8 is Google's DNS server…
      Surely they can't be providing these "bad traffic" DNS requests to me?

      This has just started today - have not seen it before.

      Any ideas where I can inspect these logs further?

bmeeks

@Deadringers:

Hey all,

Just have seen this in my alert logs and blocked list for snort:

1 8.8.8.8
BAD-TRAFFIC potential dns cache poisoning attempt - mismatched txid - 05/13/13-15:37:09
05/13/13-15:37:09 2 UDP Attempted Information Leak 8.8.8.8 53 *MY*IP* 47667 3:21355:2

Now I don't know of the other IPs there but I know 8.8.8.8 is Google's DNS server…
Surely they can't be providing these "bad traffic" DNS requests to me?

This has just started today - have not seen it before.

Any ideas where I can inspect these logs further?
        I have the same Google DNS server configured in my Home network, but I do not have any of those alerts in my logs.  I just checked today a few minutes ago.  Most likely these are false positives, and they could have been triggered by a temporarily misconfigured or malfunctioning host at Google's DNS farm.  Are you still getting the alerts, or have they quieted down?  If you convince yourself they are false positives, you can add the GID:SID to the Suppress List for Snort and that will stop the alerts.

        Bill

Deadringers
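For readers wondering what "mismatched txid" actually checks: a DNS response is expected to carry the same 16-bit transaction ID as the query it answers, and the alert fires when a response's ID does not match the query the sensor tracked. The block below is an added example written for this thread, not Snort's own rule code or anything posted by the participants: it models that check over constructed UDP packets (the client address 192.0.2.10, the ports and the transaction IDs are made up; the exact session-tracking details of the SO rule are an assumption and are only approximated here). It shows a legitimate answer passing, an off-path forgery being flagged, and the benign case Bill describes as a false positive, where the sensor tracked one query and the genuine answer belongs to another it never saw. Note that in all three cases the alert's "source" is the answering resolver, which is why 8.8.8.8 ends up in the blocked list.

```python
"""Toy re-implementation of the idea behind Snort alert 3:21355
("potential dns cache poisoning attempt - mismatched txid").
Added example for this thread; not Snort code. All packets are constructed."""
import struct
from collections import defaultdict

DNS_PORT = 53
QR_BIT = 0x8000  # header flag bit set on responses


def build_dns(txid, qname, response=False):
    """Build a minimal DNS message (header + one A/IN question) as test data."""
    flags = 0x8180 if response else 0x0100
    header = struct.pack(">HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode() for p in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack(">HH", 1, 1)


def parse_dns_header(payload):
    """Return (txid, is_response), or None if the payload is too short to be DNS."""
    if len(payload) < 12:
        return None
    txid, flags = struct.unpack(">HH", payload[:4])
    return txid, bool(flags & QR_BIT)


class TxidMonitor:
    """Track outstanding queries per client flow and flag responses whose
    transaction ID matches none of them."""

    def __init__(self):
        # (client_ip, client_port, server_ip) -> set of txids still awaiting an answer
        self.outstanding = defaultdict(set)
        self.alerts = []

    def feed(self, src_ip, src_port, dst_ip, dst_port, payload):
        """Process one UDP datagram; return an alert dict or None."""
        parsed = parse_dns_header(payload)
        if parsed is None:
            return None
        txid, is_response = parsed
        if not is_response and dst_port == DNS_PORT:
            self.outstanding[(src_ip, src_port, dst_ip)].add(txid)
            return None
        if is_response and src_port == DNS_PORT:
            flow = (dst_ip, dst_port, src_ip)
            pending = self.outstanding.get(flow)
            if pending and txid in pending:
                pending.discard(txid)  # genuine answer to a query we saw: retire it
                return None
            if pending:
                # A query is outstanding on this flow, but the answer carries a
                # different txid. The alert names the answering server as source.
                alert = {"src": f"{src_ip}:{src_port}", "dst": f"{dst_ip}:{dst_port}",
                         "txid": txid, "expected": sorted(pending),
                         "msg": "potential dns cache poisoning attempt - mismatched txid"}
                self.alerts.append(alert)
                return alert
        # Responses on flows with no tracked query are ignored by this toy model.
        return None


def run_scenarios():
    """Three constructed exchanges between client 192.0.2.10 and resolver 8.8.8.8."""
    client, server = "192.0.2.10", "8.8.8.8"
    mon = TxidMonitor()
    results = {}

    # 1. Normal: query 0x1234, answer 0x1234 -> no alert.
    mon.feed(client, 40001, server, 53, build_dns(0x1234, "example.com"))
    results["matched"] = mon.feed(server, 53, client, 40001,
                                  build_dns(0x1234, "example.com", True))

    # 2. Off-path forgery: a spoofed answer with the server's address as source
    #    guesses the wrong txid -> alert, attributed to 8.8.8.8:53.
    mon.feed(client, 40002, server, 53, build_dns(0x5555, "example.com"))
    results["forged"] = mon.feed(server, 53, client, 40002,
                                 build_dns(0x5556, "example.com", True))

    # 3. Benign mismatch (constructed): the sensor saw query 0x0A0A, but the client
    #    also sent 0x0B0B on the same socket over a path the sensor did not see.
    #    The genuine answer to 0x0B0B is flagged exactly like the forgery above.
    mon.feed(client, 40003, server, 53, build_dns(0x0A0A, "example.com"))
    results["unseen_query"] = mon.feed(server, 53, client, 40003,
                                       build_dns(0x0B0B, "example.com", True))
    return results


if __name__ == "__main__":
    for name, alert in run_scenarios().items():
        print(name, "->", alert or "no alert")
```

Scenarios 2 and 3 are indistinguishable to the sensor, which is why a burst of these alerts against a known public resolver is usually a visibility problem rather than an attack. If you do suppress, the Snort package's Suppress List takes the standard syntax: `suppress gen_id 3, sig_id 21355, track by_src, ip 8.8.8.8` limits the suppression to that resolver, whereas a bare `suppress gen_id 3, sig_id 21355` silences the check everywhere, including for answers from servers you have not vetted.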

          Thanks for the feedback - they have been showing all day so no idea why…
          I'll keep the DNS alerts off for now but will re-instate them tomorrow and see what happens.

Deadringers

            Hey all.

            Still getting these alerts…are there any further logs that I can enable or look at?

It is weird that I am getting these and no one else is?

            05/14/13-12:07:09 2 UDP Attempted Information Leak 69.147.237.99 53 213.123.237.9 60119 3:21355:2 BAD-TRAFFIC potential dns cache poisoning attempt - mismatched txid
            05/14/13-12:06:34 1 UDP Attempted User Privilege Gain 8.8.8.8  53 213.123.237.9 48522 3:19187:2 BAD-TRAFFIC TMG Firewall Client long host entry exploit attempt
            05/14/13-12:05:24 2 UDP Attempted Information Leak 95.211.9.35  53 213.123.237.9 56707 3:21355:2 BAD-TRAFFIC potential dns cache poisoning attempt - mismatched txid
            05/14/13-12:04:37 2 UDP Attempted Information Leak 65.19.178.10 53 213.123.237.9 41518 3:21355:2 BAD-TRAFFIC potential dns cache poisoning attempt - mismatched txid
            05/14/13-12:04:37 2 UDP Attempted Information Leak 213.254.245.7 53 213.123.237.9 36354 3:21355:2 BAD-TRAFFIC potential dns cache poisoning attempt - mismatched txid
            05/14/13-12:04:37 2 UDP Attempted Information Leak 109.74.194.10 53 213.123.237.9 53521 3:21355:2 BAD-TRAFFIC potential dns cache poisoning attempt - mismatched txid
            05/14/13-12:04:37 2 UDP Attempted Information Leak 96.7.49.64 53 213.123.237.9 28315 3:21355:2 BAD-TRAFFIC potential dns cache poisoning attempt - mismatched txid
            05/14/13-12:04:36 2 UDP Attempted Information Leak 69.171.239.11 53 213.123.237.9 6915 3:21355:2 BAD-TRAFFIC potential dns cache poisoning attempt - mismatched txid

            1 8.8.8.8
            BAD-TRAFFIC potential dns cache poisoning attempt - mismatched txid - 05/14/13-12:02:37
            BAD-TRAFFIC TMG Firewall Client long host entry exploit attempt - 05/14/13-12:06:34
            2 95.211.9.35
            BAD-TRAFFIC potential dns cache poisoning attempt - mismatched txid - 05/14/13-12:05:24
            3 69.147.237.99
            BAD-TRAFFIC potential dns cache poisoning attempt - mismatched txid - 05/14/13-12:07:09
            3 items listed.

Deadringers

Hmm, I think I may have found out what it was…

So I upgraded my ESXi guests yesterday to use the VMXNET 3 adapters rather than the e1000.

This meant I had to reapply the config on my 2008 R2 DC to the new adapter - here I referenced that the DNS server my DC should use was its actual IP rather than its loopback.

I think this was somehow producing an incorrect result as far as snort was concerned?

Because now I have changed it to 127.0.0.1 and I am getting no DNS errors.

bmeeks

@Deadringers:

Hmm, I think I may have found out what it was…

So I upgraded my ESXi guests yesterday to use the VMXNET 3 adapters rather than the e1000.

This meant I had to reapply the config on my 2008 R2 DC to the new adapter - here I referenced that the DNS server my DC should use was its actual IP rather than its loopback.

I think this was somehow producing an incorrect result as far as snort was concerned?

Because now I have changed it to 127.0.0.1 and I am getting no DNS errors.

                Yep…I don't know all the super secret details of Microsoft AD servers, but I do know the domain controllers want themselves (the loopback address) for DNS.  Glad you got it sorted out.

                Bill

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.