GCIH · Question #437
A systems administrator notices an increase in errors in a DNS server log. Further investigation determines the errors are related to incoming DNS packets with incorrect query ID's. What type of activ
The correct answer is D. A cache poisoning attack in progress. DNS packets arriving with incorrect query IDs are a hallmark indicator of a DNS cache poisoning attack, where an attacker attempts to inject forged responses.
Question
A systems administrator notices an increase in errors in a DNS server log. Further investigation determines the errors are related to incoming DNS packets with incorrect query ID's. What type of activity is the likely cause of these errors?
Options
- AClients browsing to blocked websites
- BUnauthorized zone transfer requests
- CBot command and control traffic
- DA cache poisoning attack in progress
How the community answered
(45 responses)- A9% (4)
- B4% (2)
- C4% (2)
- D82% (37)
Why each option
DNS packets arriving with incorrect query IDs are a hallmark indicator of a DNS cache poisoning attack, where an attacker attempts to inject forged responses.
Clients browsing blocked websites generate NXDOMAIN responses or policy-based redirects, not a flood of packets with mismatched query IDs.
Unauthorized zone transfer requests use AXFR or IXFR DNS record types directed at the authoritative server, which would not produce query ID mismatch errors.
Bot command and control traffic typically uses legitimate DNS queries with valid, matching query IDs to resolve C2 domain names, not malformed packets.
DNS cache poisoning attacks work by flooding a DNS resolver with forged response packets bearing spoofed source IPs and guessed or predicted transaction (query) IDs, hoping one matches an outstanding query before the legitimate response arrives. When the attacker's guesses are wrong, the DNS server logs errors due to mismatched query IDs on incoming packets. A high volume of these errors strongly indicates an active poisoning attempt targeting the resolver's cache.
Concept tested: DNS cache poisoning detection via query ID mismatches
Source: https://www.cisa.gov/news-events/alerts/2008/07/08/multiple-dns-implementations-vulnerable-cache-poisoning
Topics
Community Discussion
No community discussion yet for this question.