nerdexam
GIAC

GCIH · Question #437

A systems administrator notices an increase in errors in a DNS server log. Further investigation determines the errors are related to incoming DNS packets with incorrect query ID's. What type of activ

The correct answer is D. A cache poisoning attack in progress. DNS packets arriving with incorrect query IDs are a hallmark indicator of a DNS cache poisoning attack, where an attacker attempts to inject forged responses.

Incident Response & Cyber Kill Chain

Question

A systems administrator notices an increase in errors in a DNS server log. Further investigation determines the errors are related to incoming DNS packets with incorrect query ID's. What type of activity is the likely cause of these errors?

Options

  • AClients browsing to blocked websites
  • BUnauthorized zone transfer requests
  • CBot command and control traffic
  • DA cache poisoning attack in progress

How the community answered

(45 responses)
  • A
    9% (4)
  • B
    4% (2)
  • C
    4% (2)
  • D
    82% (37)

Why each option

DNS packets arriving with incorrect query IDs are a hallmark indicator of a DNS cache poisoning attack, where an attacker attempts to inject forged responses.

AClients browsing to blocked websites

Clients browsing blocked websites generate NXDOMAIN responses or policy-based redirects, not a flood of packets with mismatched query IDs.

BUnauthorized zone transfer requests

Unauthorized zone transfer requests use AXFR or IXFR DNS record types directed at the authoritative server, which would not produce query ID mismatch errors.

CBot command and control traffic

Bot command and control traffic typically uses legitimate DNS queries with valid, matching query IDs to resolve C2 domain names, not malformed packets.

DA cache poisoning attack in progressCorrect

DNS cache poisoning attacks work by flooding a DNS resolver with forged response packets bearing spoofed source IPs and guessed or predicted transaction (query) IDs, hoping one matches an outstanding query before the legitimate response arrives. When the attacker's guesses are wrong, the DNS server logs errors due to mismatched query IDs on incoming packets. A high volume of these errors strongly indicates an active poisoning attempt targeting the resolver's cache.

Concept tested: DNS cache poisoning detection via query ID mismatches

Source: https://www.cisa.gov/news-events/alerts/2008/07/08/multiple-dns-implementations-vulnerable-cache-poisoning

Topics

#DNS cache poisoning#query ID spoofing#DNS attacks#network analysis

Community Discussion

No community discussion yet for this question.

Full GCIH Practice