DNS Cache Poisoning Attack

KB Solution ID: SOLN2933 | Last Revised: September 22, 2014

Issue

  • "DNS Cache poisoning attack" is detected by the ESET Personal firewall
  • "Detected ARP cache poisoning attack" is detected by the ESET Personal firewall
  • ESET Customer Care directed you to this article to flush your DNS cache and restore the MS Hosts file

 

Details

For more information about event names in the ESET Smart Security firewall log, see the following ESET Knowledgebase article:

 

Solution

If the ESET Personal firewall is detecting a threat to your system from DNS cache poisoning, there are two possible solutions to resolve this issue. Please begin with solution 1 and only continue on to solution 2 if the issue is not resolved.

Solution 1: Create an exception for internal IP traffic

In some cases, the ESET Personal firewall will detect internal IP traffic from a network peripheral such as a router or printer as a possible threat. Follow the step-by-step instructions below to determine if a threat is being caused by internal traffic and resolve this issue.

  1. Determine if the IP address detected in the notification is a number that falls within the following range (where "x" is 0-255):
    • 172.16.x.x - 172.31.x.x
    • 192.168.x.x
    • 10.x.x.x

     Note: Only add an IP address to the trusted zone if you know it is safe.

  2. If the IP address detected is within the safe range listed above, open the main program window by double-clicking the ESET icon in your Windows notification area or by clicking Start → All Programs → ESET → ESET Smart Security. Skip to step 4 and continue with solution 1.

  3. If the IP address being detected as a threat is not within the safe range listed above, or there are no network peripherals currently in use on your network, the device being detected by Personal firewall is located on a public network and could be a threat to your system. See solution 2 to download the ESET DNS-Flush tool and use it to repair files which may have been damaged by DNS cache poisoning.

  4. Press the F5 key on your keyboard to access the Advanced setup window.

  5. Expand Network → Personal firewall and then click Rules and zones.

  6. In the Zone and rule editor pane, click Setup.

Figure 1-1

  7. Click the Zones tab, select Addresses excluded from active protection (IDS) and then click Edit.

Figure 1-2

  8. In the Zone setup window, click Add IPv4 address.

Figure 1-3

  9. Select Single address, and then enter the IP address of the device being incorrectly detected as a threat.

Figure 1-4

  10. Click OK four times to exit the Advanced setup tree and save your changes. You should no longer see any messages about attacks coming from an internal IP address that you know to be safe. If you continue to experience this issue, proceed to solution 2 below.
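The range check in step 1 and the choice between the two solutions can be scripted when many notifications need review. The following is an added example, not ESET code: the function names `triage` and `next_step` and the device list are assumptions, and it goes slightly beyond the text by handling malformed input and IPv4-mapped IPv6 addresses.

```python
import ipaddress

# The three internal ranges from step 1, written as CIDR networks.
# Listed explicitly because ipaddress's is_private also matches loopback
# and link-local addresses, which the article does not treat as internal.
INTERNAL_RANGES = (
    ipaddress.ip_network("10.0.0.0/8"),      # 10.x.x.x
    ipaddress.ip_network("172.16.0.0/12"),   # 172.16.x.x - 172.31.x.x
    ipaddress.ip_network("192.168.0.0/16"),  # 192.168.x.x
)


def triage(detected):
    """Classify the address from a notification: (verdict, normalized)."""
    try:
        addr = ipaddress.ip_address(detected.strip())
    except ValueError:
        return ("invalid", None)
    # An IPv4 address may be reported as IPv4-mapped IPv6 (::ffff:a.b.c.d).
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    if addr.version == 4 and any(addr in net for net in INTERNAL_RANGES):
        return ("internal", str(addr))
    return ("external", str(addr))


def next_step(detected, verified_devices):
    """Map an address to the article's next action.

    verified_devices: addresses of peripherals (router, printer) that the
    user has personally confirmed; being in range alone is not enough.
    """
    verdict, normalized = triage(detected)
    if verdict == "invalid":
        return "recheck the address in the notification"
    if verdict == "internal" and normalized in verified_devices:
        return "solution 1"
    return "solution 2"


if __name__ == "__main__":
    devices = {"192.168.1.1", "192.168.1.20"}  # constructed sample values
    for ip in ("192.168.1.1", "172.32.0.1", "::ffff:10.0.0.5", "169.254.3.4"):
        print(ip, triage(ip)[0], "->", next_step(ip, devices))
```

An address inside the listed ranges that is not in the verified set still maps to solution 2, matching the article's rule that an exclusion is only for a device you know to be safe.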

Solution 2: Run the DNS Flush tool

You can use the ESET DNS Flush tool to flush your DNS cache. Follow the step-by-step instructions below to download and run the DNS Flush tool:

  1. Download the DNS-Flush.exe tool and save the file to your Desktop.
     
  2. Once the download is complete, navigate to your Desktop and double-click DNS-Flush.exe (if you are prompted to continue click Yes).
     
  3. The tool will automatically flush and register your DNS cache. When the tool is finished running, your computer will restart automatically.

  4. After your computer restarts, open your ESET product and run a Computer scan. For assistance, refer to the following Knowledgebase articles:

The Computer scan performed in step 4 should complete without detecting an infection. If no threat is detected, you are finished.

If you are still unable to resolve your issue, please contact ESET Customer Care.
