Support Library
DNS Cache Poisoning
Threat Model
Attackers attempt to inject forged answers into resolver cache by winning the response race.
Attack Path
Kaminsky-style flooding guesses query entropy until spoofed responses are cached for target names.
Detection Techniques
Monitor unexpected answer-set changes, resolver disagreement, and abnormal TTL patterns.
Mitigation Strategies
Use source-port/query-ID randomization, strict bailiwick, aggressive patching, and DNSSEC validation.
Scoring Impact
Active poisoning signals are critical; weak resolver hardening is medium to high risk.
How DNS Panopticon Detects This
- Relevant checks: Delegation integrity, resolver consistency, DNSSEC health, and suspicious record-pattern checks.
- Severity mapping: Informational, medium/high, or critical based on exploitability and user impact.
- Score impact: Reliability and security scoring dimensions are reduced according to blast radius.
- Related findings users will see: NS drift, validation failure, orphaned CNAMEs, wildcard exposure, and policy misconfiguration alerts.
Operator Checklist
- Verify behavior from at least two public resolvers and one resolver inside your own network before making changes.
- Make one change at a time, capture before/after query output, and wait for TTL windows to clear so you can confirm impact.
- Document the root cause and the final fix in your runbook to shorten future incidents.
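The three detection signals above (answer-set change, resolver disagreement, abnormal TTL) and the checklist step of comparing two public resolvers against an internal one, as an added example that is not DNS Panopticon's own code. The baseline snapshot, resolver names and addresses are constructed; the triage rule that a resolver showing all three signals is treated as actively poisoned is an assumed heuristic.

```python
from collections import Counter

# Constructed sample: an earlier baseline for one name and the current
# A-record answers seen from two public resolvers plus one internal one.
BASELINE = {"rrset": {"203.0.113.10", "203.0.113.11"}, "ttl": 300}
OBSERVATIONS = [
    {"resolver": "public-a", "rrset": {"203.0.113.10", "203.0.113.11"}, "ttl": 287},
    {"resolver": "public-b", "rrset": {"203.0.113.10", "203.0.113.11"}, "ttl": 120},
    {"resolver": "internal", "rrset": {"198.51.100.7"}, "ttl": 86400},
]
SIGNAL_CLASSES = {"answer-set-change", "abnormal-ttl", "resolver-disagreement"}


def find_poisoning_signals(baseline, observations):
    """Return (resolver, signal) pairs for every observation that deviates."""
    signals = []
    for obs in observations:
        # Signal 1: the cached answer set no longer matches the baseline.
        if obs["rrset"] != baseline["rrset"]:
            signals.append((obs["resolver"], "answer-set-change"))
        # Signal 3: an honest cache only counts a TTL down from what the
        # authority served, so a TTL above the baseline TTL was never issued
        # by the zone (assumes the baseline TTL is the authoritative value).
        if obs["ttl"] > baseline["ttl"]:
            signals.append((obs["resolver"], "abnormal-ttl"))
    # Signal 2: resolvers disagree with each other. The majority answer set
    # wins; disagreement alone can be legitimate (geo or load-balanced DNS),
    # which is why it is correlated with the other two signals below.
    votes = Counter(frozenset(o["rrset"]) for o in observations)
    if len(votes) > 1:
        majority = votes.most_common(1)[0][0]
        for obs in observations:
            if frozenset(obs["rrset"]) != majority:
                signals.append((obs["resolver"], "resolver-disagreement"))
    return signals


def suspected_resolvers(signals):
    """Assumed triage rule: all three signal classes on one resolver is
    treated as active poisoning (critical); fewer is a hardening review."""
    seen = {}
    for resolver, signal in signals:
        seen.setdefault(resolver, set()).add(signal)
    return sorted(r for r, s in seen.items() if s == SIGNAL_CLASSES)


if __name__ == "__main__":
    found = find_poisoning_signals(BASELINE, OBSERVATIONS)
    for resolver, signal in found:
        print(f"{resolver}: {signal}")
    print("critical:", suspected_resolvers(found))
```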