Fix Detected DNS Cache Poisoning Attack Message
I have ESET Smart Security installed on one of my PCs and I recently got an alert message saying the following:
Detected DNS Cache Poisoning Attack is detected by the ESET personal firewall
Whoops! That definitely didn't sound too good. A DNS cache poisoning attack is essentially the same thing as DNS spoofing: a forged answer is planted in a resolver's cache (the one on your PC, on your router, or at the name server your PC is configured to use), so that when you request a website the name resolves to an attacker-controlled host instead of the real server, and that host can serve a fake page or push spyware or viruses onto the computer.
I decided to perform a full anti-virus scan and also downloaded Malwarebytes and did a scan for malware too. Neither scan came up with anything, so then I started doing a little bit more research. If you look at the screenshot above, you’ll see that the ‘remote’ IP address is actually a local IP address (192.168.1.1). That IP address actually happens to be my router IP address! So my router is poisoning my DNS cache?
Not really! According to ESET, it can sometimes accidentally detect internal IP traffic from a router or other device as a possible threat. This was definitely the case for me because the IP address was a local IP. If you get the message and the IP address falls in any of the private ranges below, it is most likely just internal traffic and there is no need to worry:
192.168.x.x (192.168.0.0/16)
10.x.x.x (10.0.0.0/8)
172.16.x.x to 172.31.x.x (172.16.0.0/12)
Before you exclude the address, it is worth a quick check that it really is your router or your DNS server: run ipconfig /all in a Command Prompt and compare the flagged address with the Default Gateway and DNS Servers lines. A private address that matches neither belongs to some other device on your network, and that is worth looking into rather than silencing.
If it’s not a local IP address, scroll down for further instructions. First, I’ll show you what to do if it’s a local IP. Go ahead and open up the ESET Smart Security program and go to the Advanced Settings dialog. Expand Network, then Personal Firewall and click on Rules and zones.
Click on the Setup button under Zone and rule editor and click on the Zones tab. Now click on Address excluded from active protection (IDS) and click Edit.
Next a Zone setup dialog will appear and here you want to click on Add IPv4 address.
Now go ahead and type in the IP address that it listed when ESET detected the threat.
Click OK a couple of times to go all the way back to the main program. You should no longer get any threat messages about DNS poisoning attacks coming from that local IP address. If it's not a local IP address, that means you might actually be a victim of DNS spoofing! In that case, you need to reset your Windows Hosts file and clear the DNS cache on your system. Keep in mind that this only cleans up what is stored on your own PC: also check which DNS servers your PC is using (ipconfig /all) and, if they are not the ones you or your ISP set, change them to a resolver you trust, because otherwise the same bad answers can simply be cached again.
The folks at ESET created an EXE file that you can just download and run to restore the original Hosts file and flush the DNS cache.
https://support.eset.com/kb2933/
If you don't want to use their EXE file for whatever reason, you can also use the Microsoft support article below, which provides a Fix It download and the manual steps to restore the default Hosts file:
https://support.microsoft.com/en-us/help/972034/how-to-reset-the-hosts-file-back-to-the-default
To manually clear the DNS cache on a Windows PC, open a Command Prompt (run it as administrator if Windows refuses the command) and type in the following line:
ipconfig /flushdns
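The steps above can be done in one go from PowerShell. The script below is an added example written for this article; it is not from the original post, ESET or Microsoft. It classifies the address from the alert against the three private ranges, checks whether that address is actually your default gateway or one of your configured DNS servers (the false-positive case described above), lists any live entries in the Hosts file, shows what is in the resolver cache, and, only when you pass the assumed -ResetHosts switch, backs up the Hosts file, replaces it with a comment-only default and flushes the cache. It needs an elevated PowerShell prompt on Windows 8 or later (the NetTCPIP and DnsClient modules); 192.168.1.1 is the address from the post, so replace it with the one in your alert.

```powershell
<#
 Added triage script for the "Detected DNS Cache Poisoning Attack" alert.
 Not part of the original post, ESET or Microsoft tooling.
 Run from an elevated PowerShell prompt on Windows 8 or later.
 -AlertIP    : the "remote" address shown in the ESET alert (192.168.1.1 is from the post)
 -ResetHosts : assumed option; backs up and resets the Hosts file, then flushes the DNS cache
#>
param(
    [string]$AlertIP = '192.168.1.1',
    [switch]$ResetHosts
)

# The three private ranges listed in the post, in CIDR form.
$PrivateRanges = @('10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16')

function ConvertTo-UInt32Address {
    param([string]$Address)
    $bytes = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    if ($bytes.Length -ne 4) { throw "IPv4 address expected: $Address" }
    # GetAddressBytes is big-endian; reverse for BitConverter on a little-endian host.
    return [System.BitConverter]::ToUInt32([byte[]]$bytes[3..0], 0)
}

function Test-InCidr {
    param([string]$Address, [string]$Cidr)
    $network, $prefix = $Cidr.Split('/')
    # Build the 32-bit mask with 64-bit arithmetic so the shift cannot overflow.
    $mask = ([uint64]0xFFFFFFFF -shl (32 - [int]$prefix)) -band 0xFFFFFFFF
    $addr = [uint64](ConvertTo-UInt32Address $Address)
    $net  = [uint64](ConvertTo-UInt32Address $network)
    return (($addr -band $mask) -eq ($net -band $mask))
}

function Test-PrivateAddress {
    param([string]$Address)
    foreach ($range in $PrivateRanges) {
        if (Test-InCidr -Address $Address -Cidr $range) { return $true }
    }
    return $false
}

# 1. Is the flagged address private, and is it really the gateway or a configured
#    DNS server?  Private AND gateway/DNS server is the false-positive case from the
#    post; a private address that is neither belongs to some other device on the LAN.
$gateways   = @((Get-NetIPConfiguration | Where-Object { $_.IPv4DefaultGateway }).IPv4DefaultGateway.NextHop)
$dnsServers = @((Get-DnsClientServerAddress -AddressFamily IPv4).ServerAddresses | Sort-Object -Unique)

$isPrivate  = Test-PrivateAddress $AlertIP
$isGateway  = $gateways -contains $AlertIP
$isResolver = $dnsServers -contains $AlertIP
"Alert address $AlertIP : private=$isPrivate gateway=$isGateway dnsServer=$isResolver"
"Configured DNS servers: $($dnsServers -join ', ')"

# 2. A default Windows Hosts file contains only comments; any live line is worth a look.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$liveHosts = Get-Content $hostsPath | Where-Object { $_.Trim() -and -not $_.Trim().StartsWith('#') }
if ($liveHosts) { 'Active Hosts entries:'; $liveHosts } else { 'Hosts file has no active entries.' }

# 3. Show the cached A records before flushing, so a bogus answer is still visible.
Get-DnsClientCache -Type A -ErrorAction SilentlyContinue |
    Select-Object Entry, Data, TimeToLive | Format-Table -AutoSize

if ($ResetHosts) {
    $backup = "$hostsPath.$(Get-Date -Format yyyyMMdd-HHmmss).bak"
    Copy-Item -Path $hostsPath -Destination $backup
    # Comment-only default: since Windows Vista the stack resolves localhost itself.
    @(
        '# Hosts file reset to default by the triage script; previous copy kept as .bak',
        '#',
        '# localhost name resolution is handled within DNS itself.',
        '#   127.0.0.1       localhost',
        '#   ::1             localhost'
    ) | Set-Content -Path $hostsPath -Encoding Ascii
    "Hosts file reset (backup at $backup)."
    # Same as the command in the post; Clear-DnsClientCache does the same on Windows 8+.
    ipconfig /flushdns | Out-Null
    'DNS resolver cache flushed.'
}
```

Run it first without -ResetHosts to see the classification, the configured resolvers and the cache contents; if the flagged address is not private or the Hosts file shows entries you did not add, run it again with -ResetHosts and then fix the DNS server settings as described above.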
Normally most people will never be victims of DNS spoofing and it may be a good idea to disable the ESET firewall and just use the Windows firewall. I personally have found that it brings up too many false positives and ends up scaring people more than actually protecting them. Enjoy!