I have ESET Smart Security installed on one of my computers and recently received a warning message that says the following:
A detected DNS cache poisoning attack was detected by ESET Personal Firewall
Oh! It definitely didn’t sound too good. A DNS cache poisoning attack is essentially the same thing as DNS spoofing: the DNS resolver’s cache has been compromised, so when you request a web page, instead of reaching the real server, the request is redirected to a malicious computer that can deliver spyware or viruses to your machine.
I decided to run a full antivirus scan and also downloaded Malwarebytes and checked for malware. None of the scans yielded anything, so I started doing more research. If you look at the screenshot above, you can see that the “remote” IP address is actually the local IP address (192.168.1.1). This IP is actually the IP of my router! So is my router poisoning my DNS cache?
Not really! According to ESET, it can sometimes accidentally detect internal IP traffic from a router or other device as a possible threat. This was definitely the case for me because the IP was the local IP. If you receive a message and your IP address falls into one of the following ranges, then this is just internal traffic and there is nothing to worry about:
192.168.x.x, 10.x.x.x, or 172.16.x.x through 172.31.x.x
If it is not your local IP, please scroll down for further instructions. First, I’ll show you what to do if it’s a local IP address. Open ESET Smart Security and go to the Advanced Settings dialog. Expand Network, then Personal Firewall and click Rules and Zones.
Click the Configure button in the Zone and Rule Editor section and go to the Zones tab. Now click on “Address is excluded from active protection (IDS)” and click “Change”.
Then the zone configuration dialog box appears, and here you want to click “Add IPv4 Address”.
Now enter the IP address that was specified when the ESET threat was detected.
Press the OK button several times to return completely to the main program. You should no longer receive threat reports of DNS poisoning attacks originating from this local IP address. If this is not your local IP address, it means that you may actually be a victim of DNS spoofing! In this case, you need to reset the Windows Hosts file and clear the DNS cache on your system.
ESET has created an EXE file that you can simply download and run to restore the original Hosts file and clear the DNS cache.
If you don’t want to use their EXE for any reason, you can also use the following Fix It download from Microsoft to repair the Hosts file:
To manually flush the DNS cache on a Windows PC, open a command prompt and enter the following line:
ipconfig /flushdns
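As an added example (not part of the original article and not ESET’s or Microsoft’s code), the following Python script applies the same two checks described above: it tells you whether the flagged “remote” address is your router or another private address (and therefore a likely false positive) and lists any hosts-file entries that point a name away from the local machine. The gateway address and the sample hosts file are constructed for illustration.

```python
import ipaddress

# The RFC 1918 private ranges named in the article; a "remote" address in
# one of these is LAN traffic, not an Internet attacker.
PRIVATE_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),   # 172.16.x.x through 172.31.x.x
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_private(ip: str) -> bool:
    """True if the address lies inside one of the RFC 1918 ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_RANGES)


def classify_alert(remote_ip: str, gateway_ip: str) -> str:
    """Classify an ESET 'DNS cache poisoning' alert by its remote address.
    'router'   - the flagged address is the default gateway itself
    'internal' - another LAN address (also a probable false positive)
    'external' - a public address: treat it as a real spoofing indicator"""
    if remote_ip == gateway_ip:
        return "router"
    return "internal" if is_private(remote_ip) else "external"


def suspicious_hosts_entries(hosts_text: str) -> list:
    """Return (ip, hostname) pairs that map a name to anything other than
    the local machine. A clean Windows hosts file holds only comments and
    loopback entries, so anything else deserves a look before you reset."""
    found = []
    for line in hosts_text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        ip, *names = line.split()
        try:
            loopback = ipaddress.ip_address(ip).is_loopback
        except ValueError:                     # malformed line: flag it too
            loopback = False
        if not loopback:
            found.extend((ip, name) for name in names)
    return found


# Constructed sample hosts file (not taken from any real system)
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
203.0.113.5     www.example-bank.com   # constructed poisoned entry
"""

if __name__ == "__main__":
    print(classify_alert("192.168.1.1", "192.168.1.1"))   # router
    print(suspicious_hosts_entries(SAMPLE_HOSTS))
```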
Most people never fall victim to DNS spoofing, and it might be a good idea to disable the ESET firewall and just use Windows Firewall. I’ve personally found that it causes too many false positives and ends up scaring people more than it actually protects them. Enjoy!