Read about DNS cache poisoning, want to know if the SMB setup is vulnerable
DNS cache poisoning tricks a resolver into caching a forged answer. Since the 2008 Kaminsky attack, modern resolvers are largely hardened with source-port randomization, but DNSSEC and modern transport (DoT, DoH) remain the real lock.
Try this first
1. Do not run outdated DNS software in the office (old BIND, old Windows DNS). Patches close Kaminsky-class vulnerabilities.
2. Enable DNSSEC for your own domain at the registrar, which protects clients with validating resolvers from forged answers about your zone.
3. Have clients use a resolver that validates DNSSEC (1.1.1.1, 9.9.9.9, or your own Unbound), not just one that forwards.
4. Consider DNS over HTTPS (DoH) or DNS over TLS (DoT) for laptops off the network, so a man-in-the-middle on Wi-Fi cannot intercept DNS.
5. Disable open recursive resolvers on your firewall/router; those are both poisoning and DDoS-amplifier targets.
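To check steps 3 and 5 against a resolver you operate, the sketch below (an added example, not part of the original page) builds a DNS query and reads the header flags of the reply: AD shows the resolver validated DNSSEC, RA shows it offers recursion. The function names and the sample replies are constructed for illustration.

```python
import secrets
import socket
import struct

RD, RA, AD = 0x0100, 0x0080, 0x0020  # DNS header flag bits (RFC 1035, RFC 4035)

def build_query(name, qid):
    """A/IN query with RD and AD set; AD in a query asks for AD in the reply (RFC 6840)."""
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return struct.pack("!HHHHHH", qid, RD | AD, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)

def audit_response(resp, qid):
    """Summarise what one reply says about the resolver that sent it."""
    if len(resp) < 12:
        raise ValueError("truncated DNS header")
    rid, flags, _qd, answers, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    rcode = flags & 0x000F
    return {
        "id_matches": rid == qid,                   # a mismatched ID must be discarded
        "recursion_offered": bool(flags & RA),      # step 5: should be False from outside
        "validated": bool(flags & AD) and rcode == 0,  # step 3: DNSSEC-validated answer
        "rcode": rcode,                             # 2 = SERVFAIL (e.g. bad signature)
        "answers": answers,
    }

def ask(resolver_ip, name, timeout=3.0):
    """Query a resolver over UDP/53 with a random ID and audit the reply (needs network)."""
    qid = secrets.randbelow(1 << 16)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((resolver_ip, 53))  # kernel drops datagrams from any other source
        s.send(build_query(name, qid))
        return audit_response(s.recv(4096), qid)

# Constructed sample replies (header only), not captured traffic.
SAMPLE_VALIDATING = struct.pack("!HHHHHH", 0x4D5A, 0x8000 | RD | RA | AD, 1, 1, 0, 0)
SAMPLE_FORWARDER = struct.pack("!HHHHHH", 0x4D5A, 0x8000 | RD | RA, 1, 1, 0, 0)

if __name__ == "__main__":
    print(audit_response(SAMPLE_VALIDATING, 0x4D5A))
    print(audit_response(SAMPLE_FORWARDER, 0x4D5A))
```

Run `ask()` with a DNSSEC-signed name from a client to test validation, and from outside your network against your public IP to test for open recursion. The AD bit is only as trustworthy as the path to the resolver, which is where DoT or DoH from step 4 comes in.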
When to bring us in
If you want a review of your DNS chain from client to authoritative, with DNSSEC and DoH where it makes sense, we can plan it.
See also
- Domain expires tomorrow and nobody saw the email: An expired domain doesn't transfer instantly. There's a redemption window, but you pay extra.
- Unsure whether to enable auto-renew: Disabling auto-renew only makes sense for domains you'll truly drop. For anything live, just keep it on.
- New registrar asks for auth code, can't find it: EPP code or transfer code is the password to move a domain from registrar A to B.