GEN:SID 1:253
Message DNS SPOOF query response PTR with TTL of 1 min. and no authority
Summary This event is generated when a specific DNS response is detected: one that carries no DNS authority records for the queried pointer record and has a DNS time-to-live value of one minute.
Impact Ranges from harmless to severe.  The effect of a successfully corrupted DNS IP and name pairing can range from harmless (if the IP is not used) to severe (if a user is misdirected to a hostile host).
Detailed Information This traffic is presumably from an attacker racing to respond to a legitimate DNS query.  An attacker may sniff a DNS query requesting an address record and attempt to respond before an actual DNS server can.  The spoofed response is atypical because it does not include the authoritative DNS servers in the returned record.  A legitimate DNS response will likely return the names of the authoritative DNS servers.  The response associated with this traffic has a DNS time-to-live value of one minute.  It is suspected that the TTL is set to expire quickly to eliminate any evidence of the spoofed response.
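The check described above, as an added example that is not part of the original rule documentation and is not the Snort rule's own signature: it parses a DNS message and tests the three properties named here (a response, no authority records, a PTR answer with a 60-second TTL). The function names and the sample packets are constructed for illustration.

```python
import struct

PTR, NS, TTL_ONE_MINUTE = 12, 2, 60   # RR types PTR and NS; one minute in seconds

def skip_name(msg, off):
    """Return the offset just past the (possibly compressed) name at off."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:     # compression pointer: 2 bytes, ends the name
            return off + 2
        if length == 0:               # root label ends the name
            return off + 1
        off += 1 + length

def looks_like_spoofed_ptr(msg):
    """True for a response with NSCOUNT == 0 and a PTR answer whose TTL is 60 s."""
    try:
        _id, flags, qd, an, ns, _ar = struct.unpack_from("!6H", msg, 0)
        if not flags & 0x8000 or ns != 0:    # not a response, or authority present
            return False
        off = 12
        for _ in range(qd):                  # skip the question section
            off = skip_name(msg, off) + 4    # QTYPE + QCLASS
        for _ in range(an):                  # walk the answer section
            off = skip_name(msg, off)
            rtype, _cls, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
            if rtype == PTR and ttl == TTL_ONE_MINUTE:
                return True
            off += 10 + rdlen
        return False
    except (struct.error, IndexError):       # truncated or malformed message
        return False

def build_response(ttl, with_authority):
    """Constructed sample: PTR answer for 192.0.2.10 (documentation address)."""
    labels = b"10.2.0.192.in-addr.arpa".split(b".")
    qname = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    ptr_rdata, ns_rdata = b"\x04host\x07example\x00", b"\x02ns\x07example\x00"
    msg = struct.pack("!6H", 0x1234, 0x8580, 1, 1, int(with_authority), 0)
    msg += qname + struct.pack("!HH", PTR, 1)
    msg += b"\xc0\x0c" + struct.pack("!HHIH", PTR, 1, ttl, len(ptr_rdata)) + ptr_rdata
    if with_authority:                       # NS record in the authority section
        msg += b"\xc0\x0c" + struct.pack("!HHIH", NS, 1, 3600, len(ns_rdata)) + ns_rdata
    return msg

if __name__ == "__main__":
    for ttl, auth in [(60, False), (60, True), (3600, False)]:
        print(ttl, auth, looks_like_spoofed_ptr(build_response(ttl, auth)))
```

A one-minute TTL with no authority section also occurs in legitimate traffic, so a match is a lead to correlate with a second, differing response to the same query rather than proof of spoofing.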
Affected Systems Any DNS server not using DNSSEC.
Attack Scenarios An attacker can spoof a DNS response to misrepresent an IP to host/name pairing.  The forged host name can direct a user to a potentially hostile host.
Ease of Attack Moderate. The attacker has to be able to sniff DNS queries and generate spoofed responses before the actual DNS server responds.
Corrective Action Consider using DNSSEC where appropriate.
Additional References