What Is DNS Poisoning? Spoofing Signs & Examples | DNSFilter

What is DNS Poisoning?

DNS poisoning, also known as DNS cache poisoning or DNS spoofing, is a type of cyberattack in which false DNS data is inserted into a resolver’s cache. This malicious data causes users to be unknowingly redirected to fraudulent or compromised websites, even when they type in the correct URL.

The attack targets a foundational assumption of the Domain Name System: that the information returned by a DNS resolver is accurate and trustworthy. By corrupting that trust, attackers can reroute traffic to phishing pages, malware servers, or surveillance infrastructure, often without raising immediate suspicion.

For a deeper technical breakdown of this attack vector and how it has evolved, read our DNS Poisoning blog post.

How DNS Poisoning Works

DNS poisoning occurs during the resolution process, when a recursive DNS resolver queries other servers to resolve a domain name. Attackers exploit weaknesses in DNS caching to insert forged responses into the resolver’s cache.

Once the fake IP address is cached, every user querying that domain through the compromised resolver is redirected to the attacker’s destination—until the cache is manually flushed or the time-to-live (TTL) expires.

Poisoned DNS entries can persist for minutes or hours, depending on cache settings, making the window for exploitation significant. Sophisticated attackers may also chain this with SSL spoofing or TLS stripping to increase the likelihood of successful credential theft or malware delivery.

What is the DNS attack?
DNS poisoning is a form of DNS attack in which corrupted DNS data is used to misdirect users to illegitimate destinations without their knowledge.

What Are the Signs of DNS Poisoning?

DNS poisoning is often invisible to end users, but there are red flags to watch for:

• Being redirected to unfamiliar or visually “off” websites.
  
  
• Inability to access trusted domains even when entering the correct URL.
  
  
• Receiving browser security warnings about certificates or unsafe content.
  
  
• Unexpected login pages or password prompts on known sites.
  
  
• Increase in phishing messages or malware alerts tied to known safe domains.

What are two symptoms that indicate DNS spoofing may have occurred?

1. Consistent redirects to suspicious or irrelevant sites.
   
   
2. Intermittent loss of access to normally reliable domains.

Common Methods of DNS Poisoning

While the goal remains consistent—corrupt DNS resolution—the techniques used to execute DNS poisoning vary:

1. Cache Poisoning

Inserting forged responses into a DNS resolver’s cache, tricking it into associating a domain name with a malicious IP address.

2. Man-in-the-Middle (MITM) DNS Interception

Intercepting DNS queries in transit on insecure networks, such as public Wi-Fi, and injecting malicious responses before the legitimate server can reply.

3. Compromising Authoritative Servers

Gaining control of the DNS infrastructure itself by exploiting vulnerabilities in authoritative servers, enabling persistent manipulation of DNS responses for targeted domains.

DNS Poisoning vs. DNS Spoofing

DNS spoofing is the broader category of attacks in which DNS data is faked to mislead clients. DNS poisoning is a specific type of spoofing focused on corrupting the resolver’s cache.

Example of DNS spoofing:
Redirecting visitors from www.example.com to a visually identical phishing site hosted by an attacker.

How to Prevent DNS Poisoning

Effective prevention requires both protocol-level protections and proactive security strategies. These include:

• DNSSEC (DNS Security Extensions): Digitally signs DNS records, ensuring the integrity and authenticity of DNS responses.
  
  
• Protective DNS (PDNS): Evaluates DNS queries using threat intelligence and blocks or redirects requests to known malicious domains.
  
  
• Regular Patching and Updates: Keeping DNS resolver software up to date prevents exploitation of known vulnerabilities.
  
  
• Encrypted DNS Protocols (DoH and DoT): Secure DNS queries in transit, reducing the risk of man-in-the-middle injection.
  
  
• Anomaly Detection and Monitoring: Alerting on abnormal query patterns or response mismatches can surface ongoing poisoning attempts.

Examples of DNS Poisoning

Real-World Examples

• The Kaminsky Exploit (2008): Security researcher Dan Kaminsky revealed a flaw in the DNS protocol that allowed attackers to predict transaction IDs and poison caches at scale. This disclosure led to a global security overhaul and accelerated DNSSEC adoption.
  
  
• Brazilian ISP Hijacks (2011): Attackers poisoned DNS settings on routers used by Brazilian ISPs, redirecting users to phishing sites masquerading as banking portals.
  
  
• Stuxnet Malware (2010): While better known for its SCADA attacks, Stuxnet used DNS spoofing techniques to mask its command-and-control infrastructure.

Related Terms

• DNS
• DoT (DNS over TLS)
• DoH (DNS over HTTPS)
• Protective DNS (PDNS)
• DNS Filtering
• DNSSEC

Protect your users from deceptive redirects, phishing infrastructure, and DNS-level attacks. Start your free trial of DNSFilter and experience proactive DNS security that detects and blocks poisoning attempts before they reach your network.