DNS Spoofing - Cache Poisoning and Redirection
DNS spoofing is an attack that forges DNS (Domain Name System) responses to redirect users to a fake site prepared by an attacker rather than to the legitimate site. Also known as DNS cache poisoning, it sends users to the fake site even when they type the correct URL, which makes it harder to detect than phishing. As of 2025, adoption of DNS over HTTPS (DoH) is advancing, but DNS cache poisoning inside corporate networks is still reported as an effective attack method.
Real-World Use Cases
"The cache of our internal DNS server was poisoned, and the login page of the groupware our employees accessed had been swapped for a fake site. We did not notice it for three days, by which time the credentials of about 50 people had been stolen."
The DNS Spoofing Flow
DNS Spoofing Techniques
Attackers use cache poisoning to inject a fake IP address into a DNS server's cache, DNS hijacking to intercept DNS responses on the local network, and malware that rewrites a device's DNS settings. The Kaminsky attack, disclosed in 2008, exploited a fundamental weakness in the DNS protocol and affected the entire internet.
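A resolver-side acceptance check of the kind that blunts these poisoning attempts, written here as an added example in Python (it is not code from the original article); the Query, RR and Response types and all sample values are constructed for illustration, and a real resolver applies the same rules to wire-format packets:

```python
# Added example, not from the original article: the resolver-side acceptance
# check that counters cache poisoning. A reply is cached only if it matches the
# outstanding query (16-bit transaction ID, randomized UDP source port, question
# section) and each record lies inside the bailiwick of the queried server's zone.
from collections import namedtuple
from dataclasses import dataclass, field

@dataclass
class Query:
    txid: int        # transaction ID chosen by the resolver
    src_port: int    # randomized UDP source port of the resolver
    qname: str
    qtype: str
    bailiwick: str   # zone the queried server is authoritative for

RR = namedtuple("RR", "name rtype rdata")   # one resource record

@dataclass
class Response:
    txid: int
    dst_port: int
    qname: str
    qtype: str
    answers: list = field(default_factory=list)
    authority: list = field(default_factory=list)
    additional: list = field(default_factory=list)

def _norm(name: str) -> str:
    return name.lower().rstrip(".")

def in_bailiwick(name: str, zone: str) -> bool:
    """True if name equals zone or lies below it (case-insensitive)."""
    n, z = _norm(name), _norm(zone)
    return n == z or n.endswith("." + z)

def validate_response(q: Query, r: Response):
    """Return (cacheable records, notes); no records means the reply was dropped."""
    checks = [(r.txid == q.txid, "transaction ID mismatch"),
              (r.dst_port == q.src_port, "destination port mismatch"),
              (_norm(r.qname) == _norm(q.qname) and r.qtype.upper() == q.qtype.upper(),
               "question section mismatch")]
    notes = [msg for ok, msg in checks if not ok]
    if notes:   # a forged packet failing any identity check is discarded whole
        return [], notes
    records = r.answers + r.authority + r.additional
    cacheable = [rr for rr in records if in_bailiwick(rr.name, q.bailiwick)]
    if len(cacheable) < len(records):   # e.g. glue planted for an unrelated domain
        notes.append(f"{len(records) - len(cacheable)} out-of-bailiwick record(s) discarded")
    return cacheable, notes
```

Because the transaction ID and source port are both random, a forged reply has to match roughly 2^32 combinations rather than 2^16, which is why source-port randomization was the fix rolled out after the Kaminsky disclosure.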
Real Damage Scenarios
When connected to public Wi-Fi, there are cases where an attacker forges DNS responses to redirect a user to a fake online banking site and steal login credentials. Because the correct URL is shown in the browser's address bar, it is difficult for the user to notice that the site is fake. With an HTTPS connection, however, the fake server cannot present a valid certificate for that domain, so the browser displays a certificate warning; checking the SSL/TLS certificate is therefore important.
Countermeasures
Introducing DNSSEC (DNS Security Extensions) allows the authenticity of DNS responses to be verified cryptographically. Using DNS over HTTPS (DoH) or DNS over TLS (DoT) encrypts the DNS queries themselves so they cannot be tampered with in transit. At the individual level, it is effective to use a trustworthy DNS server (Google Public DNS, Cloudflare DNS) and to also use a VPN on public Wi-Fi. Protect your router's admin panel with a strong random password to prevent tampering with its DNS settings.