What Is DNS Poisoning and Spoofing? Detecting and Preventing Poisoned Caches
Domain Name System (DNS) poisoning, sometimes referred to as DNS hijacking, redirection, spoofing, or cache poisoning, is a type of cyberattack where traffic is maliciously diverted from a legitimate site to a fake site.
Attackers take advantage of device or server vulnerabilities to replace a target site’s IP address with a spoofed IP address. When a user tries to navigate to the target site, they are unknowingly redirected to another site. The copycat site can phish sensitive information or infect a user with malware. A common DNS poisoning example involves replicating a site with login requirements, so attackers can harvest passwords.
A successfully poisoned cache is difficult to detect, but there are several tools and processes that can help prevent it from happening in the first place.
Learn how DNS poisoning and spoofing work, what it looks like, how to detect it, and how to prevent it.
How Does DNS Poisoning Work?
When you navigate to a website, you type the domain name into a web browser and press enter. This sends a DNS request to a DNS server, which translates the domain name in the query into an IP address and sends that IP address back to the user. The browser then connects to that address and loads the site you were looking for.
What if the DNS server returns an incorrect IP address? That’s exactly what happens when a DNS cache is poisoned or spoofed.
Consider this scenario: you’re searching for a street, but all the street signs have been swapped. You think you’re on 42nd, but you’re actually on 52nd. To make matters worse, your GPS has also been tricked.
Replace the street signs with domain IP addresses and your GPS with your DNS server. That’s how DNS poisoning or spoofing works:
A hacker alters IP addresses attached to domains in a DNS server with a fake DNS entry.
A user attempts to navigate to a specific domain, and the DNS server sends them to the IP address associated with that domain.
The hacker has altered the IP address in the DNS server, so the user is unknowingly sent to an incorrect IP address.
The IP address hosts a site that looks like the user’s intended site.
The user interacts with the copycat site and attempts to log in, unknowingly sharing their username and password with the hacker.
There are a few methods to conduct DNS poisoning and spoofing, including:
Compromising a DNS server: An attacker directly hijacks a DNS server to reroute traffic from legitimate sites to other IP addresses.
Man-in-the-middle attacks: An attacker positions themselves between your browser and a DNS server to route you to a malicious IP address.
Regardless of the method, the end result is the same: redirecting web traffic away from its intended destination.
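A minimal resolver-cache model, added here as an illustration rather than code from the article, showing why a resolver must match each reply to the query it sent (transaction ID and source port) before caching it; the names, ports and addresses are constructed.

```python
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class Query:
    txid: int        # 16-bit transaction ID chosen by the resolver
    src_port: int    # randomised source port the reply must come back to
    qname: str


@dataclass(frozen=True)
class Reply:
    txid: int
    dst_port: int
    qname: str
    address: str
    ttl: int


class ResolverCache:
    """Cache that only stores replies matching an outstanding query."""

    def __init__(self, strict=True):
        self.strict = strict    # False models a naive resolver that checks only the name
        self.pending = {}       # qname -> Query still waiting for an answer
        self.entries = {}       # qname -> (address, expiry timestamp)

    def send(self, query):
        self.pending[query.qname] = query

    def receive(self, reply):
        query = self.pending.get(reply.qname)
        if query is None:
            return False        # nobody asked this question: drop the reply
        if self.strict and (reply.txid != query.txid or reply.dst_port != query.src_port):
            return False        # mismatched ID or port: drop instead of caching
        self.entries[reply.qname] = (reply.address, time.time() + reply.ttl)
        del self.pending[reply.qname]
        return True

    def lookup(self, qname):
        entry = self.entries.get(qname)
        return entry[0] if entry and entry[1] > time.time() else None


LEGIT = "192.0.2.10"      # constructed: the real address
ROGUE = "198.51.100.7"    # constructed: the address in the injected reply


def demo(strict):
    cache = ResolverCache(strict)
    q = Query(txid=0x1A2B, src_port=50123, qname="login.example.com")
    cache.send(q)
    cache.receive(Reply(0x0001, 53, q.qname, ROGUE, 3600))       # right name, wrong ID/port
    cache.receive(Reply(q.txid, q.src_port, q.qname, LEGIT, 300))  # the genuine answer
    return cache.lookup(q.qname)
```

These checks defeat blind injection of replies; an on-path man-in-the-middle who sees the query can match them, which is why DNSSEC appears under prevention below.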
DNS Poisoning Attack Examples
In 2018, a hacker compromised an ISP to reroute traffic from Amazon’s Route 53 DNS service. Users of cryptocurrency site MyEtherWallet were specifically targeted.
When users attempted to access MyEtherWallet, they were instead redirected to a copycat phishing site hosted on a Russian server. If they entered their login credentials, the hacker could access their account.
The hacker stole at least $150,000 worth of crypto, and the DNS hijack lasted for two hours before being noticed.
It’s not just hackers. China’s Great Firewall uses DNS filtering and spoofed responses to geoblock, censor, and restrict access to certain websites. Some ISPs rely on DNS hijacking to display ads or block access to illegal websites.
How To Detect and Prevent DNS Poisoning
As the MyEtherWallet example shows, detecting a DNS spoof is not instantaneous. It’s extremely difficult to detect manually, but security protocols and DNS spoof detection tools can help.
Detect DNS Poisoning
You can potentially detect DNS poisoning through these signs:
A large change in DNS activity for a domain. This includes a single source generating an unusual volume of queries for one domain or for many domains.
A sudden, inexplicable drop in web traffic.
If you suspect your site is a victim of DNS spoofing, test it out. Access your site using a VPN or a computer you don’t normally use. If you’re redirected to an unfamiliar site, your cache may be poisoned.
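The two checks above, worked through on constructed data as an added example (not code from the article): comparing the answer for a name across several vantage points, and flagging clients whose query volume jumps well above a baseline in a resolver log; the vantage-point names, addresses and log lines are all made up.

```python
from collections import Counter

# Constructed answers for login.example.com seen from several vantage points,
# mirroring the advice to re-check from a VPN or an unfamiliar machine.
OBSERVED = {
    "office-resolver": {"192.0.2.10"},
    "vpn-exit":        {"192.0.2.10"},
    "public-resolver": {"192.0.2.10"},
    "home-laptop":     {"198.51.100.7"},   # disagrees with every other view
}


def divergent_vantage_points(observed):
    """Return vantage points whose answer set differs from the majority answer."""
    tally = Counter(frozenset(ans) for ans in observed.values())
    consensus = tally.most_common(1)[0][0]
    return sorted(v for v, ans in observed.items() if frozenset(ans) != consensus)


# Constructed resolver query log: "<epoch> <client> <qname>", one query per line.
LOG = "\n".join(
    [f"{1700000000 + i} 10.0.0.5 login.example.com" for i in range(12)]
    + ["1700000003 10.0.0.9 login.example.com",
       "1700000004 10.0.0.9 mail.example.com"]
)

# Constructed baseline: typical queries per (client, qname) over the same window.
BASELINE = {
    ("10.0.0.5", "login.example.com"): 2,
    ("10.0.0.9", "login.example.com"): 1,
}


def query_counts(log_text):
    """Count queries per (client, qname) pair in the log."""
    counts = Counter()
    for line in log_text.splitlines():
        _, client, qname = line.split()
        counts[(client, qname)] += 1
    return counts


def spiking_clients(log_text, baseline, factor=5):
    """Flag (client, qname) pairs whose count exceeds factor x their baseline.
    Pairs with no recorded baseline are compared against a baseline of 1."""
    return sorted(
        key for key, n in query_counts(log_text).items()
        if n > factor * baseline.get(key, 1)
    )
```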
Prevent DNS Poisoning
Detecting DNS spoofing is a reactive measure. Ideally, you’ll have safeguards in place to prevent DNS poisoning from happening in the first place. These safeguards include:
Enable DNSSEC for your domain
Use a secure hosting service and CMS with SSL authentication
Regularly update your DNS software
Require HTTPS for all incoming traffic
Adopt zero trust configuration for other DNS servers
DNS Poisoning vs. DNS Spoofing
While the terms DNS poisoning and DNS spoofing are used interchangeably, there’s a difference between the two.
DNS Poisoning is the method attackers use to compromise and replace DNS data with a malicious redirect.
DNS Spoofing is the end result, where users are redirected to the malicious website via a poisoned cache.
In short, DNS poisoning is the route and DNS spoofing is the goal: hackers poison a DNS cache in order to spoof DNS responses.