DNS poisoning, also known as DNS spoofing, is one of the most common domain name system (DNS) attacks out there today. The attack is used by hackers looking to infiltrate enterprises of all sizes and gain access to sensitive data, including user login credentials, financial details, and email exchanges. Clearly, it’s crucial that managed services providers (MSPs) understand how this threat typically occurs, and the steps they can take to prevent DNS poisoning. To fully understand how DNS spoofing occurs and ways to protect against it, it’s important to first understand DNS as a whole.

What is DNS?

The domain name system, or DNS, is a hierarchical naming system for computers, services, and other internet resources. Essentially, it’s the phonebook of the internet. Every domain name maps to one or more IP addresses: for IPv4 a 32-bit number usually written as four decimal octets (e.g. 198.51.100.10), for IPv6 a 128-bit number written in hexadecimal. Straightforward, reader-friendly domain names exist so users don’t have to remember numeric addresses for every website they visit. It is the responsibility of DNS to map domain names to IP addresses so users can reach websites. Here’s how the process works:

  1. When you enter a domain name, your computer’s stub resolver first checks local sources: the hosts file (where an administrator can hard-code a name-to-address mapping) and the operating system’s own cache. Only if no local answer exists is the query sent to the configured DNS resolver, typically one run by your ISP, your company, or a public DNS provider. Most lookups fall into this second case.
  2. Next, the DNS resolver checks its own cache for a match. Think of the cache as a short-lived record of previously resolved names. Each cached record carries a time to live (TTL), set by the domain’s operator, that tells the resolver how long it may keep reusing the answer; typical values range from minutes to a day.
  3. When no cached answer exists, the resolver queries other DNS servers, starting at the root servers, then the top-level domain (e.g. .com) servers, and finally the domain’s authoritative name servers, which hold the definitive records. This chain of referrals completes in milliseconds, so users navigate the web with little interruption.

What is a DNS poisoning attack?

A DNS poisoning attack, also known as a DNS spoofing attack, is when attackers inject false records into the DNS resolution process to redirect users to fake websites. These fake websites are run by the attacker and can often look remarkably like the real thing, luring unsuspecting users to enter highly sensitive data, like credit card numbers and login credentials, or inadvertently download viruses and other forms of malware.

This type of attack is called DNS cache poisoning because the illegitimate IP address is stored in the resolver’s cache and served to every client that asks while it remains there. The attacker chooses the TTL in the forged response, so the bogus record can linger for as long as the resolver’s maximum cache lifetime allows (often days, unless the resolver caps it). The risk goes beyond the resolver that was originally poisoned: any forwarder or client that relies on it will receive, and may itself cache, the imitation IP address.

For example, if a resolver unknowingly starts directing its customers to a fake banking website using a scam IP address it picked up, other resolvers that forward queries to it will receive the same corrupted address for the bank, exposing their customers to the attackers as well.

Can DNS be hacked?

A related attack is DNS hijacking: your DNS settings are considered hijacked when an attacker has broken into your router (or an individual device) and changed which DNS servers it uses. Because every lookup from then on passes through a server the attacker controls, this is a form of man-in-the-middle attack. It can happen when a user unknowingly installs malware that rewrites DNS settings, or when the router still uses its default administrative password.

A hacker with control of your DNS settings can make your systems query the hacker’s server instead of legitimate resolvers, leading you to a host of imitation sites. As with DNS poisoning, users may unwittingly hand their banking details or login credentials to the attackers.

A hacker with control of your DNS settings can also redirect users to fake sites that convince them they have downloaded a virus, even when they haven’t, and trick them into buying the hacker’s software to remove it. The worst part is that by the time a user realizes their DNS has been tampered with, the credentials or payments have often already been taken.

How does a DNS attack work?

Attackers exploit the fact that classic DNS runs over unauthenticated UDP and that resolvers constantly exchange answers they cannot independently verify. The goal of a DNS attack is usually to direct users to an IP address of the hacker’s choosing, such as an imitation website in the case of DNS spoofing. DNS is also abused for denial of service: attackers send small queries with a forged source address to open resolvers, which reply with much larger responses to the victim (DNS amplification), or they point many clients at a site that cannot handle the sudden load. Either way the target is overwhelmed, a form of distributed denial of service (DDoS) attack.

There are a number of ways an attacker can find their way into your DNS system, including:

  • Forged Responses: After a resolver sends a query, an attacker races the legitimate answer by flooding forged responses that carry the victim’s question together with guessed values for the 16-bit transaction ID and the UDP source port. If a forgery matches before the real answer arrives, the resolver caches the attacker’s IP address and users are led to the hacker’s server and imitation websites.
  • Weak Passwords: A U.K. study of 2,205 people found that 82% had never changed the default password on their wireless router. Default or weak passwords (short, or lacking a mix of numbers, symbols, and letters) let attackers log in to the router and change the DNS servers it hands out to every device on the network.
  • Spam Emails: Attackers send spam emails laden with fear-inducing language designed to manipulate users into clicking on certain URLs. The linked pages deliver malware that rewrites the system’s DNS settings so that lookups are answered by untrustworthy servers.
  • Banner Ads and Images: Just like in spam emails, an attacker can use fake banner ads and images on websites to trick users into clicking on them, delivering the same DNS-changing malware.

Protecting against a DNS attack

There are a number of DNS security best practices out there to help you ward off attackers and keep your customers’ systems safe and secure. Since DNS servers are in constant communication with one another, the more companies that implement these best practices, the greater protection there is as a whole. Here are the most important steps you should be taking to prevent DNS poisoning:

  • Security Extensions: The Internet Engineering Task Force (IETF) developed DNS Security Extensions (DNSSEC) to address spoofing of DNS data. It is widely considered one of the strongest defenses available. DNSSEC uses digital signatures, not encryption: the zone operator signs its records, and a validating resolver checks the signatures against a chain of trust anchored at the root, so a forged or altered response fails validation and is discarded.
  • Active Monitoring: It’s important to monitor DNS data and keep an eye out for new patterns, like the appearance of a new external host, that could indicate the presence of an attacker.
  • Patches: DNS servers are subject to vulnerabilities. Staying on top of the latest patches can safeguard against attackers looking to exploit these well-known vulnerabilities.
  • Resolver Updates: Modern resolver software randomizes the UDP source port and uses cryptographically strong random transaction IDs, raising the cost of guessing a matching forgery from tens of thousands of attempts to billions. Always make sure the resolver software you run is up to date and that these features are enabled.
  • Password Policies: Convincing your customers to implement password protection policies is of utmost importance. A weak router password could put every device and user within their company in jeopardy.
  • HTTPS Indicators: Sites handling sensitive data should be reached over HTTPS, with the browser showing a valid certificate for the expected domain. A poisoned DNS answer sends the browser to the attacker’s server, which normally cannot present a valid certificate for the real domain, so a sudden certificate warning, or a site that unexpectedly falls back to plain HTTP, is a warning sign. Enabling HSTS on your own sites makes browsers refuse that downgrade altogether.
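The following is an added example, not code from the original article, showing why two of the defenses above (random transaction IDs and random source ports) together with a bailiwick check defeat the forged-response race described under "Forged Responses". It models a caching resolver with plain Python objects rather than DNS wire format; the zone names, IP addresses, port numbers and the 7-day TTL cap are constructed assumptions.

```python
# Added example (not from the original article): a simplified model of a caching
# resolver and of a forged-response race against it. Messages are plain Python
# objects rather than DNS wire format; zone names, IPs and ports are constructed.
import random
import secrets
from dataclasses import dataclass, field

MAX_CACHE_TTL = 7 * 24 * 3600   # assumption: never honour a TTL longer than 7 days


@dataclass
class Msg:
    txid: int      # 16-bit transaction ID that must echo the query's
    port: int      # UDP port the resolver sent the query from
    qname: str
    qtype: str
    records: list = field(default_factory=list)   # (owner, type, ttl, rdata)


def in_bailiwick(owner: str, zone: str) -> bool:
    """True if `owner` is at or below `zone`: the server we asked about `zone`
    is only allowed to tell us about names inside it."""
    owner, zone = owner.lower().rstrip("."), zone.lower().rstrip(".")
    return owner == zone or owner.endswith("." + zone)


class Resolver:
    def __init__(self, random_txid: bool, random_port: bool):
        self.random_txid = random_txid
        self.random_port = random_port
        self.next_txid = 1        # predictable counter used when random_txid is off
        self.fixed_port = 53000   # single source port used when random_port is off
        self.pending = {}         # (txid, port) -> (qname, qtype, zone asked)
        self.cache = {}           # (owner, type) -> (rdata, ttl)

    def send_query(self, qname: str, qtype: str, zone: str):
        """Send a query to the server for `zone`; returns the (txid, port) that
        server, or anyone sniffing the path, would observe."""
        if self.random_txid:
            txid = secrets.randbelow(1 << 16)
        else:
            txid, self.next_txid = self.next_txid, (self.next_txid + 1) & 0xFFFF
        port = secrets.randbelow(65536 - 1024) + 1024 if self.random_port else self.fixed_port
        self.pending[(txid, port)] = (qname, qtype, zone)
        return txid, port

    def accept(self, msg: Msg) -> bool:
        """Cache a response only if txid, port and question all match an
        outstanding query; out-of-bailiwick records are dropped, TTLs capped."""
        key = (msg.txid, msg.port)
        if key not in self.pending:
            return False
        qname, qtype, zone = self.pending[key]
        if (msg.qname.lower(), msg.qtype) != (qname.lower(), qtype):
            return False
        del self.pending[key]     # first matching answer wins; later ones are ignored
        for owner, rtype, ttl, rdata in msg.records:
            if in_bailiwick(owner, zone):
                self.cache[(owner.lower(), rtype)] = (rdata, min(ttl, MAX_CACHE_TTL))
        return True


def poisoning_race(resolver: Resolver, attempts: int, qname: str = "www.estores.com",
                   zone: str = "estores.com", evil_ip: str = "203.0.113.66") -> bool:
    """Attacker first lures the resolver into querying a domain the attacker
    serves (learning the txid/port it used), then floods forged answers for
    `qname` before the real one arrives. Returns True if the cache was poisoned."""
    seen_txid, seen_port = resolver.send_query("ns.attacker.example", "A", "attacker.example")
    resolver.pending.pop((seen_txid, seen_port))        # answered normally by the attacker
    txid, port = resolver.send_query(qname, "A", zone)  # the race begins here
    for _ in range(attempts):
        guess_txid = random.randrange(1 << 16) if resolver.random_txid else (seen_txid + 1) & 0xFFFF
        guess_port = random.randrange(1024, 65536) if resolver.random_port else seen_port
        forged = Msg(guess_txid, guess_port, qname, "A", [(qname, "A", 10**9, evil_ip)])
        if resolver.accept(forged):
            break
    # the legitimate answer arrives last; it is dropped if a forgery already won
    resolver.accept(Msg(txid, port, qname, "A", [(qname, "A", 300, "198.51.100.10")]))
    return resolver.cache.get((qname, "A"), (None, 0))[0] == evil_ip


if __name__ == "__main__":
    weak = Resolver(random_txid=False, random_port=False)
    print("predictable txid, fixed port, poisoned:", poisoning_race(weak, attempts=1))
    strong = Resolver(random_txid=True, random_port=True)
    print("random txid and port, poisoned after 10000 tries:", poisoning_race(strong, attempts=10000))
```

With a sequential ID and a fixed port the first forgery lands; with both randomized the attacker is guessing in a space of roughly four billion values per query, and the resolver also refuses to cache the out-of-bailiwick records that the 2008 Kaminsky technique relied on. Note that the attacker can repeat the race with fresh random subdomains each time, which is why the larger guess space, not just a single miss, is what matters.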

DNS poisoning, man-in-the-middle schemes, and DDoS tactics are just a few of the many DNS attacks out there. It’s important to stay on top of these cybersecurity threats and the latest risk-mitigation techniques.


Domain Name System (DNS) spoofing (a.k.a. DNS cache poisoning) is an attack in which forged DNS records are used to redirect online traffic to a fraudulent website that resembles its intended destination.

Once there, users are prompted to log in to (what they believe to be) their account, giving the perpetrator the opportunity to steal their access credentials and other types of sensitive information. Furthermore, the malicious website is often used to install worms or other malware on a user’s computer, giving the perpetrator long-term access to it and the data it stores.

Methods for executing a DNS spoofing attack include:

  • Man in the middle (MITM) – Interception of the traffic between users and a DNS server, so that queries are answered with a different, malicious IP address.
  • DNS server compromise – The direct hijacking of a DNS server, which is configured to return a malicious IP address.

(Diagram: DNS server compromise attack.)

DNS cache poisoning example

The following example illustrates a DNS spoofing attack carried out on a local network, in which an attacker intercepts the traffic between a client and the server belonging to the website www.estores.com.

In this scenario, a tool (e.g., arpspoof) is used to poison the ARP caches of both machines: the client is made to believe that the server’s IP address belongs to the attacker’s MAC address, and the server is made to believe the same about the client’s IP address, so both send their traffic to the attacker.

Such a scenario would proceed as follows:

  1. The attacker uses arpspoof against the server (arpspoof -i <interface> -t <server IP> <client IP>). This rewrites the entry in the server’s ARP table, causing it to think that the attacker’s MAC address belongs to the client.
  2. The attacker runs arpspoof again in the other direction (arpspoof -i <interface> -t <client IP> <server IP>), which tells the client that the perpetrator’s computer is the server.
  3. The attacker enables IP forwarding on Linux with echo 1 > /proc/sys/net/ipv4/ip_forward. Packets between client and server now flow through the perpetrator’s computer and are relayed onward, so neither victim notices an interruption.
  4. A hosts-format file is created on the attacker’s computer that maps www.estores.com to the attacker’s own IP address.
  5. The perpetrator sets up a web server on that IP address and hosts a fake website made to resemble www.estores.com.
  6. Finally, a tool (e.g., dnsspoof) watches the relayed traffic for DNS queries and answers any that match the hosts file with a forged response pointing at the attacker, beating the real answer. The fake website is displayed to users as a result, and merely by interacting with the site they can have malware installed on their computers.
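As an added example, not part of the original article or of the dsniff tools it mentions, the script below detects the ARP-poisoning steps (1 and 2) from the defender’s side by comparing two snapshots of a host’s ARP table in Linux /proc/net/arp format. Both snapshots and all addresses are constructed for illustration; on a real host you would read /proc/net/arp (or ip neigh output) periodically and pass consecutive snapshots in.

```python
# Added example (not from the original article): detecting the ARP-cache
# poisoning step of a LAN DNS spoofing attack from two snapshots of a host's
# ARP table. Snapshots are constructed in Linux /proc/net/arp format, using
# private/constructed addresses, not real hosts.
from __future__ import annotations
from collections import defaultdict

ARP_BEFORE = """\
IP address       HW type     Flags       HW address            Mask     Device
192.168.1.1      0x1         0x2         aa:bb:cc:dd:ee:01     *        eth0
192.168.1.20     0x1         0x2         aa:bb:cc:dd:ee:20     *        eth0
192.168.1.66     0x1         0x2         aa:bb:cc:dd:ee:66     *        eth0
"""

# Constructed snapshot after arpspoof has run against this host: the gateway
# 192.168.1.1 now resolves to the MAC already used by 192.168.1.66 (the
# attacker). An incomplete entry (flags 0x0) is included to show it is ignored.
ARP_AFTER = """\
IP address       HW type     Flags       HW address            Mask     Device
192.168.1.1      0x1         0x2         aa:bb:cc:dd:ee:66     *        eth0
192.168.1.20     0x1         0x2         aa:bb:cc:dd:ee:20     *        eth0
192.168.1.66     0x1         0x2         aa:bb:cc:dd:ee:66     *        eth0
192.168.1.99     0x1         0x0         00:00:00:00:00:00     *        eth0
"""

# Assumption: the defender knows the real MAC of critical hosts (gateway, DNS).
TRUSTED = {"192.168.1.1": "aa:bb:cc:dd:ee:01"}


def parse_arp_table(text: str) -> dict[str, str]:
    """Map IP -> MAC for complete entries (flags bit 0x2); skip incomplete ones."""
    table = {}
    for line in text.splitlines()[1:]:          # first line is the column header
        parts = line.split()
        if len(parts) < 6:
            continue
        ip, flags, mac = parts[0], parts[2], parts[3].lower()
        if int(flags, 16) & 0x2:
            table[ip] = mac
    return table


def detect_arp_spoofing(before: str, after: str, trusted: dict[str, str]) -> list[str]:
    """Return one alert per indicator: an IP whose MAC changed between snapshots,
    a trusted host answering with the wrong MAC, and a single MAC that now
    claims several IPs (the attacker's card answering for the victim too)."""
    old, new = parse_arp_table(before), parse_arp_table(after)
    alerts = []
    for ip, mac in new.items():
        if ip in old and old[ip] != mac:
            alerts.append(f"{ip} changed MAC {old[ip]} -> {mac}")
        if ip in trusted and trusted[ip] != mac:
            alerts.append(f"{ip} should be {trusted[ip]} but is {mac}")
    by_mac = defaultdict(list)
    for ip, mac in new.items():
        by_mac[mac].append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            alerts.append(f"{mac} claims {len(ips)} IPs: {', '.join(sorted(ips))}")
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_spoofing(ARP_BEFORE, ARP_AFTER, TRUSTED):
        print("ALERT:", alert)
```

The duplicate-MAC check is the most reliable of the three because it needs no prior state: arpspoof does not change the attacker’s own entry, so the victim IP and the attacker IP end up sharing one hardware address. Static ARP entries for the gateway and the DNS server, or switch-level dynamic ARP inspection, prevent the poisoning in the first place.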

DNS spoofing mitigation using DNS Security Extensions (DNSSEC)

Classic DNS is an unauthenticated, unencrypted protocol over UDP, so responses are easy to intercept and forge. What’s more, a resolver has no way to validate the IP addresses it receives beyond checking that the reply’s transaction ID and port match its query.

DNSSEC is a protocol extension designed to secure DNS by adding cryptographic verification. The zone operator signs each set of records (e.g., the A or CNAME records for a name) with a private key and publishes the signature in an RRSIG record alongside them, with the public key in a DNSKEY record; a DS record in the parent zone links that key to the parent, forming a chain of trust up to the root. A validating resolver checks these signatures on every response, ensuring that the records were not tampered with or forged.

While DNSSEC can help protect against DNS spoofing, it has a number of potential downsides, including:

  • Lack of data confidentiality – DNSSEC authenticates but doesn’t encrypt DNS responses. As a result, perpetrators can still observe which names a user looks up and use that data for more sophisticated attacks (encrypted transports such as DNS over TLS or DNS over HTTPS address this, not DNSSEC).
  • Complex deployment – DNSSEC is often misconfigured (expired signatures, mismatched DS records), which can cause validating resolvers to lose the security benefits or to reject the zone entirely, making the website unreachable.
  • Zone enumeration – DNSSEC uses additional resource records to prove that a name or record type does not exist. One such record, NSEC, names the next existing owner name in the zone. Following these next-name pointers lets anyone walk the zone and list every name in it, a weakness called zone enumeration. NSEC3 replaces the owner names with salted, iterated SHA-1 hashes; this is hashing, not encryption, and it makes enumeration harder but not impossible, since an attacker can still guess hostnames offline and compare hashes. Online signing with minimally covering NSEC records (RFC 4470) and the NSEC5 proposal (an IETF draft that was never standardized) aim to close that gap.
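The following added example (not from the original article) makes the last point concrete: it walks a constructed NSEC chain to enumerate a zone, then computes NSEC3 hashed owner names as specified in RFC 5155 section 5 and shows that a short wordlist still recovers most of them offline. The zone contents, salt and iteration count are constructed assumptions; the hash routine can be checked against the test vectors in RFC 5155 Appendix A.

```python
# Added example (not from the original article): NSEC zone walking, the NSEC3
# hash from RFC 5155 section 5, and an offline dictionary attack against the
# published NSEC3 hashes. Zone names, salt and iteration count are constructed.
import hashlib

# Constructed zone: each NSEC record's "next owner name" forms a chain that
# ends back at the apex. A querier learns one link per NXDOMAIN response.
NSEC_CHAIN = {
    "estores.com.": "admin.estores.com.",
    "admin.estores.com.": "mail.estores.com.",
    "mail.estores.com.": "staging.estores.com.",
    "staging.estores.com.": "www.estores.com.",
    "www.estores.com.": "estores.com.",
}
SALT_HEX = "aabbccdd"   # assumption: 4-byte salt published in the NSEC3PARAM record
ITERATIONS = 12         # assumption: extra hash iterations from NSEC3PARAM
B32HEX = "0123456789abcdefghijklmnopqrstuv"   # base32hex alphabet (RFC 4648)


def walk_nsec(chain: dict, apex: str) -> list:
    """Enumerate every owner name in an NSEC-signed zone by following the
    next-name pointers until the chain wraps around to the apex."""
    names, cur = [], apex
    while True:
        names.append(cur)
        cur = chain[cur]
        if cur == apex:
            return names


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of a domain name: lowercase, length-prefixed labels,
    terminated by the zero-length root label."""
    wire = b""
    for label in name.lower().rstrip(".").split("."):
        if label:
            wire += bytes([len(label)]) + label.encode("ascii")
    return wire + b"\x00"


def base32hex(data: bytes) -> str:
    """Base32 with the extended-hex alphabet, lowercase, unpadded (a 20-byte
    SHA-1 digest encodes to exactly 32 characters)."""
    bits = "".join(f"{b:08b}" for b in data)
    bits += "0" * (-len(bits) % 5)
    return "".join(B32HEX[int(bits[i:i + 5], 2)] for i in range(0, len(bits), 5))


def nsec3_hash(name: str, salt_hex: str, iterations: int) -> str:
    """RFC 5155: IH(0) = SHA1(name || salt); IH(k) = SHA1(IH(k-1) || salt);
    the hashed owner name is IH(iterations) in base32hex."""
    salt = bytes.fromhex(salt_hex)
    digest = hashlib.sha1(name_to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base32hex(digest)


def publish_nsec3(chain: dict) -> set:
    """What an NSEC3-signed zone reveals instead of names: hashed owner names."""
    return {nsec3_hash(n, SALT_HEX, ITERATIONS) for n in chain}


def guess_nsec3(published: set, apex: str, wordlist: list) -> list:
    """Offline dictionary attack: hash candidate labels under the zone's public
    salt and iteration count and report every candidate whose hash is published."""
    candidates = [apex] + [f"{w}.{apex}" for w in wordlist]
    return [c for c in candidates if nsec3_hash(c, SALT_HEX, ITERATIONS) in published]


if __name__ == "__main__":
    print("NSEC walk:", walk_nsec(NSEC_CHAIN, "estores.com."))
    hashes = publish_nsec3(NSEC_CHAIN)
    print("NSEC3 owner names:", sorted(hashes))
    print("Recovered from wordlist:",
          guess_nsec3(hashes, "estores.com.", ["www", "mail", "ftp", "vpn", "admin", "staging", "dev"]))
```

The salt and iteration count are public (they sit in the NSEC3PARAM record), so they only slow the guessing down; a name such as staging that appears in any common wordlist is recovered immediately, while a truly unguessable label is what actually stays hidden.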


