
DNS Spoofing

An attack that corrupts DNS resolution to redirect users from legitimate websites to malicious ones.

DNS spoofing, also known as DNS cache poisoning, is an attack that manipulates the Domain Name System to redirect users from legitimate websites to attacker-controlled servers. By corrupting the DNS resolution process, an attacker can cause a domain name like bank.example.com to resolve to a malicious IP address, directing victims to a convincing phishing site or intercepting their traffic without their knowledge.

How It Works

When a user's device needs to resolve a domain name to an IP address, it queries a DNS resolver, which may query additional DNS servers up the hierarchy. The resolver caches the response for a period defined by the record's TTL (Time to Live) value. DNS spoofing targets this process at various points.

In a classic cache poisoning attack, the attacker sends forged DNS responses to a resolver, racing against the legitimate response. If the forged response arrives first with a matching transaction ID and source port, the resolver accepts it and caches the malicious record. All subsequent queries to that resolver for the poisoned domain will receive the attacker's IP address until the cache entry expires. Successful poisoning of a popular DNS resolver can redirect thousands of users.

Local network DNS spoofing occurs when an attacker on the same network intercepts DNS queries through ARP spoofing or by compromising the local DNS server. This is particularly effective on public Wi-Fi networks where the attacker can position themselves between users and the DNS resolver. The attacker intercepts DNS queries and responds with malicious IP addresses before the legitimate resolver can reply.

DNSSEC (DNS Security Extensions) provides cryptographic signing of DNS records, allowing resolvers to verify the authenticity of responses. However, DNSSEC adoption remains incomplete, and many domains and resolvers do not enforce validation, leaving them vulnerable to spoofing attacks.
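The acceptance rule described above (a resolver only trusts a reply whose transaction ID, source port and question match a query it actually sent, and only caches records for the name it asked about) can be made concrete. The following is an added example written for this glossary entry, not code from the site or from any real resolver: a stripped-down DNS message builder and parser plus a toy cache that applies those checks. The domain names, IP addresses, TTLs and clock values are constructed for the demonstration, and the resolver is simplified (one question per message, A records only, no DNSSEC validation).

```python
import random
import struct
import time

A_RECORD, IN_CLASS = 1, 1


def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels plus the root byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def decode_name(data, off):
    """Decode a (possibly compressed) name at `off`; return (name, next_offset)."""
    labels = []
    while True:
        n = data[off]
        if n & 0xC0 == 0xC0:  # compression pointer to a name earlier in the message
            ptr = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF
            labels.append(decode_name(data, ptr)[0])
            return ".".join(labels), off + 2
        off += 1
        if n == 0:
            return ".".join(labels), off
        labels.append(data[off:off + n].decode("ascii"))
        off += n


def build_message(txid, qname, answers=(), response=False):
    """Build a one-question DNS message; `answers` is a list of (name, ttl, ipv4)."""
    flags = 0x8180 if response else 0x0100
    msg = struct.pack("!HHHHHH", txid, flags, 1, len(answers), 0, 0)
    msg += encode_name(qname) + struct.pack("!HH", A_RECORD, IN_CLASS)
    for name, ttl, ip in answers:
        rdata = bytes(int(o) for o in ip.split("."))
        msg += encode_name(name) + struct.pack("!HHIH", A_RECORD, IN_CLASS, ttl, 4) + rdata
    return msg


def parse_message(data):
    """Parse the header, question section and the A records of the answer section."""
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", data[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = decode_name(data, off)
        qtype, _qclass = struct.unpack("!HH", data[off:off + 4])
        off += 4
        questions.append((name, qtype))
    for _ in range(an):
        name, off = decode_name(data, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        rdata, off = data[off:off + rdlen], off + rdlen
        if rtype == A_RECORD and rdlen == 4:
            answers.append((name, ttl, ".".join(str(b) for b in rdata)))
    return {"txid": txid, "is_response": bool(flags & 0x8000),
            "questions": questions, "answers": answers}


class MiniResolver:
    """Accepts a reply only if it matches a pending (txid, source port, question)."""

    def __init__(self):
        self.rng = random.SystemRandom()
        self.pending = {}  # (txid, src_port, qname) -> time the query was sent
        self.cache = {}    # qname -> (ip, expiry time)

    def send_query(self, qname, now=None):
        txid = self.rng.randrange(1 << 16)
        port = self.rng.randrange(1024, 1 << 16)  # fresh random source port per query
        self.pending[(txid, port, qname)] = now if now is not None else time.monotonic()
        return txid, port, build_message(txid, qname)

    def accept_response(self, local_port, data, now=None):
        now = now if now is not None else time.monotonic()
        msg = parse_message(data)
        if not msg["is_response"] or len(msg["questions"]) != 1:
            return "rejected: not a single-question response"
        qname, _ = msg["questions"][0]
        key = (msg["txid"], local_port, qname)
        if key not in self.pending:
            return "rejected: no pending query with this txid, port and question"
        # Bailiwick check: only cache records for the name that was actually asked about.
        usable = [(ttl, ip) for name, ttl, ip in msg["answers"] if name == qname]
        if not usable:
            return "rejected: answers do not match the question name"
        ttl, ip = usable[0]
        self.cache[qname] = (ip, now + ttl)
        del self.pending[key]  # a second copy of this reply can no longer match
        return "accepted"

    def lookup(self, qname, now=None):
        now = now if now is not None else time.monotonic()
        entry = self.cache.get(qname)
        return entry[0] if entry and entry[1] > now else None


def run_demo():
    """Feed constructed replies to the resolver and report what it did with each."""
    r = MiniResolver()
    t0 = 1000.0  # constructed clock so that TTL expiry is reproducible
    txid, port, _query = r.send_query("bank.example.com", now=t0)
    # Constructed test inputs: a reply with the wrong txid, one whose answer names a
    # different domain, the genuine answer, and a replay of the genuine answer.
    wrong_txid = build_message((txid + 1) & 0xFFFF, "bank.example.com",
                               [("bank.example.com", 3600, "203.0.113.9")], response=True)
    off_name = build_message(txid, "bank.example.com",
                             [("other.example.net", 3600, "203.0.113.9")], response=True)
    legit = build_message(txid, "bank.example.com",
                          [("bank.example.com", 300, "192.0.2.10")], response=True)
    return {
        "wrong_txid": r.accept_response(port, wrong_txid, now=t0),
        "off_name": r.accept_response(port, off_name, now=t0),
        "legit": r.accept_response(port, legit, now=t0),
        "replay": r.accept_response(port, legit, now=t0),
        "cached_ip": r.lookup("bank.example.com", now=t0 + 100),
        "after_ttl": r.lookup("bank.example.com", now=t0 + 301),
    }


if __name__ == "__main__":
    for check, outcome in run_demo().items():
        print(f"{check}: {outcome}")
```

Running the demo shows the three properties that matter for cache poisoning resistance: a reply whose transaction ID or port does not match is dropped, a reply that answers for a name other than the one queried is not cached, and once the genuine reply has been consumed the pending entry is gone, so a late duplicate is also dropped. The random source port is the detail that turns a 16-bit guess into a roughly 32-bit one; a resolver that reuses one fixed port gives that margin away.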

Why It Matters

DNS spoofing undermines the foundational trust model of the internet. If users cannot trust that a domain name resolves to the correct server, every online interaction becomes suspect. Security assessments evaluate DNS configurations, DNSSEC implementation, and an organization's resilience to DNS-based attacks that could redirect users to malicious infrastructure or intercept sensitive communications.
