DNS cache poisoning (also called DNS spoofing) is a cyberattack where an attacker injects fraudulent DNS records into a resolver's cache. When you look up a domain, you receive the attacker's false IP address instead of the real one - silently redirecting you to a malicious or fake website.
How the Attack Works
- A user's device sends a DNS query to a resolver.
- The attacker floods the resolver with forged DNS responses, each carrying a guessed transaction ID, trying to arrive before the legitimate response does.
- If the forged response wins the race, the resolver caches the fake IP address.
- All subsequent users who query this resolver for that domain are directed to the attacker's server.
- The attacker's server may serve a fake login page to steal credentials, or deliver malware.
What Makes DNS Vulnerable
- Traditional DNS runs over UDP, which has no built-in authentication: a resolver accepts whichever response first matches the query's transaction ID and port.
- Transaction IDs are only 16 bits (65,536 possible values), so brute-force guessing is feasible.
- Caching means a single poisoned record affects every user of that resolver until the record expires.
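The race and the 16-bit ID space described above can be turned into a resolver-side check. The following is an added example, not code from the original page: it takes a constructed log of outstanding queries and arriving responses, flags names that receive a burst of responses whose (transaction ID, port) pair matches no outstanding query, and computes how much a fixed versus randomized source port changes the attacker's odds. All names, ports and timings are invented.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Query:
    qname: str
    txid: int
    src_port: int  # resolver's source port; a genuine answer comes back to it

@dataclass(frozen=True)
class Response:
    qname: str
    txid: int
    dst_port: int
    ts: float  # arrival time in seconds

def mismatched_responses(queries, responses):
    """Responses whose (name, txid, port) match no outstanding query. A genuine
    answer always matches, so these are stray packets or forgery attempts."""
    outstanding = {(q.qname, q.txid, q.src_port) for q in queries}
    return [r for r in responses if (r.qname, r.txid, r.dst_port) not in outstanding]

def poisoning_suspects(queries, responses, threshold=10, window=1.0):
    """Names that received at least `threshold` mismatched responses inside
    some `window`-second interval; returns {name: peak count in a window}."""
    times_by_name = defaultdict(list)
    for r in mismatched_responses(queries, responses):
        times_by_name[r.qname].append(r.ts)
    suspects = {}
    for name, times in times_by_name.items():
        times.sort()
        lo = 0
        for hi, t in enumerate(times):
            while t - times[lo] > window:  # drop arrivals older than the window
                lo += 1
            count = hi - lo + 1
            if count >= threshold:
                suspects[name] = max(suspects.get(name, 0), count)
    return suspects

def race_success_probability(forged_packets, id_bits=16, port_bits=0):
    """Chance of winning one race if each forgery guesses a distinct (txid, port)
    pair; port_bits=0 models a fixed source port, 16 a randomized one."""
    return min(1.0, forged_packets / 2 ** (id_bits + port_bits))

# Constructed sample: one legitimate lookup, then 40 guessed-ID responses aimed
# at the outstanding "bank.example" query (every value here is invented).
QUERIES = [Query("www.example", 0x1A2B, 53111), Query("bank.example", 0x3C4D, 53112)]
RESPONSES = [Response("www.example", 0x1A2B, 53111, 0.05)]
RESPONSES += [Response("bank.example", 0x3C4E + i, 53112, 0.10 + i / 1000) for i in range(40)]
```

With the sample data, `poisoning_suspects(QUERIES, RESPONSES)` reports `bank.example` with 40 mismatched responses in one second, while the legitimate `www.example` answer is never flagged.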
How DNS Poisoning Is Prevented
| Defense | How It Helps |
|---|---|
| DNSSEC | Digitally signs DNS records; resolvers reject unsigned or tampered records |
| DNS over HTTPS / TLS | Encrypts queries between the client and its resolver, so forged responses cannot be injected on that link |
| Source port randomization | Makes it much harder to guess the correct transaction ID + port combination |
| Short TTLs | Poisoned records expire faster |
People Also Ask
- Is DNS cache poisoning still possible?
- Yes, but it is significantly harder with modern mitigations like source port randomization, DNSSEC, and DoH. Legacy DNS infrastructure without these protections remains vulnerable.
- What are the signs of DNS hijacking?
- Being redirected to unexpected pages, SSL/TLS certificate warnings on sites you trust, and unusual DNS servers in your network settings are all red flags.