What is DNS Spoofing?
DNS spoofing — also known as DNS cache poisoning — is an attack that feeds a forged answer into the DNS resolution process so a domain resolves to an address the attacker controls. Once a resolver caches the bad answer, every user behind it is quietly sent to the wrong server until the record expires, all while the address bar still shows the correct domain.
What is DNS spoofing?
DNS spoofing, commonly called DNS cache poisoning, is an attack that injects a false answer into the DNS resolution process. Instead of compromising your account or your zone, the attacker targets a resolver and convinces it that a domain points to an address they control. The forged answer gets cached, so visitors are sent to the attacker's server even though the domain they typed is entirely correct.
How DNS cache poisoning works
When a recursive resolver looks up a name it does not already have cached, it sends a UDP query to an authoritative server and waits for a reply. Because UDP carries no session state, the resolver can only match a reply to its query by the fields inside the packet. The attack is a race:
- The attacker triggers a lookup for a target name (for example by getting the resolver to resolve a link they sent) and floods the resolver with forged responses whose source address is spoofed to look like the authoritative server.
- Each forged response guesses the 16-bit query transaction ID and the UDP source port the resolver used, and echoes the same question so the reply looks legitimate.
- If a forged reply matches before the genuine answer arrives, the resolver accepts and caches it; the genuine answer, arriving later, is discarded because there is no longer an outstanding query for it.
- The poisoned record is then served to every client behind that resolver until its TTL expires.
In 2008 researcher Dan Kaminsky demonstrated that this race was far more practical than assumed. Two details made it so: the attacker could retry without limit by asking for random, non-existent subdomains (a cached genuine answer for one name never blocks the next try), and a forged reply could carry NS and glue records in its authority and additional sections, so a single win replaced the resolver's idea of who serves the entire zone rather than one hostname. With only a 16-bit transaction ID and a fixed source port to guess, a win took seconds. The disclosure drove the industry-wide adoption of source-port randomization as a stopgap (it raises the guessing space from about 2^16 to roughly 2^32) and accelerated interest in DNSSEC, which authenticates the answer itself rather than making it harder to guess.
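The race above, simulated end to end. This is an added illustration, not ZoneWatcher's code or a working attack tool: nothing touches the network, the resolver and attacker are toy objects in one process, and the names, addresses (203.0.113.7 and 198.51.100.10 are documentation ranges) and the attacker's per-query budget of 8,000 forged packets are assumptions chosen to make the two outcomes visible. The toy resolver accepts a reply only when its destination port, transaction ID and question all match an outstanding query, exactly the check a real resolver performs; the attacker retries with a fresh random subdomain each round, Kaminsky-style, so a cached genuine answer never stops the next attempt.

```python
"""Simulated DNS cache-poisoning race (constructed example, no network I/O)."""
import random
import struct

TXID_SPACE = 1 << 16                     # 16-bit DNS transaction ID
EPHEMERAL_PORTS = range(1024, 1 << 16)   # ports a randomizing resolver draws from (64512 of them)
FIXED_PORT = 53                          # a fixed, observable source port (pre-2008 behaviour)
ATTACKER_IP = "203.0.113.7"              # assumed: where the forged records point
GENUINE_IP = "198.51.100.10"             # assumed: what the authoritative server really answers


def encode_name(name: str) -> bytes:
    """Wire-format a name: length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def decode_name(packet: bytes, offset: int):
    """Decode an uncompressed name at offset; return (name, offset after it)."""
    labels = []
    while packet[offset]:
        n = packet[offset]
        labels.append(packet[offset + 1:offset + 1 + n].decode())
        offset += 1 + n
    return ".".join(labels), offset + 1


def build_answer(txid: int, qname: str, ip: str) -> bytes:
    """Minimal response: header, echoed question, one A record with TTL 3600."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR, RD, RA flags set
    question = encode_name(qname) + struct.pack("!HH", 1, 1)    # QTYPE A, QCLASS IN
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 3600, 4)     # name = pointer to offset 12
    return header + question + rr + bytes(int(o) for o in ip.split("."))


def parse_answer(packet: bytes):
    """Return (txid, qname, ip) from a response produced by build_answer."""
    txid = struct.unpack("!H", packet[:2])[0]
    qname, off = decode_name(packet, 12)
    off += 4 + 2 + 10   # QTYPE/QCLASS, name pointer, TYPE/CLASS/TTL/RDLENGTH
    return txid, qname, ".".join(str(b) for b in packet[off:off + 4])


def guess_space(randomize_port: bool) -> int:
    """Number of (port, txid) combinations a forged reply has to hit."""
    return TXID_SPACE * (len(EPHEMERAL_PORTS) if randomize_port else 1)


class Resolver:
    """Caches the first reply whose port, txid and question match an outstanding query."""

    def __init__(self, randomize_port: bool, rng: random.Random = None):
        self.randomize_port = randomize_port
        self.rng = rng or random.Random()
        self.pending = {}   # (port, txid) -> qname still waiting for an answer
        self.cache = {}     # qname -> ip

    def send_query(self, qname: str):
        txid = self.rng.randrange(TXID_SPACE)
        port = self.rng.choice(EPHEMERAL_PORTS) if self.randomize_port else FIXED_PORT
        self.pending[(port, txid)] = qname
        return port, txid

    def receive(self, port: int, packet: bytes) -> bool:
        """Accept only if port and txid match a pending query and the question matches too."""
        txid = struct.unpack("!H", packet[:2])[0]
        expected = self.pending.get((port, txid))
        if expected is None:
            return False                      # wrong port or txid: silently dropped
        _, qname, ip = parse_answer(packet)
        if qname != expected:
            return False                      # right txid, different question: dropped
        del self.pending[(port, txid)]        # first matching reply wins; later ones are dropped
        self.cache[qname] = ip
        return True


def race(randomize_port: bool, seed: int, budget: int = 8000, max_attempts: int = 100):
    """Kaminsky-style race; returns (poisoned, attempts_used).

    Each attempt the attacker lands `budget` forged replies before the genuine
    one. A fresh random subdomain per attempt means a cached genuine answer
    never blocks the next try. With a fixed port only the txid must be guessed.
    """
    rng = random.Random(seed)
    resolver = Resolver(randomize_port, rng)
    attacker = random.Random(seed + 1)        # attacker never sees the resolver's rng
    for attempt in range(1, max_attempts + 1):
        qname = f"{attacker.randrange(1 << 32):08x}.example.com"
        port, txid = resolver.send_query(qname)
        template = build_answer(0, qname, ATTACKER_IP)
        for _ in range(budget):
            g_port = attacker.choice(EPHEMERAL_PORTS) if randomize_port else FIXED_PORT
            forged = struct.pack("!H", attacker.randrange(TXID_SPACE)) + template[2:]
            if resolver.receive(g_port, forged):
                return True, attempt          # resolver.cache[qname] is now ATTACKER_IP
        resolver.receive(port, build_answer(txid, qname, GENUINE_IP))   # genuine reply arrives
    return False, max_attempts


if __name__ == "__main__":
    for randomize in (False, True):
        poisoned, attempts = race(randomize, seed=2008)
        print(f"port randomization={randomize}: guess space={guess_space(randomize):,}, "
              f"poisoned={poisoned} after {attempts} attempts")
```

With a fixed port the forgery lands within a handful of rounds; with port randomization the same budget exhausts all rounds without a single match, which is the whole effect of the 2008 mitigation. Note what the simulation leaves out: a real attacker also has to beat the genuine answer's round-trip time, and a real win carries forged NS records, which is why a single match could take over a whole zone.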
The impact of DNS spoofing
- Traffic redirection — users are routed to a clone site built to capture credentials, payment details, or session cookies.
- Wide blast radius — one poisoned cache can affect every user of that resolver, not just a single victim.
- Email and update tampering — spoofed mail or update endpoints can divert messages or deliver malicious software.
- Hard to spot — the domain looks correct, so there is little to tip off the user without certificate or monitoring signals.
How to defend against DNS spoofing
- Sign your zone with DNSSEC — DNSSEC adds cryptographic signatures so a validating resolver can verify an answer is authentic and reject forged ones, no matter how many guesses the attacker gets. Read more in What is DNSSEC.
- Use source-port randomization — modern resolvers randomize both the UDP source port and the transaction ID, so a forged reply has to guess roughly 32 bits instead of 16, which makes the spoofing race vastly harder to win. It raises the cost of an attack; only DNSSEC rules it out.
- Encrypt queries in transit — DNS over HTTPS and DNS over TLS protect the path between the client and its resolver, blocking on-path tampering there. They do not cover the resolver's own queries to authoritative servers, so they complement DNSSEC rather than replace it.
- Pick trustworthy resolvers — use resolvers that validate DNSSEC and apply these protections by default.
How to detect spoofing and tampering
Spoofing is hard to catch from inside a single browser, so the practical defense is to validate that your zone is correctly signed and that your authoritative answers match what you published. ZoneWatcher monitors your records and DNSSEC signatures continuously and alerts you if signing breaks or an authoritative answer drifts from what you expect. A related and broader threat is DNS hijacking, which redirects resolution by changing the records or delegation themselves, through compromised registrar or DNS-provider accounts, rather than by poisoning a cache.