DNS Cache Poisoning: A Detailed Technical Overview

1. Introduction

The Domain Name System (DNS) is one of the most critical components of the internet, responsible for translating human-readable domain names (like www.example.com) into IP addresses that computers use to identify each other on a network.
DNS cache poisoning, often called DNS spoofing, is an attack that plants forged DNS records in a resolver's cache so that users are redirected to attacker-chosen destinations without their knowledge. (Strictly, spoofing is the forging of a reply; poisoning is the lasting effect that forged reply has on the cache.)

This attack undermines trust in the internet’s naming system and can lead to data theft, malware distribution, phishing, and large-scale network compromise.


2. How DNS Works (Background)

To understand DNS cache poisoning, it’s important to know how DNS resolution works:

  1. A user enters a domain name in a browser.
  2. The request is sent to a recursive resolver (often run by an ISP or organization).
  3. If the resolver has the answer cached, it returns the IP address immediately.
  4. If not, it queries:
    • Root DNS servers
    • Top-Level Domain (TLD) servers (e.g., .com)
    • Authoritative DNS servers
  5. The resolver caches the response for the Time To Live (TTL) the authoritative server specified, and answers later queries for that name from the cache until the TTL expires.

The cache, and the unauthenticated UDP exchange that fills it, is what attackers exploit: a false record that gets in is served to every client of that resolver until it expires.

3. What Is DNS Cache Poisoning?

DNS cache poisoning occurs when an attacker successfully inserts a false DNS record into a resolver’s cache. Once poisoned, the resolver returns the malicious IP address to all users requesting that domain until the cache expires or is cleared.

Example

Instead of:

bank.com → 192.0.2.10

Users receive:

bank.com → 203.0.113.66 (attacker-controlled)

The user sees the correct domain name but is silently redirected.


4. How DNS Cache Poisoning Attacks Work

4.1 Core Attack Principle

A resolver's queries to authoritative servers are normally sent over UDP, which is:

  • Connectionless: there is no handshake, so a reply can come from anyone able to forge a source address
  • Fast, which is why DNS uses it
  • Lacking built-in verification: nothing in the packet proves who sent it

Before accepting a reply, a resolver checks only that the source IP and port (53) match the server it asked, that the destination port matches the UDP source port it used, that the 16-bit transaction ID matches, and that the question section matches. An off-path attacker who can spoof source addresses therefore forges replies carrying guessed values and tries to deliver one before the genuine reply arrives. The first reply that passes the checks wins; the genuine one arriving later matches no outstanding query and is discarded.

4.2 Step-by-Step Attack Flow

  1. Trigger a DNS request
    The attacker makes the resolver query a name it does not have cached (e.g., by resolving it from a client of that resolver, sending mail to it, or embedding a link or image that victims load). No query, no race: a cached answer cannot be spoofed until its TTL expires.
  2. Flood the resolver with fake responses
    The attacker sends spoofed replies whose source address is the authoritative server's, timed to land before the genuine reply.
  3. Guess transaction details
    Each forged reply must match the outstanding query's:
    • Transaction ID (16 bits, 65,536 possible values)
    • Destination port (the resolver's UDP source port: a single known value on old resolvers, one of tens of thousands when randomized)
      If a forged reply matches both, the resolver accepts it; mismatches are silently dropped, so the attacker can send thousands of guesses per race.
  4. Poison the cache
    The resolver stores the forged record for the TTL the attacker chose.
  5. Exploit users
    Every client of that resolver is redirected to attacker-controlled infrastructure until the entry expires or is flushed.
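The race in the five steps above, as an added worked example (this is illustration code written for this page, not code from the article or from any resolver). It reduces a resolver to the fields it checks before accepting a UDP reply, lets an off-path attacker who cannot see the query spray every transaction ID at the port it believes is in use, and compares a resolver with a fixed source port of 53 against one that randomizes the port. The authoritative server address 198.51.100.5 is a constructed value; bank.com, 192.0.2.10 and 203.0.113.66 are the page's own.

```python
"""Toy model of the off-path spoofing race.

Added illustration, not code from the article. A "packet" is a dict carrying
the UDP/DNS fields a real resolver compares before accepting a reply: peer
address and port, our source port, transaction ID and question. All
addresses are RFC 5737 documentation ranges.
"""
import random
from dataclasses import dataclass, field

TXID_SPACE = 1 << 16            # DNS transaction IDs are 16 bits
PORT_SPACE = 65535 - 1024 + 1   # ephemeral ports available once randomized
FIXED_PORT = 53                 # classic "query-source port 53" behaviour


@dataclass
class OutstandingQuery:
    name: str
    qtype: str
    server_ip: str   # authoritative server the resolver asked
    src_port: int    # UDP source port the resolver used for this query
    txid: int


@dataclass
class ToyResolver:
    randomize_port: bool = True
    cache: dict = field(default_factory=dict)
    pending: list = field(default_factory=list)
    rng: random.Random = field(default_factory=lambda: random.Random(1))

    def send_query(self, name, qtype, server_ip):
        port = self.rng.randint(1024, 65535) if self.randomize_port else FIXED_PORT
        q = OutstandingQuery(name, qtype, server_ip, port, self.rng.randrange(TXID_SPACE))
        self.pending.append(q)
        return q

    def receive(self, pkt):
        """Accept a reply only when every checked field matches an outstanding
        query. The first match wins; anything else is silently dropped."""
        for q in self.pending:
            if (pkt["src_ip"], pkt["src_port"], pkt["dst_port"], pkt["txid"],
                    pkt["qname"], pkt["qtype"]) == (
                    q.server_ip, 53, q.src_port, q.txid, q.name, q.qtype):
                self.pending.remove(q)
                self.cache[(q.name, q.qtype)] = pkt["answer"]
                return True
        return False


def success_probability(spoofed_replies, randomize_port):
    """Chance that one flood of N forged replies hits the single live query.
    With a fixed port only the 16-bit TXID must be guessed; with a random
    port the search space is TXID x port, roughly 2^32."""
    space = TXID_SPACE * (PORT_SPACE if randomize_port else 1)
    return min(1.0, spoofed_replies / space)


def attacker_flood(resolver, name, server_ip, bad_ip, guessed_port=FIXED_PORT):
    """Off-path attacker: spoofs the authoritative server's address and
    enumerates every TXID at the port it believes the resolver used.
    Returns how many packets it sent before one was accepted (or all 65536)."""
    for txid in range(TXID_SPACE):
        pkt = {"src_ip": server_ip, "src_port": 53, "dst_port": guessed_port,
               "txid": txid, "qname": name, "qtype": "A", "answer": bad_ip}
        if resolver.receive(pkt):
            return txid + 1
    return TXID_SPACE


def race(randomize_port):
    """Resolver asks for bank.com, the attacker floods, then the genuine reply
    arrives. Returns what the cache holds and whether the genuine reply was
    still accepted."""
    r = ToyResolver(randomize_port=randomize_port)
    q = r.send_query("bank.com", "A", "198.51.100.5")
    sent = attacker_flood(r, "bank.com", "198.51.100.5", "203.0.113.66")
    genuine = {"src_ip": "198.51.100.5", "src_port": 53, "dst_port": q.src_port,
               "txid": q.txid, "qname": "bank.com", "qtype": "A", "answer": "192.0.2.10"}
    genuine_accepted = r.receive(genuine)
    return {"cached": r.cache.get(("bank.com", "A")),
            "packets_sent": sent, "genuine_accepted": genuine_accepted}


if __name__ == "__main__":
    for mode in (False, True):
        print("randomized port" if mode else "fixed port", race(mode),
              "p(success per flood) =", success_probability(TXID_SPACE, mode))
```

With the fixed port, enumerating the transaction IDs is guaranteed to succeed within 65,536 packets and the genuine reply, arriving afterwards, is thrown away as unexpected. With a random port the same flood fails unless the port guess is right as well, which is the whole effect of the mitigation described later in this page.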

5. The Kaminsky Attack (2008)

One of the most significant DNS vulnerabilities was disclosed by Dan Kaminsky in 2008. Earlier poisoning attacks had two limits: a lost race for www.bank.com could not be retried until the genuine answer's TTL expired, and a won race poisoned only that one name. Kaminsky's technique removed both.

Key Characteristics:

  • Asked the resolver for names that could not be cached yet (random labels such as r1.bank.com, r2.bank.com, ...), so every attempt started a fresh race with no TTL to wait out
  • Put the payload in the authority and additional sections of the forged reply: an NS record for bank.com pointing at a name whose glue A record was the attacker's address, redirecting the resolver for the entire domain
  • Required no access to the target network: it worked from anywhere on the internet against any resolver whose source port was predictable
  • Could compromise DNS at massive scale, including the resolvers run by ISPs

Impact:

  • Forced coordinated emergency patching across the internet in July 2008
  • Led to widespread adoption of:
    • Source port randomization in resolvers
    • Better entropy in DNS queries generally (strongly random transaction IDs, 0x20 case randomization of query names)

The Kaminsky attack highlighted how fragile DNS security was at the time: with a fixed source port, only the 16-bit transaction ID stood between a forged reply and the cache.
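The two ideas above, fresh names and a poisoned delegation, in a toy cache (an added illustration written for this page, not code from the article or from any resolver). It assumes the forged reply has already won the race; what it shows is why lost attempts cost the attacker nothing and what the cache holds after a win. bank.com, 192.0.2.10 and 203.0.113.66 come from the page; ns.bank.com, ns1.bank.com and 198.51.100.5 are constructed.

```python
"""Toy cache showing the Kaminsky technique: a fresh random name gives the
attacker a new race on every attempt, and the forged reply that finally wins
plants NS and glue records for the whole zone.

Added illustration, not code from the article. The race itself is not
modeled here; `won` says whether the forged reply arrived first.
"""
import itertools


def in_bailiwick(owner, zone):
    """Bailiwick rule: a server answering for `zone` is only believed about
    names at or below `zone`."""
    owner, zone = owner.lower().rstrip("."), zone.lower().rstrip(".")
    return owner == zone or owner.endswith("." + zone)


class ToyCache:
    def __init__(self):
        self.records = {}  # (owner, type) -> (rdata, ttl)

    def lookup(self, name, rtype):
        entry = self.records.get((name.lower(), rtype))
        return entry[0] if entry else None

    def ingest(self, reply, zone):
        """Cache records from a reply obtained from `zone`'s server, dropping
        anything outside the bailiwick. Returns the (owner, type) pairs kept."""
        kept = []
        for section in ("answer", "authority", "additional"):
            for owner, rtype, rdata, ttl in reply.get(section, []):
                if not in_bailiwick(owner, zone):
                    continue            # e.g. glue for some other zone: ignored
                self.records[(owner.lower(), rtype)] = (rdata, ttl)
                kept.append((owner, rtype))
        return kept

    def next_hop(self, name):
        """Which server would the resolver ask about `name`? Walk up the labels
        to the closest cached NS record and return it with its glue address."""
        labels = name.split(".")
        for i in range(len(labels)):
            ns = self.lookup(".".join(labels[i:]), "NS")
            if ns:
                return ns, self.lookup(ns, "A")
        return None, None


def spoof_possible(cache, name):
    """An off-path spoof needs the resolver to send a query, which only
    happens on a cache miss."""
    return cache.lookup(name, "A") is None


_label = itertools.count(1)


def kaminsky_round(cache, zone, attacker_ip, won):
    """One attempt. The attacker asks for a name that cannot be cached yet
    (r1.bank.com, r2.bank.com, ...), so every attempt races; a lost race
    costs nothing but the next random name. Returns True if the forged
    reply was accepted."""
    name = f"r{next(_label)}.{zone}"
    assert spoof_possible(cache, name)
    if not won:
        return False   # genuine NXDOMAIN for a throwaway name; nothing to wait out
    forged = {
        "answer": [(name, "A", attacker_ip, 3600)],
        # The payload that matters: a delegation for the whole zone whose glue
        # points at the attacker. Both owners are inside bank.com, so a correct
        # bailiwick check accepts them; only entropy stood in the way.
        "authority": [(zone, "NS", f"ns1.{zone}", 86400)],
        "additional": [(f"ns1.{zone}", "A", attacker_ip, 86400)],
    }
    cache.ingest(forged, zone)
    return True


def demo():
    cache = ToyCache()
    # Constructed starting state: the resolver already knows www.bank.com and
    # the genuine delegation for bank.com.
    cache.ingest({"answer": [("www.bank.com", "A", "192.0.2.10", 3600)],
                  "authority": [("bank.com", "NS", "ns.bank.com", 86400)],
                  "additional": [("ns.bank.com", "A", "198.51.100.5", 86400)]}, "bank.com")
    classic_blocked = not spoof_possible(cache, "www.bank.com")  # must wait for TTL
    rounds = [kaminsky_round(cache, "bank.com", "203.0.113.66", won)
              for won in (False, False, True)]                   # two lost races, then a hit
    stray = cache.ingest({"additional": [("ns.other.com", "A", "203.0.113.66", 86400)]},
                         "bank.com")                              # out of bailiwick: dropped
    return {"classic_blocked": classic_blocked, "rounds": rounds, "stray_kept": stray,
            # www.bank.com stays correct until its own TTL runs out; anything the
            # resolver must look up afresh under bank.com now goes to the attacker.
            "next_hop": cache.next_hop("mail.bank.com")}


if __name__ == "__main__":
    print(demo())
```

The toy lets authority-section data overwrite the cached delegation, which is what vulnerable resolvers did in 2008; resolvers also rank cached data by the trustworthiness of its source, so entropy, not bailiwick checking alone, is the defense that actually closed this hole.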


6. Common Techniques Used in DNS Cache Poisoning

6.1 Transaction ID Guessing

The transaction ID is only 16 bits, and early implementations incremented it or used weak random number generators, so an attacker could often predict the next value or simply cover the whole space in one flood.

6.2 Birthday Attacks

If the attacker triggers many simultaneous queries for the same name, the resolver has many outstanding transaction IDs at once, and a flood of forged replies only needs to match any one of them. By the birthday paradox a few hundred queries and a few hundred replies already give a good chance of a collision, far fewer packets than guessing a single ID. Modern resolvers blunt this by coalescing duplicate outstanding queries for the same name into one.

6.3 Man-in-the-Middle (MITM)

An on-path attacker (same Wi-Fi network, a compromised router, or a host using ARP spoofing) sees the query, so there is nothing to guess: it answers with the right transaction ID and port before the real server can.

6.4 Compromised DNS Servers

Instead of poisoning caches, attackers take over the authoritative server or the registrar account and change the real records. Every resolver then caches the attacker's data legitimately, and DNSSEC cannot flag it if the attacker can also sign the zone.


7. Consequences of DNS Cache Poisoning

DNS cache poisoning can have severe consequences:

  • Phishing attacks (fake login pages)
  • Malware distribution
  • Credential theft
  • Session hijacking
  • Email interception
  • Large-scale traffic redirection
  • Reputation damage and legal consequences

Because DNS operates transparently, users are often unaware of the attack.


8. Detection Challenges

DNS cache poisoning is difficult to detect because:

  • Forged responses are well-formed and, once cached, indistinguishable from genuine answers
  • HTTPS limits the damage but does not reveal the cause: the attacker's server cannot present a valid certificate for the real name, so the browser warns, but users may click through, the site may also be reachable over plain HTTP, or the attacker may have obtained a certificate by poisoning the resolver a certificate authority uses for domain validation
  • Users are redirected silently and see the correct domain name
  • Resolver logs rarely record the forged replies that were dropped for a wrong transaction ID or port, and a forged reply that matched produces no error at all

Detection therefore relies on monitoring the wire or the resolver itself: bursts of replies that match no outstanding query, answers that disagree with other resolvers or with the authoritative servers, and DNSSEC validation failures.
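The first of those signals, a burst of replies that match no outstanding query, as an added detection example (written for this page, not code from the article or from any resolver). The capture is constructed: the resolver is 192.0.2.53, the servers it asks are 198.51.100.5 and 198.51.100.7, and the record layout is an assumption standing in for whatever a packet capture in front of the resolver would yield.

```python
"""Detect the on-the-wire signature of a spoofing flood: replies that reach
the resolver but match no outstanding query because the transaction ID or
port was guessed wrong.

Added illustration, not code from the article. The capture is constructed.
"""
from collections import defaultdict, deque

RESOLVER = "192.0.2.53"


def build_capture():
    """Records are (time_s, kind, src_ip, src_port, dst_ip, dst_port, txid, qname),
    kind "Q" for a query the resolver sent, "R" for a reply it received."""
    cap = []
    # A normal lookup: one query, one matching reply.
    cap.append((0.00, "Q", RESOLVER, 51234, "198.51.100.7", 53, 0x3c1e, "www.example.org"))
    cap.append((0.02, "R", "198.51.100.7", 53, RESOLVER, 51234, 0x3c1e, "www.example.org"))
    # A lookup under attack: 200 forged replies guess TXIDs 0..199 at the port
    # the attacker believes is in use; the genuine reply (TXID 0x1a2b) lands last.
    cap.append((1.00, "Q", RESOLVER, 40001, "198.51.100.5", 53, 0x1a2b, "bank.com"))
    for i in range(200):
        cap.append((1.00 + (i + 1) * 0.0002, "R", "198.51.100.5", 53, RESOLVER, 40001, i, "bank.com"))
    cap.append((1.05, "R", "198.51.100.5", 53, RESOLVER, 40001, 0x1a2b, "bank.com"))
    return sorted(cap)


def detect_spoof_flood(capture, window_s=1.0, threshold=50):
    """Keep a table of outstanding queries and count replies that match none
    of them. `threshold` unmatched replies from one peer within `window_s`
    seconds raises an alert (once per peer). Returns (alerts, totals): alerts
    are (time, peer_ip, unmatched_in_window), totals count every unmatched
    reply per peer."""
    pending = {}                     # (peer_ip, our_port, txid, qname) -> time sent
    recent = defaultdict(deque)      # peer_ip -> times of recent unmatched replies
    totals = defaultdict(int)
    alerts, alerted = [], set()
    for t, kind, src, sport, dst, dport, txid, qname in capture:
        if kind == "Q":
            pending[(dst, sport, txid, qname)] = t
            continue
        key = (src, dport, txid, qname)
        if sport == 53 and key in pending:
            del pending[key]         # matches a live query: genuine, or a forged hit
            continue
        totals[src] += 1
        window = recent[src]
        window.append(t)
        while t - window[0] > window_s:
            window.popleft()
        if len(window) >= threshold and src not in alerted:
            alerted.add(src)
            alerts.append((t, src, len(window)))
    return alerts, dict(totals)


if __name__ == "__main__":
    alerts, totals = detect_spoof_flood(build_capture())
    print("unmatched replies per peer:", totals)
    for t, peer, n in alerts:
        print(f"t={t:.4f}s spoof flood suspected from {peer}: {n} unmatched replies in window")
```

This catches the noisy failures around an attack, not the one forged reply that guessed right: that reply is indistinguishable on the wire, which is why the check is paired with answer-consistency comparisons and DNSSEC validation rather than used alone. The apparent source of the flood is the spoofed authoritative address, so the alert identifies the targeted name, not the attacker.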


9. Prevention and Mitigation Strategies

9.1 DNSSEC (DNS Security Extensions)

DNSSEC adds cryptographic signatures (RRSIG records) to DNS data, with a chain of trust from the root through the TLD to the zone.

  • Ensures authenticity and integrity: a validating resolver rejects a forged record because the attacker cannot produce a valid signature for it
  • Defeats off-path forgery outright instead of merely making it improbable
  • Requires support from both sides: the domain owner must sign the zone and publish a DS record at the parent, and the resolver must validate
  • Does not encrypt anything, and offers no protection for zones that are not signed

For signed zones, DNSSEC with a validating resolver is the most effective defense against cache poisoning; the entropy-based measures below remain necessary for the many zones that are not signed.


9.2 Source Port Randomization

Sending each query from a random ephemeral port adds roughly 16 bits of entropy on top of the 16-bit transaction ID, so an off-path attacker must guess about 2^32 combinations instead of 65,536. One caveat: a NAT device in front of the resolver that rewrites source ports sequentially undoes this randomization, so the port seen by the authoritative server is what counts.


9.3 Randomized Transaction IDs

Modern resolvers draw transaction IDs from a cryptographically strong random number generator. Many also randomize the letter case of the query name (0x20 encoding) and require the reply to echo it exactly, adding a few more bits of entropy per name.
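A resolver-side check for the settings in 9.1 to 9.3, using BIND 9's named.conf as the example (an added illustration written for this page, not code from the article or from ISC). It flags a fixed query-source port, validation switched off, and recursion open to the world, which is what lets anyone trigger step 1 of the attack; transaction IDs are always random in BIND and have no knob. The two configuration texts are constructed, and the directory path and the 192.0.2.0/24 client network are placeholders.

```python
"""Audit a named.conf for the weaknesses this page discusses.

Added illustration, not code from the article or from ISC. The two
configurations below are constructed examples of a weak and a hardened
resolver.
"""
import re

WEAK_NAMED_CONF = """
options {
    directory "/var/cache/bind";
    recursion yes;
    // Fixed source port: only the 16-bit transaction ID stands between a
    // forged reply and the cache.
    query-source address * port 53;
    dnssec-validation no;
};
"""

HARDENED_NAMED_CONF = """
options {
    directory "/var/cache/bind";
    recursion yes;
    allow-recursion { 192.0.2.0/24; };  // only our clients can trigger queries
    // No query-source port clause: named picks a random ephemeral port per query.
    dnssec-validation auto;             // validate using the built-in root trust anchor
};
"""


def strip_comments(text):
    """named.conf allows /* */, // and # comments."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)


def audit_named_conf(text):
    """Return a list of findings; an empty list means none of the checked
    weaknesses were present."""
    conf = strip_comments(text)
    findings = []

    # 9.2: a numeric port in query-source (or query-source-v6) pins every
    # outgoing query to one port and throws away the port entropy.
    m = re.search(r"query-source(?:-v6)?\s+(?:address\s+\S+\s+)?port\s+(\d+)", conf)
    if m:
        findings.append(f"query-source port {m.group(1)} is fixed: drop the port "
                        "clause so named randomizes the source port")

    # 9.1: validation must be on; 'auto' uses the built-in root trust anchor.
    if re.search(r"dnssec-validation\s+no\s*;", conf):
        findings.append("dnssec-validation no: forged data is accepted even for "
                        "signed zones; set dnssec-validation auto")

    # Step 1 of the attack is triggering a query; an open resolver lets anyone do it.
    if re.search(r"recursion\s+yes\s*;", conf) and not re.search(r"allow-recursion\s*\{", conf):
        findings.append("recursion yes without allow-recursion: open resolver, "
                        "anyone on the internet can trigger lookups to race against")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_NAMED_CONF), ("hardened", HARDENED_NAMED_CONF)):
        print(label, audit_named_conf(conf) or "no findings")
```

Run it over the real file (`audit_named_conf(open("/etc/bind/named.conf.options").read())`, path being distribution-specific) as a quick sanity check; it is a pattern match, not a parser, so a clause split oddly across lines or placed in a view block still deserves a manual look.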


9.4 Shorter TTL Values

Shorter TTLs on your own records limit how long a poisoned entry survives in someone else's cache, but they are a trade-off: every expiry triggers a fresh query, and therefore a fresh race, so short TTLs also give an attacker more attempts. They reduce the damage of a successful poisoning; they do not prevent it.


9.5 Network Segmentation

Limits who can get on-path between clients and the resolver (for example via ARP spoofing on a shared segment), which is what local MITM DNS attacks depend on.


9.6 Encrypted DNS

  • DNS over HTTPS (DoH)
  • DNS over TLS (DoT)

Encrypts and authenticates the path between the client (stub resolver) and the recursive resolver, defeating interception and on-path tampering on that leg, typically the local network. It does not cover the resolver's own queries to authoritative servers, which is where off-path cache poisoning takes place, and it moves trust to the operator of the chosen resolver.


10. Real-World Examples

  • ISP-level DNS poisoning in censorship campaigns
  • Coffee shop Wi-Fi DNS spoofing attacks
  • Malware modifying local DNS settings
  • Enterprise breaches caused by poisoned internal DNS resolvers

11. DNS Cache Poisoning vs Related Attacks

  Attack Type           Key Difference
  DNS Cache Poisoning   Inserts forged records into a resolver's cache; affects every client of that resolver
  DNS Hijacking         Changes which resolver or authoritative servers are used (device settings, router, registrar account)
  MITM                  Intercepts and alters live traffic on the path; nothing to guess
  ARP Spoofing          Redirects traffic at the link layer; often the step that puts an attacker on-path

12. Current State of DNS Security

While modern defenses have made cache poisoning much harder, it is not obsolete:

  • Legacy systems still exist
  • Misconfigured resolvers remain vulnerable: a fixed query-source port, a NAT device that rewrites source ports predictably, or an open resolver that lets anyone trigger the first step of the attack
  • DNSSEC adoption is incomplete on both the signing and the validating side
  • Local network attacks are still viable

Security depends heavily on proper configuration and updates.


13. Conclusion

DNS cache poisoning is a powerful attack that exploits the trust-based nature of DNS. Although major improvements have significantly reduced its prevalence, it remains a critical threat when defenses are weak or outdated.

Understanding DNS cache poisoning is essential for:

  • Network administrators
  • Security professionals
  • System architects
  • Anyone responsible for internet-facing services

A secure DNS infrastructure—especially with DNSSEC and encrypted DNS—is no longer optional in modern networks.