Your IP: Unknown · Your Status: Unprotected Protected


Blog In Depth

All you need to know about DNS spoofing

Apr 20, 2020 · 5 min read

All you need to know about DNS spoofing

Every time you visit a webpage, you expect your browser to take you straight there. However, it could land you in a scam site – and you might not even notice it. It happens when someone uses a DNS spoofing attack to compromise DNS records and redirect users from real websites to fake ones. Read on to know what it is, how it works, and what you can do to protect yourself from it.

How do DNS servers work?

First to understand how DNS spoofing works, we need to understand what DNS servers do.

When you tell your spouse that you’re going to visit a friend, you say, “I’m going to Taylor’s,” not “I’m going to 135 Court St, West Eaton.” Similarly, all websites have domain names and IP addresses. We prefer to use the former when navigating the internet since it would be too difficult to remember numerous IP addresses of eight and more digits. DNS (Domain Name System) servers help us by converting domain names into IP addresses. Think of it as translating human language into computer language. Here’s how it works.

When you type www.nordvpn.com into your browser, it has to look up NordVPN domain’s IP address first. Your browser finds it by contacting the DNS server that stores the domain name records. The DNS server finds the IP address, sends the information back to your browser, and the page is displayed on your screen.

The server usually belongs to your ISP, but it can’t hold every IP address of every website on the internet. Local DNS servers usually only have addresses that are most used in their local network. If the DNS server has the address your browser is looking for, it will send it back right away. Otherwise, it will need to forward the inquiry to another DNS server. Once your local servers send the address to your browser, it will store the address temporarily in its cache in case you need it again.

What is DNS spoofing?

DNS spoofing is a cyberattack used to redirect internet users to fake or malicious websites. It’s done by replacing the real IP address with another one. Hackers use these attacks to spy on people, install malware, and steal their data, like login credentials or banking information. It’s hard for victims to spot attacks as they don’t normally see what happens in the background while they browse.

Types of DNS spoofing attacks

Attackers use different tactics to spoof DNS addresses and redirect internet users to their fake websites. They may create copies of real websites, fill them with malware, or simply show a message that the real one was “hacked.”

It can also be used to perform DDoS attacks. If a hacker manages to replace IP addresses of multiple domains with one belonging to the website they’re targeting, all users will be redirected to it. The site won’t be able to handle so many requests and will crash.

There are three ways to spoof a DNS record:

Breaking in

This method is the most obvious one, but it’s also the most difficult one. Attackers need to obtain credentials from a user with access to the DNS server they want to target. To get these credentials, hackers might use various phishing techniques or keylogging malware. Once they have them, they can log in and change the records in the DNS server.

It’s a more complicated attack than cache poisoning, but has a longer lasting effect. The fake IP address will stay in the server until someone notices and changes it back. It will also spread to other DNS servers that send inquiries and will remain in their caches for a short time.

Poisoning the cache

Cache poisoning is the most popular DNS spoofing tactic. It’s easier than breaking in, but the results don’t last as long. Similarly, it allows the fake IP address to spread to other DNS servers’ caches.

This is how it works. The attacker sends a query to the DNS server, asking for an IP address. The DNS server sends out a query to the nameserver, and the attacker, pretending to be an authoritative DNS nameserver, responds to it himself. Since there is no verification in place, the hacker can plant a fake IP address in the DNS servers’ cache.

Once the faulty record is there, it’s sent out to other DNS servers who have also requested it. Even though caches expire every few hours, the fake DNS entry might still spread significantly, depending on how popular the domain is.

Performing a man-in-the-middle attack

If you’re using an unsafe connection, like public Wi-Fi, you might be vulnerable to a man-in-the-middle attack. If a hacker intercepts your connection, they’ll be able to see everything you do online and use that information against you. So, whenever your browser sends a request to a DNS server, the attacker might respond with any IP address they want.

As DNS spoofing is usually part of a larger attack scheme, the hacker will try to lead you to a fake website. These might look exactly like the real thing – popular online stores or social networks. They are used to trick people into revealing their login credentials, credit card information, and other sensitive data. If you’re not careful and don’t know how to spot a fake website, you might not even notice that something is off and unknowingly reveal your sensitive information.

How to prevent DNS spoofing

Since there is no way to check whether you got a real IP address, there’s not much you can do to stop it. If it redirects you to a random page, don’t click on anything, leave immediately, and notify your ISP about the possibly compromised DNS record.

You should also use a VPN to avoid man-in-the-middle attacks. NordVPN’s CyberSec feature will enhance your security even further by notifying you if the page you’re about to visit is known to contain malware. However, if you suspect that a webpage you were redirected to might have installed malware on your device, use an anti-malware tool to scan it.

The one thing you must look out for the most is copies of real websites. Luckily there’s more than one way to spot a fake, and once you get the hang of it you won’t be easily tricked:

  1. Check the URL. If it’s not the same one you entered, it’s a huge red flag. If the attacker created a replica of an existing website, they needed to register it with a similar domain name. So, some letters might be changed or missing – this way, “youtube.com” might become “youlube.com.”
  2. Look for the little padlock next to the URL. If it’s open or crossed out, it means that the page doesn’t have a valid TLS/SSL certificate, so all the traffic between you and the website is unencrypted. If you’re visiting the website of your local newspaper, it’s not that surprising. But if it’s a major platform with millions of users, you should investigate it further before doing anything else.
  3. Look for typos and obvious grammar mistakes. If the words are capitalized randomly, there are commas in weird places, and the content altogether seems weird, the website may be fake.
  4. Pay attention to the website's design. It’s something you may not notice every time, but people can usually tell if something is not right. If your bank usually uses dark purple, you’re likely to notice if their webpage is the wrong color or the logo is skewed. Trust your instincts, and if it looks suspicious, carefully check for other signs before continuing.

To learn more about cybersecurity, subscribe to our monthly blog newsletter below!


Anna Rasmussen
Anna Rasmussen successVerified author

Anna is a content writer at NordVPN. As a young tech enthusiast, she helps readers explore what makes the internet run and how to stay safe.


Subscribe to NordVPN blog