
What is DNS cache poisoning?

DNS cache poisoning can put internet users at risk and may result in the spread of malware and other cyberattacks. In this article, we’ll explain what DNS cache poisoning is, how it works, and the steps you can take to prevent it.

18 Oct 2025

11 min read

DNS cache poisoning

What is DNS cache poisoning?

DNS cache poisoning is a type of cyberattack in which false information is inserted into a DNS server’s cache. When that happens, the server starts returning the wrong IP address for a domain name, directing users to a fake website controlled by attackers.

The goal of a DNS cache poisoning attack is to redirect traffic away from legitimate websites to sites designed to steal data, install malware, or intercept user activity.

What is DNS?

The Domain Name System (DNS) is an internet protocol that translates human-readable domain names into numerical IP addresses. It operates as a naming system that links identification strings to the corresponding computers, services, and resources connected to the internet.

DNS is intended to help users access the websites they want without having to type long and complex numerical IP addresses. That is essentially what DNS is: a service that makes the internet practical and functional by turning easily memorized domain names into machine-level identifiers.

What is DNS caching?

DNS caching is the process of temporarily storing DNS query results on a device or server. When you visit a website, the DNS resolver retrieves its IP address and keeps it in a cache for a set period of time. This allows future visits to the same website to load faster because the resolver can use the stored record instead of repeating the lookup process.

Each cached record has a time to live (TTL) value — a countdown that determines how long the information remains valid. Once the TTL expires, the DNS resolver removes the record and fetches a fresh one from an authoritative DNS server.

How does DNS caching work?

Let’s define our terminology. DNS stands for “domain name system.” It’s the process that matches domain names with the right IP addresses.

When you type www.google.com (for example) into your browser, your device needs to find out which IP address is associated with that domain. It sends a lookup request to a DNS server (usually via your internet gateway, which in most cases is your router), and that server then works out which IP address www.google.com is using at that moment.

The DNS server then sends the IP address back to your router, and you are able to load Google’s homepage. The whole process takes a matter of milliseconds, but it can be even faster thanks to caching.

To speed up this process, the DNS server saves Google’s IP address in its DNS cache for a limited period of time. If someone else wants to open www.google.com during this period, the DNS server already has the IP address saved and doesn’t need to go through the process of finding it for them. This conserves time and processing power for the server.

Most DNS servers maintain a cache of IP addresses linked to specific domains. This is useful but can also leave them vulnerable to cache poisoning.

How does DNS cache poisoning work?

Cache poisoning occurs when a hacker tricks a DNS server into saving the wrong IP address in its cache. To see how it happens, let’s go back to our Google example.

  1. Your device sends a lookup request to a DNS server to find the IP address linked to the domain www.google.com.
  2. The DNS server starts querying other servers to get the correct record and tags its request with a unique numerical identifier (for example, 1,100). The reply from the responding server will carry the same number.
  3. While this process runs, an attacker bombards the DNS server with thousands of fake responses, each carrying a guessed identifier and a forged IP address that points to the attacker’s server.
  4. If one of those forged replies happens to match the correct identifier, the DNS server accepts it as genuine.
  5. The false record is stored in the DNS cache, and from that point on, anyone requesting www.google.com will be directed to the attacker’s server instead of the real one.

This type of DNS cache poisoning attack can last until the poisoned record expires or the cache is cleared, exposing users to a dangerous server full of malware and producing effects similar to a man-in-the-middle (MITM) attack.
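The five steps above hinge on one decision: whether the resolver matches an incoming reply to its outstanding query. The following Python, added here as an illustration and not code from the original article, is a toy model of that check. It registers a query under a random 16-bit transaction ID and a random source port (the randomization defenses the Kaminsky section below refers to), then accepts a constructed reply only if the ID, the port it arrives on, and the question all match. The wire-format helpers, the `pending` table, and the documentation-range IP addresses are assumptions of the example.

```python
import os, struct

def encode_name(name):
    """Dotted hostname -> DNS wire format (length-prefixed labels, zero terminator)."""
    return b"".join(bytes([len(lab)]) + lab.encode() for lab in name.rstrip(".").split(".")) + b"\x00"

def decode_name(data, off):
    """Wire-format name at `off` -> dotted string (no compression pointers expected here)."""
    labels = []
    while data[off]:
        labels.append(data[off + 1:off + 1 + data[off]].decode())
        off += 1 + data[off]
    return ".".join(labels)

def start_query(pending, qname):
    """Register an outstanding query under a random 16-bit ID and a random source port."""
    txid = int.from_bytes(os.urandom(2), "big")
    port = 1024 + int.from_bytes(os.urandom(2), "big") % (65536 - 1024)
    pending[(txid, port)] = qname
    return txid, port

def build_response(txid, qname, ip, ttl=300):
    """Constructed A-record reply; the same builder serves genuine and forged packets."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + bytes(map(int, ip.split(".")))
    return header + question + answer

def accept_response(pending, dst_port, resp):
    """Resolver-side checks before caching: right port, same ID, same question, A record."""
    txid, flags, qd, an = struct.unpack("!HHHH", resp[:8])
    key = (txid, dst_port)
    if key not in pending or not flags & 0x8000 or qd != 1 or an < 1:
        return None                                      # unknown ID/port, not a reply, or empty
    if decode_name(resp, 12) != pending[key]:
        return None                                      # answers a question we never asked
    off = 12 + len(encode_name(pending[key])) + 4        # first answer RR
    off += 2 if resp[off] & 0xC0 == 0xC0 else len(encode_name(decode_name(resp, off)))
    rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
    if rtype != 1 or rdlen != 4:
        return None
    del pending[key]                                     # one answer per outstanding query
    return ".".join(str(b) for b in resp[off + 10:off + 14]), ttl

def demo():
    pending, qname = {}, "www.google.com"
    txid, port = start_query(pending, qname)
    forged = build_response((txid + 1) & 0xFFFF, qname, "203.0.113.7")  # ID guess is off by one
    genuine = build_response(txid, qname, "198.51.100.10")
    return accept_response(pending, port, forged), accept_response(pending, port, genuine)
```

With only the ID randomized, a blind guess has a 1 in 65,536 chance per packet; adding the source port multiplies the space by roughly 64,000 again, which is why step 3 stops being practical once both are unpredictable.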

Examples of DNS cache poisoning

A DNS cache poisoning attack can be carried out at the client or server level. Many devices, including routers, have a DNS cache built into their operating systems, which can be exploited by cybercriminals. A DNS server is an equally attractive target — real incidents have shown how attackers can manipulate DNS servers to redirect users or disrupt online services. Over the years, several high-profile incidents have shown how damaging DNS cache poisoning can be.

The Kaminsky attack

Security researcher Dan Kaminsky demonstrated that predictable transaction IDs and port numbers made many DNS servers vulnerable to cache poisoning. His research showed how an attacker could inject forged DNS records into caches at scale, which led to emergency patches and stronger randomization defenses across the DNS ecosystem.

Brazil ISP incident

In 2011, millions of internet users in Brazil were exposed to malware after attackers poisoned the DNS caches of several internet service providers (ISPs). By inserting false records into ISP-level DNS servers, the attackers redirected users to servers they controlled. 

When users tried to visit popular websites, they were shown fake warnings prompting them to install supposed “security software.” The downloads turned out to be banking trojans. 

The attack demonstrated how dangerous a poisoned DNS cache can be when it affects a major ISP. With a single breach, cybercriminals could redirect vast numbers of users to malicious sites, bypassing individual device security measures entirely.

SAD DNS

Researchers uncovered a new variant called SAD DNS (a side-channel attack), which exploited predictable packet fragment fields in the Internet Control Message Protocol (ICMP) responses to guess randomized ports used by modern resolvers. The flaw revived cache poisoning risks even after earlier defenses had been strengthened. Major DNS providers patched their systems to close the loophole.

These cases show the evolution of DNS cache poisoning, from exploiting predictable identifiers to abusing side channels, while the attacker’s objective remains the same: corrupt resolver data to redirect traffic to attacker-controlled servers.

How can you detect DNS cache poisoning?

Detecting a DNS cache poisoning attack can be difficult because it alters where your traffic goes, not how your device behaves. Still, there are several signs and checks that can help you spot a compromised DNS cache.

For everyday users:

  • Unexpected redirects. Trusted websites suddenly load unfamiliar layouts, languages, or ask for credentials when they usually don’t.
  • Browser security warnings. HTTPS errors or certificate mismatch alerts appear when visiting known, legitimate sites.
  • IP mismatch. Use a tool like nslookup, dig, or an online DNS checker to compare the IP address your DNS server returns with the one shown by a trusted public DNS service.
  • Suspicious pop-ups or downloads. Legitimate pages prompt unexpected software updates or file downloads.

For network administrators:

  • Unusual DNS logs. Sudden changes in DNS records, repeated lookups for the same domain, or abnormal time-to-live (TTL) resets.
  • Mismatched responses. The IP addresses returned by your organization’s DNS servers differ from those of trusted public DNS services.
  • Frequent cache resets. DNS cache entries are repeatedly cleared or replaced without a clear reason.
  • Traffic anomalies. Network monitoring tools show inconsistent DNS query-and-response patterns.
  • Cross-checking results. Compare domain lookups between your internal DNS servers and secure public ones (such as Google Public DNS or Cloudflare DNS) to confirm accuracy.

If you suspect your DNS cache has been poisoned, flush the DNS cache on your device or network equipment and temporarily switch to a trusted DNS service. If the issue persists, investigate for possible network compromise or misconfiguration.
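To make the administrator checks above concrete, here is added Python (not code from the original article) that runs two of them over constructed data: it flags a cached answer that was replaced before its TTL countdown ran out, and it cross-checks local answers against those of a trusted public resolver. The log format, the sample lines, and the documentation-range addresses are assumptions of the example.

```python
# Constructed resolver cache log: "<epoch seconds> <name> <answer ip> <remaining ttl>"
SAMPLE_LOG = """\
1700000000 www.example.com 198.51.100.10 300
1700000120 www.example.com 198.51.100.10 180
1700000200 www.example.com 203.0.113.7 300
1700000400 mail.example.com 198.51.100.20 600
1700001100 mail.example.com 198.51.100.21 600
""".splitlines()

def parse_line(line):
    ts, name, ip, ttl = line.split()
    return int(ts), name, ip, int(ttl)

def find_suspicious_replacements(lines):
    """Flag a name whose cached answer changes while the previous entry should still
    have been valid, i.e. before its TTL countdown reached zero. A change that shows
    up after expiry is a normal refresh and is not reported."""
    last = {}       # name -> (seen_at, ip, remaining ttl)
    alerts = []
    for ts, name, ip, ttl in map(parse_line, lines):
        if name in last:
            seen_at, prev_ip, prev_ttl = last[name]
            expires_at = seen_at + prev_ttl
            if ip != prev_ip and ts < expires_at:
                alerts.append((name, prev_ip, ip, expires_at - ts))   # seconds of TTL left
        last[name] = (ts, ip, ttl)
    return alerts

def cross_check(local, reference):
    """Names whose local answers include an address no trusted reference resolver returns.
    CDNs and geo-DNS produce some legitimate differences, so treat a hit as a lead, not proof."""
    return sorted(name for name, ips in local.items() if ips - reference.get(name, set()))
```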

DNS cache poisoning prevention

You can’t stop every DNS attack yourself, but there are steps you can take to make DNS cache poisoning far less likely.

  • Turn on DNSSEC validation. Domain Name System Security Extensions (DNSSEC) is a security framework that adds authentication to DNS. It uses digital signatures to verify that DNS data comes from the correct source and hasn’t been altered during transfer.
  • Use a DNS service. Choose a DNS provider that validates DNSSEC and has built-in protection against cache poisoning. Large, well-managed DNS networks can respond quickly to queries and are less vulnerable to manipulation.
  • Enable encrypted DNS traffic. Protocols such as DNS-over-HTTPS (DoH) and DNS-over-TLS (DoT) encrypt DNS requests between your device and the DNS server, making it harder for attackers to intercept or alter responses.
  • Review your DNS configurations. If you manage a private DNS server, ensure it’s securely configured and doesn’t accept recursive queries from external sources.
  • Flush your DNS cache periodically. You can flush DNS caches manually to clear outdated or corrupted entries that might cause your device to connect to incorrect IP addresses.
  • Monitor for DNS irregularities. Unexpected redirects, mismatched IP addresses, or repeated resolution failures can signal a poisoned cache.

How will DNSSEC help prevent DNS cache poisoning?

DNSSEC directly addresses the fundamental security issue that makes DNS cache poisoning possible, which is that traditional DNS lookups lack a built-in authentication process.

In a standard DNS lookup, servers trust that the response they receive is legitimate, and that’s exactly the weakness attackers exploit to inject false information into a DNS cache. DNSSEC addresses this issue by signing DNS records with private keys and enabling servers to validate them using public keys. If the signature doesn’t match, the data is rejected before it can be stored or served to users.

In other words, DNSSEC doesn’t encrypt DNS traffic or make it confidential. Instead, it ensures that what a DNS server receives and stores is authentic. By confirming that each DNS record comes from its real source, DNSSEC helps prevent forged responses that lead to DNS cache poisoning attacks.

But despite this, DNSSEC isn’t yet deployed by all domains and providers. The good news is that adoption is growing as more public DNS services and registries enable DNSSEC validation by default.

Can a VPN help you stay safer?

A VPN can boost your security and online privacy, but NordVPN offers special features that can help you with the specific problem of malware infection. NordVPN’s Threat Protection Pro™ blocks access to websites that are known to host malware, so even if you’re redirected, you can still protect your device.

Threat Protection Pro™ also functions as an ad blocker and shields you from trackers, allowing you to stay safer and more secure while browsing online.

DNS spoofing vs. DNS cache poisoning

DNS spoofing and DNS cache poisoning are closely related but describe different stages of the same attack process.

DNS spoofing refers to the act of forging or “spoofing” a DNS response to make it appear as if it came from a legitimate source. Attackers do this by sending fake DNS replies that contain incorrect IP addresses. The goal is to deceive a DNS server or device into accepting the false information as genuine.

DNS cache poisoning, on the other hand, is the result of a successful spoofing attempt. When a DNS server accepts and stores a forged response in its cache, that false information becomes part of the data it uses to answer future queries. Every user who depends on that server for name resolution will then be redirected to the attacker’s destination until the cache is cleared or expires.

The two terms are often used interchangeably, but they shouldn’t be: they describe distinct roles in the same attack chain. One initiates the deception, and the other sustains it. You can think of the difference in terms of:

  • Definition. DNS spoofing: the act of sending forged DNS responses that contain false IP addresses. DNS cache poisoning: the condition created when forged DNS data is saved in a DNS cache.
  • Role in the cyberattack. DNS spoofing: the method used to inject fake data into DNS communication. DNS cache poisoning: the outcome when the fake data is stored and reused from the cache.
  • Intent. DNS spoofing: to deceive a DNS server or client into accepting falsified information. DNS cache poisoning: to make the falsified information persist and redirect users repeatedly.
  • Duration. DNS spoofing: ends once the forged response is rejected or accepted. DNS cache poisoning: lasts until the cache entry expires or is manually cleared.
  • Scope. DNS spoofing: affects a single DNS query or response. DNS cache poisoning: affects all users who rely on the poisoned cache.
  • Example. DNS spoofing: an attacker sends a fake DNS reply claiming that www.google.com resolves to their IP address. DNS cache poisoning: the DNS server saves that fake IP in its cache, redirecting users to the attacker’s server.

To put it simply: DNS spoofing is the technique, and DNS cache poisoning is the lasting effect. Spoofing initiates the attack, and poisoning sustains it. If you’re interested in how these tactics compare to other DNS threats, take a look at our comparison on domain hijacking vs. DNS poisoning.


Copywriter: Dominykas Krimisieras

Dominykas Krimisieras writes for NordVPN about the parts of online life most people ignore. In his work, he wants to make cybersecurity simple enough to understand — and practical enough to act on.