DNS Spoofing

DNS Spoofing is one of the most common forms of cyber attack, and can be devastatingly effective against unsuspecting users.

This type of attack exploits one of the most fundamental parts of the way that the internet works, and so can be very hard to spot and avoid.

DNS Spoofing works like this. Though we humans are used to navigating to websites by typing in a URL, the way that your devices actually find the site you are looking for is different. When you type in a URL, your router converts this into a machine-readable address. It does this by looking it up in a Domain Name System (DNS) table, which then tells it where to look. In a DNS Spoofing attack, this table is altered, and your device will look in the wrong place. This could be a malicious website.


DNS Spoofing attacks also have a feature that makes them extra dangerous. If your router doesn’t know where to find a particular site, it will query the DNS table held by your ISP. If your ISP doesn’t know, it will ask yet another server, and so on up the chain.

You can see the problem: if an attacker manages to alter the DNS table of a relatively high level server, this incorrect information will cascade down across large sections of the internet.

This has occasionally happened by accident.

In 2010, an ISP based in Sweden accidentally populated their DNS tables with information drawn from China. Users routed through this server then received Chinese versions of many popular sites including Facebook, Twitter, and YouTube. These users noticed the mistake when the versions of the sites they received were clearly censored according to the Chinese government’s ‘Great Firewall’.

Though the mistake was quickly rectified, it reminded everyone of the danger of DNS Spoofing attacks, and just how quickly they can spread.

What is DNS (Domain Name System)?

To understand DNS Spoofing, we first need to understand what the DNS system is.

DNS is a fundamental part of how the internet works. The aim is to convert a human-readable domain name (something like example.com) into a numerical code that your computer understands. This code is called an IP address.

When you type a URL into a browser, a server will translate this into an IP. The first server that will be asked to do this is normally your WiFi router. If the router doesn’t know the IP address that corresponds to your requested URL, it will ask the server that sits ‘above’ it, which is normally a server owned by your ISP.

In order to speed up these requests, most servers will remember a set number of URLs and their corresponding IPs, and will hold on to this information for a set period of time before checking them again. This is called a DNS cache.

The DNS cache is a great feature, because it makes looking up an IP much quicker. It can also create some problems, though. If an attacker gains access to the DNS lookup table, they can alter the IP addresses it holds. This means that, when your devices ask for an IP address for a website you want to visit, the server will tell them to look in the wrong place, and you can be re-routed to a fake site controlled by an attacker.

This is dangerous because the fake site will probably look exactly the same as the legitimate one you are looking for. You won’t notice the difference, and your device probably won’t either.

What is DNS Spoofing?

Purposefully compromising a DNS table with malicious intent is known as DNS Spoofing.

The aim of a DNS Spoofing attack is to redirect users to a website or location controlled by the attacker. They are typically hard to spot, precisely because they make use of the normal system that devices and servers use to find websites. If implemented correctly, this means that an incorrect IP address looks exactly the same as a real one, and neither user nor server will be aware that an attack has taken place.

This type of attack starts when an attacker injects a forged DNS entry into a server. Sometimes, this is done at a relatively high level, by attacking an ISP. Sometimes, it can be achieved by simply taking control of a personal or corporate WiFi router. If an attacker is able to obtain the admin password for a router, perhaps by using an Evil Twin attack, altering DNS tables becomes relatively easy.

A favourite approach is therefore to attack public WiFi networks, which typically use poor security protocols, and are sometimes unreliable enough to allow attackers to hide their activities under the disguise of sketchy connections.

Once users have been redirected to an incorrect site or location, an attacker can launch further attacks aimed at stealing sensitive or confidential information, stealing money, or simply impersonating a user.

DNS Spoofing attacks are often the first step in implementing a variety of further attacks:

  • The fake website that users are redirected to can be part of a standard phishing scam. An attacker can build a website that looks just like a legitimate one, and unsuspecting users will then enter their login details or other types of valuable data. This is one of the most common forms of attack, because it is one of the easiest to perform. It is even possible, believe it or not, to buy fully-featured kits that allow the average user to perform this type of attack.
  • A more complicated form of attack, but one that can also start with DNS Spoofing, is a man-in-the-middle attack. In this type of attack, instead of being redirected to a fake website, the hacker intercepts information passing between the user and a server, but lets each believe they are communicating directly (and securely) with the other.
  • DNS Spoofing can also be the starting point for a Session Hijacking attack. To do this, an attacker will redirect a user to a fake website using a DNS redirect, but will also pass on any authentication information they enter to the real website. By stealing a user’s login details, an attacker can log into the real website as though they are the victim. Any information normally visible to the victim, such as credit card or banking details, is now visible to the attacker.

Whatever the attack method, though, the goals are the same: to steal personal information, either to sell it or to blackmail the victim into paying the attacker, or to gain access to a victim’s online banking accounts and simply pay himself (or herself) a fat bonus from their account.

What is DNS Cache Poisoning?

DNS Cache Poisoning is a related form of attack, and in fact this term is sometimes used interchangeably with DNS Spoofing.

Though any DNS Spoofing attack technically makes use of ‘cache poisoning’, in the industry cache poisoning is more often used to refer to large-scale, high-level DNS attacks that aim to affect many users rather than targeting a particular individual.

Cache poisoning attacks make use of a feature of the DNS system that we’ve already mentioned. If a server doesn’t know the IP address for a given URL, it will ask the server ‘above’ it for this information. If that server doesn’t know, it will ask yet another one. This process will continue until the IP is found, and this will be sent back down the chain to the user.

This means that if an attacker manages to inject incorrect DNS entries into a high-level server, this malicious information will cascade down across large sections of the internet. Each cache will be poisoned by the one above it, in other words.

Gaining access to the DNS tables held by large companies might be more difficult than compromising a public WiFi router, of course, but the rewards of doing so are correspondingly greater. A successful cache poisoning attack can affect hundreds of thousands of users, at least for a short time before the attack is detected and the DNS tables are fixed.

The Risks of Being Exposed To DNS Spoofing

For the average user, exposure to a DNS Spoofing attack often comes in the form of an email. This email will encourage (or frighten) users into clicking on a URL. Once clicked, malware will be loaded onto a user’s computer, and this will be used as a starting point to poison any available DNS tables. Banner adverts are also a common attack vector for DNS Spoofing attacks, especially those on sketchy websites and those contained in unsolicited emails.

If you fall victim to a DNS Spoofing attack, you open yourself up to a variety of risks:

  • Most DNS Spoofing attacks have a simple goal, albeit a scary one: to steal personal information. This can range from login details for social media sites to more obviously sensitive data like online banking details. It might not sound like someone stealing your Facebook password would be a big deal, but it could be. This is often the first step in an attacker gaining access to the other systems you use, in order to build up a profile that will allow them to impersonate you, or simply to sell this to other criminals.

    Oh, and if you’ve used the same password for your Facebook profile as you use for your email, PayPal, or banking account, then good luck. An attacker now may also gain access to your photographs, contact list, and even money.

  • Another risk of DNS Spoofing attacks is the threat of malware. In some attacks, an attacker will create a large number of fake sites that look just like the real deal: a ‘fake internet’, in other words. A victim will then spend hours surfing between these fake sites, and this will give the hacker plenty of opportunity to infect their devices with Trojans or other forms of malware.
  • Perhaps the worst risk, though, is that some forms of DNS Spoofing attack will redirect your anti-virus program. This means that it will not download legitimate security updates. If this happens, even if a security vulnerability is isolated and patched by your anti-virus provider, you are not going to receive the fix. In the worst cases, this can keep devices infected with a horrible mix of malware and DNS rerouting for years.

If all this is starting to make you worried, then better late than never: you’ve taken the first step to avoiding DNS Spoofing attacks. Now, let’s look at what you can do about them.

How to Prevent DNS Spoofing?

Unfortunately, there is little the average user can do to prevent high-level DNS Spoofing attacks. There is not much you can do about the security practices put in place by your ISP, and if their servers are compromised there is no way you will be able to detect it. At this level, the best thing you can do is to scan the news for attacks against your ISP, and change provider if they look like they don’t take security seriously.

If you are a site owner, it is your responsibility to ensure that your visitors don’t fall victim to DNS Spoofing when they are using your site. You can do this in a variety of ways, none of which are perfect, but which, used together, will make your visitors much more secure:

  • Implement DNS spoofing detection mechanisms. These come in a variety of flavours, but work in much the same way. By scanning the data passing between your site, your DNS provider, and your visitors, programs like XArp will detect suspicious activity. You can then repair any DNS tables that you have access to in order to defeat malicious redirects.
  • The use of encrypted data transfer protocols should be standard for any website, but sadly it is not. The best approach here is to implement end-to-end encryption via SSL or TLS, in order to ensure that the data you are exchanging with your visitors cannot be intercepted and altered by an attacker. These protocols will also allow users to verify that servers’ digital certificates are valid, and to spot fake sites that are designed to look like legitimate ones.
  • DNSSEC is a set of security extensions that are specifically designed to defeat DNS Spoofing attacks. At the moment, these tools are still quite underdeveloped, but already offer a pretty good level of protection against the most common types of DNS Spoofing attack. They work by digitally signing a DNS table, which allows its contents to be authenticated.
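The cascade described under cache poisoning above and the record signing that DNSSEC adds, in one added illustration (constructed for this article, not code from the original or from any DNS software): a toy chain of caching resolvers in which a record injected into the ISP cache flows down to the router and on to the user, while a router that validates signatures refuses to serve it. The zone key, the RFC 5737 addresses and the HMAC used as a stand-in for a DNSSEC signature are all assumptions of the example.

```python
import hmac
import hashlib
# Constructed example: a toy chain of caching resolvers (router -> ISP ->
# authoritative) with a stand-in for DNSSEC signing. Not real DNS code.
ZONE_KEY = b"example-zone-signing-key"   # assumed; stands in for the zone's DNSSEC key

def sign(domain, ip, key=ZONE_KEY):
    """HMAC over the record, standing in for a DNSSEC RRSIG (real DNSSEC uses
    public-key signatures chained to the root, not a shared secret)."""
    return hmac.new(key, f"{domain}={ip}".encode(), hashlib.sha256).hexdigest()

class Resolver:
    def __init__(self, name, upstream=None, records=None, validate=False):
        self.name = name
        self.upstream = upstream          # server asked 'above' on a cache miss
        self.cache = dict(records or {})  # domain -> (ip, signature)
        self.validate = validate          # DNSSEC-style validation on/off

    def resolve(self, domain):
        """Return (ip, signature), or None when no valid answer exists."""
        if domain not in self.cache:
            if self.upstream is None:
                return None
            answer = self.upstream.resolve(domain)
            if answer is None:
                return None
            self.cache[domain] = answer   # cache whatever the upstream said
        ip, sig = self.cache[domain]
        if self.validate and not hmac.compare_digest(sig, sign(domain, ip)):
            del self.cache[domain]        # forged record: drop it, do not serve it
            return None
        return ip, sig

def poison(resolver, domain, fake_ip):
    """An injected record: the attacker holds no zone key, so it carries no valid signature."""
    resolver.cache[domain] = (fake_ip, "")

def demo(validate, poisoned=True):
    """Optionally poison the ISP cache, then ask through the router.
    Returns the IP a user behind the router would be sent to, or None."""
    legit = "192.0.2.10"                   # RFC 5737 documentation addresses
    auth = Resolver("authoritative",
                    records={"example.com": (legit, sign("example.com", legit))})
    isp = Resolver("isp", upstream=auth)
    router = Resolver("router", upstream=isp, validate=validate)
    if poisoned:
        poison(isp, "example.com", "198.51.100.66")
    answer = router.resolve("example.com")
    return answer[0] if answer else None
```

Without validation the router caches and serves the ISP's forged record, which is the cascade the article describes; with validation it drops the record and the user gets no answer rather than a wrong one.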

These tools are great ways for site owners to limit the risk of DNS Spoofing, but what about the rest of us?

Sadly, DNS Spoofing is quite hard to avoid and detect at the level of individual users. Avoiding this type of attack should start with the same defence mechanisms that you use against all forms of cyber attack, and which we should all know by now:

  • Don’t click on sketchy-looking URLs in emails from people you don’t know.
  • Don’t connect to unsecured WiFi networks, and if you have to, NEVER send sensitive information over them. And yes, that includes logging in to your Facebook profile.
  • If a website doesn’t look like it is real, it isn’t. Get out of there as quickly as you can.

Finally, if you really want to stay safe from DNS Spoofing, and in fact from all the most common cyber threats, you should really …

Get a VPN

A Virtual Private Network (VPN) provides you with protection against a variety of threats, including those posed by DNS Spoofing. At a basic level, a VPN will encrypt all of the information you send and share online. This encryption is end-to-end, which ensures that no-one besides you and the site you are communicating with will be able to read it.

When it comes specifically to DNS Spoofing attacks, a quality VPN will also offer protection measures specifically designed to defeat this kind of attack. PureVPN, for instance, offers DNS leak protection. This automatically prevents your device from being diverted by compromised DNS tables.

In addition, a VPN will protect you against the type of attacks that can follow an initial DNS redirect. Because a VPN keeps all of your data encrypted, even on public WiFi networks, an attacker will never be able to read or alter this information.


DNS Spoofing attacks have been around for years, but are still common. Because they exploit one of the most fundamental parts of the way the internet works, the DNS system, they can be very hard to detect and defeat.

Though the risks of falling victim to a DNS attack are enormous, there are also some basic things you can do to protect yourself. First and foremost, you should know what a DNS Spoofing attack looks like, and how it works. If you’ve read this far, then you should have that covered!

Beyond that, avoiding DNS Spoofing is all about vigilance. If a website looks sketchy, don’t use it. If an email looks suspicious, delete it. And always use the encryption offered by a VPN, just in case someone is listening in.
