What Is DNS poisoning? Security Definition
This page mentions older exam versions. See the Current Exam Context and Legacy Exam Context sections below for the updated mapping.
On This Page
What do you want to do?
Quick Definition
DNS poisoning is when attackers trick a DNS server into storing wrong address information. When you type a website name, the server sends you to a fake site instead of the real one. This can lead to stolen passwords or infected computers. It is a serious security problem that affects how the internet finds websites.
Common Commands & Configuration
dig +dnssec www.example.comQuery a DNS resolver for a domain with DNSSEC validation. The +dnssec flag requests DNSSEC records (RRSIG, DNSKEY) and shows the authentication chain. Use this to verify if a resolver is returning signed records correctly.
Appears in CompTIA Network+ and Security+ to demonstrate how to verify DNSSEC authentication and detect cache poisoning.
ipconfig /flushdnsFlush the local DNS resolver cache on Windows systems. This removes all cached entries, including potentially poisoned records. Run this as an immediate step after detecting a poisoning incident.
A+ and Network+ exams test this command as a basic troubleshooting step for connectivity issues caused by stale DNS cache.
show ip dns view default cacheOn Cisco IOS, displays the contents of the DNS resolver cache, including domain names and their resolved IP addresses. Used to inspect for suspicious or unauthorized entries.
CCNA exam question regarding verifying DNS cache entries after a suspected poisoning attack requires this command.
dnscmd /clearcacheClear the DNS cache on a Windows Server DNS role. This removes all cached records from the server's cache, requiring a fresh query to authoritative servers. Use after a poisoning event to purge bad data.
Examined in Windows Server administration contexts (MCSA, AZ-104) as a method to force a clean cache reload.
unbound-control flush_zone example.comFlush all cached records for a specific domain from the Unbound DNS resolver. Unbound is a validating, recursive resolver. This command is used when a specific domain is known to be poisoned.
Relevant for Security+ and Linux+ when discussing configuration of DNSSEC-validating resolvers.
named-checkzone -D /etc/bind/db.example.comCheck the consistency and syntax of a BIND zone file. The -D flag prints the zone in a canonical format, allowing review of all records. Use this to verify that the authoritative zone file has not been tampered with.
CCNA and Network+ exams may reference this for verifying zone file integrity after a suspected poisoning on the authoritative side.
tcpdump -ni eth0 'udp port 53'Capture DNS traffic on an interface for analysis. This allows an administrator to see all queries and responses in plain text (if not encrypted). Useful for identifying forged responses with mismatched transaction IDs.
Security+ and CySA+ exams test this as a network forensic technique to identify DNS poisoning at the packet level.
Must Know for Exams
DNS poisoning is a recurring topic across many IT certification exams, especially those focused on network security, system administration, and cloud architecture. For the CompTIA Security+ (SY0-601) exam, you will find DNS poisoning listed under Domain 1.0 (Attacks, Threats, and Vulnerabilities), specifically as an example of a man-in-the-middle attack and a type of on-path attack. You may be asked to identify the characteristics of DNS poisoning in a multiple-choice question, or to distinguish it from DNS hijacking, DNS tunneling, or DNS spoofing. The exam expects you to know that DNS poisoning corrupts a DNS resolver's cache, that it can be mitigated with DNSSEC, and that TTL values affect how long the poison persists. For the CCNA (200-301) exam, DNS poisoning appears in the context of network security fundamentals. You may encounter a scenario where a network administrator suspects DNS cache poisoning, and you need to recommend the correct troubleshooting step, such as clearing the resolver cache or verifying the validity of DNS responses. The CCNA also covers DNS spoofing as a Layer 7 attack, and you should understand how Transaction IDs and source port randomization provide basic protection.
For the CompTIA Network+ (N10-008) exam, DNS poisoning is part of the network security section. You might be given a description of an attack that redirects users to a malicious website without changing the domain name, and you need to identify it as DNS poisoning. You should be able to explain the role of a recursive resolver, authoritative server, and cache in the attack. The AWS Solutions Architect Associate (SAA-C03) exam includes DNS poisoning as a security concern when using Route 53, the AWS DNS service. You may be asked how to protect your domain from DNS cache poisoning, typically by enabling DNSSEC signing for Route 53 hosted zones. The exam also tests your understanding of how Route 53 works with third-party DNS services and the security implications. The Google Associate Cloud Engineer (ACE) exam covers DNS security in the context of Cloud DNS. You should know how to enable DNSSEC for Cloud DNS managed zones and understand that DNS poisoning is a potential threat to your domain resolution.
The Microsoft Azure Administrator (AZ-104) exam touches on DNS poisoning primarily through Azure DNS and Azure Firewall DNS settings. You may need to configure DNSSEC or understand how Azure Firewall can filter DNS traffic to block malicious queries. The CompTIA A+ (Core 2) exam briefly covers DNS poisoning as a security issue related to malware and phishing. While not tested in depth, you should know that changing DNS settings is a common technique used by malware to redirect users, and that you can check the DNS settings in the network configuration to identify tampering. Across all exams, question types can be multiple-choice, scenario-based, or performance-based (e.g., in labs where you need to configure DNSSEC). The key takeaway is to understand the difference between DNS poisoning (cache manipulation) and DNS hijacking (DNS server/configuration manipulation), and to know the primary defense: DNSSEC.
Simple Meaning
Think of the internet as a giant phone book for websites. When you type a name like "mybank.com" into your browser, a DNS server looks up that name and gives back the number (IP address) of the computer that hosts the bank's website. DNS poisoning is when a bad guy sneaks into that phone book and changes the number next to "mybank.com" to point to a fake bank website. When you type the real name, you end up at the fake site. The fake site might look exactly like your bank, with logos and login boxes. If you enter your username and password, the attacker grabs them and can empty your account. The scary part is that you think you are at the right place because the web address looks correct in your browser. DNS poisoning is especially dangerous because it affects many people at once. If an attacker poisons a DNS server that millions of people use, all of them could be sent to fake sites. It works because the DNS system trusts the information it receives without always double-checking that it is correct. Imagine someone calling your office and saying they are from Tech Support, and you just trust them and give them your password. That is similar to how DNS poisoning exploits trust. The attack is hard to detect because everything looks normal from your perspective. You type the right name, the site looks correct, and your connection appears secure. Only a careful check of the server or network logs might reveal that the address you reached is not the real one. To stop DNS poisoning, security experts use special protocols that add digital signatures to DNS data. These signatures prove that the address came from a trusted source and has not been changed. Without these protections, any DNS server is vulnerable to poisoning if an attacker can send it fake responses before the real ones arrive. DNS poisoning corrupts the internet's directory system to steal your information or infect your computer with malware. It is a classic man-in-the-middle attack that targets the very foundation of how we navigate online.
DNS poisoning is not the same as hacking a website directly. Instead of breaking into the bank's server, the attacker changes the directions so that you never even reach the bank. This is simpler and often harder to fix because the problem is in the middle, not at the destination. Cleaning a poisoned DNS cache takes time, and in the meantime, thousands of users could be redirected. That is why DNS poisoning is considered a serious threat by security professionals.
To visualize it better, imagine you live in a city and you want to visit a friend named Alice. Her address is 123 Oak Street. DNS is like the city directory that tells you how to get there. DNS poisoning is like someone erasing 123 Oak Street from the directory and writing 456 Maple Street instead. So you show up at 456 Maple Street, which is a stranger's house. The stranger pretends to be Alice, asks for your personal information, and you give it willingly because you think you are at the right place. The entire visit feels normal, but you have been tricked. That is exactly what happens in DNS poisoning: the directions are corrupted, and you end up somewhere you did not intend to go.
Full Technical Definition
DNS poisoning, also known as DNS cache poisoning or DNS spoofing, is a type of attack that exploits vulnerabilities in the Domain Name System (DNS) protocol to inject fraudulent DNS resource records into the cache of a DNS resolver. The DNS is a hierarchical, distributed naming system that translates human-readable domain names (e.g., www.example.com) into machine-readable IP addresses (e.g., 192.0.2.1). Under normal operation, when a DNS resolver receives a query for a domain name it does not have cached, it recursively queries authoritative DNS servers, starting from the root zone, then the top-level domain (TLD) servers, and finally the authoritative nameserver for the domain. The response contains one or more DNS resource records, including A records (IPv4 address), AAAA records (IPv6 address), NS records (nameserver delegation), CNAME records (canonical name aliases), and others. The resolver caches these records for a period defined by the Time To Live (TTL) value in the response, so it can answer future queries faster without consulting authoritative servers again.
DNS poisoning attacks target the caching mechanism. The classic attack, known as the Kaminsky attack (discovered by security researcher Dan Kaminsky in 2008), sends a flood of DNS queries for non-existent subdomains of a target domain (e.g., random123.example.com). For each query, the attacker simultaneously sends forged DNS responses that claim to be from the authoritative nameserver for example.com. These forged responses contain a fraudulent A record for the target domain (e.g., www.example.com) pointing to an attacker-controlled IP address, and they also contain a spoofed NS record delegating authority for example.com to a malicious nameserver. The DNS resolver assigns a transaction ID (TXID) to each query, and the attacker must guess this TXID in the forged response to have it accepted. In the Kaminsky attack, the attacker sends many forged responses with different TXIDs and also uses multiple queries to increase the chance of a collision. Because the resolver caches the entire response, including the spoofed NS delegation, the poisoning persists even after the original cache entry expires. Modern DNS implementations have added defenses such as randomized source ports, TXID randomization, and query-specific nonces to make guessing the TXID more difficult. However, poisoning can still occur through other vectors, such as compromising the network path between the resolver and authoritative servers (e.g., via ARP spoofing or IP spoofing) or exploiting vulnerabilities in DNS software itself.
A related variation is DNS hijacking, where an attacker modifies the DNS configuration on a client or router to use a malicious DNS server. This is different from cache poisoning because it changes the resolver itself rather than corrupting its cache. Pharming is another term sometimes used interchangeably with DNS poisoning, though pharming often refers to user-level DNS redirection via malicious software (malware) that changes the hosts file on a user's computer. DNS poisoning specifically targets the resolver's cache, which can affect all users sharing that resolver (e.g., all employees of a company using the same internal DNS server, or all customers of an ISP using the same ISP DNS server). The impact can be wide-reaching.
The primary defense against DNS poisoning is DNSSEC (DNS Security Extensions). DNSSEC adds digital signatures to DNS data using public-key cryptography. The authoritative nameserver signs its DNS records with a private key, and the resolver verifies the signature using the corresponding public key, which is obtained through a chain of trust starting from the root zone. With DNSSEC, a resolver can reject any forged response that does not have a valid signature. Other defenses include limiting the amount of non-authoritative data that can be added to a cache, using short TTLs for critical records, and deploying DNS response rate limiting (RRL) to mitigate brute-force guessing attacks. Network segmentation and monitoring for unusual DNS traffic patterns can also help detect poisoning attempts.
In terms of protocols and standards, DNS poisoning primarily exploits the User Datagram Protocol (UDP) transport of DNS queries and responses. Since UDP is connectionless and does not provide authentication, it is inherently vulnerable to spoofing. TCP-based DNS queries are more secure because they establish a connection and can use TLS (DNS over TLS, DoT) or HTTPS (DNS over HTTPS, DoH) for encryption and authentication. However, most DNS traffic still uses UDP for performance reasons. Real-world implementations often use a combination of network-level access control lists (ACLs), firewall rules, and security information and event management (SIEM) systems to log and alert on anomalous DNS activity. Professionals studying for exams like Security+, CCNA, or AWS SAA need to understand the difference between DNS cache poisoning, DNS hijacking, and DNS spoofing, as well as the role of DNSSEC, transaction IDs, and source port randomization in mitigating these attacks.
Real-Life Example
Imagine you are going to visit a new doctor for the first time. You do not know the address, so you look up the doctor's office in the city directory. The directory lists the address as 500 Main Street. You drive to 500 Main Street, and there is a building with a sign that says "Medical Center." You walk in, talk to the receptionist, and give them your personal information. Later, you find out that this was not the real doctor's office. The real office was at 500 Oak Street, but someone had gone into the city directory and changed the address listing. They put up a fake medical center at 500 Main Street to collect people's sensitive information. That is exactly how DNS poisoning works. You trust the directory (the DNS server) to give you the correct address, but someone has tampered with the directory, so you end up at a fake location.
In this analogy, the city directory is the DNS resolver's cache. The attacker (the person who changed the directory) has poisoned the cache by inserting a false address. The fake medical center is the attacker's server, which looks legitimate and may even have a convincing website. You (the user) are the victim. You type in the domain name (the doctor's name) and the DNS server returns the fake IP address (the fake street address). Your browser takes you to the attacker's server, which may present a login page or request personal details. Everything seems normal because you saw the sign "Medical Center" (the website looks authentic) and you interacted with a person (the server) that pretended to be the real office. The biggest danger is that you have no reason to suspect anything is wrong because the process felt exactly the same as always.
To continue the analogy, the real doctor's office might realize that patients are not showing up. They might check the directory and discover the false listing. At that point, they contact the directory publisher to correct the address. This is like the DNS administrator clearing the poisoned cache and waiting for the TTL to expire before the correct records are fetched again. However, even after the directory is corrected, some people might have maps or notes with the wrong address from before. Similarly, DNS entries have TTL values: even after the cache is cleaned, if a client's device had cached the wrong address (because it uses its own local DNS cache), it might still go to the fake site until that local cache expires or is flushed. This highlights why DNS poisoning can be so persistent and hard to fully eradicate.
Another everyday example is GPS navigation. You enter the name of a restaurant into your GPS. The GPS looks up the address from its internal database. If someone hacked the GPS database and changed the restaurant's address to a different location, you would drive to the wrong place. The GPS screen would show the restaurant's name, but you would end up at an empty lot or a different business. You might not realize you were at the wrong place until you looked closely at the surroundings. DNS poisoning works the same way: the name looks correct, but the underlying address has been swapped.
Why This Term Matters
DNS poisoning matters because it undermines the trust that the entire internet relies on. Every time you visit a website, send an email, or connect to a cloud service, your device performs a DNS lookup. If that lookup gives a false answer, you can be redirected to malicious servers without any visible warning. This attack can be used for credential theft, malware distribution, ransomware delivery, and even interception of encrypted communications (if combined with fake SSL certificates). In an enterprise context, DNS poisoning can lead to data breaches, financial loss, and reputational damage. For IT administrators, dealing with a DNS poisoning event often requires flushing DNS caches across multiple servers, investigating the scope of the compromise, patching vulnerabilities, and potentially implementing DNSSEC. The attack can also be used as part of a larger campaign, such as phishing or spear-phishing, where the goal is to steal credentials or gain unauthorized access to internal systems.
On a practical level, DNS poisoning is difficult to detect without proper monitoring. Users may not notice anything unusual because the browser still loads a page with the correct domain name in the address bar. The connection may even show a padlock icon (HTTPS) if the attacker obtains a certificate for the fake site (through certificate misissuance or by using the real site's certificate if the attacker can proxy the connection). This is why security teams treat DNS as a critical control point. They monitor logs for unusual DNS resolution patterns, such as many queries for the same domain from different clients or responses with unexpected IP addresses. They also use threat intelligence feeds to block known malicious IPs and domain names.
For individual users, DNS poisoning can be just as damaging. If your home router's DNS settings or the DNS server provided by your ISP is compromised, every device on your network could be affected. The attacker could redirect your banking sessions, intercept your emails, or inject malware into web pages you visit. Because the attack works below the application layer, antivirus or firewall software may not catch it. That is why it is important to use secure DNS services (like Cloudflare's 1.1.1.1 or Google's 8.8.8.8) and to ensure your router firmware is up to date. DNS poisoning matters because it attacks the fundamental infrastructure of the internet, it can affect many users simultaneously, and it is hard to detect without specialized tools.
How It Appears in Exam Questions
DNS poisoning appears in exam questions through various patterns. One common pattern is scenario-based: you are given a description of a network attack where users are redirected to a fake website even though they typed the correct URL, and the website shows their name in the address bar. The question asks you to identify the type of attack. The correct answer is DNS poisoning (or DNS cache poisoning). Another pattern is troubleshooting: a system administrator notices that internal users cannot access a critical website, and a packet capture shows DNS responses with an unexpected IP address. The question may ask you to interpret the capture or recommend a fix, such as flushing the DNS cache or implementing DNSSEC.
A third pattern is comparison: the question asks for the difference between DNS poisoning and DNS hijacking. You might need to choose the answer that says DNS poisoning corrupts the cache of a DNS resolver, while DNS hijacking changes the DNS configuration on a client or router. A fourth pattern is defense: the question asks which technology prevents DNS cache poisoning, and the options include DNSSEC, TLS, SSH, or IPsec. The correct answer is DNSSEC (DNS Security Extensions). For cloud exams like AWS SAA, you may see a question about securing Route 53: you want to ensure that responses from your nameservers are not tampered with. The answer involves enabling DNSSEC signing for the hosted zone. There may also be questions about TTL values: if you set a very long TTL, what is the risk? The risk is that if a DNS record is poisoned, the incorrect entry will remain cached longer, affecting more users. Setting a short TTL reduces the window of exposure but increases DNS query load.
Performance-based questions (PBQs) are also possible, especially in CompTIA Security+ and Network+. For example, you might be given a network diagram and a log file, and asked to identify which server is likely poisoned. Or you may be asked to configure a firewall rule to block outbound DNS queries to a specific IP address that is known to be serving poisoned responses. In AWS SAA, you might be given a scenario where an application needs high availability and secure DNS resolution, and you must design a solution that includes DNSSEC for a Route 53 private hosted zone. The exam expects you to integrate security best practices automatically.
Finally, some questions test your understanding of the attack mechanism: the attacker sends a forged DNS response with a spoofed source IP (the authoritative server) and a guessed transaction ID. The question might ask about the role of the transaction ID or why source port randomization is an effective defense. You need to know that without randomization, the attacker only needs to guess a 16-bit transaction ID, which is feasible with enough queries. Source port randomization adds another 16 bits of entropy, making the attack much harder.
Practise DNS poisoning Questions
Test your understanding with exam-style practice questions.
Example Scenario
A company called TechCorp uses an internal DNS server that all employees use to access both internal and external websites. One day, an employee named Sarah tries to go to the company's HR portal at hr.techcorp.internal. She types the address into her browser, and the browser loads a page that looks exactly like the HR portal. She logs in with her employee ID and password. However, nothing happens. She tries again, and still nothing. She calls IT support. Meanwhile, another employee, Mark, tries to access the company's banking website to process payments. He types www.mybank.com, and the website loads normally. He logs in and transfers money as instructed. Later, the IT team discovers that the internal DNS server has a poisoned cache. For hr.techcorp.internal, the DNS server is returning the IP address of an attacker's server inside the company network. The attacker captured Sarah's credentials when she tried to log in. For www.mybank.com, the DNS server is returning a fraudulent IP address that points to a fake bank website, which recorded Mark's banking credentials and the transfer details. The attacker then used those credentials to initiate unauthorized transactions from the company's bank account.
In this scenario, the DNS server was poisoned because an attacker from outside the network sent a large number of fake DNS responses to TechCorp's DNS resolver, guessing the transaction IDs correctly. The resolver cached the false records, affecting all employees. The IT team realized something was wrong when they noticed that the logs showed a spike in DNS queries for random-looking subdomains, which is a telltale sign of a Kaminsky-style attack. They immediately flushed the DNS cache, changed the administrative passwords for the DNS server, and implemented response rate limiting to prevent future attacks. They also started planning to deploy DNSSEC. This scenario demonstrates the real-world impact of DNS poisoning: it can compromise sensitive credentials and financial data, and it requires a coordinated response from IT security.
Common Mistakes
Thinking DNS poisoning only affects the user who initiates the query.
DNS poisoning affects the DNS resolver's cache, which serves all users of that resolver. One poisoned entry can redirect an entire organization or ISP's customers.
Understand that poisoned caches are shared, so the scope of impact is much larger than a single user.
Confusing DNS poisoning with DNS hijacking.
DNS hijacking changes the DNS server configuration on a client or router, while DNS poisoning corrupts the cache of the DNS resolver itself. They are different attack vectors with different symptoms and countermeasures.
Remember: hijacking = changing where you look up addresses; poisoning = corrupting the address book that the lookup returns.
Assuming HTTPS fully protects against DNS poisoning.
HTTPS encrypts the communication between the browser and the server, but it does not verify that the server is the intended one. If an attacker obtains a valid SSL certificate for the fake domain (through certificate misissuance or by using a domain they control), the browser will show a padlock icon. The user is still on a fake site.
HTTPS prevents eavesdropping on the data, but it does not prevent DNS poisoning. Use DNSSEC to ensure you are reaching the correct server.
Believing that TTL has no impact on security.
TTL determines how long a cached record remains valid. A long TTL means that a poisoned entry stays in the cache longer, affecting more users. Short TTLs reduce the persistence of the attack but increase network overhead.
Use appropriate TTL values that balance performance with security. For critical domains, consider using shorter TTLs.
Thinking that enabling DNSSEC is a one-click fix with no operational impact.
DNSSEC requires key management, regular signing of zone data, and careful handling of key rollovers. If not properly implemented, it can cause resolution failures. It also adds computational overhead.
Plan your DNSSEC deployment carefully: generate keys, configure signing in your DNS software, and test thoroughly before production rollout.
Assuming that DNS poisoning is only possible from outside the network.
An attacker who has already gained access to the internal network can perform DNS poisoning from within, often more easily because internal DNS traffic may be less monitored.
Apply the principle of least privilege to DNS query sources. Use network segmentation and monitor internal DNS traffic for anomalies.
Exam Trap — Don't Get Fooled
{"trap":"In a question, a user reports that they are redirected to a malicious site when they type a legitimate URL. The browser shows the correct domain name in the address bar. The answer choices include 'DNS poisoning,' 'DNS hijacking,' 'Pharming,' and 'ARP spoofing.'
Many learners choose 'DNS hijacking' because they know it causes redirection.","why_learners_choose_it":"Learners often confuse DNS poisoning and DNS hijacking because both involve unwanted redirection. They remember that hijacking changes DNS settings, which feels like a more direct cause of redirection.
They may not realize that cache poisoning also causes redirection, but with the domain name remaining correct in the browser.","how_to_avoid_it":"Focus on the key indicator: the domain name in the address bar stays the same. That means the URL resolution itself was not changed (hijacking would change the resolver), but the IP address associated with that domain was altered in the DNS cache.
If the resolver was hijacked, the user would likely see a different URL or a search page. Also, pharming often involves modifying the hosts file on the client, not the server cache. So the correct answer in this scenario is DNS poisoning."
Commonly Confused With
DNS hijacking changes the actual DNS server configuration (e.g., your router's DNS setting) to point to a malicious resolver. In DNS poisoning, the resolver itself is legitimate, but its cache contains false data. Hijacking redirects queries entirely; poisoning gives false answers from a trusted resolver.
Hijacking: Someone changes your router to use Google's 8.8.8.8 but a fake version. Poisoning: Your normal ISP DNS server has a corrupted cache entry.
DNS spoofing is often used interchangeably with DNS poisoning, but it usually refers to the attacker sending a forged DNS response to a single query. DNS poisoning is the outcome of repeated spoofing attempts that corrupt the cache. Spoofing can happen without cache poisoning (e.g., in a man-in-the-middle attack on a single connection).
Spoofing: An attacker intercepts a single DNS query and sends a fake response to that specific user. Poisoning: The fake response gets stored in the server cache and affects all users.
Pharming is a broader term that includes DNS poisoning but also includes other methods like modifying the local hosts file on a user's computer or using malware to change DNS settings. DNS poisoning specifically targets the caching mechanism of a DNS resolver, not the client.
Pharming: Malware on your computer changes the hosts file so that 'www.bank.com' points to a fake IP. Poisoning: The company DNS server's cache has the false entry.
A MITM attack intercepts and potentially alters communication between client and server in real time. DNS poisoning is a specific technique to facilitate a MITM attack by redirecting the user to the attacker's server first. However, not all MITM attacks involve DNS; they can use ARP spoofing or rogue access points.
MITM: You connect to a fake Wi-Fi hotspot, and the attacker intercepts all your web traffic. Poisoning: The attacker changes the DNS record so your banking app connects to a fake server, which then acts as a MITM.
DNS tunneling uses DNS queries and responses to encapsulate non-DNS traffic (like SSH or HTTP data) to bypass network security controls. It does not corrupt caches but exploits the DNS protocol for data exfiltration or command and control. DNS poisoning is about injecting false data; tunneling is about hiding data.
Tunneling: An attacker exfiltrates stolen data by encoding it in DNS queries to a controlled server. Poisoning: An attacker changes a DNS record to redirect users to a fake site.
Step-by-Step Breakdown
User initiates a DNS query
The user types a domain name (e.g., www.example.com) into their browser. The operating system sends a DNS query to the configured DNS resolver (e.g., the company's internal DNS server or an ISP server).
Resolver checks its cache
The DNS resolver first checks its local cache to see if it already has a resource record for www.example.com. If found and the TTL has not expired, it returns the cached IP address directly to the client. If not cached, it proceeds to query authoritative servers.
Resolver begins recursive resolution
The resolver sends a query to a root nameserver to find the TLD nameserver for the .com domain. The root server returns a referral to the .com TLD servers. The resolver then queries the .com TLD server for the authoritative nameserver for example.com.
Authoritative nameserver responds
The resolver queries the authoritative nameserver for example.com, which responds with the correct IP address (e.g., 192.0.2.1) in an A record. The resolver caches this record with the given TTL value.
Attacker monitors or triggers queries
The attacker may send many DNS queries for non-existent subdomains of example.com to the same resolver (e.g., random1.example.com, random2.example.com). This forces the resolver to send iterative queries to the authoritative server for each subdomain, which gives the attacker more opportunities to inject forged responses.
Attacker sends forged DNS responses before the real responses arrive
For each query, the attacker sends a forged UDP packet spoofing the source IP of the authoritative nameserver. The forged response contains a false A record (pointing to the attacker's IP) and a spoofed NS record that delegates the entire example.com zone to an attacker-controlled server. The attacker must guess the correct transaction ID (TXID) and source port of the resolver's query.
Resolver accepts the forged response
If the forged response arrives before the legitimate response from the authoritative server and has a matching TXID and source port, the resolver accepts it as valid and caches the false records. The attacker's IP address replaces the legitimate one.
Cache serves poisoned records to all subsequent users
All users who query the same resolver for www.example.com will receive the attacker's fake IP address until the TTL expires or the cache is manually flushed. This can affect thousands of users within the TTL period.
Attacker's server responds with malicious content
When users connect to the attacker's server, they may see a replica of the legitimate website. The attacker can now capture credentials, deliver malware, or perform further attacks such as session hijacking.
Mitigation performed by system administrator
Upon detection, the administrator flushes the DNS cache (using commands like ipconfig /flushdns on Windows or systemd-resolve --flush-caches on Linux), implements response rate limiting, and enables DNSSEC to verify the authenticity of DNS responses. They may also change the resolver software or increase source port entropy.
Practical Mini-Lesson
DNS poisoning is not just a theoretical attack; it is a practical threat that IT professionals must understand, detect, and mitigate in real-world environments. In practice, DNS poisoning often targets internal DNS resolvers used by organizations. These resolvers typically sit behind the firewall and serve hundreds or thousands of employees. The first line of defense is to ensure that your DNS resolver software (like BIND, Unbound, or Windows DNS Server) is configured with proper security settings. This includes enabling source port randomization, implementing transaction ID randomization, and using DNS cookies if available. Source port randomization is critical because it adds entropy to the query, making it exponentially harder for an attacker to guess both the port and the TXID. In BIND, you can configure this with the 'use-query-port-pool' option. In Windows DNS Server, source port randomization is enabled by default starting from Windows Server 2012 R2. Another practical measure is to set restrictive ACLs on your DNS server to only accept recursive queries from internal IP ranges, preventing external attackers from using your server as a reflection target or from easily sending queries that they can spoof responses to.
Next, DNSSEC is the gold standard for preventing DNS poisoning, but it requires careful planning. You need to generate a Zone Signing Key (ZSK) and a Key Signing Key (KSK) for each signed zone. The ZSK signs individual records, and the KSK signs the ZSK. The public KSK is published in the DS (Delegation Signer) record at the parent zone. You must regularly roll over keys to maintain security. For exam purposes, you should know that DNSSEC creates a chain of trust from the root zone down to your domain. If you are using Route 53, enabling DNSSEC is done through the console with a few clicks, and AWS handles key management for you. In on-premises environments, you might use tools like dnssec-keygen and dnssec-signzone to manually sign zones. Incorrect DNSSEC configuration can lead to resolution failures, so always test in a lab environment first.
Monitoring is also part of the practical defense. Set up logging to capture all DNS queries and responses, and use a SIEM to alert on anomalies such as a sudden spike in NXDOMAIN responses (which may indicate a poisoning attempt) or responses from unexpected IP addresses. You can also use tools like dnstop or tcpdump to analyze DNS traffic in real time. For example, a large number of DNS queries for non-existent subdomains is a red flag. If you notice that, you may be witnessing a Kaminsky-style attack. In that case, you would temporarily block the source IPs and flush the cache. Finally, train users to be cautious even when the browser seems normal. Explain that a padlock icon does not guarantee you are on the real site if the DNS is compromised. This practical understanding of DNS poisoning-from configuration to detection to response-is exactly what IT certifications expect from candidates, and it is what you need to protect your production environment.
How DNS Cache Poisoning Overwrites Recursive Resolvers
DNS cache poisoning, also known as DNS spoofing, is an attack that corrupts the cache of a DNS resolver by injecting false address records. The fundamental mechanism exploits the stateless nature of DNS and the predictability of transaction IDs in older implementations. When a recursive resolver sends a query to an authoritative server, it expects a single response containing a matching transaction ID. An attacker can forge multiple responses with guessed transaction IDs before the legitimate response arrives. If one of these forged responses matches the open query, the resolver caches the fraudulent mapping, redirecting users to a malicious IP address.
The attack typically targets the resolution of fully qualified domain names (FQDNs) by poisoning the A (address) or AAAA (IPv6) records. More sophisticated variants poison NS (nameserver) records, causing the resolver to query a rogue authoritative server for an entire domain zone. This can lead to widespread redirection of all subdomains. Defenses include randomized transaction IDs, source port randomization, and DNS Security Extensions (DNSSEC), which cryptographically signs responses to verify authenticity. In exam contexts, understanding the attacker's window of opportunity between the query and the valid response is critical for identifying vulnerability windows in network architectures.
The attack vector often begins with a local network compromise, such as ARP spoofing, allowing the attacker to intercept and modify DNS traffic in transit. Alternatively, remote cache poisoning can occur if the DNS server is configured to forward queries to untrusted resolvers. The poisoning persists until the cached entry's TTL (time to live) expires, making short TTLs a mitigating factor. For the AWS SAA exam, candidates must understand how Route 53 Resolver integrates with VPCs and how to enforce DNSSEC validation to protect against poisoning. In CCNA, the focus is on configuring Cisco routers to block unnecessary DNS traffic and use secure DNS. A+ and Network+ exams test foundational knowledge of DNS record types and the poisoning process. Security+ emphasizes attack identification and mitigation strategies, including DNSSEC deployment. Google ACE and Azure AZ-104 examine cloud-specific DNS security features such as Azure DNS Private Resolver with conditional forwarding to on-premises servers.
Real-World Consequences of DNS Poisoning on Network Operations
The impact of a successful DNS poisoning attack extends far beyond mere misdirection, often leading to credential theft, malware distribution, and complete loss of trust in network services. When a bank's domain is poisoned, users typing the correct URL end up on a phishing site that captures login credentials and two-factor authentication codes. Similarly, poisonings of software update domains (e.g., update.microsoft.com) can serve trojanized updates to thousands of endpoints, creating a persistent botnet foothold. For operations teams, the first sign of poisoning is often an increase in failed logins or reports of unusual website behavior, but by then the damage is done.
From an operational perspective, remediation requires flushing the DNS cache on all affected resolvers and manually correcting the zone records. In large enterprise environments, this can take hours, during which all dependent services are compromised. The financial cost includes incident response team overtime, potential regulatory fines for data breaches, and reputational damage. For cloud architects, the impact is compounded by the fact that cloud services often rely on internal DNS for service discovery. A poisoned record pointing to a different availability zone can cause cascading failover events and latency spikes.
In exam contexts, the Security+ and Network+ exams present scenarios where users are redirected to a fake login page after accessing a legitimate URL. The correct answer often involves inspecting the DNS cache or enabling DNSSEC. The CCNA exam may ask about the impact on redundant DNS configurations, where poisoning of a primary server affects failover behavior. For AWS SAA, the impact on Route 53 alias records and health checks is a common theme, with the candidate needing to configure private hosted zones with strict ACLs. The Google ACE exam tests the ability to configure Cloud DNS with DNSSEC and logging to detect anomalies. In all cases, understanding that the impact scale is proportional to the popularity of the poisoned domain and the TTL of the cached record is essential for accurate risk assessment.
Mitigation Strategies and DNSSEC Deployment for DNS Poisoning
Preventing DNS poisoning requires a layered approach that combines protocol-level defenses, network segmentation, and continuous monitoring. The most robust defense is DNSSEC (DNS Security Extensions), which adds cryptographic signatures to DNS records. With DNSSEC, each zone signs its records with a private key, and resolvers verify the signature using a public key obtained from the parent zone through a chain of trust. If an attacker forges a response, the signature will not match, and the resolver discards the record. Deployment involves generating a Zone Signing Key (ZSK) and a Key Signing Key (KSK), publishing the DS (Delegation Signer) record in the parent zone, and configuring resolvers to perform validation.
Additional prevention techniques include source port randomization, where the resolver uses a random UDP source port for each query, making it exponentially harder for an attacker to guess the full five-tuple (source IP, source port, destination IP, destination port, protocol). Transaction ID randomization, now standard in all compliant resolvers, adds another layer. Administrators should also restrict recursive queries to trusted clients only, preventing external attackers from poisoning the cache. Network segmentation with separate DNS resolvers for internal and external queries reduces the attack surface. Regular cache audits and TTL minimization ensure that poisoned records expire quickly.
For cloud environments, AWS Route 53 Resolver supports DNSSEC validation at the VPC level, and Azure DNS Private Resolver can forward queries to on-premises servers with validation enabled. Google Cloud DNS allows enabling DNSSEC per managed zone. In exam scenarios, the most tested concept is understanding that DNSSEC does not prevent poisoning of the resolver itself but prevents the resolver from accepting forged data. The AZ-104 exam may ask about using Azure Firewall DNS Proxy to inspect DNS traffic. Security+ explicitly tests the distinction between DNSSEC and DNS over HTTPS (DoH), where DoH encrypts the query but does not provide authenticity. Deploying both together is considered best practice. Network+ candidates should know that disabling recursion on authoritative-only servers is a fundamental prevention step.
Detecting DNS Poisoning Through Logs and Anomalies
Detecting DNS poisoning is challenging because the symptoms are often subtle and overlap with other network issues. However, systematic monitoring of DNS query logs and cache behavior can reveal telltale signs. The most direct detection method is comparing the resolved IP address against a known baseline. For example, if the legitimate IP for www.example.com is 203.0.113.1 and users are consistently routed to 198.51.100.2, poisoning is likely. Administrators can automate this by configuring DNS servers to log all cache insertions and periodically comparing against a trusted authoritative source. Tools like DNSViz and dig can verify DNSSEC chain compliance.
Another detection indicator is an unusually high number of NXDOMAIN responses for known-valid domains, which may suggest the resolver is caching incorrect records that point to non-existent hosts. Anomalous query patterns, such as a sudden spike in queries to a single domain or repeated queries for similar domain names with slight typos, can indicate active reconnaissance for poisoning targeting. If a resolver responds to a query with an IP address that is clearly outside the expected geographic region or belongs to a known malicious ASN, the record should be investigated. In corporate networks, using a dedicated DNS security monitoring solution that integrates with SIEM platforms can provide real-time alerts.
From an exam perspective, the Security+ and CySA+ exams frequently present log samples showing a resolver returning an IP address that differs from the authoritative source. The correct action is to check the DNSSEC validation status and flush the cache. The CCNA exam may include a scenario where a router's DNS cache is inspected via show commands, and the candidate must identify a poisoned entry by comparing the IP to a known valid list. For AWS SAA, understanding that CloudWatch Logs for Route 53 Resolver can capture queries and responses is critical for the detection domain. Azure AZ-104 emphasizes using Azure Monitor with DNS analytics. In all cases, the key exam clue is that detection relies on having a trusted baseline, and without DNSSEC, the resolver cannot cryptographically differentiate between legitimate and forged responses.
Troubleshooting Clues
Users redirected to phishing site after visiting legitimate URL
Symptom: Browser shows a familiar website, but login credentials fail and users report unauthorized transactions. The domain resolves to an IP that is not the known legitimate IP.
DNS cache poisoning has replaced the legitimate A record with a malicious IP. The resolver returns the forged IP, and the user is served a fake site.
Exam clue: In Security+ exams, this scenario is used to test the candidate's ability to identify DNS poisoning as the root cause and recommend DNSSEC implementation.
Random domains intermittently fail to resolve
Symptom: Users report that some websites load fine while others show 'server not found', but the domains are known to be operational. Querying the resolver shows NXDOMAIN for valid domains.
Partial poisoning where the attacker only targeted specific records. The resolver serves forged NXDOMAIN responses for some domains, causing failures for those targets.
Exam clue: Network+ exam questions often present this pattern, asking the candidate to check the DNS cache and compare against a known good list.
DNS server returns different IPs than authoritative source
Symptom: Using dig to query the resolver shows one IP, but querying the authoritative server directly shows a different, correct IP. The resolver's response does not match.
The resolver's cache has been poisoned. The attacker's response with a different IP has been accepted and cached, overriding the legitimate authoritative response.
Exam clue: CCNA exam tests this as a key indicator of cache poisoning, requiring the candidate to flush the cache and verify recursor settings.
DNSSEC validation failure reported by resolver
Symptom: The resolver logs 'validation failure' for certain domains, and those domains become unreachable even though other resolvers can reach them.
The attacker may have attempted to poison the DNSSEC chain but produced invalid signatures. The resolver correctly refuses to cache the forged data, but the domain is temporarily unavailable.
Exam clue: Security+ and AZ-104 exams present this as a positive detection scenario, showing DNSSEC working as designed to prevent poisoning.
High latency on all DNS queries
Symptom: DNS resolution time increases dramatically across the network. Users experience slow page loads. Ping to the DNS server is normal.
A mass poisoning attack may cause the resolver to send many queries to authoritative servers to refresh poisoned entries. Alternatively, the resolver may be performing many validations. High query volume can strain the resolver.
Exam clue: AWS SAA and Google ACE exams test this as a symptom of a DNS attack that impacts cloud application performance, leading to scaling or failover considerations.
Cache contains entries from unrelated domains with same IP
Symptom: Listing the DNS cache reveals multiple unrelated domains (e.g., finance.example.com and medical.example.org) resolving to the same suspicious IP address.
The attacker poisoned multiple records pointing to a single malicious server, often used for hosting phishing pages for different brands.
Exam clue: This pattern is a classic exam clue in Network+ and Security+ for identifying widespread cache poisoning beyond a single target.
Multiple users report abnormal certificate warnings when visiting company website
Symptom: Browsers show 'Your connection is not private' or certificate name mismatch errors. The website's SSL/TLS certificate does not match the resolved IP.
The poisoned resolver returns an IP address that does not host the legitimate certificate. The attacker cannot provide a valid cert, triggering browser warnings.
Exam clue: CompTIA A+ and Security+ use this to explain how DNS poisoning indirectly causes SSL errors, and the solution involves clearing the DNS cache.
Memory Tip
Think of DNS poisoning as a 'poisoned directory', the phone book contains the wrong address, so even if you dial the right name, you end up in the wrong place.
Learn This Topic Fully
This glossary page explains what DNS poisoning means. For a complete lesson with labs and practice, see the topic guide.
Covered in These Exams
Current Exam Context
Current exam versions that test this topic — use these objectives when studying.
200-301Cisco CCNA →N10-009CompTIA Network+ →SY0-701CompTIA Security+ →ACEGoogle ACE →AZ-104AZ-104 →SAA-C03SAA-C03 →220-1101CompTIA A+ Core 1 →220-1102CompTIA A+ Core 2 →SC-900SC-900 →SOA-C02SOA-C02 →CDLGoogle CDL →ISC2 CCISC2 CC →Legacy Exam Context
Older materials may mention these exam versions, but learners should use the current objectives for their target exam.
N10-008N10-009(current version)SY0-601SY0-701(current version)Related Glossary Terms
Two-factor authentication (2FA) is a security method that requires two different types of proof before granting access to an account or system.
An A record is a type of DNS resource record that maps a domain name to an IPv4 address.
An AAAA record is a DNS record that maps a domain name to an IPv6 address, allowing devices to find each other over the internet using the newer IP addressing system.
802.1X is a network access control standard that authenticates devices before they are allowed to connect to a wired or wireless network.
AAA (Authentication, Authorization, and Accounting) is a security framework that controls who can access a network, what they are allowed to do, and tracks what they did.
Quick Knowledge Check
1.Which of the following is the most effective cryptographic defense against DNS cache poisoning?
2.A user reports being redirected to a fake banking website after typing the correct URL. The DNS server returns an IP address that differs from the authoritative server. What is the most likely cause?
3.An administrator wants to immediately remove all potentially poisoned DNS entries from a Windows client. Which command should be used?
4.What is the primary difference between DNS over HTTPS (DoH) and DNSSEC in the context of DNS poisoning?
5.During a security audit, you notice that the DNS resolver cache contains multiple different domains all resolving to the same IP address, which is not a legitimate web server. What is the most likely explanation?