What is DNS cache poisoning? DNS cache poisoning is a serious online threat that targets the Domain Name System (DNS), the layer that turns domain names into IP addresses. When criminals trick a DNS resolver into accepting a forged response, it stores the fake record in its cache. From then on, every client that relies on that resolver is sent to the attacker's address instead of the real one.
A poisoned DNS cache is a form of DNS spoofing and can be used to carry out DNS hijacking attacks. When this happens, you think you are logging in safely, but you are actually entering information on a cloned site controlled by a criminal. These malicious redirects are often used for phishing, malware delivery, or large-scale data theft, so anything you type (logins, personal details, payment info) could be stolen.
Many modern cyberattacks rely on DNS cache poisoning and DNS spoofing. When criminals tamper with the DNS resolution process, the impact can be severe. If they manage to guess the query's transaction ID and forge a record with a long Time to Live (TTL), the fake DNS entry can stay in the cache for hours (resolvers usually cap how long they will keep a record, but the cap is typically a day or more). During that time, every visit to that domain goes to the attacker's server instead of the real service. The result is stolen logins, exposed personal data that can be used for fraud or ID theft, and a higher risk of malware infections.
In this guide, we break down how DNS cache poisoning works, how DNS spoofing attacks happen, and how to flush your DNS cache to strengthen your defences.
DNS Spoofing explained
DNS cache poisoning is a class of cyberattacks in which hackers trick your DNS resolver into caching false address data. As a result of the poisoned DNS cache, the resolver sends the wrong IP address to users. This means you will be directed to a fake or cloned version of the website you intended to visit, controlled by cybercriminals to carry out phishing, malware infections, and other dangerous attacks.
DNS cache poisoning is one form of DNS spoofing. DNS spoofing refers to any attack where false DNS information is inserted into the system. When this happens, DNS queries return incorrect responses, and visitors are redirected to the wrong domain.
How does DNS cache poisoning work?
The internet is built on IP addresses: the numerical identifiers that routers use to deliver your packets to the server or service you want to reach.
Want to log in to Facebook? You type www.facebook.com, but what you may not realise is that the domain name is simply a user-friendly label that DNS maps to the underlying IP address. Your device needs that IP address to deliver requests to the website in question.
The DNS resolver’s cache is a temporary list of addresses that the system keeps loaded to speed up the process of delivering requests to their intended destination. When the resolver’s DNS cache is poisoned, the address stored in the system is incorrect. As a result, the DNS resolver sends users to the wrong destination.
Unfortunately, classic DNS gives a resolver no built-in way to verify a record it has already cached: the record is simply trusted until its TTL expires.
If a hacker successfully poisons the DNS cache, it will continue to send people to the malicious destination until the Time to Live (TTL) expires or until the bogus address is manually updated.
How do hackers poison DNS caches?
DNS cache poisoning occurs when a hacker injects a fake DNS reply into a resolver before the real one arrives. To pull this off, the attacker sends a forged response that pretends to come from the legitimate DNS server. If the resolver accepts that fake reply, it stores the bad information in its cache.
This works because classic DNS has no built-in authentication. Queries and replies are normally single UDP datagrams, and a resolver matches a reply to its outstanding query using only the 16-bit transaction ID (Query ID), the source port it sent the query from, and the question it asked. Nothing proves who really sent the reply, which allows hackers to take advantage by:
- Guessing the request’s details (such as the Query ID and source port)
- Flooding the resolver with forged responses
- Trying to time their fake reply so it arrives before the genuine one
If one of their forged responses matches the resolver’s expectations closely enough, the resolver accepts it and updates its cache with the wrong IP address. From then on, every user of that resolver is redirected to the attacker’s domain until the TTL expires or the cache is manually corrected.
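To make that guessing game concrete, here is an added example (not code from the original article) that models the acceptance check a classic resolver performs and the odds an attacker faces with and without source-port randomisation. The transaction ID, port and name values are constructed, and `resolver_accepts`, `forge_success_probability` and `simulate_flood` are illustrative names rather than any real resolver's API.

```python
import random

# Added example (not from the original article): a toy model of the check a
# classic DNS resolver makes when a reply arrives, and what that means for an
# attacker who floods it with forged replies. All values are constructed.

TXID_SPACE = 2 ** 16          # 16-bit transaction ID in the DNS header
PORT_SPACE = 65536 - 1024     # ephemeral source ports a resolver can choose from


def resolver_accepts(outstanding, reply):
    """A resolver without DNSSEC only checks that the reply's transaction ID,
    destination port and question match a query it currently has in flight.
    Nothing proves who actually sent the reply."""
    return (reply["txid"] == outstanding["txid"]
            and reply["port"] == outstanding["port"]
            and reply["qname"].lower() == outstanding["qname"].lower())


def forge_success_probability(forged_replies, randomized_port):
    """Chance that at least one of N forged replies is accepted before the
    genuine answer arrives, with the attacker guessing uniformly at random."""
    guess_space = TXID_SPACE * (PORT_SPACE if randomized_port else 1)
    return 1.0 - (1.0 - 1.0 / guess_space) ** forged_replies


def simulate_flood(randomized_port, seed=7):
    """Attacker floods every possible transaction ID at one guessed port.
    Returns how many forged replies were sent before one was accepted, or
    None if the whole flood was rejected."""
    rng = random.Random(seed)
    outstanding = {
        "txid": rng.randrange(TXID_SPACE),
        # older resolvers sent every query from one fixed port, e.g. 53
        "port": rng.randrange(1024, 65536) if randomized_port else 53,
        "qname": "www.example.com",
    }
    for n, guessed_txid in enumerate(range(TXID_SPACE), start=1):
        forged = {"txid": guessed_txid, "port": 53, "qname": "www.example.com"}
        if resolver_accepts(outstanding, forged):
            return n
    return None


if __name__ == "__main__":
    for randomized in (False, True):
        print(f"source port randomized: {randomized}")
        print(f"  P(success) after 65536 random forged replies: "
              f"{forge_success_probability(65536, randomized):.6f}")
        print(f"  replies needed in exhaustive flood: {simulate_flood(randomized)}")
```

With a fixed source port, 65,536 random forgeries succeed about 63% of the time and an exhaustive flood always wins; with a random port the same flood has odds around one in 60,000 per query, which is why port randomisation was the stop-gap fix before DNSSEC. Real resolvers apply further sanity checks on the records in a reply, and DNSSEC replaces the guessing game entirely with signature verification.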
Why is DNS cache poisoning possible?
The current DNS system was built for a much smaller Internet and relies heavily on trust. When hackers interfere with the DNS process, they expose these underlying weaknesses and can cause people to be redirected to the wrong website. Unfortunately, this means end users must stay alert and monitor the website addresses they visit to ensure they have actually arrived at the correct destination.
What is being done to stop DNS cache poisoning?
Systems like DNSSEC were created to strengthen the ageing DNS system and improve the security of DNS lookups by preventing spoofing and malicious redirects. That said, DNSSEC is still in the process of being widely adopted, which is why, for now, you will still need to protect yourself against unwanted redirects to malicious websites.
How does DNSSEC help fix DNS spoofing and cache poisoning?
Domain Name System Security Extensions (DNSSEC) adds cryptographic signatures to DNS records so resolvers can verify that the information they receive is legitimate and has not been tampered with. This makes the DNS lookup process significantly more secure and takes the pressure off users, who gain a greater level of confidence over where they are being directed.
However, DNSSEC will not fully resolve the problem until it has been widely adopted, and at the time of writing, that day still is not in sight. Adoption has been slow across both DNS providers and website owners, which means that large sections of the internet still do not benefit from DNSSEC protection.
Until DNSSEC becomes the default everywhere, users will need to continue relying on tools like DoH, HTTPS, trusted DNS resolvers, and VPN DNS protection to guard against spoofing and cache poisoning attacks. Bear in mind that these protect different things: DoH and a VPN protect the path between you and the resolver, HTTPS protects the connection to the website itself, and only a validating resolver actually checks that a DNS record is genuine.
How can I protect against DNS Cache Poisoning?
You can use a DNSSEC-validating resolver to verify DNS responses and DNS over HTTPS (DoH) to stop them being altered on the way to your device. You should also check for the HTTPS padlock in your address bar: TLS prevents attackers from reading or tampering with data once you are connected to the real website, and the padlock confirms that the certificate matches the domain shown in the address bar.
Learning how to use these tools, as well as adopting a Zero Trust mindset, will help you protect yourself against suspicious redirects. But what does that mean in practice?
At Comparitech, we want to help you stay protected online. This is why we have provided clear steps you can follow to stay safer while browsing the web.
Use a DNS resolver that supports DNSSEC
DNSSEC protects you by letting your resolver verify that the DNS record it receives was signed by the legitimate domain owner and has not been altered. The good news is that you don't need to configure DNSSEC manually: validation happens on the resolver, so you get the benefit by switching to a DNS provider that validates. Bear in mind that this only helps for domains whose owners have signed their zone; for an unsigned domain, a validating resolver can do no more than any other.
Public DNS services that perform DNSSEC validation include the following. To confirm that any resolver really validates, look up the deliberately broken test domain dnssec-failed.org through it: a validating resolver refuses to answer (SERVFAIL), while a non-validating one returns an address.
- Cloudflare (1.1.1.1)
- Google Public DNS (8.8.8.8)
- Quad9 (9.9.9.9)
- OpenDNS (208.67.222.222)
How do I change my DNS resolution service?
You can change your DNS resolver simply by changing the DNS address on your device. Choose one of the DNSSEC-enabled providers above (or any other popular provider that you trust) and enter the DNS address manually:
- Windows: Network & Internet > Adapter properties > IPv4 settings
- Mac: System Settings > Network > DNS
- iPhone/Android: Wi-Fi > your network > DNS settings (Android also offers Settings > Network & internet > Private DNS, which uses encrypted DNS over TLS)
Turn on DNS over HTTPS (DoH)
DNS over HTTPS (DoH) encrypts your DNS requests, preventing them from being intercepted or modified in transit by an attacker. This helps prevent unwanted redirects and improves the privacy of your DNS lookups. However, bear in mind that DoH does not fix a compromised or poisoned DNS resolver. This is why it is critical to use a trusted provider with DNSSEC support.
You can enable DoH by following these steps:
- Chrome: Settings > Privacy and security > Use secure DNS
- Firefox: Settings > Network Settings > Enable DNS over HTTPS
- Windows 11: Settings > Network & Internet > DNS settings > Use encrypted DNS
Most public DNS services (Cloudflare, Google, Quad9) support DoH. A VPN can also carry all of your DNS requests through its encrypted tunnel to the VPN provider's own resolvers, which protects them from tampering on the local network or at your ISP. Whether those resolvers keep logs depends on the provider's policy, so check it before relying on it.
Always check for HTTPS
HTTPS is the secure version of HTTP and protects the data you send to a website. It uses Transport Layer Security (TLS) to encrypt any data sent between your device and the websites you visit. When HTTPS is enabled, an attacker who intercepts your traffic cannot read or alter the information you send in transit. This protects sensitive data such as logins, payment details, and personal information.
Here is how to monitor for HTTPS:
- Check for the padlock icon in the address bar
- Always check that the URL for the website you are visiting starts with https://
- Check that the domain you are visiting is spelt correctly. Cloned websites may look correct at a glance, but often have subtle differences that reveal them as fake.
Why it’s critical to monitor URLs and HTTPS
If a site loads as plain HTTP, close it immediately. A poisoned DNS redirect cannot impersonate the real HTTPS version of a legitimate site, because a trusted certificate authority will not issue the attacker a certificate for the real domain (short of a compromise or mis-issuance at the CA itself), and your browser will warn you if the certificate does not match the domain in the address bar.
Instead, hackers will usually redirect you to a different domain that is designed to look identical (a cloned version of the real website) but that has been created to steal your data.
Important: DNS cache poisoning can also redirect you to a fake website that uses its own HTTPS certificate. For example, DNS spoofing could redirect you to: https://www.nikee.com (which is not the same domain as https://www.nike.com).
These redirects can be hard to spot, which is why you must double-check both the URL and the HTTPS padlock. This is especially important anytime you plan to enter payment details; always double-check the address in the URL bar before completing a purchase, as this helps reduce the chances of entering sensitive information on a fake website.
Use a VPN that forces encrypted DNS
Leading VPN services like NordVPN and Surfshark route your traffic through private DNS servers. They also send your DNS requests through the encrypted VPN tunnel, which prevents anyone on the network from intercepting or reading them. This also stops attackers from tampering with your DNS requests in transit.
The best VPNs for privacy and security process all of your DNS lookups using their own encrypted DNS resolvers. A major benefit of using a reliable VPN is that everything happens automatically in the background. All you need to do is subscribe to a trusted provider, install the app, and connect.
Once the VPN is active, you get the following protections:
- Attackers on your local network or at your ISP can no longer inject fake DNS responses into your traffic (the VPN's own resolver still needs to be trustworthy, as the FAQ below explains).
- You always use secure DNS, even on public wifi.
- DNS tampering becomes extremely difficult for attackers.
Adopt a simple Zero Trust mindset
Zero Trust is a security mindset that many businesses use to keep their networks secure against hackers.
As a home internet user, you don’t need a deep understanding of Zero Trust frameworks or enterprise tools. Instead, you can apply simple Zero Trust principles to improve your protection against DNS-based attacks.
In this context, Zero Trust means “don’t assume the first page you land on is safe.”
Here is how to use Zero Trust principles to stay safer online:
- Do not trust links sent over email, SMS, or social media (these could send you to dodgy websites designed for phishing or malware).
- If a website takes you somewhere suspicious or unexpected, close the page and check the website address carefully before trying again. Just remember that if your DNS provider’s cache has been poisoned, you may be redirected to the fake site again, and the problem can sometimes last for hours until the cache resets.
- Always type sensitive URLs yourself (banks, email, shopping).
- Bookmark important services so you never need to rely on search results.
- If you ever see a certificate warning or browser alert, leave the website immediately.
What is DNS cache poisoning? FAQs
Is a VPN the best way to protect against DNS cache poisoning?
A reputable VPN service is one of the most convenient and effective ways to protect yourself against DNS spoofing on the network path. When you connect to a VPN, all your DNS requests are sent through an encrypted tunnel and handled by the VPN's own private DNS resolvers. This prevents your ISP, public wifi networks, and on-path attackers from intercepting, monitoring, or tampering with your DNS traffic, which lowers the risk of unwanted redirects. What a VPN does not do is verify the DNS records themselves, so for the strongest protection choose a provider whose resolvers validate DNSSEC, or combine it with a validating resolver.
Can a DNS record be poisoned inside a VPN provider’s DNS resolver?
In theory, a VPN provider's DNS resolver can be poisoned like any other. In practice, it is rare.
Reputable VPNs harden their DNS servers and accept queries only from inside the VPN rather than from the public internet, as many ISP-run resolvers do. This makes it much harder for VPN-run DNS records to be poisoned.
Most internet users simply let DNS resolution happen in the background, which means their DNS queries are normally handled by their Internet Service Provider. A small minority of users manually switch to a third-party DNS resolver with DNSSEC support, but the majority still rely on ISP DNS.
This is why using a VPN is often the easiest and fastest way to upgrade your DNS resolution for higher privacy and security, without changing settings manually.
When you use a VPN, you remove yourself from the typical pool of internet users and instead send all your DNS requests through the encrypted VPN tunnel. This hides your DNS activity from your ISP and protects against DNS spoofing and cache poisoning attempts on the network between you and the resolver.
VPNs gain this advantage by accepting only DNS queries that arrive through the secure tunnel. They also run modern DNS software with hardened configurations behind a strict firewall and NAT controls, which makes it far harder for VPN-run DNS resolvers to be poisoned.
What do DNS resolvers do?
A DNS resolver is a service (run by an ISP, VPN provider, or public DNS provider) that looks up the IP address behind a domain name. When you type a website address, the resolver finds the correct server so the website you want can load in your browser.
What is the most secure free DNS provider?
If you want to use a free third-party DNS service to resolve your DNS queries without relying on your ISP, we recommend the services listed below. They all advertise DNSSEC validation, which you should confirm with a test lookup before relying on it.
- Cloudflare (1.1.1.1)
- Quad9 (9.9.9.9)
- Google Public DNS (8.8.8.8, 8.8.4.4)
- OpenDNS (208.67.222.222, 208.67.220.220)
- CleanBrowsing (185.228.168.9, 185.228.169.9)
- Verisign Public DNS (64.6.64.6, 64.6.65.6)
- NextDNS