What is DNS cache poisoning?
DNS cache poisoning is an attack that inserts forged records into a DNS resolver's cache. Every client that relies on that resolver is then silently directed to attacker-controlled hosts until the forged records expire or are flushed.
How DNS caching works
The Domain Name System (DNS) translates human-readable domain names into IP addresses, allowing users to reach websites using names like "example.com." Resolvers cache each answer for a period set by the record's Time to Live (TTL), a value chosen by the domain's authoritative server. This reduces the number of queries sent to other DNS servers and speeds up domain name resolution, but it also means a single bad answer is served to every client for as long as the TTL lasts.
How a DNS cache poisoning attack works
An attacker exploits vulnerabilities in a DNS resolver to corrupt its cached data. The process follows a consistent pattern:
Identifying the target: The attacker locates a vulnerable DNS resolver used by the intended victims. This could be a public DNS server or one operated by an organization or ISP.
Gathering information: The attacker collects details about the resolver, including the software it runs (such as BIND), its version, and known vulnerabilities, then uses that information to craft a targeted attack.
Exploiting vulnerabilities: The attacker races the legitimate answer with forged responses. A resolver accepts a UDP response if it arrives on the right source port with the right 16-bit transaction ID for an outstanding query, so weak or predictable randomization of either value is what makes the race winnable.
The Kaminsky exploit
In 2008, security researcher Dan Kaminsky discovered a flaw in the DNS system that made cache poisoning practical at scale. The attack worked as follows:
The attacker sends the targeted resolver a query for a name that does not exist in the target domain, such as fake.example.com. The resolver has nothing cached for that name, so it queries the domain's authoritative server. While that answer is in flight, the attacker floods the resolver with forged responses, each carrying a different guess at the 16-bit transaction ID. Each forged response claims to answer the query and, in its authority and additional sections, names the attacker's server as authoritative for example.com or supplies a fake address for www.example.com. Because those extra records fall within the domain being queried, the resolver caches them alongside the answer. If the resolver reuses a fixed UDP source port, each forged packet has a 1-in-65,536 chance of matching. If no guess lands before the genuine answer arrives, the attacker simply picks another non-existent name (fake2.example.com) and tries again, since the negative answer for one name does not block a query for the next. This is what made the attack practical: there is no TTL to wait out between attempts, and a few thousand forged packets per round win in seconds to minutes.
From that point, any user querying the compromised resolver gets directed to the attacker's site instead of the legitimate one, where they may encounter phishing pages, malware downloads, or other threats. Attackers can extend the damage by continuously re-poisoning the cache or exploiting other vulnerabilities in the targeted infrastructure.
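The race described above, as an added example that is not part of the original article: a toy resolver that accepts a reply only when its transaction ID and destination port match an outstanding query, and an attacker that queries a fresh random subdomain each round and floods forged replies for it. The zone, the attacker address, the port pool, and the bailiwick rule are all simplifying assumptions made for the simulation; nothing here touches the network.

```python
"""Toy model of the Kaminsky race: a simulated resolver and an attacker flooding it.
Constructed example for illustration; it performs no network I/O."""
import random
from dataclasses import dataclass, field

TXID_SPACE = 1 << 16                   # DNS transaction IDs are 16 bits
EPHEMERAL_PORTS = range(1024, 65536)   # port pool a patched resolver draws from (assumption)
ZONE = "example.com."
ATTACKER_IP = "198.51.100.7"           # constructed, documentation range


def in_bailiwick(name: str, zone: str) -> bool:
    """Bailiwick rule: extra records are cached only if they sit at or under the queried zone."""
    return name == zone or name.endswith("." + zone)


def guess_probability(randomize_port: bool) -> float:
    """Chance that a single forged reply matches an outstanding query."""
    space = TXID_SPACE * (len(EPHEMERAL_PORTS) if randomize_port else 1)
    return 1.0 / space


@dataclass
class ToyResolver:
    randomize_port: bool
    rng: random.Random
    cache: dict = field(default_factory=dict)    # name -> IP
    pending: dict = field(default_factory=dict)  # qname -> (txid, source port)

    def send_query(self, qname: str):
        """Issue an upstream query. An unpatched resolver reuses one fixed source port."""
        txid = self.rng.randrange(TXID_SPACE)
        sport = self.rng.choice(EPHEMERAL_PORTS) if self.randomize_port else 53
        self.pending[qname] = (txid, sport)
        return txid, sport

    def receive(self, qname: str, txid: int, dport: int, answer, extra: dict) -> bool:
        """Accept a reply only if txid and destination port match an outstanding query."""
        if self.pending.get(qname) != (txid, dport):
            return False                         # mismatch: dropped, no error to the sender
        del self.pending[qname]
        if answer is not None:
            self.cache[qname] = answer
        for name, ip in extra.items():           # authority/additional section records
            if in_bailiwick(name, ZONE):
                self.cache[name] = ip
        return True


def kaminsky_attack(resolver: ToyResolver, forged_per_round: int, max_rounds: int,
                    rng: random.Random):
    """Each round queries a fresh random subdomain and floods forged replies for it.
    A new name each round means a failed round costs nothing: no TTL to wait out."""
    for rnd in range(1, max_rounds + 1):
        qname = f"{rng.getrandbits(32):08x}.{ZONE}"
        real_txid, real_port = resolver.send_query(qname)
        for _ in range(forged_per_round):
            guess_txid = rng.randrange(TXID_SPACE)
            # The attacker assumes the classic fixed port unless the resolver randomizes.
            guess_port = rng.choice(EPHEMERAL_PORTS) if resolver.randomize_port else 53
            extra = {
                "www." + ZONE: ATTACKER_IP,          # the real target, in bailiwick
                "login.bank.example.": ATTACKER_IP,  # out of bailiwick, must be dropped
            }
            if resolver.receive(qname, guess_txid, guess_port, ATTACKER_IP, extra):
                return True, rnd
        # The genuine NXDOMAIN arrives and closes the query; start over with a new name.
        resolver.receive(qname, real_txid, real_port, None, {})
    return False, max_rounds


def run_scenario(randomize_port: bool, forged_per_round: int, max_rounds: int, seed: int):
    """Run one attack against a fresh resolver with a seeded RNG."""
    rng = random.Random(seed)
    resolver = ToyResolver(randomize_port=randomize_port, rng=rng)
    poisoned, rounds = kaminsky_attack(resolver, forged_per_round, max_rounds, rng)
    return poisoned, rounds, resolver


if __name__ == "__main__":
    for randomize in (False, True):
        poisoned, rounds, resolver = run_scenario(randomize, 2000, 500, seed=7)
        print(f"random port={randomize}: poisoned={poisoned} after {rounds} rounds, "
              f"www.{ZONE} -> {resolver.cache.get('www.' + ZONE)}")
```

With the fixed port, a round of 2,000 forgeries succeeds about 3% of the time, so the attacker usually wins within a few dozen rounds; with a random source port the same budget faces a space roughly 64,000 times larger and the run ends with the cache untouched. The out-of-bailiwick record never lands in either case, which is why the original attack had to plant records for the target domain itself rather than for an unrelated one.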
Why DNS poisoning is dangerous
DNS cache poisoning carries significant consequences across four areas:
Loss of user trust occurs when users are repeatedly redirected to fraudulent sites, damaging confidence in affected organizations and the broader internet.
Data breaches result from users entering credentials on convincing fake sites, giving attackers access to sensitive accounts and information.
Malware distribution happens when redirected sites silently push malicious software onto visitor devices.
Disruption of critical services can occur at scale: a poisoned resolver at an ISP or large organization silently redirects or blocks every client behind it, so a single successful attack can cut off access to widely used services and cause real economic damage.
How to protect against DNS cache poisoning
DNS Security Extensions (DNSSEC) is the most direct defense. Authoritative servers sign their records, and a validating resolver rejects any response whose signatures do not verify, so a forged answer fails validation no matter how quickly it wins the race. DNSSEC only helps where the zone is signed and the resolver actually validates, and it does nothing for unsigned domains, so organizations should pair it with the following:
Regular software updates and patching keeps DNS software like BIND current and closes known vulnerabilities before attackers can exploit them. The 2008 patches for the Kaminsky attack added source-port randomization, which multiplies the attacker's guess space by the number of possible ports; that protection is undone if a NAT device or firewall in front of the resolver rewrites outbound source ports to a fixed value.
Network segmentation and access controls limit exposure to critical DNS infrastructure and reduce the available attack surface.
Monitoring and auditing DNS activity through regular log review and traffic analysis lets organizations detect and respond to suspicious patterns early.
Multi-layered security combines firewalls, intrusion detection systems, and strong authentication to protect DNS infrastructure from cache poisoning and related threats like man-in-the-middle attacks.
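The two settings above, shown as a BIND 9 named.conf fragment. This is an added example, not configuration from the original article; the directory path and the allow-recursion scope are placeholders, and the two options blocks are meant to be read side by side rather than used together.

```conf
// WEAK: pinning the outbound query port leaves only the 16-bit transaction ID
// for an attacker to guess, and with validation off a forged reply that wins
// the race is cached as-is.
options {
    directory "/var/cache/bind";        // placeholder path
    recursion yes;
    allow-recursion { localnets; };     // placeholder scope
    query-source address * port 53;     // REMOVE: fixed source port
    dnssec-validation no;               // REMOVE: accepts unsigned/forged answers
};

// HARDENED: no query-source port is pinned, so BIND picks a random source
// port for every outbound query, and answers are validated against the
// built-in root trust anchor.
options {
    directory "/var/cache/bind";        // placeholder path
    recursion yes;
    allow-recursion { localnets; };     // placeholder scope
    dnssec-validation auto;
};
```

To confirm the resolver validates, query a signed name through it with `dig @<resolver> example.com +dnssec` and check that `ad` appears in the flags line of the answer; a response without `ad` means the chain was not validated. Remember that a NAT or firewall between the resolver and the internet can rewrite source ports back to a fixed value, so check the ports seen on the outside of any such device as well.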