What is DNS Poisoning (DNS Spoofing)?

Understanding DNS Attacks and How to Defend Against Them

DNS poisoning, also called DNS cache poisoning or DNS spoofing, is a cyberattack that corrupts DNS records to redirect users to fraudulent websites. Learn how these attacks work and how to protect your network.


Step 1: What is DNS Poisoning?

DNS poisoning is a type of spoofing attack that targets DNS infrastructure, specifically DNS resolvers. Attackers impersonate legitimate devices or users to intercept protected information or disrupt normal web traffic flow.

When a DNS resolver's cache is "poisoned," it stores incorrect IP addresses for domain names. This means that anyone using that resolver will be silently redirected to attacker-controlled servers — without any visible indication that something is wrong.

The attack is particularly dangerous because DNS is fundamental to all internet activity. Every website visit, email delivery, and app connection relies on DNS lookups, making a compromised resolver a powerful tool for attackers.

Step 2: How DNS Poisoning Works

During a DNS poisoning attack, malicious actors modify DNS records to redirect users to fraudulent destinations without their knowledge. The attack typically works like this:

  • Interception: The attacker intercepts a DNS query between a user's device and the DNS resolver, or between DNS resolvers
  • Forgery: The attacker sends a forged DNS response with a malicious IP address before the legitimate response arrives
  • Caching: The DNS resolver caches the forged response, treating it as legitimate
  • Propagation: All subsequent users querying for that domain are redirected to the attacker's server until the cache expires

Once traffic diverts to illegitimate servers, attackers can execute man-in-the-middle attacks to steal login credentials, install malware on visitor devices, or deploy worms to spread damage across connected networks.

Step 3: Primary Security Threats

DNS poisoning enables three major categories of attacks:

  • Malware Distribution: Attackers redirect users to sites that distribute web-based malware including Fake AV Trojans, Rootkits, and other tools designed to take control of user devices and environments. Users believe they're visiting a legitimate website but are actually downloading malicious software.
  • Data Theft: By controlling the flow of data, attackers can intercept sensitive information like usernames, passwords, credit card numbers, and personally identifiable information (PII). This is especially dangerous when users believe they are connected to legitimate banking or e-commerce sites.
  • Phishing: The most prevalent threat — attackers create convincing replicas of legitimate websites (banks, email providers, social media) to deceive users into sharing confidential information. DNS poisoning makes phishing especially effective because the URL in the browser appears correct.

Step 4: How to Protect Against DNS Poisoning

Protecting your network from DNS poisoning requires a combination of strategies:

  • Use a trusted DNS resolver: Services like CleanBrowsing validate DNS responses and maintain clean caches, reducing the risk of poisoned records reaching your devices
  • Enable DNSSEC: DNS Security Extensions (DNSSEC) add cryptographic signatures to DNS records, allowing resolvers to verify that responses haven't been tampered with
  • Use encrypted DNS: DNS-over-HTTPS (DoH) and DNS-over-TLS (DoT) encrypt DNS queries in transit between your device and the resolver, preventing attackers on that path from intercepting or modifying them
  • Keep software updated: Ensure DNS server software, operating systems, and browsers are regularly updated to patch known vulnerabilities
  • Monitor for anomalies: Watch for unexpected DNS behavior such as sudden changes in DNS response times, unexpected redirects, or certificate warnings on familiar sites
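
One way to monitor for the forged-response race described in Step 2, shown as an added example that is not part of the original article: it flags any DNS query that received two responses with different answers inside a short window. The record layout, function name and sample data are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample: one tuple per DNS response seen on the resolver's upstream
# side, as (time_s, resolver_src_port, txid, qname, answer_ips). The record
# layout is an assumption of this example; adapt it to your capture format.
SAMPLE_RESPONSES = [
    (10.001, 53211, 0x1A2B, "example.com.", ("203.0.113.66",)),
    (10.019, 53211, 0x1A2B, "Example.com.", ("192.0.2.10",)),  # second, different answer
    (11.200, 40112, 0x0C0D, "example.org.", ("198.51.100.7",)),
    (12.500, 41877, 0x7788, "example.net.", ("198.51.100.9", "198.51.100.8")),
    (12.510, 41877, 0x7788, "example.net.", ("198.51.100.8", "198.51.100.9")),  # benign duplicate
]


def find_conflicting_responses(responses, window_s=2.0):
    """Flag queries that received more than one response with different answers.

    A response is tied to its query by (source port, transaction ID, name).
    Names are compared case-insensitively and answer order is ignored, so a
    retransmitted or reordered legitimate reply does not raise an alert.
    """
    by_query = defaultdict(list)
    for ts, port, txid, qname, ips in responses:
        key = (port, txid, qname.lower().rstrip("."))
        by_query[key].append((ts, frozenset(ips)))

    alerts = []
    for (port, txid, qname), seen in by_query.items():
        seen.sort(key=lambda item: item[0])
        first_ts, first_answer = seen[0]
        conflicts = []
        for ts, answer in seen[1:]:
            if ts - first_ts <= window_s and answer != first_answer and answer not in conflicts:
                conflicts.append(answer)
        if conflicts:
            alerts.append({
                "qname": qname, "port": port, "txid": txid,
                "first_answer": sorted(first_answer),  # the answer a resolver would cache
                "conflicting": [sorted(a) for a in conflicts],
            })
    return alerts


if __name__ == "__main__":
    for alert in find_conflicting_responses(SAMPLE_RESPONSES):
        print(alert)
```

The check cannot tell which of the two answers is the forged one; it only shows that the first answer, the one a resolver would cache, was contradicted by a later reply to the same query and should be verified.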

CleanBrowsing's DNS security features are designed to protect against DNS-based threats including poisoning, phishing, and malware distribution — blocking malicious domains before connections are established.
