LOGBOOK

HELP

Quiz Entry - updated: 2026.07.14

What is DNS Spoofing (also called DNS Cache Poisoning), and how does it differ from ARP poisoning?

DNS spoofing sends forged DNS responses so the victim resolves a domain to the attacker's IP. ARP poisoning operates on Layer 2 (MAC), DNS spoofing on Layer 7 (name resolution).

A forged DNS response poisoning a resolver's cache.

* Attacker races a forged reply to poison the DNS cache., CC BY-SA 4.0, via Wikimedia Commons. *

The attack flow:

1. Victim asks DNS: "What's the IP of mycampus.hslu.ch?"
2. Attacker (MitM or rogue DNS) replies first: "It's 192.168.1.99 (attacker's IP)"
3. Victim accepts and connects to attacker's server
4. Attacker presents fake login page → captures credentials

Two ways to do it:

Method Where it works
In-path Already MitM via ARP → intercept and forge DNS replies
Cache poisoning Attack the DNS resolver itself (Kaminsky 2008) — forge responses for the recursive resolver to cache, then everyone using it gets the bad answer

Why DNS is vulnerable:

  • Default DNS is unauthenticated UDP on port 53
  • Responses are matched by 16-bit query ID + question
  • An attacker who can see (or guess) the query ID can race to forge a reply
  • Once a forged response is accepted, it's cached for the TTL → many victims affected

The two-step combo:

Step 1: ARP poisoning  → traffic flows through attacker
Step 2: DNS spoofing   → attacker rewrites DNS answers in transit

ARP poisoning is the vehicle (gets you onto the path); DNS spoofing is the payload (what you do once on the path).

Defenses:

Defense How it helps
DNSSEC Cryptographically signs DNS responses → forged answers fail validation
DoH / DoT Encrypts DNS queries to a known resolver → MitM can't even see the queries
HTTPS + cert validation Even if DNS lies, the cert won't match → browser blocks
HSTS Browser refuses to downgrade to HTTP for known sites

Tip: DNSSEC adoption is uneven (~30% of top sites). DoH/DoT is rolling out — Firefox enabled DoH-by-default in the US in 2020. These mitigations don't help if the local OS still uses plain DNS for non-browser apps.

Go deeper:

From Quiz: INTROL / Man in the Middle (MitM) | Updated: Jul 14, 2026