What is DNS Spoofing (also called DNS Cache Poisoning), and how does it differ from ARP poisoning?
DNS spoofing sends forged DNS responses so the victim resolves a domain to the attacker's IP. ARP poisoning operates on Layer 2 (MAC), DNS spoofing on Layer 7 (name resolution).

* Attacker races a forged reply to poison the DNS cache., CC BY-SA 4.0, via Wikimedia Commons. *
The attack flow:
1. Victim asks DNS: "What's the IP of mycampus.hslu.ch?"
2. Attacker (MitM or rogue DNS) replies first: "It's 192.168.1.99 (attacker's IP)"
3. Victim accepts and connects to attacker's server
4. Attacker presents fake login page → captures credentials
Two ways to do it:
| Method | Where it works |
|---|---|
| In-path | Already MitM via ARP → intercept and forge DNS replies |
| Cache poisoning | Attack the DNS resolver itself (Kaminsky 2008) — forge responses for the recursive resolver to cache, then everyone using it gets the bad answer |
Why DNS is vulnerable:
- Default DNS is unauthenticated UDP on port 53
- Responses are matched by 16-bit query ID + question
- An attacker who can see (or guess) the query ID can race to forge a reply
- Once a forged response is accepted, it's cached for the TTL → many victims affected
The two-step combo:
Step 1: ARP poisoning → traffic flows through attacker
Step 2: DNS spoofing → attacker rewrites DNS answers in transit
ARP poisoning is the vehicle (gets you onto the path); DNS spoofing is the payload (what you do once on the path).
Defenses:
| Defense | How it helps |
|---|---|
| DNSSEC | Cryptographically signs DNS responses → forged answers fail validation |
| DoH / DoT | Encrypts DNS queries to a known resolver → MitM can't even see the queries |
| HTTPS + cert validation | Even if DNS lies, the cert won't match → browser blocks |
| HSTS | Browser refuses to downgrade to HTTP for known sites |
Tip: DNSSEC adoption is uneven (~30% of top sites). DoH/DoT is rolling out — Firefox enabled DoH-by-default in the US in 2020. These mitigations don't help if the local OS still uses plain DNS for non-browser apps.
Go deeper:
DNS spoofing / cache poisoning (Wikipedia) — why unauthenticated UDP DNS is forgeable, the cache-poisoning variants, and DNSSEC/HTTPS mitigations.