DNS cache poisoning, also known as DNS spoofing, is an attack technique in which corrupt DNS data is entered into a DNS server's lookup (resolver) cache. These fake records are then given to clients and other DNS servers.

There are millions of DNS servers worldwide, but most of them do not directly manage any records. When a client needs to resolve a name, it asks its local DNS server for the IP address. If the local server does not have the record, it asks other DNS servers for the information and then caches (stores) the result in case someone else needs it. If an attacker can insert false records into the DNS server's cache, the server will hand those false records to its clients. This can cause a cascading effect in which other DNS servers are poisoned by the original server and pass the corrupt records on to still more clients and DNS servers.

DNS cache poisoning example

Some foreign governments use DNS cache poisoning against their own DNS servers to prevent their citizens from accessing certain types of content on the Internet. An attacker who cannot reach the DNS server itself can instead masquerade as the local DNS server, sending fake replies to clients as they try to resolve names.

Unfortunately, the trusting and open nature of DNS makes it intrinsically vulnerable to cache poisoning and spoofing attacks. The Kaminsky Bug (CVE-2008-1447) underscored the challenge of trying to fix a fundamental flaw in a protocol that basically runs the Internet. DNSSEC (attaching digital signatures to DNS records) was considered to be the only real remedy, but even 10 years later it is still not widely implemented.
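The caching behaviour described above is what makes poisoning possible, and the checks a resolver applies before caching a reply are what limit it. The following is an added example, not code from the original page: a toy resolver cache that models the two post-Kaminsky defences (the reply must carry the random transaction ID and arrive on the random source port of the outstanding query) and the bailiwick rule (a server for one zone cannot plant records about another). All names, ports and addresses are constructed sample data.

```python
# Added example, not code from the page: a toy model of the acceptance checks a
# caching resolver applies to a reply.  Transaction ID and source port must match
# the outstanding query (an off-path forger has to guess both), and records are
# cached only if they fall within the queried server's zone (the bailiwick rule).
from dataclasses import dataclass

@dataclass(frozen=True)
class Record:
    name: str   # owner name, e.g. "www.example.com."
    rtype: str  # "A", "NS", ...
    data: str   # IP address, name server name, ...

@dataclass(frozen=True)
class PendingQuery:
    qname: str
    txid: int      # random 16-bit ID the resolver put in the query
    src_port: int  # random UDP source port the query left from
    zone: str      # zone the queried server is authoritative for

def in_bailiwick(name: str, zone: str) -> bool:
    """True when name is the zone apex or lies beneath it."""
    n, z = name.lower().rstrip("."), zone.lower().rstrip(".")
    return n == z or n.endswith("." + z)

class ResolverCache:
    def __init__(self) -> None:
        self.entries = {}  # (name, rtype) -> data

    def accept(self, q: PendingQuery, txid: int, dst_port: int,
               records: list[Record]) -> list[Record]:
        """Cache what the reply is allowed to assert; return the records kept."""
        # Wrong ID or port: drop the whole reply as a probable forgery.
        if txid != q.txid or dst_port != q.src_port:
            return []
        kept = []
        for rec in records:
            # Out-of-bailiwick record (e.g. a server for example.com asserting
            # an address for bank.test) is ignored rather than cached.
            if not in_bailiwick(rec.name, q.zone):
                continue
            self.entries[(rec.name, rec.rtype)] = rec.data
            kept.append(rec)
        return kept

def demo() -> dict[str, int]:
    """Feed one forged and one mixed reply to the cache; report what survived."""
    cache = ResolverCache()
    q = PendingQuery("www.example.com.", txid=0x3A7F, src_port=51234, zone="example.com.")
    bad_id = cache.accept(q, 0x0001, 51234, [Record("www.example.com.", "A", "198.51.100.9")])
    mixed = cache.accept(q, 0x3A7F, 51234, [Record("www.example.com.", "A", "192.0.2.10"),
                                             Record("bank.test.", "A", "198.51.100.9")])
    return {"bad_id": len(bad_id), "mixed": len(mixed), "cached": len(cache.entries)}
```

Running `demo()` shows the reply with the wrong ID contributing nothing, while the mixed reply has only its in-zone record cached; a resolver that skipped either check would have cached the address for `bank.test.` too.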

DNS Cache Poisoning Tools

DNS cache poisoning and spoofing tools include:

  • Metasploit auxiliary/spoof/dns/bailiwicked_host
  • ettercap with the dns_spoof plugin
  • MITMf
  • Kali dnsspoof
  • ARPwner
  • Kali DNSChef