+3 votes
in Security by (242k points)
DNS spoofing: how it works and how you can protect yourself

1 Answer

+4 votes
by (1.6m points)
Best answer

Fast facts: Domain Name System (DNS)
What is DNS spoofing?
How does DNS spoofing work?
Objectives of DNS spoofing
What are the risks of DNS spoofing?
Variants of DNS spoofing
How to protect yourself from DNS spoofing
What are cybercriminals trying to do with DNS spoofing?
What are internet providers trying to do with DNS spoofing?
Variant (A): attack on client or local router
Variant (B): attack on DNS server response
Variant (C): DNS server attack
Use encryption to protect against DNS spoofing
Use a public network to resolve DNS


DNS spoofing: how it works and how you can protect yourself

Name resolution on the internet can be manipulated in different ways. One form of attack is DNS spoofing , with which IP addresses are spoofed. We tell you exactly how it happens, what its objective is, what variants exist and how you can protect yourself..

  1. Fast facts: Domain Name System (DNS)
  2. What is DNS spoofing?
  3. How does DNS spoofing work?
  4. Objectives of DNS spoofing
    1. What are cybercriminals trying to do with DNS spoofing?
    2. What are internet providers trying to do with DNS spoofing?
  5. What are the risks of DNS spoofing?
  6. Variants of DNS spoofing
    1. Variant (A): attack on client or local router
      1. DNS server spoofing on local system
      2. Handling the hosts file on the local system
      3. Hijack of the local router
    2. Variant (B): attack on DNS server response
    3. Variant (C): DNS server attack
      1. DNS cache poisoning on the server
      2. DNS server hijacking
  7. How to protect yourself from DNS spoofing
    1. Use encryption to protect against DNS spoofing
      1. Use transport encoding
      2. Encrypt DNS traffic
      3. Use a virtual private network
    2. Use a public network to resolve DNS

Fast facts: Domain Name System (DNS)

The Domain Name System (DNS) is a system established throughout the world to correlate Internet domains with their corresponding IP addresses . DNS returns the IP address linked to the domain name, a process known as name resolution.

For name resolution to work, the IP address of a DNS server must be registered on the device. The device directs its DNS request to this server, which performs name resolution and responds. If no DNS server is configured on the device, the one on the local router is used automatically..

What is DNS spoofing?

The general concept of spoofing means? Tease? or? forgery ?. The DNS spoofing refers to the different situations in which the DNS name resolution is handled . More specifically, what happens is that the IP address belonging to a domain is spoofed. Thus, the device establishes a connection with the spoofed IP address and diverts the data traffic to a fake server. Let's see an example:

  Request to DNS server Delivered IP address
Normal state 'example.com' '93 .184.216.34 '
DNS spoofing 'example.com' '' (example)

Because name resolution takes place in the background, the victim is often unaware of the tampering. One of the most dangerous features of DNS spoofing is that the browser displays the correct domain .

How does DNS spoofing work?

The term DNS spoofing describes a variety of attack scenarios . The following outline explains the principles of DNS spoofing ..

The client wants to establish a connection with the website https://ejemlo.com and is deceived in the process
  • d1: The client (for example, the device browser) first accesses from the DNS server the IP address belonging to the host called? example.com ?.
  • d2: The client receives a response to their request, which, however, contains a spoofed IP address. Therefore, the connection to the legitimate server of? Example.com? it is not carried out.
  • h1: Instead, the client's request is sent to the malicious host hiding behind the spoofed IP address.
  • h2: The malicious host delivers a legitimate-looking page to the client. However, the forged domain does not pass the security certificate, so the attack becomes clear.
  • A, B, C: Different starting points for DNS spoofing : the client or local router, the network connection or the DNS server.

Objectives of DNS spoofing

The main purpose of DNS spoofing is to carry out attacks that generally aim to collect sensitive user data . However, legitimate companies also partially resort to DNS spoofing . It is well known that some Internet Service Providers (ISPs) use this method for censorship and commercial purposes.

What are cybercriminals trying to do with DNS spoofing?

Cybercriminals use DNS spoofing for phishing and pharming attacks. The main objective is to obtain the user's sensitive data. In DNS spoofing , the victim is made to believe that they have reached a legitimate domain and, using their trust in the spoofed domain, malicious software is transmitted to them. The person unintentionally installs this malware on the computer and infects their own system with it.

What are internet providers trying to do with DNS spoofing?

Most of the people use, without being aware of it, a DNS server of their Internet provider that is usually pre-installed on the local router. In this way, any DNS query is subject to control by the internet provider.

ISPs can deliberately manipulate your DNS tables to enforce state censorship . In this way, in many countries, user access to pornography or file-sharing domains is frustrated. If the user tries to access one of these blocked domains, they are redirected to a warning page. However, these blocks can easily be bypassed by using an uncensored DNS server.

This same trick of diverting user access to a certain domain and taking it to another page is also used to collect user data for commercial purposes . Thus, Internet providers use DNS hijacking to divert a user looking for a non-existent domain or misspelling it to a certain page. Such a page displays advertising, for example, or creates a user profile that sells for profit.

What are the risks of DNS spoofing?

DNS is a fundamental technology on the Internet: in all connection establishments, name resolution is used. For this reason, DNS spoofing can affect each and every client connection . It doesn't matter if the victim accesses a web page or sends an email: if the IP address of the affected server has been tampered with, the attacker can access the data.

These are the risks of DNS spoofing :

  • Theft of confidential data: via the attacks spear phishing and pharming sensitive data is stolen, such as passwords, which are often used to enter computer systems or perform various fraudulent activities.
  • System infection with malware : The victim installs malicious software on his own system unintentionally, which favors other attacks and spying by the attacker.
  • Interception of a full user profile: The intercepted personal data is sold or used for other spear phishing attacks .
  • Persistent threat risk: If a malicious DNS server is installed on the system, communication is compromised. Also, temporarily spoofed DNS responses can remain in the cache and cause corruption for a long time.

A concrete example : in the context of the COVID-19 pandemic, a wave of DNS spoofing attacks occurred in the spring of 2020. They consisted of router hijacking attacks , in which a malicious IP address was registered for the DNS server on routers with insecure administrator access. The victim received an alleged notice from the World Health Organization inviting him to immediately install an information application on COVID-19. In reality, the software was a Trojan. If installed by a gullible person, the Trojan searched their local system and tried to capture sensitive data in order to create a complete profile and use it in other spear phishing attacks against the victim. The stolen data included the following:

  • Cookies (browser)
  • Browser history
  • Payment details (browser)
  • Saved access data (browser)
  • Saved form data (browser)
  • Cryptocurrency wallets
  • All kinds of text files on the device
  • Databases for two-factor authentication (2FA)

Variants of DNS spoofing

The next three attack variants refer to the scheme (AC) presented at the beginning.

Variant (A): attack on client or local router

In this variant of DNS spoofing attack , the local device or router is maliciously manipulated . In principle, for the victim, everything is apparently normal: the device connects without problem to the DNS server. However, malicious IP addresses are returned to the requested hostname .

The threat of these attacks persists until anti-tampering measures are taken. The cybercriminal needs an attack vector to carry out the intrusion, which can be a technical aspect, an open administrator access or a weak password. The attacker can also convince you through social engineering to make the change yourself without perceiving the threat.

DNS server spoofing on local system

In local hijack , another known form of DNS spoofing attack , the IP address of the DNS server is configured with a malicious value in the network settings of the local device.

The victim can easily notice the alteration and correct it. The problem is that manipulation is often combined with malware that re-falsifies the victim's corrected data.


Use the online tool WhoismyDNS to check if you have been a victim of this type of DNS spoofing attack .

Handling the hosts file on the local system

Most operating systems use the so-called hosts file to enable the resolution of names of certain domains on the local system. If a malicious entry is placed in this file, the data traffic is diverted to a server that is in the attacker's hands.

The tampering has no expiration date, although a computer-savvy victim can easily spot it. A simple modification of the hosts file is enough to solve the problem.

Hijack of the local router

The default IP address of a DNS server of the Internet provider is configured on the local router. During a hijack attack on the router, it is replaced by a malicious value. The attack threatens all data traffic passing through the router . As in any home or office it is common for several devices to use the router to connect, the victims of this attack can be several.

Many users forget that they can configure the router themselves, so this attack tends to remain hidden for a long time . If problems appear, victims generally blame the device itself and not the router. Therefore, you should also think of the router as a source of error when rare failures occur.


Use F-Secure Router Checker to check if you have been a victim of this type of DNS spoofing attack .

Variant (B): attack on DNS server response

This variant of DNS spoofing consists of a man-in-the-middle attack . The attacker impersonates the victim's DNS server and issues a malicious response. The attack works because DNS traffic relies on the unencrypted User Datagram Protocol (UPD ). For the victim, the authenticity of DNS responses cannot be guaranteed.

Other forms of attack, such as ARP spoofing and MAC spoofing, can be used as a gateway to the local network. The application of encryption technologies protects against many man-in-the-middle attacks .

Variant (C): DNS server attack

This form of attack DNS spoofing is directed against a legitimate DNS server and, therefore, can affect many users. This is a high-level attack, because many security mechanisms typically have to be overcome to crack the server.

DNS cache poisoning on the server

DNS servers are hierarchically arranged and communicate with each other. A cybercriminal can use IP spoofing to impersonate one of them. In this case, the attacker convinces the server to accept a fake IP address for a domain, and the server caches the malicious entry : thus, the cache is "poisoned".

Once the cache is poisoned, each request made to the server responds to the victim with a malicious entry. The threat remains active until the entry is removed from the cache. As a server protection mechanism, there is the DNSSEC extension, with which the security of the communication processes of the servers within the DNS can be guaranteed.


Use the IONOS domain protection service to protect your domain from tampering.

DNS server hijacking

This form of threat, known as rogue hijack , represents a fairly complex attack on DNS. With it, the attacker takes control of a legitimate DNS server. Once compromised, even the latest DNS ciphers don't protect it . However, by encrypting the content, the victim can at least become aware of the attack.

How to protect yourself from DNS spoofing

As we have seen, DNS spoofing poses a serious danger. Fortunately, there are a number of simple measures that offer effective protection against DNS spoofing .

Use encryption to protect against DNS spoofing

Typically, encryption methods offer two main benefits:

  1. The data is protected against access by unauthorized third parties.
  2. The authenticity of the parts of the communication is guaranteed.

The second point is an especially critical factor in the fight against DNS spoofing : if the attacker impersonates a legitimate host , this generates a certificate error on the user's page. In this way, the attempted fraud is exposed.

Use transport encoding

For a basic level of protection , the security of as many connections as possible should be ensured by the usual methods of transport encryption. Preferably, you should go to web pages over HTTPS . The famous HTTPS Everywhere browser plug-in allows you to connect securely to web pages that deliver content over both HTTP and HTTPS. Also, you should use configured connections (IMAP, POP3 and SMTP) and secure protocols such as TLS and SSL in your email programs.

If your connections are protected by transport encryption, you will at least be aware of DNS spoofing attacks : since the malicious host does not have the security certificate of the real host , the browser and the email program warn when the connection is established . This way, you have the opportunity to interrupt the connection and take other security measures.

Encrypt DNS traffic

Transport encryption protects the transmission of data, but does not solve the vulnerability of the connection with the DNS server, so that it becomes the weakest link in the chain. However, the user can take steps to encrypt DNS queries . Some noteworthy ones are especially DNSCrypt, DNS over HTTPS (DoH) and DNS over TLS (DoT). All of these technologies protect from dangerous man-in-the-middle attacks, although none of them are built into the most popular operating systems. Also, the DNS server must support the corresponding technology to access DNS encryption.

Use a virtual private network

In addition to encrypting the transport and protecting the connection to the DNS server, a virtual private network (VPN) can be used to increase protection against DNS spoofing . By using a VPN, all connections are conducted through an encrypted tunnel. It is important to mention that in most VPN programs it is possible to store the IP address of a DNS server. This way, if it is a malicious address, the VPN will not offer any protection against DNS spoofing.

In case you don't want to waste a lot of time choosing a VPN provider, you can use Cloudflare's free WARP app, which offers VPN functionality and DNS encryption through Cloudfare's Public DNS resolver. You will find more information about it in the next section. In this application, increased security is accompanied by an intuitive user interface. At the moment, it is only available for mobile devices, but in the future it will also have the desktop version for Windows and Mac.

Use a public network to resolve DNS

One of the most effective protection measures against DNS spoofing is to use a public DNS resolver. Installing it is so simple that practically any user can configure it on their device. To do this, you just have to change the DNS server registered in your system. As an example, we can name the Quad9 network, made available by the non-profit organization of the same name.

Using a public DNS service offers the following benefits:

  • Fast DNS response speed: Large DNS networks manage dozens of servers around the world. Through so - called anycast-routing , the geographically closest server is always used for name resolution, which translates into short response times.
  • High degree of protection and anonymity: Many ISPs sell their customers' data exposed during DNS traffic. Public solvers typically store very little or no user data, thus offering a high degree of protection and anonymity.
  • No imposition of censorship measures: Government censorship obligations are only valid within the borders of a country. Internet providers generally operate in the customer's own country and are therefore obliged to impose them. On the contrary, a public DNS service established abroad can offer its services globally without having to respect the censorship decreed by any state.
  • Support for current security standards: Large public DNS networks specialize in exclusively answering DNS requests. Therefore, they are pioneers when it comes to the application of security standards such as DNSSEC, DoH, DoT, and DNSCrypt.
  • Malicious domain blocking: Using a public DNS resolver can also protect against malware and phishing . Known malicious domains are added to blacklists. When trying to access them, the user is redirected to a warning page.

The following table summarizes the most popular public DNS networks. All these services are redundantly configured using two IP addresses, so that if the first of the two servers is not found, the second is used. Some networks offer other IP addresses on which additional functions can be activated, such as child protection.


Filtering contents

Data Protection

Name server IP addresses


Malicious domain filtering

No user data registration and

Cloudflare DNS Family

Malicious domain filtering and child protection

No user data registration and

Cloudflare DNS

No filtering

No user data registration and


No filtering

No user data registration and


The DNS spoofing poses a serious threat. Using encryption technologies in combination with a public DNS resolution network protects us greatly against this type of attack.