
What is DNS Cache Poisoning?

  • By Gcore
  • November 4, 2025
  • 5 min read

DNS cache poisoning is a cyberattack in which false DNS data is inserted into a DNS resolver's cache, causing users to be redirected to malicious sites instead of legitimate ones. As of early 2025, over 30% of DNS resolvers worldwide remain vulnerable to these attacks.

DNS works by translating human-readable domain names into IP addresses that computers can understand. DNS resolvers cache these translations to improve performance and reduce query time.

When a cache is poisoned, the resolver returns incorrect IP addresses. This sends users to attacker-controlled destinations without their knowledge.

Attackers target the lack of authentication and integrity checks in traditional DNS. DNS runs over UDP without built-in verification of who sent a response, making it vulnerable to forged replies. Attackers send forged DNS responses that reach the resolver before the legitimate one, exploiting predictable query parameters and the race between the two replies.

Common attack methods include man-in-the-middle attacks that intercept and alter DNS queries, compromising authoritative name servers to modify records directly, and exploiting open DNS resolvers that accept queries from any source.

The risks of DNS cache poisoning extend beyond simple redirects. Attackers can steal login credentials by sending users to fake banking sites, distribute malware through poisoned domains, or conduct large-scale phishing campaigns. DNS cache poisoning attacks accounted for over 15% of DNS-related security incidents reported in 2024.

Understanding DNS cache poisoning matters because DNS forms the foundation of internet navigation. A single poisoned resolver can affect thousands of users. Poisoned cache entries can persist for hours or days, depending on TTL settings.

What is DNS cache poisoning?

DNS cache poisoning is a cyberattack where attackers inject false DNS data into a DNS resolver's cache. This redirects users to malicious IP addresses instead of legitimate ones.

The attack exploits a fundamental weakness in traditional DNS protocols that use UDP without authentication or integrity checks. This makes it easy for attackers to forge responses.

When a DNS resolver's cache is poisoned, it returns incorrect IP addresses to everyone querying that resolver. This can affect thousands of people at once. The problem continues until the corrupted cache entries expire or administrators detect and fix it.

How does DNS cache poisoning work?

DNS cache poisoning works by inserting false DNS records into a resolver's cache. This causes the resolver to return incorrect IP addresses that redirect users to malicious sites. The attack exploits a fundamental weakness: traditional DNS uses UDP without verifying response integrity or source legitimacy.

When your device queries a DNS resolver for a domain's IP address, the resolver caches the answer to speed up future lookups. Attackers inject forged responses into this cache, replacing legitimate IP addresses with malicious ones.

The most common method is a race condition exploit. An attacker sends thousands of fake DNS responses with guessed transaction IDs, racing to answer before the legitimate server does. If the forged response arrives first with the correct ID, the resolver accepts and caches it.

Man-in-the-middle attacks offer another approach. Attackers intercept DNS queries between clients and servers, then alter responses in transit. They can also directly compromise authoritative name servers to modify DNS records at the source, affecting all resolvers that query them.

Open DNS resolvers present particular risks. They accept queries from anyone and can be exploited to poison caches or amplify attacks against other resolvers.

A single poisoned cache entry can affect thousands of users simultaneously until the TTL expires. This is especially dangerous on popular public resolvers or ISP DNS servers.

What are the main DNS cache poisoning attack methods?

  • Race condition exploits: Attackers send forged DNS responses faster than legitimate authoritative servers can reply. They guess transaction IDs and port numbers to make fake responses look authentic.
  • Man-in-the-middle attacks: Attackers intercept DNS queries between users and resolvers, then modify the responses before they reach their destination. This approach typically targets unsecured network connections such as public Wi-Fi.
  • Authoritative server compromise: Attackers directly access and modify DNS records on authoritative name servers, poisoning DNS data at its source and affecting all resolvers that query the compromised server.
  • Birthday attack technique: Attackers flood resolvers with thousands of forged responses to increase their chances of matching query IDs. The method exploits the limited 16-bit transaction ID space in DNS queries.
  • Open resolver exploitation: Attackers target publicly accessible DNS resolvers that accept queries from any source, poisoning these resolvers to affect multiple downstream users simultaneously.
  • Kaminsky attack: Attackers send many queries for non-existent subdomains of the target domain and flood the resolver with forged responses for each one, gaining repeated chances to poison records for the entire domain rather than a single name.

What are the risks of DNS cache poisoning?

  • Traffic redirection: Poisoned DNS caches send users to malicious servers instead of legitimate websites, enabling credential theft, malware delivery, and phishing.
  • Man-in-the-middle attacks: Attackers can intercept communications between users and services to steal sensitive information.
  • Widespread user impact: A single compromised resolver can affect thousands or millions of users, especially when large public or ISP DNS servers are poisoned.
  • Credential theft: Victims unknowingly enter login details on fake websites controlled by attackers.
  • Malware distribution: Poisoned records redirect software updates to attacker-controlled servers hosting malicious versions.
  • Business disruption: Organizations lose access to critical services and customer trust until poisoned entries expire.
  • Persistent cache contamination: Malicious records can persist for hours or days depending on TTL values, continuing to infect downstream resolvers.

What is a real-world DNS cache poisoning example?

In 2023, attackers targeted a major ISP’s DNS resolvers and injected false DNS records that redirected thousands of users to phishing sites. They exploited race conditions by flooding the resolvers with forged responses that arrived faster than legitimate ones. The attack persisted for several hours before detection, compromising customer accounts and demonstrating how a single poisoned resolver can impact thousands of users simultaneously.

How to detect DNS cache poisoning

You detect DNS cache poisoning by monitoring DNS query patterns, validating responses, and checking for suspicious redirects across your DNS infrastructure.

  1. Monitor resolver logs for unusual query volumes, repeated lookups, or mismatched responses. Set automated alerts for deviations exceeding 20–30% of normal baselines.
  2. Enable DNSSEC validation to verify cryptographic signatures on DNS responses and reject tampered data.
  3. Compare DNS responses across multiple resolvers and authoritative servers to identify inconsistencies.
  4. Analyze TTL values for anomalies; poisoned entries often have irregular durations.
  5. Check for SSL certificate mismatches that indicate redirection to fake servers.
  6. Use tools like DNSViz to test resolver vulnerability to known poisoning techniques.
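As an added example (not from the article), here is the cross-resolver comparison and TTL check from steps 3 and 4 run over constructed answers; the server names, addresses and TTLs are made up. A resolver only counts an authoritative TTL down, never up, so a cached TTL larger than the one the authoritative server publishes is a strong indicator of an injected record.

```python
"""Cross-resolver consistency audit for one DNS name (added example; the
server names, addresses and TTLs below are constructed, not real data)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Answer:
    """A records and TTL returned by one server for the audited name."""
    server: str
    records: frozenset
    ttl: int


def audit(authoritative: Answer, observed: list) -> list:
    """Compare each resolver's cached answer with the authoritative one.

    Two checks from the detection steps above:
      * the record set must match what the authoritative server publishes;
      * the cached TTL must not exceed the authoritative TTL.
    Returns human-readable findings (empty when everything is consistent).
    """
    findings = []
    for ans in observed:
        if ans.records != authoritative.records:
            findings.append(
                f"{ans.server}: returns {sorted(ans.records)}, "
                f"authoritative says {sorted(authoritative.records)}")
        if ans.ttl > authoritative.ttl:
            findings.append(
                f"{ans.server}: cached TTL {ans.ttl}s exceeds "
                f"authoritative TTL {authoritative.ttl}s")
    return findings


# Constructed sample: the authoritative server publishes one address with a
# 300 s TTL; resolver-a agrees, resolver-b serves a different address with a
# one-day TTL, the footprint of a long-lived injected record.
AUTHORITATIVE = Answer("ns1.example.net", frozenset({"203.0.113.10"}), 300)
OBSERVED = [
    Answer("resolver-a", frozenset({"203.0.113.10"}), 120),
    Answer("resolver-b", frozenset({"198.51.100.7"}), 86400),
]

if __name__ == "__main__":
    for line in audit(AUTHORITATIVE, OBSERVED):
        print("ALERT", line)
```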

How to prevent DNS cache poisoning attacks

  1. Deploy DNSSEC on authoritative servers and enable validation on resolvers to cryptographically verify responses.
  2. Use trusted public DNS resolvers with built-in security validation.
  3. Enable source port randomization to make guessing query parameters significantly harder for attackers.
  4. Close open resolvers and restrict responses to trusted networks only.
  5. Keep DNS software updated with the latest security patches.
  6. Set shorter TTL values (300–900 seconds) for critical DNS records to limit exposure duration.
  7. Continuously monitor DNS traffic for anomalies and use IDS systems to flag suspicious response patterns.

What is the role of DNS service providers in preventing cache poisoning?

DNS service providers play a critical role in preventing cache poisoning by validating DNS responses and blocking forged data. They deploy DNSSEC, source port randomization, and rate limiting to make attacks impractical.

Secure providers validate response data against DNSSEC signatures, implement 0x20 encoding (randomizing the letter case of the query name so a forged answer must also match it) to add query entropy, and monitor for patterns that indicate poisoning attempts. Many also use threat intelligence feeds to block known malicious domains and IPs.

Providers that fully implement DNSSEC validation can eliminate forged data injections entirely. Query randomization raises the difficulty of successful poisoning from thousands to millions of attempts, while shorter TTLs and anycast routing further reduce attack windows.
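To make the entropy argument concrete, here is an added example (not Gcore's code) that models the 16-bit transaction ID space the birthday attack method relies on and the effect of adding source port randomization and 0x20 encoding. It assumes a 64512-port ephemeral range (1024-65535), one bit of entropy per letter of the query name, uniform independent guesses, and, for the birthday case, a resolver that does not merge duplicate outstanding queries.

```python
"""Model how transaction ID, source port and 0x20 entropy change the odds of
a forged response being accepted (added example, not Gcore's code).

Assumptions: source ports are drawn uniformly from 1024-65535 (64512 values),
every letter of the query name adds one bit under 0x20 encoding, and forged
guesses are uniform and independent of each other.
"""
import math

TXID_SPACE = 1 << 16                 # 16-bit transaction ID
EPHEMERAL_PORTS = 65535 - 1024 + 1   # 64512 possible source ports


def search_space(port_randomized: bool, qname: str = "") -> int:
    """Number of (txid, port, case) combinations a forged answer must match."""
    space = TXID_SPACE
    if port_randomized:
        space *= EPHEMERAL_PORTS
    space <<= sum(1 for ch in qname if ch.isalpha())  # 0x20: 1 bit per letter
    return space


def hit_probability(forged: int, space: int) -> float:
    """P(at least one of `forged` guesses matches one outstanding query)."""
    return -math.expm1(forged * math.log1p(-1.0 / space))


def birthday_probability(queries: int, forged: int, space: int) -> float:
    """Birthday variant: `queries` simultaneous lookups for the same name on a
    resolver that does not merge duplicates (assumption) and `forged` answers;
    any matching pair wins.  Poisson approximation, mean queries*forged/space."""
    return -math.expm1(-queries * forged / space)


if __name__ == "__main__":
    txid_only = search_space(False)
    hardened = search_space(True, "www.example.com")
    print(f"TXID only:            {txid_only:,} combinations")
    print(f"TXID + port + 0x20:   {hardened:,} combinations")
    print(f"256 guesses, TXID only:          {hit_probability(256, txid_only):.4f}")
    print(f"256x256 birthday, TXID only:     {birthday_probability(256, 256, txid_only):.4f}")
    print(f"1,000,000 guesses, hardened:     {hit_probability(10**6, hardened):.2e}")
```

The birthday line shows why the article's "thousands to millions" holds: with only the transaction ID to guess, 256 provoked queries paired with 256 forged answers give the same success odds as 65536 guesses against a single query, while port randomization plus 0x20 pushes a million guesses below a one-in-ten-million chance.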

However, not all DNS providers maintain equal protection. Open resolvers and outdated configurations remain vulnerable, exposing users to cache poisoning risks.

Frequently asked questions

What's the difference between DNS cache poisoning and pharming?

DNS cache poisoning manipulates a resolver's cache to redirect users to malicious IPs, while pharming more broadly refers to redirecting users to fake sites via DNS poisoning or local malware that modifies host files.

How long does DNS cache poisoning last?

It lasts until the poisoned record's TTL expires—typically from a few minutes to several days. Administrators can flush caches manually to remove corrupted entries sooner.

Can DNS cache poisoning affect mobile devices?

Yes. Mobile devices using vulnerable resolvers through Wi-Fi or mobile networks face the same risks, as the attack targets DNS infrastructure rather than device type.

Is HTTPS enough to protect against DNS cache poisoning?

No. The attack occurs before an HTTPS connection is established, redirecting users before encryption begins.

How common are DNS cache poisoning attacks?

They’re relatively rare but remain persistent. Over 30% of DNS resolvers worldwide were still vulnerable in 2025, and these attacks accounted for more than 15% of DNS-related security incidents in 2024.

Does clearing my DNS cache remove poisoning?

Yes. Clearing your local DNS cache removes poisoned entries from your system but won’t help if the upstream resolver remains compromised.
