SHARE
What is a DNS poisoning attack?
The DNS is the infrastructure behind the internet, which translates human-friendly text domain names into numeric internet protocol (IP) addresses recognized by computers. When users type a website URL into a browser, a series of internet queries are launched, and this complex journey directs users to their intended web destination, usually in a matter of milliseconds.
These internet queries first go to the internet service provider (ISP), and if the ISP has the IP address cached (saved), the computer resolves to the right web location. If the ISP has been compromised, cybercriminals have replaced the cached IP address with a fraudulent website they control, re-routing a company's web traffic to content of the criminal's choice.
Put simply, attackers access servers (like ISPs) and replace the saved information with their own malicious websites—called DNS poisoning. This type of attack is also known as cache poisoning, DNS cache poisoning, or domain poisoning.
The result is DNS spoofing, when your website visitors are directed to a brand-identical but fraudulent website where they unwittingly hand over sensitive, confidential information or credentials in the belief they’re interacting with the legitimate company, potentially downloading malware and viruses along the way.
DNS cache poisoning vs. DNS spoofing attacks
DNS poisoning is a type of DNS spoofing attack. In a DNS spoofing attack, false DNS data is introduced to misdirect users to fraudulent websites without their knowledge. DNS cache poisoning specifically targets the caching mechanisms of DNS resolvers, injecting malicious records that remain until the cache expires or is manually cleared. A poisoned DNS record can impact not just direct website access, but also other internet-dependent services that rely on web requests to function.
Cache poisoning vs. DNS hijacking
Unlike DNS hijacking, which involves changing DNS settings at the domain level, cache poisoning manipulates the stored responses within a DNS resolver’s cache. This means that even if a company’s official DNS records remain secure, users relying on compromised resolvers can still be misdirected due to manipulated cache keys. The impact is often temporary and affects only users relying on that manipulated DNS server. Once the cache is cleared or updated, the breach ends.
DNS hijacking involves taking direct control of a domain’s DNS settings, and the impact is ongoing until the DNS records are corrected manually.
DNS cache poisoning vs. web cache poisoning
DNS cache poisoning and web cache poisoning are sometimes confused with each other, but they are distinct threats. DNS cache poisoning manipulates DNS resolver caches to redirect users to fraudulent websites, while web cache poisoning exploits vulnerabilities in HTTP headers or caching mechanisms to store and serve malicious content. While both involve storing copies of data in temporary locations (caching), DNS cache poisoning affects how users reach a site, whereas web cache poisoning impacts what content is delivered once they arrive.
Consequences of domain poisoning
While DNS cache poisoning has become less common in recent years, it still poses a threat to businesses by amplifying vulnerability and leading the way to more significant assaults and phishing scams. Redirecting visitors from the correct website hurts a brand’s reputation and leads to loss in revenue and customer trust. In addition, companies may face legal liabilities in the wake of a security event.
How to detect DNS cache poisoning
The most obvious sign of trouble when this type of activity occurs is when customers and employees report landing on the wrong website or encountering unusual error messages. Other red flags include finding mismatched IP addresses in DNS records and sudden spikes in queries to unfamiliar or rarely used domains. Fortunately, automated monitoring tools can continually check the integrity of DNS records and identify any discrepancies that may arise.
How to fix a cache poisoning attack
Businesses must act quickly when a breach occurs to mitigate any damage. The first step is to clear the DNS cache on affected servers. This removes any false records inserted by the intruder and forces the DNS server to retrieve the correct information from trusted sources.
This can usually be done through system commands. Those exact steps depend on the operating system or DNS software in use. For example:
On Windows servers: Use the “ipconfig /flushdns” command.
On Linux or macOS servers: Use the “sudo systemd-resolve --flush-caches” or “sudo dscacheutil -flushcache” commands, depending on the system.
After clearing the cache, check that the DNS server is retrieving the right information from trusted sources.
How to prevent DNS poisoning
Strengthening defenses from the outset is the best way to ensure a network remains secure and resilient.
Use DNS security extensions (DNSSEC) to protect website visitors from forged DNS data. When DNS was first created, security was not built in as a priority. DNSSEC was designed to help correct this oversight by verifying DNS queries and responses with digital signatures.
DNSSEC adoption has risen steadily for the past few years, but it remains far from a universal practice. However, it’s one of the most recommended security measures for preventing DNS cache poisoning.
Additional ways to prevent DNS cache poisoning include:
- Selecting a reliable DNS provider with a strong reputation for security
- Restricting recursive DNS queries and zone transfers to trusted users only
- Reducing the time-to-live (TTL) value for DNS records to limit how long potentially poisoned data stays in caches
- Monitoring DNS traffic for anomalies, such as unexpected spikes or irregular patterns, which may indicate poisoning attempts
By implementing measures like DNSSEC, using a trusted DNS provider, and staying vigilant with monitoring, businesses can better shield their domains and customers from dangers.
Adopt reliable DNS service
Selecting a superior DNS security platform helps ensure you avoid attacks like DNS cache poisoning. At CSC, we offer advanced security, including DNSSEC, which safeguards your infrastructure and ensures the integrity of your online presence. Don’t wait until an event compromises your operations—reach out today to learn how to defend your brand from evolving threats.
Frequently asked questions (FAQ)
A key sign of DNS poisoning is when users report being redirected to an unfamiliar or fraudulent website despite entering the correct URL. Other indicators include unusual error messages, mismatched IP addresses in DNS records, and unexpected spikes in DNS queries for unfamiliar domains.
DNS poisoning refers to the act of inserting false information into a DNS resolver’s cache, redirecting users to malicious websites. DNS spoofing is the broader tactic of faking DNS responses to mislead users—DNS poisoning is one method of carrying out DNS spoofing.
A toxic domain is a web address associated with malicious activity, such as phishing, malware distribution, or fraud. These domains may be used in DNS poisoning schemes to trick users into visiting harmful websites designed to steal credentials or compromise security.
Domain abuse in the context of DNS poisoning involves manipulating DNS records or cache data to redirect traffic, deceive users, or facilitate phishing and malware attacks. Unlike domain infringement, which involves unauthorized use of a brand’s name in a domain, DNS poisoning is a type of domain abuse focused on malicious tactics that exploit DNS vulnerabilities.
Related resources
A Basic Overview of DNSSEC
6 Ways to Strengthen DNS Security
Digital Asset Security Checklist
Digital Asset Security:
Back to Basics
Domain Security Blind Spots Put Global Enterprises at Serious Risk According to New Research from CSC’s Digital Brand Services Division
Make an inquiry
All fields marked with * are required.