Cache Poisoning
An attack that injects forged DNS records into a resolver's cache, redirecting users to malicious servers.
DNS cache poisoning (also called DNS spoofing) tricks a recursive resolver into storing a forged answer for a name. Once the bad record is cached, every client of that resolver is directed to the attacker's address until the record's TTL expires. Dan Kaminsky's 2008 attack is the canonical example. Resolvers of the time matched a reply to its outstanding query using only the 16-bit transaction ID and a fixed UDP source port, so an off-path attacker could flood forged replies and guess. Two details made the guessing practical: querying a fresh, random, nonexistent subname each round let the attacker race again immediately instead of waiting for a cached record's TTL to expire, and the forged replies carried authority and glue records that replaced the cached nameserver entry for the whole zone, not just one name. The finding prompted a coordinated multi-vendor patch release in July 2008, ahead of public disclosure of the details. Modern defences layer source-port randomization (RFC 5452), 0x20 query-name case randomization, DNS cookies (RFC 7873) and DNSSEC validation. The first three raise the number of bits an off-path forger must guess per reply; DNSSEC validation rejects a forged answer regardless of how it arrived, but only for zones that are signed and only on a resolver that validates. Operators should enable validation and run a resolver that implements all four, and zone owners should sign their zones, since an unsigned zone gets none of DNSSEC's protection.
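The following is an added illustration, not code from the page or from any real resolver: a small model of the per-reply acceptance checks a hardened resolver makes (source address, destination port, transaction ID, byte-exact 0x20 question name, cookie echo), an entropy estimate for each defence, and a Kaminsky-style off-path reply flood run against a weak configuration (fixed port, no 0x20, no cookies) and a hardened one. The name `www.example.com` and the addresses `192.0.2.53`, `192.0.2.10` and `203.0.113.7` are documentation values; the "reject any reply that omits our cookie" policy is a simplifying assumption (a real resolver must tolerate servers that do not support cookies).

```python
"""Model of a hardened resolver's reply checks and an off-path forgery flood.
Constructed example for illustration; nothing is sent on the network."""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Query:
    txid: int      # 16-bit transaction ID from the DNS header
    port: int      # UDP source port: fixed (53) or randomized (RFC 5452)
    qname: str     # question name as sent; case-randomized when 0x20 is on
    server: str    # authoritative address the query was sent to
    cookie: bytes  # 8-byte client cookie (RFC 7873), empty when disabled


@dataclass(frozen=True)
class Reply:
    txid: int
    port: int      # destination port the reply was addressed to
    qname: str     # question section echoed by the responder
    src: str       # source address of the reply (trivially spoofed)
    cookie: bytes  # client cookie echoed by the responder, empty if absent
    rdata: str     # address the sender wants the resolver to cache


def randomize_0x20(name: str, rng: random.Random) -> str:
    """Randomly flip each letter's case; an authoritative copies the question
    back verbatim, so a forger must match every flipped bit."""
    return "".join(c.swapcase() if c.isalpha() and rng.getrandbits(1) else c
                   for c in name)


def send_query(name, server, rng, *, random_port, use_0x20, use_cookie):
    """The resolver's record of one outstanding query under a given policy."""
    return Query(
        txid=rng.getrandbits(16),
        port=rng.randrange(1024, 65536) if random_port else 53,
        qname=randomize_0x20(name, rng) if use_0x20 else name.lower(),
        server=server,
        cookie=rng.getrandbits(64).to_bytes(8, "big") if use_cookie else b"",
    )


def accept(q: Query, r: Reply):
    """Return (accepted, reason); cache the answer only if every field matches."""
    if r.src != q.server:
        return False, "source address mismatch"
    if r.port != q.port:
        return False, "destination port mismatch"
    if r.txid != q.txid:
        return False, "transaction ID mismatch"
    if r.qname != q.qname:            # byte-exact compare is what enforces 0x20
        return False, "question name case mismatch"
    if q.cookie and r.cookie != q.cookie:   # assumed strict policy (see lead-in)
        return False, "client cookie mismatch"
    return True, "accepted"


def entropy_bits(name, *, random_port, use_0x20, use_cookie):
    """Bits an off-path attacker must guess for one forged reply to pass."""
    bits = 16.0                                  # transaction ID
    if random_port:
        bits += math.log2(65536 - 1024)          # ephemeral port range
    if use_0x20:
        bits += sum(c.isalpha() for c in name)   # one bit per letter
    if use_cookie:
        bits += 64                               # client cookie
    return bits


def success_probability(bits, attempts):
    """Chance that at least one of `attempts` uniform random guesses is accepted."""
    return 1.0 - (1.0 - 2.0 ** -bits) ** attempts


def flood(q: Query, name: str, attempts: int, rng: random.Random) -> int:
    """Off-path attacker: knows the name and server, knows the port only when it
    is the fixed 53, cycles through transaction IDs, sends the name in lowercase
    and no cookie. Returns how many forged replies the resolver accepted."""
    accepted = 0
    for i in range(attempts):
        forged = Reply(txid=i % 65536,
                       port=53 if q.port == 53 else rng.randrange(1024, 65536),
                       qname=name.lower(), src=q.server, cookie=b"",
                       rdata="203.0.113.7")
        if accept(q, forged)[0]:
            accepted += 1
    return accepted


def run_scenario(name, server, attempts=65536, seed=1, **policy):
    """Issue one query under `policy`, flood it, and confirm the genuine reply
    still passes. Returns (entropy_bits, forged_accepted, genuine_accepted)."""
    q = send_query(name, server, random.Random(seed), **policy)
    forged_hits = flood(q, name, attempts, random.Random(seed + 1))
    genuine = Reply(q.txid, q.port, q.qname, q.server, q.cookie, "192.0.2.10")
    return entropy_bits(name, **policy), forged_hits, accept(q, genuine)[0]


if __name__ == "__main__":
    policies = {"weak": dict(random_port=False, use_0x20=False, use_cookie=False),
                "hardened": dict(random_port=True, use_0x20=True, use_cookie=True)}
    for label, policy in policies.items():
        bits, hits, ok = run_scenario("www.example.com", "192.0.2.53", **policy)
        print(f"{label:9s} guess space={bits:6.1f} bits  forged accepted={hits}  "
              f"genuine accepted={ok}  "
              f"p(65536 random guesses)={success_probability(bits, 65536):.3g}")
```

Against the weak policy an exhaustive 65536-reply burst lands exactly one forged answer, which is the whole Kaminsky race: repeat it against a new random subname and the attacker wins as soon as one burst beats the real reply. Against the hardened policy the same burst lands nothing, and the probability column shows why port and case randomization alone push a 65536-guess flood from a near-certain hit to a hopeless one, before DNSSEC is even considered.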
Referenced on
- Build a DNS Resolver from Scratch in Node.js
- Build a DNS Resolver from Scratch in Python
- Complete Guide to DNS Attacks and DNS Security (Prevention, Testing & Mitigation)
- DNS Blog
- DNS Hijacking Explained: How Attackers Take Control of Your Domain's Resolution
- DNS Rebinding Attack: How Browsers Are Tricked Into Bypassing Same-Origin Policy
- DNS Security Dashboard
- DNS Zone Walking for Subdomain Enumeration: How NSEC Exposes Your Subdomains
- DNSSEC Adoption by TLD
- DNSSEC Downgrade Attack: How Attackers Strip Cryptographic Protection from DNS
- Domain Availability
- Free DNS Lookup Tool
- What Is an Open DNS Resolver? Why It's Dangerous and How to Fix It
- What Is DNS Cache Poisoning? How It Works and How to Prevent It
- What Is DNS TTL? How Time to Live Controls Caching, Propagation, and Performance
- What Is DNSSEC and Why Should You Enable It?
- What Is NXDOMAIN? Understanding the 'Domain Does Not Exist' DNS Response
- Why DNSSEC Is Still Failing: Lessons from 240 Million Domains