DNS Poisoning (DNS Cache Poisoning) Attack Flow – Complete Deep Technical Explanation

This post provides a book-style, in-depth explanation of the DNS Poisoning (DNS Cache Poisoning) attack, using the visual diagram shown above. The goal is to help students, professionals, and cybersecurity experts understand how DNS poisoning works at an infrastructure level.
DNS poisoning is one of the most dangerous attacks because it does not target a single user — it compromises the DNS system that many users trust.
What Is DNS (Domain Name System)?
The Domain Name System (DNS) is a core internet service that translates human-readable domain names into machine-readable IP addresses.
Example: bank.com → 104.21.56.78
Without DNS, users would need to remember IP addresses instead of simple website names. DNS is therefore a critical trust-based system of the internet.
What Is DNS Cache Poisoning?
DNS Cache Poisoning (also called DNS Spoofing) is an attack where:
An attacker injects fake DNS records into a DNS resolver’s cache, causing users to be redirected to malicious websites instead of legitimate ones.
This attack works by exploiting the fact that DNS resolvers:
- Accept a response that appears to answer an outstanding query, without verifying who actually sent it
- Cache responses for performance
- Often lack cryptographic verification (without DNSSEC)
Main Components Shown in the Diagram
1. Attacker (Malicious Actor)
The attacker’s objective is to redirect users to a malicious server by poisoning DNS data. The attacker does not directly hack the victim’s device. Instead, the attacker targets the DNS resolver infrastructure.
The attacker typically:
- Sends spoofed DNS responses
- Uses fake IP addresses
- Attempts to respond faster than the legitimate DNS server
2. Vulnerable DNS Resolver (ISP / Public DNS)
A DNS resolver is responsible for:
- Receiving DNS queries from users
- Querying authoritative DNS servers
- Caching responses for future requests
A resolver becomes vulnerable when:
- DNSSEC is not enabled
- Transaction ID randomization is weak
- Source port randomization is insufficient
Once poisoned, every user relying on this resolver is affected.
3. DNS Cache
The DNS cache stores recently resolved domain-to-IP mappings to improve performance.
Normal Cache Entry: bank.com → 104.21.56.78
After poisoning:
Poisoned Cache Entry: bank.com → 1.2.3.4 (Attacker-Controlled IP)
This poisoned entry remains active until:
- The TTL (Time To Live) expires
- The cache is manually flushed
4. Legitimate Authoritative DNS Server
This server holds the correct DNS records for the domain (e.g., bank.com). It provides the legitimate IP address.
In a DNS poisoning attack:
- The legitimate response arrives too late
- The resolver already accepted a fake response
- The correct response is ignored
5. Unsuspecting User (Victim)
The user:
- Types a legitimate domain name (bank.com)
- Trusts DNS completely
- Has no visible sign of compromise
This makes DNS poisoning extremely dangerous and stealthy.
Step-by-Step DNS Poisoning Attack Flow (As Shown in the Image)
Step 1: Cache Poisoning Attack (Fake DNS Responses)
The attacker sends a flood of fake DNS responses to the vulnerable DNS resolver. These responses contain:
- The correct domain name
- A fake IP address controlled by the attacker
- A spoofed source address that pretends to be the authoritative DNS server
The attacker’s goal is to respond before the real DNS server does.
Step 2: Legitimate DNS Query From User
The user requests:
bank.com
The DNS resolver does not yet have the answer and forwards the query to the authoritative DNS server.
Step 3: Fake IP Injection (Critical Moment)
Before the legitimate response arrives:
- The attacker’s fake response reaches the resolver
- The resolver accepts it as valid
- The fake IP is cached
This is the exact moment when the DNS cache becomes poisoned.
Step 4: Legitimate DNS Response Arrives (Too Late)
The authoritative DNS server sends the correct IP address. However:
- The resolver already cached the fake record
- The legitimate response is ignored
Step 5: Poisoned Response Sent to User
The DNS resolver responds to the user with the poisoned IP address. The user’s browser connects to the attacker’s server instead of the real one.
Step 6: Redirection to Malicious Website
The attacker’s server hosts a fake website that looks identical to the real site.
The attacker can now:
- Steal usernames and passwords
- Capture OTPs
- Hijack sessions
- Distribute malware
Why DNS Poisoning Is Extremely Dangerous
| Reason | Explanation |
|---|---|
| Infrastructure Attack | Affects many users at once |
| Invisible to Users | URL appears legitimate |
| Long Lasting | Cache remains poisoned until the TTL expires or the cache is flushed |
Defenses Against DNS Poisoning
1. DNSSEC (DNS Security Extensions)
DNSSEC uses cryptographic signatures so that a resolver can verify that a DNS response came from the zone owner and was not altered in transit. A validating resolver refuses fake DNS data because forged records carry no valid signature.
2. Source Port & Transaction ID Randomization
A resolver accepts a response only if it matches the transaction ID and the source port of the query it is waiting for. Randomizing both makes it extremely difficult for an attacker to produce a response the resolver will treat as valid.
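The following toy resolver is an added example (not code from the original post) that models the resolver-side behaviour described in Steps 2 to 4 and in this defense: a response is accepted only if it matches the outstanding query's transaction ID and port, the first accepted answer is cached for its TTL, a late duplicate is ignored, and the entry disappears once the TTL expires. The `Resolver`, `Response`, `guess_space` and `scenario` names are all assumptions of this example; the IP addresses are the ones used in the post.

```python
import random
from dataclasses import dataclass

@dataclass
class Response:
    qname: str
    txid: int   # 16-bit DNS transaction ID, must echo the query's ID
    port: int   # UDP port the response is addressed to (the query's source port)
    ip: str     # answer carried by the response
    ttl: int    # seconds the answer may stay cached

class Resolver:
    def __init__(self, randomize_port=True, seed=None):
        self.rng = random.Random(seed)
        self.randomize_port = randomize_port
        self.pending = {}   # qname -> (txid, port) of the outstanding upstream query
        self.cache = {}     # qname -> (ip, expiry time)

    def send_query(self, qname):
        txid = self.rng.randrange(1 << 16)
        port = self.rng.randrange(1024, 1 << 16) if self.randomize_port else 53
        self.pending[qname] = (txid, port)
        return txid, port

    def receive_response(self, resp, now):
        expected = self.pending.get(resp.qname)
        if expected is None:
            return "ignored"      # nothing outstanding: Step 4's late reply lands here
        if (resp.txid, resp.port) != expected:
            return "rejected"     # wrong txid or port: not the answer we asked for
        del self.pending[resp.qname]
        self.cache[resp.qname] = (resp.ip, now + resp.ttl)   # first matching answer wins
        return "accepted"

    def lookup(self, qname, now):
        entry = self.cache.get(qname)
        return entry[0] if entry and entry[1] > now else None  # None once the TTL expires

def guess_space(randomize_port):
    """How many (txid, port) pairs a forged response would have to match by chance."""
    return (1 << 16) * ((1 << 16) - 1024 if randomize_port else 1)

def scenario(now=0):
    r = Resolver(randomize_port=True, seed=1)
    txid, port = r.send_query("bank.com")
    forged = Response("bank.com", (txid + 1) & 0xFFFF, port, "1.2.3.4", 3600)  # txid off by one
    real = Response("bank.com", txid, port, "104.21.56.78", 300)
    results = [r.receive_response(x, now) for x in (forged, real, real)]  # last one is a late duplicate
    return results, r.lookup("bank.com", now), r.lookup("bank.com", now + 301)
```

With a fixed source port the forged response only has to match one of 65536 transaction IDs; with port randomization the space grows by a factor of roughly 64000.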
3. Trusted Recursive DNS Resolvers
Using public recursive resolvers that apply the protections above (DNSSEC validation and port and transaction ID randomization) reduces exposure to vulnerable resolvers.
4. Monitoring and Logging
Logging DNS traffic and monitoring it for abnormal patterns, such as bursts of responses that match no outstanding query or a sudden change in the answer for a domain, helps detect poisoning attempts early.
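As an added example (not from the original post), the detection logic below runs over constructed resolver log lines. The log format, the `detect` and `parse` names and the sample entries are assumptions of this example; it raises one alert when several dropped (unmatched) responses for the same name arrive from the same claimed source within a short window, and another when an accepted answer differs from a known-good baseline.

```python
import re
from collections import defaultdict, deque

# Constructed resolver log format used here (not any real resolver's format):
# <unix_ts> resp qname=<name> src=<claimed source ip> txid=<hex> match=<yes|no> answer=<ip>
# match=no means the response matched no outstanding query's txid/port and was dropped.
LINE_RE = re.compile(
    r"^(?P<ts>\d+) resp qname=(?P<qname>\S+) src=(?P<src>\S+) txid=(?P<txid>\S+) "
    r"match=(?P<match>yes|no) answer=(?P<answer>\S+)$")

def parse(line):
    m = LINE_RE.match(line.strip())
    return dict(m.groupdict(), ts=int(m["ts"])) if m else None

def detect(lines, baseline, window=5, threshold=3):
    """Alerts for (a) bursts of dropped responses per (src, qname) within `window`
    seconds and (b) accepted answers that differ from the known-good baseline."""
    alerts, reported = [], set()
    recent = defaultdict(deque)   # (src, qname) -> timestamps of dropped responses
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue              # skip lines that are not responses
        key = (rec["src"], rec["qname"])
        if rec["match"] == "no":
            q = recent[key]
            q.append(rec["ts"])
            while rec["ts"] - q[0] > window:
                q.popleft()       # slide the window forward
            if len(q) >= threshold and key not in reported:
                reported.add(key)
                alerts.append(f"burst: {len(q)} dropped responses for {rec['qname']} "
                              f"from {rec['src']} within {window}s")
        elif rec["qname"] in baseline and rec["answer"] != baseline[rec["qname"]]:
            alerts.append(f"unexpected answer: {rec['qname']} -> {rec['answer']} "
                          f"(baseline {baseline[rec['qname']]})")
    return alerts

# Constructed sample: dropped answers for bank.com, then one that was accepted and cached.
SAMPLE_LOG = [
    "1700000000 resp qname=bank.com src=203.0.113.9 txid=0x1a2b match=no answer=1.2.3.4",
    "1700000000 resp qname=bank.com src=203.0.113.9 txid=0x1a2c match=no answer=1.2.3.4",
    "1700000001 resp qname=bank.com src=203.0.113.9 txid=0x1a2d match=no answer=1.2.3.4",
    "1700000002 resp qname=bank.com src=203.0.113.9 txid=0x1a2f match=yes answer=1.2.3.4",
    "1700000003 resp qname=example.com src=198.51.100.5 txid=0x77aa match=yes answer=198.51.100.20",
]
BASELINE = {"bank.com": "104.21.56.78"}   # known-good answer from the post
```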
Interview-Ready One-Line Explanation
DNS cache poisoning is an attack where an attacker inserts fake DNS records into a resolver’s cache, redirecting users to malicious websites instead of legitimate ones.
Final Expert Summary
DNS poisoning is a high-impact, infrastructure-level attack that exploits trust in the DNS system. Understanding this attack means understanding how attackers manipulate core internet services rather than individual users.
If you understand this attack flow clearly, you already think like a cybersecurity engineer 🔐