Vol. 1 · Ed. 2026
CyberGlossary
Entry № 381

DNS Spoofing

Reviewed by: Cybersecurity entrepreneur & security researcher

What is DNS Spoofing?

DNS Spoofing: An attack that injects falsified DNS responses to redirect victims from a legitimate domain to an attacker-controlled IP address.


DNS spoofing manipulates the Domain Name System resolution process so that a query for a legitimate hostname returns an IP address chosen by the attacker. It can be achieved by tampering with hosts files, intercepting resolver traffic, exploiting weak transaction IDs, or poisoning recursive resolver caches. Once the victim is redirected, attackers harvest credentials, deliver malware, or perform man-in-the-middle interception of TLS sessions with rogue certificates.

The classic technique is Dan Kaminsky's 2008 cache-poisoning attack. Because legacy resolvers authenticated answers using only a 16-bit transaction ID, an off-path attacker could flood a resolver with forged responses for random non-existent subdomains, winning the race against the real authoritative server and injecting a poisoned NS record for the whole domain. The fix, standardised in RFC 5452, added source-port randomisation — turning a ~65,000-guess search space into billions of combinations. Stronger protection comes from DNSSEC (RFC 4033–4035), which cryptographically signs records so resolvers can reject forged answers, and from encrypted transport such as DoH (RFC 8484) and DoT (RFC 7858), which stops on-path tampering on shared Wi-Fi.

sequenceDiagram
  participant V as Victim
  participant R as Resolver
  participant A as Attacker
  participant N as Real name server
  V->>R: Query bank.example?
  R->>N: Recursive lookup
  A-->>R: Forged reply (guessed TXID/port) -> attacker IP
  N-->>R: Genuine reply (arrives too late)
  R-->>V: Cached poisoned answer
  V->>A: Connects to attacker IP

Defences include DNSSEC validation, encrypted transport (DoH/DoT), randomized source ports and transaction IDs, resolver hardening, and monitoring for anomalous resolution patterns.
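As an added illustration (not code from the glossary), the following models the resolver-side acceptance checks that RFC 5452 describes and the 16-bit versus 32-bit guess space behind the Kaminsky race. The query/reply fields, the 64,511 usable ephemeral ports, and the mismatch threshold are assumptions chosen for the example; the sample replies are constructed.

```python
import random
from dataclasses import dataclass

@dataclass(frozen=True)
class PendingQuery:
    """What a resolver remembers about an outstanding upstream query (assumed model)."""
    txid: int        # 16-bit transaction ID chosen by the resolver
    src_port: int    # randomized source port the query left from (RFC 5452)
    server_ip: str   # authoritative server the query was sent to
    qname: str
    qtype: str

@dataclass(frozen=True)
class Reply:
    txid: int
    dst_port: int
    src_ip: str
    qname: str
    qtype: str

def reply_matches(pending: PendingQuery, reply: Reply) -> bool:
    """RFC 5452-style acceptance: every value the resolver chose must echo back,
    and the reply must come from the server actually asked. Anything else is
    dropped before it can reach the cache."""
    return (reply.txid == pending.txid
            and reply.dst_port == pending.src_port
            and reply.src_ip == pending.server_ip
            and reply.qname.lower() == pending.qname.lower()
            and reply.qtype == pending.qtype)

def guesses_required(randomized_ports: bool, usable_ports: int = 64511) -> int:
    """Size of the space an off-path forger must cover for one outstanding query.
    A fixed source port leaves only the 16-bit TXID unknown; randomizing the port
    multiplies that by the number of usable ephemeral ports (assumed 1025-65535)."""
    return 65536 * (usable_ports if randomized_ports else 1)

def flag_poisoning_attempts(pending: PendingQuery, replies, threshold: int = 50):
    """Monitoring angle: a burst of mismatched replies for one outstanding query is
    a strong signal of an active spoofing race. Returns (rejected, alert)."""
    rejected = sum(1 for r in replies if not reply_matches(pending, r))
    return rejected, rejected >= threshold

def demo():
    # Constructed scenario: one query out, one genuine answer, 200 forged guesses.
    pending = PendingQuery(0x4A3F, 41372, "198.51.100.10", "bank.example.", "A")
    genuine = Reply(0x4A3F, 41372, "198.51.100.10", "bank.example.", "A")
    rng = random.Random(1)  # forger guesses TXIDs but assumes the legacy port 53
    forged = [Reply(rng.randrange(65536), 53, "198.51.100.10", "bank.example.", "A")
              for _ in range(200)]
    return reply_matches(pending, genuine), flag_poisoning_attempts(pending, forged)
```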

Examples

  1. Forged responses redirecting banking domain queries to a phishing page.

  2. Attackers on an open Wi-Fi network answering DNS queries before the legitimate resolver.

Frequently asked questions

What is DNS Spoofing?

An attack that injects falsified DNS responses to redirect victims from a legitimate domain to an attacker-controlled IP address. It belongs to the Attacks & Threats category of cybersecurity.

What does DNS Spoofing mean?

An attack that injects falsified DNS responses to redirect victims from a legitimate domain to an attacker-controlled IP address.

How do you defend against DNS Spoofing?

Defences for DNS Spoofing combine technical controls with operational practice: DNSSEC validation so forged records fail signature checks, encrypted transport (DoH/DoT) against on-path tampering, randomized source ports and transaction IDs to defeat off-path guessing, resolver hardening, and monitoring for anomalous resolution patterns such as bursts of mismatched replies.

What are other names for DNS Spoofing?

Common alternative names include: DNS forgery.
