DNS Spoofing
What You Will Learn
- What DNS spoofing is and how it differs from DNS cache poisoning
- How to set up a local DNS server with dnsmasq for testing
- How DNS spoofing is used in man-in-the-middle attacks
- How to defend against DNS spoofing
What Is It?
DNS spoofing (also called DNS poisoning) is an attack where a malicious DNS server returns a fake IP address for a domain. When a victim queries google.com, the attacker’s DNS server returns the attacker’s IP instead of Google’s real IP. The victim’s traffic is redirected to the attacker’s server.
This is a critical component of man-in-the-middle (MITM) attacks.
Why It Matters
DNS spoofing can:
- Redirect users to phishing pages that look identical to legitimate sites
- Intercept credentials and session cookies
- Serve malware disguised as legitimate software downloads
- Redirect payment pages to attacker-controlled servers
How DNS Spoofing Works
- Attacker positions themselves on the network (e.g., same Wi-Fi) or controls the DNS server
- Victim’s device queries DNS for
bank.com - Attacker responds with
attacker-IPinstead of the real IP - Victim’s browser connects to the attacker’s server
- Attacker presents a fake login page and captures credentials
Setting Up dnsmasq for Testing
dnsmasq is a lightweight DNS server commonly used for local testing and MITM labs.
Create or edit your local dnsmasq.conf:
# Format: address=/domain/IP
# Redirect ALL domains to your IP (wildcard)
address=/#/192.168.200.147
# Redirect a specific domain to localhost (block it)
address=/google.com/127.0.0.1
# Enable query logging
log-queries
Running dnsmasq with Docker
# Pull the image
docker pull andyshinn/dnsmasq
# Run with your config file and expose UDP port 53
docker run --name my-dnsmasq --rm -it \
-p 0.0.0.0:53:53/udp \
-v /path/to/dnsmasq.conf:/etc/dnsmasq.conf \
andyshinn/dnsmasq
Now point your test device’s DNS server to the Docker host’s IP. All DNS queries will be intercepted.
Redirecting a Victim’s DNS
In a local network attack:
# Using ARP spoofing to become the gateway
arpspoof -i eth0 -t <victim-IP> <gateway-IP>
# Then run a DNS spoofing tool
dnschef --fakeip 192.168.1.100 --interface eth0
Real Attack Chain Example
- Connect to same Wi-Fi as victim
- ARP spoof to intercept victim’s traffic
- Run dnsmasq or dnschef to respond to all DNS queries with your IP
- Run a fake web server (nginx/Apache) at your IP with a cloned login page
- Victim visits
paypal.com→ your fake page → enters credentials → you capture them
Detection
DNS spoofing can be detected by:
- Comparing DNS responses from multiple resolvers
- Using DNSSEC (DNS Security Extensions) — responses are cryptographically signed
- Monitoring for unexpected changes in DNS records
- Using encrypted DNS (DNS-over-HTTPS or DNS-over-TLS)
Defenses
- DNSSEC: Verifies DNS responses with cryptographic signatures
- DNS-over-HTTPS (DoH): Encrypts DNS queries so an attacker cannot intercept and modify them
- HSTS: Forces HTTPS — the browser rejects invalid certificates even if redirected
- Certificate Pinning: Mobile apps reject unexpected certificates even with valid CA signatures
- Use a trusted, well-secured DNS resolver (Cloudflare
1.1.1.1, Google8.8.8.8)