In April 2018, attackers hijacked the BGP routes leading to the Amazon Route 53 name servers that MyEtherWallet relied on, and answered DNS queries for the site with the address of a phishing clone hosted in Russia. The attack lasted roughly two hours. In that window, users who unlocked their wallets on the clone handed their keys to the attackers, who drained about $150,000 worth of Ether; the wallet it flowed into already held some $17 million from earlier thefts. All of it happened because browsers resolved a legitimate domain name to a malicious IP address. That is the raw power of a DNS spoofing attack, and it remains one of the most underestimated threats facing organizations today.

If you manage a network, run a business, or even just care about where your web traffic actually goes, this post will walk you through exactly how DNS spoofing works, why it's so dangerous, real-world incidents that prove the point, and the specific steps you need to take to defend against it.

What Is a DNS Spoofing Attack, Exactly?

DNS — the Domain Name System — is essentially the phone book of the internet. When you type yourbank.com into your browser, a DNS resolver translates that human-readable name into an IP address like 192.0.2.1. Your browser then connects to that IP.

A DNS spoofing attack corrupts that translation. In its best-known form, DNS cache poisoning, the threat actor injects fraudulent records into a resolver's cache, so when your machine asks "where is yourbank.com?" it gets back an IP address the attacker controls instead of the real one. Other forms skip the cache entirely and forge the answer on the wire, or change the authoritative records at the registrar; the next section covers each.

The terrifying part? Your browser's address bar still shows the correct domain name. There's no typo, no obvious red flag. You think you're on the real site. The one control left standing is TLS: the attacker's server needs a certificate for yourbank.com that chains to a trusted CA, or the browser shows a certificate error. That protection is weaker than it sounds. Many users click through the warning, and an attacker who controls a domain's DNS at the registrar can often obtain a perfectly valid certificate, because the CA's own validation of the domain runs over the same hijacked DNS.

How Attackers Actually Pull It Off

Cache Poisoning at the Resolver Level

The classic technique targets recursive DNS resolvers, the servers your ISP or corporate network uses to look up domains. The attacker triggers a lookup (or waits for one) and floods the resolver with forged responses, trying to beat the legitimate answer coming back from the authoritative server. A resolver accepts the first response whose 16-bit transaction ID and, on a resolver patched after 2008, randomized UDP source port match an outstanding query. If a forged response clears that check first, the resolver caches the poisoned record and hands it to every client until the TTL expires.

Dan Kaminsky famously disclosed a critical flaw in DNS protocol design back in 2008 that made this attack far easier than anyone had realized: by asking the resolver for a different random subdomain each time, the attacker gets unlimited fresh races instead of waiting for a cached record to expire, and the forged reply can carry a poisoned NS or glue record for the whole zone. The coordinated patches added source-port randomization, which raises the guessing space from 16 bits to roughly 32. But the underlying protocol weakness, DNS responses sent over unencrypted, unauthenticated UDP, hasn't fundamentally changed for zones and resolvers that haven't adopted DNSSEC.
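To make the race concrete, here is a toy simulation I've added for this post (it is not code from the original article or from any resolver implementation). It builds real DNS wire-format responses, models a resolver that accepts the first reply matching an outstanding transaction ID and destination port, and lets an attacker flood forged answers with and without source-port randomization. The resolver model, the attack budget, and the addresses 192.0.2.1 (real) and 203.0.113.66 (attacker) are my assumptions.

```python
"""Toy model of the resolver-side cache-poisoning race (added example, not from the post)."""
import random
import struct

REAL_IP = "192.0.2.1"          # assumed legitimate address (TEST-NET-1)
ATTACKER_IP = "203.0.113.66"   # assumed attacker address (TEST-NET-3)
PORT_SPACE = (1 << 16) - 1024  # ephemeral source ports 1024..65535


def encode_name(name: str) -> bytes:
    """Encode 'www.example.com' as DNS wire-format labels."""
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_response(txid: int, qname: str, ipv4: str, ttl: int = 3600) -> bytes:
    """Minimal DNS reply: header, question, one A record (owner name compressed to offset 12)."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR=1 RD=1 RA=1; 1 question, 1 answer
    question = encode_name(qname) + struct.pack("!HH", 1, 1)    # QTYPE=A, QCLASS=IN
    rdata = bytes(int(o) for o in ipv4.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + rdata
    return header + question + answer


def parse_response(pkt: bytes):
    """Return (txid, qname, ipv4) from a packet produced by build_response."""
    txid = struct.unpack("!H", pkt[:2])[0]
    labels, pos = [], 12
    while pkt[pos]:
        n = pkt[pos]
        labels.append(pkt[pos + 1:pos + 1 + n].decode("ascii"))
        pos += n + 1
    return txid, ".".join(labels), ".".join(str(b) for b in pkt[-4:])


class ToyResolver:
    """Caches the first reply whose txid and destination port match an outstanding query."""

    def __init__(self, randomize_ports: bool, rng: random.Random = None):
        self.randomize_ports = randomize_ports
        self.rng = rng or random.Random()
        self.cache, self.pending = {}, {}

    def send_query(self, qname: str):
        txid = self.rng.randrange(1 << 16)
        port = self.rng.randrange(1024, 1 << 16) if self.randomize_ports else 53
        self.pending[(txid, port)] = qname
        return txid, port

    def receive(self, pkt: bytes, dst_port: int) -> bool:
        txid = struct.unpack("!H", pkt[:2])[0]
        if (txid, dst_port) not in self.pending:
            return False             # unsolicited or mismatched reply: dropped
        _, qname, ipv4 = parse_response(pkt)
        if self.pending[(txid, dst_port)] != qname:
            return False             # right txid, wrong question: dropped
        del self.pending[(txid, dst_port)]
        self.cache[qname] = ipv4     # first match wins; a later real answer is ignored
        return True


def attack_once(resolver: ToyResolver, qname: str, budget: int, rng: random.Random) -> bool:
    """Attacker fires `budget` guesses at one outstanding query; the real reply arrives last."""
    txid, port = resolver.send_query(qname)          # hidden from the attacker
    forged_body = build_response(0, qname, ATTACKER_IP)[2:]
    for _ in range(budget):
        guess = struct.pack("!H", rng.randrange(1 << 16))
        guess_port = rng.randrange(1024, 1 << 16) if resolver.randomize_ports else 53
        if resolver.receive(guess + forged_body, guess_port):
            break                                    # poisoned
    resolver.receive(build_response(txid, qname, REAL_IP), port)
    return resolver.cache.get(qname) == ATTACKER_IP


def poison_rate(randomize_ports: bool, budget: int, trials: int, seed: int = 1) -> float:
    """Fraction of simulated lookups that end up with the attacker's record cached."""
    rng = random.Random(seed)
    hits = sum(attack_once(ToyResolver(randomize_ports, rng), "www.example.com", budget, rng)
               for _ in range(trials))
    return hits / trials


def expected_success_probability(budget: int, randomize_ports: bool) -> float:
    """Closed form for independent random guesses: 1 - (1 - 1/space)^budget."""
    space = (1 << 16) * (PORT_SPACE if randomize_ports else 1)
    return 1 - (1 - 1 / space) ** budget


if __name__ == "__main__":
    for ports in (False, True):
        print(f"port randomization={ports}: simulated {poison_rate(ports, 16384, 40):.3f}, "
              f"expected {expected_success_probability(16384, ports):.5f}")
```

With only the transaction ID to guess, about 65,536 forged packets give a 63% chance of poisoning a single lookup, and the Kaminsky subdomain trick lets the attacker repeat that race as often as they like. Randomizing the source port pushes the same budget to a success chance of roughly one in 65,000. It buys time, not authentication, which is why DNSSEC still matters.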

Man-in-the-Middle on Local Networks

On a local network the attack gets even simpler. An attacker who has compromised a machine on your LAN (or is sitting on the same Wi-Fi) can use ARP spoofing to put themselves between clients and the resolver, see every DNS query, and answer it with a malicious response. No need to race a distant authoritative server: the client accepts the first reply whose transaction ID matches, and the attacker's reply gets there before the real one. A rogue DHCP server that simply hands out an attacker-controlled resolver, or tools such as Responder that answer LLMNR and NBT-NS name lookups on the segment, achieve the same result without touching ARP at all.

I've seen this in penetration tests more times than I can count. An unmonitored guest Wi-Fi network is a goldmine for this kind of attack.

Compromised DNS Servers

Sometimes the attacker doesn't bother with poisoning at all. They go straight for the authoritative data. The DNSpionage campaign, reported by Cisco Talos in November 2018 and the reason CISA issued Emergency Directive 19-01 in January 2019, saw state-sponsored actors log in to DNS registrar and hosting accounts with stolen credentials, point victim domains' A and NS records at their own servers, and obtain valid Let's Encrypt certificates for the hijacked names so that intercepted HTTPS traffic raised no warnings. Victims included government agencies and critical infrastructure across the Middle East.

CISA's directive was unprecedented: it ordered every federal agency to audit the DNS records for all of its domains within ten business days, change the passwords on every account that could modify them, enable multi-factor authentication on those accounts, and monitor Certificate Transparency logs for certificates issued for agency domains that the agency did not request. That should tell you how serious this threat vector is.

The Real-World Damage: Not Just Theory

Sea Turtle: A Nation-State DNS Hijacking Campaign

Cisco Talos published research in 2019 documenting a campaign they called "Sea Turtle." The group compromised DNS registrars and registries — the organizations that control top-level domain records — and redirected traffic for roughly 40 organizations across 13 countries. Targets included national security organizations, foreign affairs ministries, and energy companies.

The attackers used the redirected traffic to harvest credentials. Once they had valid usernames and passwords, they moved deeper into victim networks. This is credential theft at scale, powered entirely by DNS manipulation.

The MyEtherWallet BGP/DNS Attack

The MyEtherWallet incident I mentioned up top combined BGP hijacking with DNS spoofing. An attacker used a US ISP's network to announce BGP routes for IP prefixes belonging to Amazon's Route 53 DNS service. Resolvers around the internet that followed those routes sent their queries for myetherwallet.com to attacker-run name servers, which answered with the address of a phishing clone hosted in Russia. Users who visited MyEtherWallet during those two hours and unlocked their wallets on the clone had their private keys stolen.

No malware was needed. No phishing email was sent. The clone did not even hold a valid certificate; browsers showed a certificate warning, and the victims clicked through it. The social engineering happened at the infrastructure level, and the only signal that anything was wrong was a warning users had been conditioned to ignore.

DNSChanger Malware: 4 Million Infections

The DNSChanger malware operation, which the FBI dismantled in "Operation Ghost Click" in November 2011, infected over four million computers worldwide. The malware quietly changed victims' DNS settings to point at attacker-controlled servers. Every web request those machines made was subject to manipulation: redirecting searches, injecting ads, and steering users to malicious sites.

The infrastructure was so vast that when the FBI seized the rogue DNS servers, it had to obtain a court order to keep replacement servers running in their place until July 2012, to avoid cutting off internet access for millions of still-infected machines.

Why Traditional Security Misses DNS Spoofing

Here's the problem I see in most organizations: they invest heavily in endpoint protection and email filtering but treat DNS as plumbing. It just works, so nobody watches it.

Most firewalls don't inspect DNS traffic at a granular level. Many organizations still allow unrestricted outbound DNS (port 53) from any device on the network. And DNSSEC adoption remains embarrassingly low — according to NIST data, while .gov domains have largely adopted it, private sector adoption has lagged significantly.

A DNS spoofing attack also bypasses multi-factor authentication in many scenarios. If the attacker controls the site you're logging into, they can relay your credentials and one-time code or push approval in real time to the legitimate site and ride the resulting session. This is a real-time phishing proxy attack, and DNS spoofing is the perfect delivery mechanism because the victim sees the real domain name in the address bar. Phishing-resistant MFA (FIDO2/WebAuthn) binds the credential to the site's origin, which defeats a proxy running under a look-alike name; against a DNS hijack it only holds as long as the attacker cannot present a trusted certificate for the real domain, which is exactly what a registrar-level hijack lets them obtain.

How to Defend Against DNS Spoofing Attacks

Deploy DNSSEC — Yesterday

DNSSEC adds cryptographic signatures to DNS records. A validating resolver checks each signature against the zone's public key (its DNSKEY record), and trusts that key only because it is signed in turn by the parent zone, all the way up to the root. If an attacker injects a forged record, the signature won't match, and the resolver rejects the answer and returns SERVFAIL rather than a bad address. Two caveats: DNSSEC authenticates answers but does not encrypt queries, and validation normally happens in the resolver, so a client that trusts the AD bit from an unauthenticated resolver across a hostile LAN gains nothing.

NIST SP 800-81-2, the Secure Domain Name System Deployment Guide, has long recommended DNSSEC, both signing your own zones and validating in your resolvers. If your organization hasn't implemented it, that should be a priority for Q1 2023.

Use Encrypted DNS: DoH and DoT

DNS over HTTPS (DoH) and DNS over TLS (DoT) encrypt DNS queries between the client and the resolver. This prevents man-in-the-middle attackers on local networks from seeing or tampering with DNS traffic, and it closes the LAN spoofing path described above. What it does not protect is the hop from your resolver to the authoritative servers, which still runs over plain UDP; pair it with a resolver that validates DNSSEC, and remember that you are now trusting that resolver completely.

Configure your endpoints to use a trusted resolver that supports DoH or DoT. Major providers like Cloudflare (1.1.1.1, DoT name cloudflare-dns.com, DoH endpoint https://cloudflare-dns.com/dns-query) and Google (8.8.8.8, DoT name dns.google, DoH endpoint https://dns.google/dns-query) support both protocols. For enterprise environments, consider running your own encrypted DNS resolver internally so that query logs stay under your control.

Lock Down Your DNS Infrastructure

  • Restrict zone transfers. Only authorized secondary DNS servers should be able to pull your zone data; allow AXFR only from their addresses and authenticate them with TSIG.
  • Enable registrar lock. Most domain registrars offer a lock feature that blocks transfers and name server changes until it is explicitly removed. Use it, and for your most valuable domains ask about registry lock, which adds a manual out-of-band step at the registry itself.
  • Monitor DNS records continuously. Tools exist to alert you when your DNS records change unexpectedly. CISA's Emergency Directive 19-01 specifically called for this, and for watching Certificate Transparency logs, because a hijacker's next move is usually to obtain a certificate for your domain. Publish CAA records so that only the CAs you actually use may issue one.
  • Use strong, unique credentials with MFA for DNS management portals. The Sea Turtle campaign succeeded partly because registrar accounts were poorly secured.
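Here is a small change monitor I've added as an example of the "monitor DNS records continuously" item (it is not from the original post or from any vendor's product). It assumes you already collect your zone's records at a fixed interval into a mapping of (owner name, type) to TTL and rdata; both snapshots below are constructed sample data, and 192.0.2.0/24 and 2001:db8::/32 stand in for your own address space.

```python
"""Zone snapshot diff for DNS change monitoring (added example, not from the post)."""
import ipaddress

# Constructed snapshots: {(owner name, rtype): {"ttl": seconds, "rdata": sorted list of strings}}.
BASELINE_SNAPSHOT = {
    ("example.com.", "SOA"): {"ttl": 3600, "rdata": ["ns1.example.com. hostmaster.example.com. 2023010101 7200 900 1209600 300"]},
    ("example.com.", "NS"): {"ttl": 86400, "rdata": ["ns1.example.com.", "ns2.example.com."]},
    ("example.com.", "MX"): {"ttl": 3600, "rdata": ["10 mail.example.com."]},
    ("example.com.", "CAA"): {"ttl": 3600, "rdata": ['0 issue "letsencrypt.org"']},
    ("www.example.com.", "A"): {"ttl": 3600, "rdata": ["192.0.2.10"]},
}
# Same zone after a hypothetical registrar-account takeover: delegation moved to outside
# name servers, www pointed at an outside address with a short TTL, CAA deleted so any CA may issue.
CURRENT_SNAPSHOT = {
    ("example.com.", "SOA"): BASELINE_SNAPSHOT[("example.com.", "SOA")],
    ("example.com.", "NS"): {"ttl": 86400, "rdata": ["ns1.example.net.", "ns2.example.net."]},
    ("example.com.", "MX"): BASELINE_SNAPSHOT[("example.com.", "MX")],
    ("www.example.com.", "A"): {"ttl": 60, "rdata": ["203.0.113.5"]},
}
ALLOWED_PREFIXES = ("192.0.2.0/24", "2001:db8::/32")   # assumed: the address space you own

CRITICAL_TYPES = {"NS", "SOA", "DS", "DNSKEY", "MX"}   # changes here hand over the zone or its mail
HIGH_TYPES = {"A", "AAAA", "CNAME", "CAA", "TXT"}


def snapshot_diff(baseline, current, allowed_prefixes=(), min_ttl=300):
    """Compare two snapshots; return (severity, name, rtype, message) findings in key order."""
    nets = [ipaddress.ip_network(p) for p in allowed_prefixes]
    findings = []
    for name, rtype in sorted(set(baseline) | set(current)):
        old, new = baseline.get((name, rtype)), current.get((name, rtype))
        if old != new:
            sev = "critical" if rtype in CRITICAL_TYPES else "high" if rtype in HIGH_TYPES else "medium"
            if old is None:
                msg = f"record added: {new['rdata']}"
            elif new is None:
                msg = f"record removed (was {old['rdata']})"
            else:
                msg = f"rdata/TTL changed: {old['rdata']} -> {new['rdata']}"
            findings.append((sev, name, rtype, msg))
        if new is None:
            continue
        # A sudden short TTL is how an attacker keeps a record easy to swap again later.
        if new["ttl"] < min_ttl and (old is None or old["ttl"] >= min_ttl):
            findings.append(("medium", name, rtype, f"TTL dropped to {new['ttl']}s"))
        # Address records that leave your own prefixes deserve a look even if the change was expected.
        if rtype in ("A", "AAAA"):
            for ip in new["rdata"]:
                if nets and not any(ipaddress.ip_address(ip) in n for n in nets):
                    findings.append(("high", name, rtype, f"{ip} is outside the allowed prefixes"))
    return findings


if __name__ == "__main__":
    for sev, name, rtype, msg in snapshot_diff(BASELINE_SNAPSHOT, CURRENT_SNAPSHOT, ALLOWED_PREFIXES):
        print(f"[{sev:8}] {name} {rtype}: {msg}")
```

Run it from cron against snapshots taken with your resolver or registrar API and route anything at critical straight to a pager: a changed NS set is a zone takeover in progress, not a ticket for Monday.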

Segment and Monitor Internal DNS Traffic

Force all DNS traffic through designated internal resolvers. Block direct outbound DNS from endpoints: port 53 to anything but your resolvers, and port 853 (DoT) and the well-known public DoH endpoints on 443 as well, or a browser's built-in DoH will quietly route around your resolvers. Firefox checks the canary domain use-application-dns.net and disables its automatic DoH when your resolver answers NXDOMAIN for it. This gives you a single chokepoint to monitor and apply security policies.

Log all DNS queries. Anomalies — like a sudden spike in queries to a domain that's never been requested before, or queries resolving to unexpected IP ranges — can be early indicators of a DNS spoofing attack or DNS-based data exfiltration.

Adopt Zero Trust Principles

A zero trust architecture doesn't inherently trust any network connection, even internal ones. Applying zero trust to DNS means verifying DNS responses, segmenting network access so a compromised machine can't easily poison other systems, and continuously validating that connections are going where they should.

Zero trust won't single-handedly stop DNS spoofing, but it limits the blast radius dramatically.

Train Your People

Technical controls are essential, but your employees are the last line of defense. If a DNS spoofing attack redirects someone to a convincing credential theft page, will they notice the subtle anomalies that remain: a "Not secure" indicator on a site that was always HTTPS, an unexpected certificate warning, a login page that looks slightly out of date?

Probably not, unless they've been trained. Regular cybersecurity awareness training builds the instinct to pause and verify before entering credentials, and in particular never to click through a certificate warning on a site that handles money or logins. Phishing simulations that test whether employees can spot a credential harvesting page target the exact endgame of most DNS spoofing attacks.

Security awareness isn't a checkbox exercise. It's the habit that catches what your firewall misses.

Can You Detect a DNS Spoofing Attack in Progress?

Yes, but only if you're watching. Here are the specific indicators:

  • Unexpected TTL changes. If a record's time-to-live suddenly drops to an unusually low value, someone may be preparing to swap it frequently, or a poisoned entry with a short TTL may be sitting in a cache.
  • Duplicate or unsolicited responses. On a monitored segment, two answers for the same transaction ID carrying different addresses, or a burst of responses for which no query was seen, are the signatures of LAN spoofing and of a poisoning flood respectively.
  • Certificate mismatches. If users report TLS certificate warnings for internal or commonly visited sites, a DNS spoofing attack may be redirecting them to an attacker-controlled server with an invalid cert.
  • DNS query volume anomalies. A compromised resolver will often show unusual query patterns. Baseline your normal traffic and alert on deviations.
  • DNSSEC validation failures. If your resolver validates, failures (returned to clients as SERVFAIL) are worth investigating, but the most common cause is an expired signature or a botched key rollover in the zone, not an attack. A failure on one resolver while a second validating resolver returns the same name as secure is the pattern that points to poisoning.
  • Unexpected changes in DNS registrar or zone records. Automated monitoring tools can diff your DNS records at regular intervals and flag unauthorized modifications.
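As an added example of the duplicate-response and validation-failure indicators above, and of the LAN man-in-the-middle pattern described earlier (my code, not the post's), here is a detector that runs over DNS events captured on a network segment and over validation results from two independent resolvers. The event shape loosely follows Zeek's dns.log fields, but every record below is constructed, and the time window, the flood threshold and the two-resolver comparison are my assumptions.

```python
"""DNS response anomaly detector over captured events and validator results (added example)."""
from collections import defaultdict

# Constructed events in a Zeek dns.log-like shape (not a real capture).
EVENTS = [
    {"ts": 1.000, "kind": "query",    "client": "10.0.0.5", "txid": 0x1A2B, "qname": "bank.example", "answers": []},
    {"ts": 1.020, "kind": "response", "client": "10.0.0.5", "txid": 0x1A2B, "qname": "bank.example", "answers": ["203.0.113.7"]},
    {"ts": 1.045, "kind": "response", "client": "10.0.0.5", "txid": 0x1A2B, "qname": "bank.example", "answers": ["192.0.2.20"]},
    {"ts": 2.000, "kind": "query",    "client": "10.0.0.5", "txid": 0x3C4D, "qname": "mail.example", "answers": []},
    {"ts": 2.030, "kind": "response", "client": "10.0.0.5", "txid": 0x3C4D, "qname": "mail.example", "answers": ["192.0.2.25"]},
    {"ts": 2.031, "kind": "response", "client": "10.0.0.5", "txid": 0x3C4D, "qname": "mail.example", "answers": ["192.0.2.25"]},
    {"ts": 3.000, "kind": "response", "client": "10.0.0.9", "txid": 0x0001, "qname": "bank.example", "answers": ["203.0.113.7"]},
    {"ts": 3.001, "kind": "response", "client": "10.0.0.9", "txid": 0x0002, "qname": "bank.example", "answers": ["203.0.113.7"]},
    {"ts": 3.002, "kind": "response", "client": "10.0.0.9", "txid": 0x0003, "qname": "bank.example", "answers": ["203.0.113.7"]},
    {"ts": 4.000, "kind": "response", "client": "10.0.0.7", "txid": 0x5E6F, "qname": "www.example", "answers": ["192.0.2.30"]},
]

# Constructed validation results (resolver, name, status) from two independent validating resolvers.
VALIDATION_LOG = [
    ("10.0.0.53", "bank.example", "bogus"),
    ("10.0.1.53", "bank.example", "secure"),
    ("10.0.0.53", "broken.example", "bogus"),
    ("10.0.1.53", "broken.example", "bogus"),
    ("10.0.0.53", "mail.example", "secure"),
]


def analyze_events(events, window=2.0, flood_threshold=3):
    """Flag conflicting duplicate answers and bursts of responses with no matching query."""
    pending, answered = {}, {}
    unsolicited = defaultdict(int)
    findings = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        key = (e["client"], e["txid"], e["qname"])
        if e["kind"] == "query":
            pending[key] = e["ts"]
        elif key in pending:
            answered[key] = (e["ts"], tuple(e["answers"]))   # first answer is the one the client used
            del pending[key]
        elif key in answered and e["ts"] - answered[key][0] <= window:
            first = answered[key][1]
            if tuple(e["answers"]) != first:                  # same txid, different address: spoofing
                findings.append(("conflicting-duplicate", e["client"], e["qname"],
                                 f"client used {list(first)}, late answer said {e['answers']}"))
        else:
            unsolicited[e["client"]] += 1                     # nobody asked: a blind guess
    for client, n in unsolicited.items():
        if n >= flood_threshold:
            findings.append(("unsolicited-flood", client, None, f"{n} responses with no matching query"))
    return findings


def classify_validation_failures(log):
    """Separate zone misconfiguration (bogus everywhere) from one bad cache (bogus on a subset)."""
    by_name = defaultdict(dict)
    for resolver, qname, status in log:
        by_name[qname][resolver] = status
    verdicts = {}
    for qname, statuses in by_name.items():
        bogus = sorted(r for r, s in statuses.items() if s == "bogus")
        if not bogus:
            continue
        if len(bogus) == len(statuses):
            verdicts[qname] = "bogus on all resolvers: most likely an expired RRSIG or key-rollover error in the zone"
        else:
            verdicts[qname] = f"bogus only on {bogus}: answers differ per cache, investigate for poisoning"
    return verdicts


if __name__ == "__main__":
    for finding in analyze_events(EVENTS):
        print(finding)
    for qname, verdict in classify_validation_failures(VALIDATION_LOG).items():
        print(qname, "->", verdict)
```

On the sample data the first client receives two answers for bank.example and used the one that arrived first, which is exactly what a LAN attacker racing the real resolver produces; the second client is being sprayed with guesses for transaction IDs it never used. A single stray response (the last event) is ignored, since captures routinely miss queries. The validator comparison keeps the DNSSEC signal useful: broken.example fails everywhere, so page the zone owner, while bank.example fails on one cache only, so look at that cache.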

The key takeaway: you can't detect what you don't monitor. If DNS isn't in your security operations center's dashboard, add it today.

The Ransomware Connection Most People Miss

DNS spoofing isn't just about phishing pages. DNS manipulation can also be a precursor to ransomware deployment. By redirecting internal DNS queries, an attacker who has gained initial access can steer software update mechanisms that don't verify package signatures to pull malicious payloads instead of legitimate patches.

The 2020 SolarWinds attack — while not a DNS spoofing attack itself — demonstrated how supply chain manipulation could be devastating. Now imagine a scenario where DNS spoofing redirects an internal update server to an attacker-controlled host. The FBI IC3 2021 Internet Crime Report documented over $49 million in losses from ransomware complaints alone, and that figure is widely considered a dramatic undercount given low reporting rates.

DNS security is ransomware prevention. They're not separate conversations.

Your DNS Security Checklist for 2023

Here's what I'd prioritize if I walked into your organization tomorrow:

  • Audit your DNS infrastructure. Know every resolver, every authoritative server, every registrar account. Document who has access.
  • Enable DNSSEC on all domains you control and ensure your resolvers validate DNSSEC signatures.
  • Encrypt DNS traffic with DoH or DoT between endpoints and resolvers.
  • Lock your registrar accounts with strong credentials, MFA, and registrar lock features.
  • Monitor DNS records and query logs continuously. Alert on anomalies.
  • Block unauthorized outbound DNS. All DNS queries should route through controlled resolvers.
  • Run phishing simulations that mimic the credential theft scenarios DNS spoofing enables.
  • Brief your security team on DNS-specific attack techniques — most SOC analysts are trained on endpoint and email threats, not DNS manipulation.

DNS is the foundation of every network connection your organization makes. If that foundation is compromised, nothing built on top of it can be trusted. A single DNS spoofing attack can undermine your encryption, bypass your authentication, and deliver your users straight to a threat actor's doorstep — all without triggering a single endpoint alert.

Treat DNS security like what it is: critical infrastructure defense.