Domain Name Server (DNS) poisoning or spoofing is a type of cyber-attack that exploits system vulnerabilities in the domain name server to divert traffic away from legitimate servers and direct it towards fake ones.

How DNS Poisoning and Spoofing Works

The code for DNS cache poisoning is often found in URLs sent via spam emails. These emails attempt to frighten users into clicking on the supplied URL, which in turn infects their computer. Banner ads and images — both in emails and untrustworthy websites — can also direct users to this code. Once poisoned, a user's computer will take them to fake websites that are spoofed to look like the real thing, exposing them to risks such as spyware, keyloggers or worms.


DNS poisoning poses several risks, starting with data theft. Banking websites and popular online retailers are easily spoofed, meaning any password, credit card or personal information may be compromised. Also, if spoofed sites include Internet security providers, a user's computer may be exposed to additional threats such as viruses or Trojans, because legitimate security updates will not be performed. Finally, eliminating DNS cache poisoning is difficult, since cleaning an infected server does not rid a desktop of the problem, and clean desktops connecting to an infected server will be compromised again. If necessary, users can flush their DNS cache to solve the issue.

To prevent DNS poisoning, users should never click on a link they don't recognize, and they should regularly scan their computer for malware. Always run the scan using a local program rather than a hosted version, since poisoning could spoof Web-based results.
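One way to check for the poisoned-resolver situation described above, as an added example that is not part of the original page: compare the answers the machine's own resolver gives with answers for the same names from independent resolvers. The domain names, addresses, resolver labels and verdict strings are constructed assumptions; a mismatch can also be legitimate (content delivery networks hand different addresses to different resolvers), so it is a lead to investigate rather than proof.

```python
import ipaddress

# Ranges a public site name should never resolve to (loopback and RFC 1918).
INTERNAL = [ipaddress.ip_network(n) for n in
            ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample data. Names use the reserved .example TLD and addresses
# come from the RFC 5737 documentation ranges; none are real observations.
LOCAL_ANSWERS = {
    "bank.example": {"203.0.113.66"},
    "shop.example": {"198.51.100.20"},
    "av-updates.example": {"127.0.0.1"},
}
REFERENCE_ANSWERS = {  # the same names asked of two independent resolvers
    "resolver-a": {
        "bank.example": {"192.0.2.10", "192.0.2.11"},
        "shop.example": {"198.51.100.20"},
        "av-updates.example": {"192.0.2.80"},
    },
    "resolver-b": {
        "bank.example": {"192.0.2.11"},
        "shop.example": {"198.51.100.21"},
        "av-updates.example": {"192.0.2.80"},
    },
}

def is_internal(ip):
    """True if the address is loopback or RFC 1918 private space."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)

def audit(local, reference):
    """Return {name: verdict} comparing local answers with reference answers."""
    verdicts = {}
    for name, local_ips in local.items():
        trusted = set()
        for answers in reference.values():
            trusted |= answers.get(name, set())
        if any(map(is_internal, local_ips)) and not any(map(is_internal, trusted)):
            verdicts[name] = "internal-redirect"  # e.g. update server sent to loopback
        elif not trusted:
            verdicts[name] = "no-reference"       # nothing to compare against
        elif local_ips & trusted:
            verdicts[name] = "ok"                 # at least one answer agrees
        else:
            verdicts[name] = "mismatch"           # investigate before trusting the site
    return verdicts

if __name__ == "__main__":
    for name, verdict in sorted(audit(LOCAL_ANSWERS, REFERENCE_ANSWERS).items()):
        print(f"{name:22} {verdict}")
```

The "internal-redirect" verdict covers the case the page mentions where a security provider's site is spoofed so that legitimate updates stop arriving.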

What is DNS Cache Poisoning or Spoofing?

DNS poisoning or spoofing occurs when an Internet server has been compromised by malicious code. Learn more about the risks and how to protect your system.
