
DNS Spoofing Attacks in 2025: What You Need to Know and How You Can Stop Them

Shireen Stephenson, published September 26, 2025

Key takeaways: DNS spoofing

  • The shift from HTTP to HTTPS has reduced DNS spoofing but the full story reveals why the threat lingers.
  • The “Kaminsky flaw” set off the race to deploy DNSSEC, forever transforming how we fight DNS spoofing.
  • The Great Firewall has the dubious honor of being the world’s most sophisticated DNS spoofing attack machine.
  • Pharming, DNS poisoning, DNS spoofing, and DNS hijacking – four names, one ruthless goal: your data
  • LastPass complements top DNS security tools in fighting DNS spoofing before attackers reach your accounts.

Stop: You may be visiting imposter sites without knowing it, thanks to DNS spoofing which makes fake sites look real. 

This occurred during the 2018 XLoader attacks, when scammers corrupted the DNS settings of public Wi-Fi routers in cafes, hotels, airports, and libraries. 

Android users who visited sites like Facebook suddenly found themselves redirected to fake domains, where they received “alerts” urging them to update their Facebook app or install a Chrome security update.  

Those who complied had their banking or game-related apps hijacked, with XLoader harvesting their personal and financial info without their knowledge. In recent years, XLoader has even resurfaced as macOS-targeting variants. 

But don’t panic just yet. There are ways to protect yourself, and it all starts with understanding how DNS spoofing works. 

What is DNS spoofing? 

First, we define DNS. This is the Domain Name Server, which stores and keeps track of IP addresses associated with domain names.  

So, when you type in a domain name, your device queries several types of DNS servers sequentially to resolve that name into an IP address (unless that IP address is already cached locally on your device).  

Main server types

  • Recursive Resolver (DNS resolver), which is typically operated by your ISP 
  • Root Name Server, which directs your query to the appropriate Top-Level Domain (TLD) server based on the domain extension (.com, .org, .net) 
  • Top-Level Domain (TLD) Name Server, which directs queries to the right authoritative name server. For example, a .com TLD name server would send queries to a .com authoritative name server. 
  • Authoritative Name Server, which provides the final and direct answer for a domain query 

So, let’s say you type in www.amazon.com. Your request first goes to a DNS resolver managed by your ISP (internet service provider). 

The DNS resolver checks its cache. If it doesn’t know the IP address, the resolver will query a root name server and then a TLD name server for .com domains. 

The latter responds with the names of the four authoritative Amazon Route 53 servers associated with the domain www.amazon.com. 

Finally, the DNS resolver chooses an Amazon Route 53 server and forwards the request to it. This Route 53 server then returns the right IP address to the resolver, which passes it back to your browser; the browser uses it to connect to the Amazon website.

Ultimately, Amazon doesn’t have a single static IP address. It has multiple servers across the world, and its IP address may change for performance and scalability reasons. 
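To make the delegation chain above concrete, here is an added example (not code from the original article, and not how any real resolver is implemented) that simulates a resolver walking from root to TLD to authoritative server over constructed, in-memory server tables, then serving a repeat request from cache until the record's TTL expires. The server names, addresses and TTL are placeholders.

```python
from typing import Dict, List, Tuple

# Constructed, in-memory stand-ins for the server tiers the article lists.
# Each server table maps a name to either a referral (which server to ask
# next) or a final answer (IP list plus a TTL in seconds). Names and
# addresses are placeholders, not real infrastructure.
SERVERS: Dict[str, Dict[str, tuple]] = {
    "root": {"com.": ("referral", "tld-com.example")},
    "tld-com.example": {"amazon.com.": ("referral", "auth-amazon.example")},
    "auth-amazon.example": {
        "www.amazon.com.": ("answer", ["203.0.113.10", "203.0.113.11"], 60),
    },
}


def lookup(server: str, qname: str):
    """Ask one server for qname; it answers for the longest suffix it knows."""
    table = SERVERS[server]
    labels = qname.split(".")
    for i in range(len(labels)):  # "www.amazon.com.", "amazon.com.", "com.", ...
        candidate = ".".join(labels[i:])
        if candidate in table:
            return table[candidate]
    return None


class Resolver:
    """A recursive resolver with a TTL-bounded cache, as in the walkthrough above."""

    def __init__(self) -> None:
        self.cache: Dict[str, Tuple[List[str], float]] = {}  # qname -> (ips, expiry)

    def resolve(self, qname: str, now: float) -> Tuple[List[str], List[str]]:
        """Return (ip_list, servers_asked). A fresh cache hit asks no server at all."""
        hit = self.cache.get(qname)
        if hit is not None and hit[1] > now:
            return hit[0], ["cache"]
        server, asked = "root", []
        while True:
            asked.append(server)
            record = lookup(server, qname)
            if record is None:
                raise LookupError(f"{server} has no data for {qname}")
            if record[0] == "referral":
                server = record[1]  # follow the delegation down one level
                continue
            _, ips, ttl = record
            self.cache[qname] = (ips, now + ttl)  # keep the answer until its TTL runs out
            return ips, asked


if __name__ == "__main__":
    r = Resolver()
    print(r.resolve("www.amazon.com.", now=0))   # walks root -> TLD -> authoritative
    print(r.resolve("www.amazon.com.", now=30))  # served from cache
    print(r.resolve("www.amazon.com.", now=61))  # TTL expired, walks the chain again
```

The cache is the part that matters for the rest of the article: whatever answer the resolver stores at the end of that walk is what every later client gets for the next TTL seconds, which is exactly the window a poisoned entry exploits.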

Now, on to DNS spoofing. 

DNS spoofing occurs when attackers insert fake DNS information into a DNS server’s cache, causing it to return an incorrect IP address. 

So, instead of taking you to the official Amazon site, the DNS server returns an IP address that takes you to a phishing site. If you enter your login credentials or payment info there, attackers can harvest them to commit account takeovers (ATO), identity theft, and financial fraud. 

This brings us to an important question. 

How common is DNS spoofing? 

The shift from HTTP to HTTPS has reduced (but not eliminated) DNS spoofing. HTTPS is the secure protocol used to enable communications between your browser and websites on the internet. 

Here’s why HTTPS makes DNS spoofing less likely: 

  • HTTPS provides SSL/TLS encryption. So, an HTTPS site would have an SSL/TLS certificate verified by a trusted Certificate Authority (CA). This means any data you enter on the site (such as credit card numbers or bank account details) is encrypted and inaccessible to attackers. 
  • If an attacker tries to spoof a domain but can’t present a valid certificate, your browser will either show you a warning or block access entirely. 
  • Websites can also employ HSTS (HTTP Strict Transport Security) to force your browser to connect via HTTPS only. This means attackers can’t downgrade you to an HTTP connection to make DNS spoofing easier. 

That said, some environments like ICS (industrial control systems) can still be vulnerable to DNS spoofing, especially if their network communications rely on DNS hostname resolution. Attacks on ICS are particularly concerning as they can disrupt critical services we rely on, like water and electricity. 

What are real-world examples of DNS spoofing? 

#1 The 2008 Kaminsky flaw 

It all started in 2008, when celebrated security researcher Dan Kaminsky unveiled a flaw in the DNS protocol. 

The flaw involved the DNS transaction ID, a 16-bit number included in every DNS query and response.   

Attackers know that if they can guess transaction IDs and respond faster than the real DNS server, they can poison the DNS cache with fake data.  

But Kaminsky found a way to amplify the attack by exploiting how DNS handled non-existent subdomains.  

First, he sent a DNS query for a random subdomain. 

Then, he flooded the cache with spoofed replies, each with a different transaction ID. 

Once a forged response was accepted, it poisoned the entire cache with bogus IP addresses. Kaminsky’s “flaw” shook the foundations of the security world.  

One of the solutions Kaminsky recommended was DNSSEC, which cryptographically verifies the authenticity of DNS data.  

Ultimately, the Kaminsky flaw was the single most influential factor in driving the deployment of DNSSEC, which we’ll discuss in the section on DNS spoofing prevention. 

#2 The 2016 Brazilian bank attack 

Fast forward to 2016, when attackers took full control of a Brazilian bank’s digital infrastructure for five hours. 

The bank was a “big fish” catch for the attackers: It had 5 million customers (about twice the population of Mississippi), more than $27 billion in assets, and operations in the U.S. and the Cayman Islands. 

The attackers were able to reroute traffic from all 36 of the bank’s domains (including online banking portals, POS systems, and ATMs) to fake sites indistinguishable from the real thing.  

The attackers even managed to obtain free HTTPS certificates from Let’s Encrypt to fool customers into thinking their connections were secure. This enabled them to capture passwords, authentication codes, and email credentials. 

In addition, the fake sites encouraged customers to download malware disguised as an update to the Trusteer browser security plug-in the bank offered customers.   

For at least five hours, the bank was locked out of its own systems, unable to deploy mitigations. The attack revealed how critical DNS security and oversight are, including the use of multi-factor authentication for DNS account access. 

#3 The Great Firewall, Middle Kingdom-style 

You may have heard of the Great Firewall (GFW), one of the largest and most technologically advanced DNS spoofing systems in the world.  

Instead of just blocking or redirecting prohibited domains, the GFW injects fake responses when censored domains are detected in queries. 

Remarkably, the forged IP addresses belong to major U.S. companies like Facebook, Dropbox, and Twitter. This tactic was likely employed to confuse anti-censorship tools and frustrate efforts to circumvent the censorship. 

Usenix researchers found that 77,000 domains (mostly censored by the GFW) have had their DNS records tampered with, and those poisoned records then ended up in the caches of major public DNS resolvers like Google DNS and Cloudflare DNS. 

By poisoning DNS caches with real (but unrelated) IPs or unreachable IPs, the GFW is essentially rewriting the internet address book for millions of users.  

And that’s not all. In 2024, the nation-state actor Muddling Meerkat was reported to have leveraged the GFW’s DNS spoofing capabilities to conduct cyber espionage operations across the world. 

The scale and sophistication of such operations is a striking example of DNS spoofing weaponized for state censorship and control.  

What is the difference between DNS spoofing and DNS poisoning?  

The two terms are used for what is effectively one attack; strictly speaking, they describe different stages of it. 

Here’s how it works: 

  • The attacker sends a forged DNS response (pretending to be from a legitimate authoritative DNS server) to a target DNS resolver. 
  • If the DNS resolver accepts the fake response and stores it, the fake data becomes part of its memory (poisoning). 
  • Now, anyone querying the DNS resolver will get fake IPs that redirect them to credential-harvesting or malware-infected sites (spoofing). 
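The checks a resolver applies before it lets a response into its cache, as an added example (not code from the article or from any real resolver): the response must match an outstanding query by transaction ID and UDP source port, its question must match, and records outside the queried zone's bailiwick are dropped. The third scenario in the demo shows why those checks alone did not stop the Kaminsky technique described earlier: an in-bailiwick record riding on a reply to a random-subdomain query passes them all, which is why the remaining defenses are an unguessable transaction ID plus a randomized source port (RFC 5452) and DNSSEC validation. Names, ports, IDs and addresses are all constructed.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Tuple


# Constructed model of the state a resolver keeps for one outstanding query.
@dataclass(frozen=True)
class Query:
    txid: int       # 16-bit DNS transaction ID
    src_port: int   # UDP source port the query was sent from
    qname: str      # question name, e.g. "abc123.example.com."
    zone: str       # zone the queried server is authoritative for (its bailiwick)


@dataclass(frozen=True)
class Response:
    txid: int
    dst_port: int
    qname: str
    records: Tuple[Tuple[str, str, str], ...]  # (name, type, value) triples


def new_query(qname: str, zone: str, randomize_port: bool = True) -> Query:
    """Unpredictable txid and, per RFC 5452, an unpredictable source port as well."""
    txid = secrets.randbelow(1 << 16)
    port = 1024 + secrets.randbelow(65536 - 1024) if randomize_port else 53
    return Query(txid, port, qname, zone)


def in_bailiwick(name: str, zone: str) -> bool:
    """True if name is the zone apex or lies beneath it."""
    return name == zone or name.endswith("." + zone)


def accept_response(pending: Dict[Tuple[int, int], Query], resp: Response):
    """Decide what, if anything, from resp may enter the cache.

    Returns (records_to_cache, reason). The lookup key is (txid, port): an
    off-path forger must guess both, which is the point of port randomization.
    """
    query = pending.get((resp.txid, resp.dst_port))
    if query is None:
        return (), "rejected: no outstanding query with this txid/port"
    if resp.qname != query.qname:
        return (), "rejected: question section does not match"
    kept = tuple(r for r in resp.records if in_bailiwick(r[0], query.zone))
    dropped = len(resp.records) - len(kept)
    return kept, f"accepted {len(kept)} record(s), dropped {dropped} out-of-bailiwick"


if __name__ == "__main__":
    q = Query(0x1A2B, 40000, "abc123.example.com.", "example.com.")
    pending = {(q.txid, q.src_port): q}
    # 1. Wrong txid: the response is not even examined further.
    print(accept_response(pending, Response(0x1A2C, 40000, q.qname,
          (("www.example.com.", "A", "198.51.100.5"),))))
    # 2. Right txid, but the extra record belongs to another zone: dropped.
    print(accept_response(pending, Response(0x1A2B, 40000, q.qname,
          (("www.other.example.", "A", "198.51.100.5"),))))
    # 3. Right txid and an in-bailiwick record for www.example.com.: accepted.
    #    This is the shape of the Kaminsky technique. Bailiwick checks do not
    #    stop it, so the entropy of txid + port and DNSSEC signatures have to.
    print(accept_response(pending, Response(0x1A2B, 40000, q.qname,
          (("www.example.com.", "A", "203.0.113.7"),))))
```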

Is ARP spoofing the same as DNS spoofing?  

The short answer is no. 

ARP spoofing is an attack where attackers manipulate the Address Resolution Protocol to intercept network traffic and link their (malicious) MAC address to a legitimate IP. 

Meanwhile, DNS spoofing manipulates the DNS system to redirect users to malicious websites by providing false IP addresses for domain names. 

Is DNS spoofing the same as pharming?  

Not exactly.  

However, DNS spoofing is closely related to pharming.

Here’s how: Pharming describes any attack that corrupts the domain-to-IP resolution process.  

So, pharming includes DNS spoofing, DNS cache poisoning, DNS hijacking, and malware-based pharming. 

In malware-based pharming, a trojan or virus intercepts the user’s request to visit a particular site and redirects them to an attacker-controlled site instead. 

How do I prevent DNS spoofing? 

DNS spoofing remains a serious threat in 2025. 

But are there ways to stop attackers from re-routing your every move? 

The answer is yes, and it all starts with knowing the right security measures to adopt. Below, we break down the essential controls to put you back in the driver’s seat. 

Prevention measures at a glance (what each involves and who it’s for):

Use secure DNS servers

  • Use trusted DNS resolvers like Cloudflare and NextDNS, which support DoH (DNS over HTTPS) and DoT (DNS over TLS)

  Who it’s for: Consumers, small businesses, and enterprises seeking a safer DNS experience

Low TTL values

  • Some customer support forums recommend setting Time-to-Live (TTL) values low so that if cache poisoning occurs, the poisoned cache expires quickly
  • However, setting TTL values too low can lead to more DNS queries and by extension, more opportunities for attackers to intercept responses. An ideal TTL depends on several factors unique to your organization.

  Who it’s for: Network admins, businesses

Block rogue DHCP servers

  • Block DHCP traffic from unauthorized DHCP servers to prevent attackers from controlling DNS/DHCP replies on the local network

  Who it’s for: Businesses, enterprise networks

Use DNSSEC

  • Implement Domain Name System Security (DNSSEC) to provide cryptographic verification for both DNS queries and responses
  • When DNSSEC is deployed across the reverse zone (*the part of DNS that handles IP-to-domain lookups*), reverse DNS keys authenticate DNS responses
  • Every IP address that sends email should have a valid PTR (pointer) record that matches the forward DNS record (domain-to-IP lookup)

*Normally, when you type in a URL, your device asks the DNS server what the IP address is. Reverse DNS does the opposite: it takes an IP address and asks what domain links to it.*

  Who it’s for: Domain owners, businesses, ISPs
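The PTR consistency check in the DNSSEC row is usually called forward-confirmed reverse DNS. Here it is as an added example (not from the article), run over constructed forward and reverse zone data held in memory rather than fetched from live DNS; hostnames and addresses are placeholders, and the third reverse entry is deliberately inconsistent so the check has something to catch.

```python
import ipaddress
from typing import Dict, Set, Tuple

# Constructed forward zone: hostname -> A records.
FORWARD: Dict[str, Set[str]] = {
    "mail.example.com.": {"203.0.113.25"},
    "www.example.com.": {"203.0.113.10"},
}

# Constructed reverse zone: in-addr.arpa name -> PTR target.
# The 203.0.113.99 entry claims to be mail.example.com., but that host's
# A record does not point back to it, so the check must fail there.
REVERSE: Dict[str, str] = {
    "25.113.0.203.in-addr.arpa.": "mail.example.com.",
    "10.113.0.203.in-addr.arpa.": "www.example.com.",
    "99.113.0.203.in-addr.arpa.": "mail.example.com.",
}


def reverse_name(ip: str) -> str:
    """Build the PTR owner name for an address (handles IPv4 and IPv6)."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def fcrdns(ip: str, reverse=REVERSE, forward=FORWARD) -> Tuple[bool, str]:
    """Forward-confirmed reverse DNS: a PTR exists and its target resolves back to ip."""
    ptr = reverse.get(reverse_name(ip))
    if ptr is None:
        return False, "no PTR record"
    if ip not in forward.get(ptr, set()):
        return False, f"PTR {ptr} has no A record for {ip}"
    return True, ptr


def audit_senders(ips) -> Dict[str, Tuple[bool, str]]:
    """Run the check over every address that sends mail, as the row above recommends."""
    return {ip: fcrdns(ip) for ip in ips}


if __name__ == "__main__":
    for ip, result in audit_senders(["203.0.113.25", "203.0.113.99", "203.0.113.50"]).items():
        print(ip, result)
```

Against real zones the two dictionaries would be replaced by PTR and A lookups, but the decision logic is the same: a PTR on its own proves nothing, because whoever controls the reverse zone can write any name there; only the forward record closing the loop does.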

DNS filtering engines

  Who it’s for: Businesses, MSPs

DNS security tools

  • Tools like Palo Alto Networks Advanced DNS Security and Heimdal DNS Protection use smart algorithms to spot unusual DNS activity
  • Network traffic analysis tools like Wireshark, Zeek, and Suricata inspect network DNS traffic
  • Endpoint DNS protection tools like Webroot SecureAnywhere and Palo Alto Networks Endpoint Security help keep personal devices safe wherever they connect to the internet

*Be sure to conduct due diligence research based on network security needs, corporate policies, and compliance requirements before deploying any security product. LastPass encourages consulting with security experts to identify best-fit solutions for your unique needs.*

  Who it’s for: Consumers, small business owners, IT professionals, enterprises

Integration with security infrastructure

  • Deploy DNS security tools that integrate with firewalls, antivirus, PAM, and identity access management systems for a layered defense

  Who it’s for: IT teams, small businesses, enterprises

 

FAQs about DNS spoofing 

How do I know if my DNS has been hacked? 

Unusual redirects and browser security warnings about invalid SSL/TLS certificates are strong signals your DNS has been hacked. Other signs include: 

  • Web pages failing to load entirely, even when accessing trusted domains 
  • Increased phishing or malware alerts related to known domains 
  • The appearance of random, excessive pop-ups on familiar sites 

Can VPN prevent DNS spoofing? 

VPNs improve privacy but aren’t a complete defense against DNS spoofing.   

A VPN encrypts your internet traffic and DNS queries, reducing the risk of interception. However, some consumer VPNs lack DNS leak protections, which means attackers may still be able to see your DNS queries and manipulate DNS responses accordingly. 

What is a DNS leak test? 

First, a DNS leak is a security flaw where your device sends DNS queries outside the VPN tunnel, exposing your browsing habits to your ISP and others. A DNS leak test checks if this is happening, so you can act promptly with the proper tools to secure your online privacy. 

What is the difference between DNS hijacking and spoofing? 

The main difference is DNS hijacking involves deeper control and is more invasive. 

In a DNS hijacking attack, threat actors gain unauthorized access to a DNS registrar account, which allows them to modify DNS settings. Such access allows them to disrupt services and effectively seize full control of the domain. 

Meanwhile, DNS spoofing is a tactic within hijacking that corrupts DNS caches to redirect users to fake sites. 

What are the consequences of DNS spoofing? 

The consequences of DNS spoofing include credential theft, malware infections, and service disruptions. If you have a business, these service disruptions can lead to financial loss, a damaged brand, and a loss of consumer trust. 

Better with LastPass: Your ally in securing your digital privacy 

It’s natural to wonder how LastPass fits in an already crowded security toolbox. But when it comes to DNS spoofing, LastPass identity and access controls can be a gamechanger in reinforcing your security posture. 

So, even if attackers manage to redirect traffic, your accounts stay safe. 

Here’s how: 

  • Exact domain matching autofill: With LastPass, your credentials are only filled on correct domains. This means your risk of credential theft and account takeovers is dramatically reduced. 
  • Strong, unique password generation: Our built-in password generator lets you create strong credentials for every account. So, even if attackers manage to steal one password, they can’t reuse it for other accounts. 
  • FIDO2 MFA: With LastPass, you get phishing-resistant protection for every login. Even if attackers get your password via spoofed sites, FIDO2 MFA like passkeys and hardware security keys adds an extra verification step they must complete to get their hands on your data and financial assets. 
  • SaaS Monitoring: As SaaS app use explodes and expands your digital footprint, your risk of DNS spoofing soars. LastPass complements your current security stack with powerful SaaS app monitoring identity and access controls, which means you get visibility into every SaaS app login. 
  • Continuous Dark Web Monitoring: With LastPass Dark Web Monitoring, you get an early warning system if any of your email addresses or logins are compromised. This means you can act quickly to update your credentials before real damage occurs. 

“I have various electronic devices from Android, Apple and PCs. Last Pass is super convenient to use across all my devices no matter where I am.” (Cheryl M, Business Administrator and verified G2 reviewer)

“It securely stores my passwords for the sites I visit. I love that it can autofill the username and password when I visit a site. Additionally, I like that it generates strong passwords for me. It can also store passkeys and other sensitive information, such as credit cards and social security numbers. The app is very easy to use.” (Lara K, Senior Manager of Web Development and verified G2 reviewer)

Remember: DNS spoofing remains a serious threat. Get effortless security by unlocking your free trial of LastPass today (no credit card required). 

Type of account, who it’s for, and whether a free trial is available:

  • Premium: for personal use across devices. Free trial: yes, get it here
  • Families: for parents, kids, roommates, friends, and whoever else you call family (6 Premium accounts). Free trial: yes, get it here
  • Teams: for your small business or startup. Free trial: yes, get it here
  • Business: for small or medium-sized businesses. Free trial: yes, get it here
  • Business Max: advanced protection and secure access for any business. Free trial: yes, get it here

 

Sources: 

https://aws.amazon.com/route53/what-is-dns/

https://docs.aws.amazon.com/global-accelerator/latest/dg/about-accelerators.eip-accelerator.html

https://www.esecurityplanet.com/threats/the-black-hat-kaminsky-dns-flaw-eight-years-later/

https://www.esecurityplanet.com/threats/dns-spoofing-attack-millions-of-devices-at-risk/

https://www.wired.com/2017/04/hackers-hijacked-banks-entire-online-operation/

https://insights.infoblox.com/resources-report/infoblox-report-muddling-meerkat-the-great-firewall-manipulator

https://www.usenix.org/system/files/sec21-hoang.pdf

https://dnsmadeeasy.com/resources/what-is-dns-spoofing

https://www.fortinet.com/resources/cyberglossary/dns-leak

https://dnsmadeeasy.com/resources/what-is-ttl
