2.4.6 DNS Poisoning

The Domain Name System (DNS) translates a domain name, such as apple.com, into an IP address, such as 17.149.160.49. A DNS server then caches that answer so it can be reused for later requests. When an employee types "www.apple.com" into a browser, the DNS server translates the request to 17.149.160.49; the browser contacts that address and displays the website, with the URL www.apple.com shown in the address bar.

DNS cache poisoning is the act of replacing the IP addresses held in a DNS server's cache. Once a DNS server's cache is poisoned, it diverts traffic to a different IP address than the one the user intended to reach. When the employee enters "www.apple.com" into his browser, he is diverted to a fake website. Most likely the employee will not realize that he is viewing a fake website, because he typed the URL directly into his web browser or selected it from the browser's favorites list. The fake website could contain malicious content, such as a worm or virus, that the employee is tricked into installing on his computer; or, if the employee purchases something on the fake website, he inadvertently gives the attacker his credit card information.
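The following is an added example, not part of the original section: a toy caching resolver written in Python that shows why a poisoned entry ends up being served to every later lookup, and which checks a resolver applies before it trusts a reply. The genuine address is the one quoted in the text; the attacker's address, the hypothetical bank name and the transaction IDs are constructed for the example. A resolver with `validate=False` accepts the first reply that names the question; with `validate=True` it additionally requires the 16-bit transaction ID to match the query it sent and the answer to be for the name it asked about.

```python
"""Toy caching DNS resolver used to illustrate cache poisoning (constructed example)."""
import random
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample values: the genuine address is the one given in the text,
# the attacker's address is a placeholder from the documentation range.
GENUINE_IP = "17.149.160.49"
ATTACKER_IP = "203.0.113.7"
NAME = "www.apple.com"


@dataclass(frozen=True)
class DnsResponse:
    txid: int          # 16-bit transaction ID, supposed to be copied from the query
    question: str      # name the reply claims to answer
    answer_name: str   # name the A record in the reply is for
    answer_ip: str
    ttl: int


class CachingResolver:
    """Minimal stub resolver: one query in flight per name, first accepted reply wins."""

    def __init__(self, validate: bool, rng: random.Random):
        self.validate = validate
        self.rng = rng
        self.cache: Dict[str, str] = {}
        self.pending: Dict[str, int] = {}   # name -> transaction ID of the query in flight

    def send_query(self, name: str) -> int:
        txid = self.rng.randrange(0, 1 << 16)
        self.pending[name] = txid
        return txid

    def receive(self, resp: DnsResponse) -> bool:
        """Return True if the reply was accepted into the cache."""
        if resp.question not in self.pending:
            return False                      # no query in flight for this name: drop it
        if self.validate:
            if resp.txid != self.pending[resp.question]:
                return False                  # transaction ID does not match our query
            if resp.answer_name != resp.question:
                return False                  # record for a name we did not ask about
        self.cache[resp.answer_name] = resp.answer_ip
        del self.pending[resp.question]       # query answered; later replies are ignored
        return True

    def resolve(self, name: str) -> Optional[str]:
        """What every later client lookup gets until the TTL expires."""
        return self.cache.get(name)


def poisoning_scenario(validate: bool, attacker_guesses_txid: bool, seed: int = 7) -> Optional[str]:
    """Race a forged reply against the genuine one; return the IP that ends up cached."""
    resolver = CachingResolver(validate=validate, rng=random.Random(seed))
    real_txid = resolver.send_query(NAME)
    # The forged reply arrives before the genuine one. Whether its ID matches is the
    # only thing that separates a wrong guess from a right one (constructed cases).
    guess = real_txid if attacker_guesses_txid else (real_txid + 1) % (1 << 16)
    forged = DnsResponse(guess, NAME, NAME, ATTACKER_IP, ttl=86400)
    resolver.receive(forged)
    genuine = DnsResponse(real_txid, NAME, NAME, GENUINE_IP, ttl=3600)
    resolver.receive(genuine)
    return resolver.resolve(NAME)


def out_of_bailiwick_scenario(validate: bool, seed: int = 7) -> Optional[str]:
    """A reply to our query that smuggles a record for an unrelated (hypothetical) name."""
    resolver = CachingResolver(validate=validate, rng=random.Random(seed))
    txid = resolver.send_query(NAME)
    smuggled = DnsResponse(txid, NAME, "login.example-bank.test", ATTACKER_IP, ttl=86400)
    resolver.receive(smuggled)
    return resolver.resolve("login.example-bank.test")


if __name__ == "__main__":
    print("lax resolver, wrong ID guess   :", poisoning_scenario(False, False))
    print("checking resolver, wrong guess :", poisoning_scenario(True, False))
    print("checking resolver, right guess :", poisoning_scenario(True, True))
    print("lax resolver, smuggled record  :", out_of_bailiwick_scenario(False))
    print("checking resolver, smuggled    :", out_of_bailiwick_scenario(True))
```

The third scenario is the caveat: once the transaction ID is guessed, the checking resolver caches the forged address just like the lax one, and every client that asks for the name over the next 86400 seconds is sent to it. Because a 16-bit ID alone is a small search space, production resolvers also randomize the UDP source port of each query and can verify DNSSEC signatures on the answer before caching it; a monitoring check that compares cached answers against a known-good list for high-value names catches a poisoned entry after the fact.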

Another form of DNS poisoning is when the attacker spoofs valid email accounts and floods the email inboxes of administrators.