What is DNS spoofing?

When we are talking about DNS spoofing, the threat is real. As an online business owner or administrator, it is essential to know what risk hides behind these words. Understanding it will help you protect your clients, yourself, and your business. Let’s talk a little more about what it is and how to defend against it.

What is DNS spoofing?

DNS (Domain Name System) spoofing is also called DNS cache poisoning. It is a hacking attack in which malicious DNS data, such as forged records or forged entries, enters the cache of a resolver server. The resolver then begins to answer user requests from that cache, so the end user receives answers containing a forged record, like a fake IP address. The intention is to direct the traffic to an address where attackers will try to obtain the victims’ sensitive data, such as credit card information.

The users’ devices work normally because they are tricked by the forged data. Customers think that they are going to the legitimate website they requested. Instead, they are directed to an unsafe destination under the attackers’ control. The website’s appearance could look very similar to the real one, and the user may not spot the difference, but it is just a forged copy.

DNS spoofing tactics

Attackers can use various tactics for their illegal purposes. As we mentioned, the goal is to direct traffic to forged websites.

  • DNS cache poisoned through spam. Malicious code can be hidden in ads, images, or URLs in spam e-mails. Once users click the URL, their devices get poisoned, and the code afterward guides them to forged websites.
  • Hijack of a DNS server. The hacker gains access to the server by exploiting weak spots, then alters its configuration, for example by adding a fake entry. What is the result? Every request for a particular website (the spoofed one) arrives at the forged website.
  • Man-in-the-middle technique (spoofing of DNS responses). With this technique, the intention is to poison both the server and the user’s device at once. Here the criminal sits exactly between your browser and the DNS server, and the communication gets poisoned through software that injects the malicious code.

How to protect yourself?

  • Use encryption. Encryption is a great way to keep DNS data (queries and responses) safe. Criminals who want to spoof will not be able to forge a copy of the legitimate website’s security certificate.
  • Work on detection. Software tools are available that scan the data received, as a last line of defense.
  • Domain Name System Security Extensions (DNSSEC). DNSSEC checks the authenticity of data through signed DNS records, securing the authenticity of DNS lookups.
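As an added example (not code from the original page), the following Python checks show what “scanning the data received” means for a resolver before it trusts a DNS answer: the response must carry the QR bit, the same transaction ID and the same question as the outstanding query, and every record in it must belong to the zone that was asked about. The message builder uses constructed sample data and, to keep the parser short, does not support DNS name compression; DNSSEC validation is a separate, stronger check not shown here.

```python
import struct

def _enc(name):
    """Encode a dotted name as DNS labels (no compression)."""
    return b"".join(bytes([len(lab)]) + lab.encode() for lab in name.rstrip(".").split(".")) + b"\0"

def _name(msg, off):
    """Decode an uncompressed DNS name; returns (name, next offset)."""
    labels = []
    while msg[off]:
        n = msg[off]
        labels.append(msg[off + 1:off + 1 + n].decode("ascii").lower())
        off += 1 + n
    return ".".join(labels) + ".", off + 1

def build(txid, qname, qtype=1, answers=(), response=False):
    """Constructed sample DNS message: one question plus optional A answers."""
    hdr = struct.pack("!HHHHHH", txid, 0x8180 if response else 0x0100, 1, len(answers), 0, 0)
    body = _enc(qname) + struct.pack("!HH", qtype, 1)
    for owner, ip in answers:
        rdata = bytes(int(o) for o in ip.split("."))
        body += _enc(owner) + struct.pack("!HHIH", 1, 1, 300, len(rdata)) + rdata
    return hdr + body

def parse(msg):
    """Parse header, question, and answer records (owner, type, rdata)."""
    txid, flags, _, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    qname, off = _name(msg, 12)
    qtype = struct.unpack("!H", msg[off:off + 2])[0]
    off += 4  # skip QTYPE and QCLASS
    answers = []
    for _ in range(an):
        owner, off = _name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        answers.append((owner, rtype, msg[off:off + rdlen]))
        off += rdlen
    return {"id": txid, "qr": bool(flags & 0x8000), "qname": qname, "qtype": qtype, "answers": answers}

def accept_response(query, response, zone):
    """Checks a cautious resolver applies before caching an answer; returns (ok, reason)."""
    q, r = parse(query), parse(response)
    if not r["qr"] or r["id"] != q["id"]:
        return False, "not a response to the outstanding query (QR bit / transaction id)"
    if (r["qname"], r["qtype"]) != (q["qname"], q["qtype"]):
        return False, "question section does not match what was asked"
    for owner, _, _ in r["answers"]:
        if owner != zone and not owner.endswith("." + zone):
            return False, "out-of-bailiwick record " + owner
    return True, "ok"
```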

Users also have to consider some preventive practices and not make the attackers’ job that easy. After all, they are the main target of this type of criminal activity.

  • Prefer a virtual private network (VPN) for connecting. Connecting to a public network carries a significant risk. A VPN supplies users with an encrypted tunnel to securely reach servers and interact with the domains they visit.
  • Don’t click strange links. Before clicking any link you are sent, make a quick check of its URL. This is especially recommended for suspicious links in spam messages, text messages, or social media messages from unknown senders. Not clicking can save users’ sensitive data.
  • Delete the DNS cache. DNS data for frequently visited websites is kept saved for some time. The server may no longer be poisoned, but the user’s device may still be. By periodically clearing the DNS cache, users can prevent their browsers from directing them to forged websites.

What is the SOA record?

There are numerous types of DNS records, and to understand DNS it is important to know how they work and what their purpose is. The SOA record is one of them, and one of the most common. Let’s explain what it is and why it is essential to have it.

What is the SOA record?

The SOA record is a fundamental DNS record. It indicates the start of authority: it points to the name server that contains the original zone file. This server holds all the important information about the zone and is the authoritative DNS server. The SOA record is the first record a zone file contains, and it establishes the general properties of the zone.

Typically, DNS servers operate together in a cluster, and all of them are required to synchronize their zone file. To achieve that, they perform a zone transfer. The SOA record acts as a control record: it has a serial number that shows which version is the newest update. Secondary servers, also called slave servers, see that the serial number has changed and then update, fetching the latest data from the authoritative server.

Zone transfer

A domain name typically has more than one DNS server. One is the primary DNS server, and the others are secondary DNS servers.

The primary has the original zone file, and you can make all the changes you want inside it. The information from it is propagated to the rest through a zone transfer. A zone transfer is simply the process of updating the zone file on the secondary DNS servers. It can be an IXFR zone transfer (partial, transferring only the changes) or an AXFR zone transfer (complete transfer of all DNS records).

Why do you need an SOA record?

The SOA record is required to indicate the authoritative name server and to achieve a successful zone transfer. It is important for every zone to have an SOA record. You must also know that each zone should contain only one SOA record. If the zone does not have an SOA record, or if you insert more than one, your zone will not work. So be careful and don’t make such a mistake.


The SOA record contains inside the following elements:

  • Name – The name of the zone, as set by the DNS admin.
  • Type – The type of the DNS record, which in this case will be SOA.
  • Primary name server – The hostname of the authoritative DNS server for that zone.
  • Admin’s email – The email of the DNS administrator for that zone.
  • Serial number – The serial number of the zone mentioned before. The secondary DNS servers check this number to determine whether to update their DNS records.
  • Refresh rate – The number of seconds that defines how frequently the secondary DNS server needs to re-visit the authoritative DNS server and check for changes.
  • Retry rate – If the zone transfer between the secondary DNS servers and the primary fails, this is the time during which the secondary servers keep trying to update. If the time expires, the secondary servers’ data becomes outdated, and they stop answering queries.
  • Default TTL – A time period showing how long the DNS records are valid. After it runs out, the secondary DNS servers must discard them and perform a new zone transfer.
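Added example, not from the original page: a small Python parser for an SOA record written in standard zone-file syntax (the seven RDATA fields RFC 1035 names MNAME, RNAME, SERIAL, REFRESH, RETRY, EXPIRE and MINIMUM), together with the serial-number comparison a secondary uses to decide whether a zone transfer is due, as described in the zone transfer section above. The sample record and its timer values are constructed, and the timer logic is a simplified model of what secondaries do.

```python
import re

SERIAL_BITS = 32
SERIAL_HALF = 1 << (SERIAL_BITS - 1)

# Constructed sample SOA record in zone-file syntax; all values are illustrative.
SAMPLE_SOA = """
example.com.  3600  IN  SOA  ns1.example.com. hostmaster.example.com. (
                2024031501 ; serial: secondaries compare this to decide on a transfer
                7200       ; refresh: how often secondaries re-check the primary
                900        ; retry: wait this long after a failed refresh
                1209600    ; expire: stop serving the zone after this long without success
                300 )      ; minimum: negative-caching TTL (the 'default TTL' above)
"""

def parse_soa(text):
    """Parse one SOA record (parentheses and ';' comments allowed) into a dict."""
    body = re.sub(r";[^\n]*", "", text).replace("(", " ").replace(")", " ")
    tok = body.split()
    # layout: NAME TTL CLASS SOA MNAME RNAME SERIAL REFRESH RETRY EXPIRE MINIMUM
    if len(tok) != 11 or tok[3].upper() != "SOA":
        raise ValueError("not a single SOA record: %r" % tok)
    serial, refresh, retry, expire, minimum = (int(t) for t in tok[6:11])
    if not 0 <= serial < (1 << SERIAL_BITS):
        raise ValueError("serial must be an unsigned 32-bit integer")
    return {"name": tok[0], "ttl": int(tok[1]), "mname": tok[4], "rname": tok[5],
            "serial": serial, "refresh": refresh, "retry": retry,
            "expire": expire, "minimum": minimum}

def rname_to_email(rname):
    """RNAME stores the admin mailbox with '@' replaced by the first dot (escaped dots not handled)."""
    local, _, domain = rname.rstrip(".").partition(".")
    return local + "@" + domain

def primary_is_newer(local_serial, primary_serial):
    """RFC 1982 serial-number arithmetic: True if the primary's serial is newer (wrap-around safe)."""
    diff = (primary_serial - local_serial) % (1 << SERIAL_BITS)
    return 0 < diff < SERIAL_HALF

def secondary_action(local_serial, soa, last_ok_age, last_attempt_failed):
    """What a secondary does after a refresh check (simplified RFC 1035 timer logic)."""
    if last_ok_age > soa["expire"]:
        return "expired: stop answering for the zone"
    if last_attempt_failed:
        return "retry in %d s" % soa["retry"]
    if primary_is_newer(local_serial, soa["serial"]):
        return "zone transfer (AXFR/IXFR)"
    return "up to date: next check in %d s" % soa["refresh"]
```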