TL;DR: DNS cache poisoning (or DNS spoofing) is when an attacker tricks a DNS resolver into caching a fake answer for a domain — so visitors who look it up are quietly sent to the attacker's server instead of yours. It can redirect web traffic and email. The defence is DNSSEC, which cryptographically signs DNS answers so forged ones are rejected. Scan your domain free to check if DNSSEC is enabled.
How the attack works
When your computer needs an IP for a domain, it asks a resolver, which may ask other servers and cache the answer for a while. If an attacker can slip a forged response in before the real one arrives — guessing the right query details — the resolver stores the fake. Every user of that resolver then gets the poisoned answer until the cache expires.
Why it's dangerous
- Traffic redirection: users typing your real domain land on a look-alike phishing or malware site.
- Email interception: poisoned MX answers can route your mail through an attacker.
- It's invisible: the address bar shows your real domain — nothing looks wrong to the victim.
How DNSSEC stops it
DNSSEC adds a cryptographic signature to your DNS records. A validating resolver checks that signature against a chain of trust up to the root — so a forged, unsigned (or wrongly signed) answer fails validation and is thrown away. The attacker can't produce a valid signature without your keys, which is exactly what breaks cache poisoning. See our DNSSEC guide for setup.
What you can do
- Enable DNSSEC on your domain (if your registrar or DNS host supports it) so forged answers for it are rejected by validating resolvers.
- Use trustworthy resolvers that validate DNSSEC and apply modern anti-spoofing measures (source-port randomisation).
- Pair with HTTPS and email auth so even a redirect runs into a certificate or DMARC failure.
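To see what "signed" and "validated" actually look like, here is an added example (not code from this page or its scanning service) that classifies the text output of `dig +dnssec`: an RRSIG record in the answer shows the zone is signed, the `ad` flag shows a validating resolver verified the chain of trust, and a SERVFAIL is what a validator returns when the signatures do not check out. The sample responses are constructed, not captured from real servers.

```python
import re

# Constructed samples of `dig +dnssec <name> A` output (not real captures).
# A validating resolver sets the "ad" (authenticated data) flag only when the
# signatures verified all the way up the chain of trust; RRSIG records in the
# answer show that the zone itself is signed.
SIGNED_VALIDATED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12345
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
example.com.\t3600\tIN\tA\t192.0.2.1
example.com.\t3600\tIN\tRRSIG\tA 13 2 3600 20250101000000 20241201000000 12345 example.com. c29tZXNpZw==
"""

UNSIGNED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23456
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
example.net.\t3600\tIN\tA\t192.0.2.2
"""

# What a validating resolver returns when the signatures do not verify:
# the forged or broken answer is discarded and the client gets SERVFAIL.
BOGUS = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 34567
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""


def dnssec_status(dig_output):
    """Classify one dig response as 'validated', 'signed-unvalidated',
    'unsigned', 'bogus' (SERVFAIL from a validator) or 'unknown'."""
    status = re.search(r"status:\s*(\w+)", dig_output)
    flags = re.search(r";; flags:\s*([^;]*);", dig_output)
    flag_set = set(flags.group(1).split()) if flags else set()
    has_rrsig = bool(re.search(r"^\S+\s+\d+\s+IN\s+RRSIG\s", dig_output, re.M))
    if status is None:
        return "unknown"
    if status.group(1) == "SERVFAIL":
        return "bogus"          # usual symptom of failed DNSSEC validation
    if status.group(1) != "NOERROR":
        return "unknown"
    if has_rrsig and "ad" in flag_set:
        return "validated"      # signed zone and the resolver verified it
    if has_rrsig:
        return "signed-unvalidated"  # signed, but this resolver did not validate
    return "unsigned"           # no RRSIG: nothing for a validator to check
```

A "signed-unvalidated" result means the zone is fine but the resolver you asked is not validating, which is the case for the second bullet above.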
FAQ
Does DNSSEC encrypt my DNS?
No — DNSSEC authenticates answers (proves they're genuine). Encrypting the lookup itself is a separate thing (DNS-over-HTTPS/TLS).
Is cache poisoning still a real risk?
Modern resolvers have mitigations, but the underlying weakness is why DNSSEC exists — and most domains still don't sign, leaving the door open.
Will DNSSEC slow down my site?
The overhead is negligible for visitors and well worth the integrity guarantee.
Not sure if your domain is signed against forgery? Scan your domain, then reply to your report — we're developers and we'll get DNSSEC enabled for you.