[dns-operations] difference between dns spoofing and dns hijacking?

Doug Barton dougb at dougbarton.email
Sat Aug 4 05:17:51 UTC 2018

On 08/02/2018 11:43 AM, John Levine wrote:
> In article <alpine.DEB.2.20.1808021112290.3596 at grey.csi.cam.ac.uk> you write:
>>> Is this a "hijack" or a "spoof" or a "poison" attack?
> If I were defining these things, which I don't at this point think I
> am, I'd say a DNS hijack involved taking over the legitimate owner's
> facilities such as a registrar account or DNS server to inject false
> data.  A spoof injects false data by tricking the recipient to accept
> data from an illegitimate source.
> If we wanted to try and distinguish poison from spoof, I'd wave my
> hands and say that poison somehow involves piggybacking bad data on
> good data.

The term cache poisoning has long referred to the act of trying to get 
the malicious reply in ahead of the legitimate reply after a resolver 
initiates a query. Bonus points if you can somehow prompt the resolver 
to make the query in the first place.

Spoofing generally involves getting a target resolver to query a domain 
you control, and including bad data in the response, usually in the 

But all three terms are used nebulously, so I wouldn't claim AUTHORITY 
on these definitions.  :)

More information about the dns-operations mailing list