DNS spoofing is the result of alterations to a DNS server’s records that cause the malicious redirection of traffic. DNS spoofing can be performed by a direct attack on the DNS server (what we will be talking about here) or through any form of man-in-the-middle attack that specifically targets DNS traffic.
DNS cache spoofing exploits the way in which DNS communication is structured. When a DNS server attempts to perform a lookup on a domain, it forwards the request to the root DNS servers and proceeds iteratively down the chain of DNS servers until it reaches the server authoritative for the domain. Since the local DNS server does not know in advance which server is in charge of which domain, and does not know the full route to each authoritative server, it accepts replies to its queries from anywhere, so long as the reply matches the query and is formatted correctly. The attacker can exploit this design by beating the real authoritative DNS server in replying to the local DNS server; if the attacker’s reply arrives first, the local DNS server uses the attacker’s DNS record instead of the authoritative answer. Due to the nature of DNS, the local DNS server has no way of determining which reply is real and which is fake.
This attack is made worse by the fact that DNS servers cache lookups internally so that they don’t have to waste time querying the authoritative servers each time a domain is requested. This poses a further problem: if an attacker can beat the authoritative DNS server to a reply, the attacker’s record is cached by the local DNS server. Every user of that local DNS server is then given the attacker’s record, potentially redirecting all of those users to the attacker’s website.
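The behaviour described above, as an added example that is not part of the original article: a toy recursive resolver that never authenticates the sender of a reply, only checks that the reply's transaction ID and destination port match an outstanding query, caches the first matching reply, and serves that cached answer to every later client. The `race` function is a constructed scenario (hypothetical hostnames and addresses) contrasting a resolver with a fixed source port against one using source-port randomization, the common mitigation.

```python
import random
from dataclasses import dataclass

@dataclass(frozen=True)
class Query:
    txid: int       # 16-bit DNS transaction ID chosen by the resolver
    src_port: int   # UDP source port the query left from
    qname: str
@dataclass(frozen=True)
class Reply:
    txid: int
    dst_port: int   # port the reply was addressed to
    qname: str
    answer: str     # A record (constructed sample values)

class Resolver:
    """Toy recursive resolver: no sender authentication, first matching reply wins."""
    def __init__(self, randomize_port: bool, rng: random.Random):
        self.randomize_port = randomize_port
        self.rng = rng
        self.cache = {}    # qname -> answer, shared by every client of this resolver
        self.pending = {}  # qname -> outstanding Query
    def send_query(self, qname: str) -> Query:
        port = self.rng.randint(1024, 65535) if self.randomize_port else 53
        q = Query(self.rng.randint(0, 0xFFFF), port, qname)
        self.pending[qname] = q
        return q
    def receive(self, reply: Reply) -> bool:
        """Accept a reply only if it matches an outstanding query's txid and port."""
        q = self.pending.get(reply.qname)
        if q is None or reply.txid != q.txid or reply.dst_port != q.src_port:
            return False                   # dropped; who sent it is never checked
        self.cache[reply.qname] = reply.answer
        del self.pending[reply.qname]      # later replies, even the real one, are ignored
        return True
    def lookup(self, qname: str):
        return self.cache.get(qname)

def race(randomize_port: bool, seed: int = 1) -> str:
    """Two replies race: an early one that matched the txid but assumed port 53,
    then the authoritative one (it saw the query, so it matches exactly)."""
    r = Resolver(randomize_port, random.Random(seed))
    q = r.send_query("example.com")
    early = Reply(q.txid, 53, "example.com", "203.0.113.66")         # constructed
    real = Reply(q.txid, q.src_port, "example.com", "198.51.100.10")  # constructed
    r.receive(early)
    r.receive(real)
    return r.lookup("example.com")   # what every later client is served from cache
```

With the fixed port the early reply is accepted and cached, so the real answer is discarded; with a randomized port the early reply fails the port check and the authoritative answer is cached instead.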