/ ANNOUNCEMENT — JUN 10, 2026

We’re shipping DNS spoofing detection.

A resolver-change check can’t see this one — the resolver looks the same. So we check the answer instead.

Our seventh detector goes after the stealthiest DNS attack: DNS spoofing detection. It resolves canary names whose correct IP is fixed and well-known, and flags any tampered answer — catching interception even when the resolver’s own address never changed. On Windows, free.

You typed the name correctly. The answer sent you somewhere else.
/ WHY IT MATTERS

The resolver looks fine — the answer isn’t

Where a DNS anomaly changes which resolver you use, DNS spoofing keeps the resolver you trust and rewrites the answer. An attacker on the network can run a transparent proxy that forwards most lookups untouched but rewrites the ones they care about, so the resolver’s IP looks unchanged the whole time.

CANARY LOOKUPone.one.one.one
KNOWN-GOOD IP1.1.1.1
ANSWER RECEIVED1.1.1.1
answer matches — resolution is clean
DNS ANSWER INTEGRITYthe resolver IP looks the same — the answer is what gives it away
/ WHAT SHIPPED

Answer-integrity canaries

Periodically, the detector asks your network’s resolver for a couple of canary names whose correct IP addresses are fixed and well-known — stable anycast addresses that shouldn’t vary from network to network. If an answer comes back different from the known-good address, the lookups are being tampered with — flagged as DNS spoofing, even when the resolver’s own IP never changed. Empty or blocked resolutions (a captive portal, a down link) are never treated as an attack, and the check pauses during the app’s own network-reset window so it doesn’t misread itself.

> nslookup one.one.one.one
known-good:1.1.1.1
Address:1.1.1.1
answer matches — resolution is clean
ANSWER, NOT RESOLVERresolve a name whose correct IP you already know — the answer is what gives it away
/ AND WHEN YOU’RE PROTECTED

Resolve inside the tunnel

A tampered answer is a strong signal the network is actively hostile. When you connect through Active Defense, your DNS resolves inside the encrypted tunnel — the same canary that came back wrong locally comes back clean, out of reach of whatever was rewriting answers.

ON THE LOCAL NETWORK
one.one.one.one →203.0.113.7
✗ answer rewritten
THROUGH THE TUNNEL
one.one.one.one →1.1.1.1
✓ matches known-good
RESOLVED IN THE TUNNELthe same canary that came back tampered on the local network resolves correctly through Active Defense
/ THE PRICE

Detection is free

DNS spoofing detection ships in the free version and always will. Catching the one lookup that was quietly redirected is exactly the kind of thing that shouldn’t be paywalled.

FREE FOREVERDNS spoofing detection is free, for Windows.

Read more: how DNS spoofing works · how to detect it yourself · the DNS anomaly detector

The address looks fine.
We check what it answers.