We’re shipping DNS spoofing detection.
A resolver-change check can’t see this one — the resolver looks the same. So we check the answer instead.
Our seventh detector goes after the stealthiest DNS attack: DNS spoofing detection. It resolves canary names whose correct IP is fixed and well-known, and flags any tampered answer — catching interception even when the resolver’s own address never changed. On Windows, free.
You typed the name correctly. The answer sent you somewhere else.
The resolver looks fine — the answer isn’t
Where a DNS anomaly changes which resolver you use, DNS spoofing keeps the resolver you trust and rewrites the answer. An attacker on the network can run a transparent proxy that forwards most lookups untouched but rewrites the ones they care about, so the resolver’s IP looks unchanged the whole time.
Answer-integrity canaries
Periodically, the detector asks your network’s resolver for a couple of canary names whose correct IP addresses are fixed and well-known — stable anycast addresses that shouldn’t vary from network to network. If an answer comes back different from the known-good address, the lookups are being tampered with — flagged as DNS spoofing, even when the resolver’s own IP never changed. Empty or blocked resolutions (a captive portal, a down link) are never treated as an attack, and the check pauses during the app’s own network-reset window so it doesn’t misread itself.
Resolve inside the tunnel
A tampered answer is a strong signal the network is actively hostile. When you connect through Active Defense, your DNS resolves inside the encrypted tunnel — the same canary that came back wrong locally comes back clean, out of reach of whatever was rewriting answers.
Detection is free
DNS spoofing detection ships in the free version and always will. Catching the one lookup that was quietly redirected is exactly the kind of thing that shouldn’t be paywalled.
Read more: how DNS spoofing works · how to detect it yourself · the DNS anomaly detector