/ THREATS — DNS ANOMALY · HIGH

DNS Anomaly

The directory your device trusts to find websites has been quietly swapped.

/ WHAT IT IS

What it is

DNS is the directory your device uses to turn a name like your-bank.com into an IP address. A DNS anomaly is an unexpected change to which resolver your device is trusting for those lookups.

If an attacker controls your DNS, they can quietly send you to servers they control — even for sites you type correctly. That makes a resolver change one of the clearer fingerprints of an evil-twin or man-in-the-middle setup.

YOUR DEVICE
asks DNS
your-bank.com?
RESOLVER
1.1.1.1
→ 8.8.4.4
GOES TO
REAL BANK
trusted resolver — lookup resolves where it should
DNS REDIRECTthe same lookup, answered by whichever resolver sits in the middle

The directory your device trusts to find websites has been quietly swapped.

/ THE ATTACK

How attackers do it

On a network they control, an attacker hands out their own DNS server through DHCP, or intercepts DNS traffic and answers it themselves. Even when they forward queries so resolved names look correct, the resolver doing the answering has changed — and that change is detectable even behind a transparent DNS proxy.

/ DETECTION

How we detect it

WifiThreatWatch reads the system’s DNS resolver and remembers a per-network baseline. A change to the resolver that isn’t explained by the app’s own actions is flagged as a high-severity DNS anomaly, once per unique value, then re-baselined.

The hard part is not crying wolf at yourself: bringing a VPN tunnel up or down legitimately changes DNS. So the app suppresses the resolver change it causes itself within a short window around its own VPN state transitions — otherwise the product’s own VPN would trip its own detector. DNS is also used as a third corroborating signal in evil-twin detection.

RESOLVER CHANGED
1.1.1.1 10.0.0.9
caused by our own VPN?
yes
no
SUPPRESSED
our VPN did it
FLAGGED
high severity
SUPPRESSION GATEa resolver change we caused ourselves is not an attack
FREE FOREVERFree in every WifiThreatWatch install.
[ wifi_scanner.py — resolver baseline + VPN-aware suppression ]
/ RESPONSE

How we stop it

On its own, a DNS-only mismatch is treated as “soft” — too unreliable to disconnect you over by itself — so it’s surfaced as a warning rather than a full alarm. Combined with a BSSID or gateway mismatch, it becomes part of a confirmed evil-twin alert.

When you connect through Active Defense, your traffic — including DNS — routes through the encrypted tunnel, out of the attacker’s reach.

LOCAL RESOLVERattacker-controlledYOUyour deviceENCRYPTED TUNNELOUR RESOLVERout of reach
DNS ON THE TUNNELyour lookups ride the encrypted tunnel to a resolver we control — the swapped local one never sees them
WITH SUBSCRIPTIONActive Defense + VPN response. Requires subscription (or the free 10-minute trial).

See it in action.
Download WifiThreatWatch.