DNS Anomaly
The directory your device trusts to find websites has been quietly swapped.
What it is
DNS is the directory your device uses to turn a name like your-bank.com into an IP address. A DNS anomaly is an unexpected change to which resolver your device is trusting for those lookups.
If an attacker controls your DNS, they can quietly send you to servers they control — even for sites you type correctly. That makes a resolver change one of the clearer fingerprints of an evil-twin or man-in-the-middle setup.
The directory your device trusts to find websites has been quietly swapped.
How attackers do it
On a network they control, an attacker hands out their own DNS server through DHCP, or intercepts DNS traffic and answers it themselves. Even when they forward queries so resolved names look correct, the resolver doing the answering has changed — and that change is detectable even behind a transparent DNS proxy.
How we detect it
WifiThreatWatch reads the system’s DNS resolver and remembers a per-network baseline. A change to the resolver that isn’t explained by the app’s own actions is flagged as a high-severity DNS anomaly, once per unique value, then re-baselined.
The hard part is not crying wolf at yourself: bringing a VPN tunnel up or down legitimately changes DNS. So the app suppresses the resolver change it causes itself within a short window around its own VPN state transitions — otherwise the product’s own VPN would trip its own detector. DNS is also used as a third corroborating signal in evil-twin detection.
How we stop it
On its own, a DNS-only mismatch is treated as “soft” — too unreliable to disconnect you over by itself — so it’s surfaced as a warning rather than a full alarm. Combined with a BSSID or gateway mismatch, it becomes part of a confirmed evil-twin alert.
When you connect through Active Defense, your traffic — including DNS — routes through the encrypted tunnel, out of the attacker’s reach.
ARP Spoofing
An attacker on your network impersonates your router to silently intercept everything you send.
Read more →Evil Twin
A fake access point broadcasts your network’s name to lure your device onto attacker-controlled hardware.
Read more →Rogue Device
A device you never authorized quietly joins your network and gains a foothold on your LAN.
Read more →