DNS Spoofing
You typed the name correctly. The answer sent you somewhere else.
What it is
DNS spoofing is an attacker tampering with the answers to your name lookups. Where a DNS anomaly is a change to which resolver you’re using, DNS spoofing is the resolver you already trust — or something silently intercepting it — handing back the wrong address.
You typed the name correctly. The answer sent you somewhere else.
How attackers do it
On a network they control, an attacker intercepts DNS queries and answers them directly, or runs a transparent DNS proxy that forwards most lookups untouched but rewrites the ones they care about. The resolver’s IP can look exactly the same as always — so a check that only watches for a resolver change never fires.
That’s what makes it dangerous: everything looks normal, right up until the one lookup that matters is quietly redirected to a server the attacker owns.
How we detect it
WifiThreatWatch checks the answers, not just the resolver. Periodically it asks your network’s resolver for a couple of canary names whose correct IP addresses are fixed and well-known — stable anycast addresses that shouldn’t vary from network to network.
If an answer comes back different from the known-good address, the lookups are being tampered with — flagged as DNS spoofing, even when the resolver’s own IP never changed. Empty or blocked resolutions (a captive portal, a down link) are never treated as an attack, and the check pauses during the app’s own network-reset window so it doesn’t misread itself.
How we stop it
A tampered answer is a strong signal the network is actively hostile, not just misconfigured — the point to stop trusting it for anything sensitive.
When you connect through Active Defense, your DNS resolves inside the encrypted tunnel, out of reach of whatever was rewriting answers on the local network.
ARP Spoofing
An attacker on your network impersonates your router to silently intercept everything you send.
Read more →Evil Twin
A fake access point broadcasts your network’s name to lure your device onto attacker-controlled hardware.
Read more →Rogue Device
A device you never authorized quietly joins your network and gains a foothold on your LAN.
Read more →