/ THREATS — DNS SPOOFING · HIGH

DNS Spoofing

You typed the name correctly. The answer sent you somewhere else.

/ WHAT IT IS

What it is

DNS spoofing is an attacker tampering with the answers to your name lookups. Where a DNS anomaly is a change to which resolver you’re using, DNS spoofing is the resolver you already trust — or something silently intercepting it — handing back the wrong address.

CANARY LOOKUPone.one.one.one
KNOWN-GOOD IP1.1.1.1
ANSWER RECEIVED1.1.1.1
answer matches — resolution is clean
DNS ANSWER INTEGRITYthe resolver IP looks the same — the answer is what gives it away

You typed the name correctly. The answer sent you somewhere else.

/ THE ATTACK

How attackers do it

On a network they control, an attacker intercepts DNS queries and answers them directly, or runs a transparent DNS proxy that forwards most lookups untouched but rewrites the ones they care about. The resolver’s IP can look exactly the same as always — so a check that only watches for a resolver change never fires.

That’s what makes it dangerous: everything looks normal, right up until the one lookup that matters is quietly redirected to a server the attacker owns.

/ DETECTION

How we detect it

WifiThreatWatch checks the answers, not just the resolver. Periodically it asks your network’s resolver for a couple of canary names whose correct IP addresses are fixed and well-known — stable anycast addresses that shouldn’t vary from network to network.

If an answer comes back different from the known-good address, the lookups are being tampered with — flagged as DNS spoofing, even when the resolver’s own IP never changed. Empty or blocked resolutions (a captive portal, a down link) are never treated as an attack, and the check pauses during the app’s own network-reset window so it doesn’t misread itself.

FREE FOREVERFree in every WifiThreatWatch install.
[ wifi_scanner.py — DNS answer-integrity canaries ]
/ RESPONSE

How we stop it

A tampered answer is a strong signal the network is actively hostile, not just misconfigured — the point to stop trusting it for anything sensitive.

When you connect through Active Defense, your DNS resolves inside the encrypted tunnel, out of reach of whatever was rewriting answers on the local network.

ON THE LOCAL NETWORK
one.one.one.one →203.0.113.7
✗ answer rewritten
THROUGH THE TUNNEL
one.one.one.one →1.1.1.1
✓ matches known-good
RESOLVED IN THE TUNNELthe same canary that came back tampered on the local network resolves correctly through Active Defense
WITH SUBSCRIPTIONActive Defense + VPN response. Requires subscription (or the free 10-minute trial).

See it in action.
Download WifiThreatWatch.