
DNS cache poisoning

Attack that injects false DNS records into a resolver's cache, redirecting traffic to attacker-controlled addresses.

An attack that injects false DNS records into a resolver's cache, redirecting traffic to attacker-controlled servers. The victim's resolver then serves poisoned data to clients without knowing it's been compromised.

Works because older DNS implementations didn't validate response authenticity: a resolver accepted any answer whose transaction ID and destination port matched an outstanding query. The attacker floods the resolver with spoofed answers, hoping one matches a query the resolver has just sent out. If the transaction ID and port align and the forged answer arrives before the legitimate one, the fake record is cached for the lifetime of its TTL, which can be hours or days.

Impact: users get redirected to phishing sites, malware drops, or surveillance endpoints. The victim sees the legitimate domain name while actually talking to the attacker's server. A compromised resolver can poison thousands of downstream clients at once.

Defense: DNSSEC cryptographically signs zone data so validating resolvers reject unsigned or invalid responses. Query randomization (random source ports and random transaction IDs) enlarges the space an attacker has to guess, which makes blind spoofing far harder. Modern resolvers usually implement both. But DNSSEC adoption remains patchy, and many zones stay unsigned.
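The acceptance check described above, as an added illustration that is not code from any real resolver: a toy resolver that only caches an answer when its transaction ID, destination port and question match a query still in flight, and discards everything else. Running it with and without source-port randomization shows why the randomization defense matters: the forged answer has to hit the right ID and port before the genuine answer arrives, and once the genuine answer lands the pending slot is gone. The `PendingQuery`, `Response` and `ToyResolver` names, the fixed port 53 for the unrandomized case, and the ephemeral port range are all assumptions of this example.

```python
"""Toy model of how a resolver decides whether to accept a DNS answer.

This is an added example for illustration, not the code of any real resolver.
It models only the matching rules mentioned in the text (transaction ID,
source/destination port, question) and the first-answer-wins race.
"""
from dataclasses import dataclass
import secrets

EPHEMERAL_LOW = 1024           # assumed ephemeral port range for the example
EPHEMERAL_HIGH = 65535
TXID_SPACE = 1 << 16           # DNS transaction IDs are 16 bits


@dataclass(frozen=True)
class PendingQuery:
    txid: int
    src_port: int
    qname: str
    qtype: str


@dataclass(frozen=True)
class Response:
    txid: int
    dst_port: int              # port the answer is addressed to on the resolver
    qname: str
    qtype: str
    rdata: str


class ToyResolver:
    def __init__(self, randomize_port: bool):
        self.randomize_port = randomize_port
        self.pending = {}      # (txid, port) -> PendingQuery
        self.cache = {}        # (qname, qtype) -> rdata
        self.rejected = 0

    def send_query(self, qname: str, qtype: str = "A") -> PendingQuery:
        """Register an outbound query with a random ID and (optionally) random port."""
        txid = secrets.randbelow(TXID_SPACE)
        if self.randomize_port:
            port = EPHEMERAL_LOW + secrets.randbelow(EPHEMERAL_HIGH - EPHEMERAL_LOW + 1)
        else:
            port = 53          # older behaviour: one fixed, predictable source port
        q = PendingQuery(txid, port, qname, qtype)
        self.pending[(txid, port)] = q
        return q

    def receive(self, r: Response) -> bool:
        """Accept the answer only if it matches an in-flight query on every field.

        Whichever matching answer arrives first wins the race; the pending slot is
        removed, so later answers (forged or genuine) for the same query are dropped.
        """
        q = self.pending.get((r.txid, r.dst_port))
        if q is None or q.qname != r.qname or q.qtype != r.qtype:
            self.rejected += 1
            return False
        del self.pending[(r.txid, r.dst_port)]
        self.cache[(r.qname, r.qtype)] = r.rdata
        return True


def guess_space(randomize_port: bool) -> int:
    """Number of (txid, port) combinations a blind spoofer must guess from."""
    ports = (EPHEMERAL_HIGH - EPHEMERAL_LOW + 1) if randomize_port else 1
    return TXID_SPACE * ports


def demo() -> dict:
    """Constructed scenario: one forged answer, then the genuine one, then a late forgery."""
    resolver = ToyResolver(randomize_port=True)
    q = resolver.send_query("www.example.com")
    # Forgery with the wrong transaction ID: rejected even though name/port match.
    forged = Response((q.txid + 1) % TXID_SPACE, q.src_port, q.qname, q.qtype, "203.0.113.9")
    forged_accepted = resolver.receive(forged)
    # Genuine answer matching every field: accepted and cached.
    genuine = Response(q.txid, q.src_port, q.qname, q.qtype, "93.184.216.34")
    genuine_accepted = resolver.receive(genuine)
    # A later forgery that guessed everything right still loses: the slot is gone.
    late = Response(q.txid, q.src_port, q.qname, q.qtype, "203.0.113.9")
    late_accepted = resolver.receive(late)
    return {
        "forged_accepted": forged_accepted,
        "genuine_accepted": genuine_accepted,
        "late_accepted": late_accepted,
        "cached": resolver.cache[("www.example.com", "A")],
        "rejected": resolver.rejected,
    }


if __name__ == "__main__":
    print(demo())
    print("guess space, fixed port:", guess_space(False))
    print("guess space, random port:", guess_space(True))
```

Real resolvers apply further checks this toy leaves out (for instance discarding records outside the bailiwick of the zone that was asked), and DNSSEC validation sits on top of all of them; the point here is only that matching on a 16-bit ID alone leaves a guess space of 65536, while adding a random source port multiplies it by the size of the port range.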

Relevant if you're running your own recursive resolver or operating an anycast DNS service. Less relevant if you're just pointing your domain at a third-party nameserver — that provider's security is their problem (and sometimes not great).