Ketil Froyn

DNS Poisoning

UPDATE 2007-05-17: Due to migration of my site, the self poisoning test may not be working properly. I will update this page when it is functional again.

For a description of DNS poisoning, read this. On this page I have set up a simple procedure where I will try to poison your DNS cache and take over the domain (reserved by IANA for examples). To see if you can be poisoned, follow these simple steps:

  1. Click on this link (it will fail with a DNS error, because that name doesn't have an address, but things will nevertheless happen in your caching DNS).
  2. Click this link. If you see the page with a link to RFC 2606, you are probably safe.

If you get to my "poisoned" page in the second step, someone could be stealing your bank account information just as easily as I did this. All it takes is one stray click...

What actually happens?

The link in step 1. points to My name server is authoritative for, so your resolver will ask my name server what the IP for is. My response is to delegate to, which is ok. In addition, the response includes the IP address for If your resolver trusts this, that is not ok.

The link in step 2. points to If you were poisoned, you will arrive at the IP address I gave for in step 1., rather than the correct IP for I have configured the web server at that IP to respond to with a specific page, which contains a warning that you are vulnerable to poisoning. If it looked exactly the same, you would probably never have known.
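The check a caching resolver needs in order to refuse the extra address record described above can be sketched as follows. This is an added example, not code from this page or from any particular resolver. All zone names, host names and addresses are constructed placeholders (reserved .test names and documentation IPs), and the function names are hypothetical.

```python
# Constructed sample data: reserved .test names and documentation IPs (192.0.2.0/24).
QUERIED_ZONE = "poisontest.test"   # zone the answering server is authoritative for
AUTHORITY = [                      # (owner, NS target) pairs from the authority section
    ("a.poisontest.test", "www.victim.test"),       # delegation to an outside name
    ("b.poisontest.test", "ns.b.poisontest.test"),  # ordinary in-zone delegation
]
ADDITIONAL = [                     # (owner, IPv4 address) pairs from the additional section
    ("www.victim.test", "192.0.2.66"),       # address for a name outside the zone
    ("ns.b.poisontest.test", "192.0.2.10"),  # legitimate glue
]

def labels(name):
    """Lower-case a DNS name and split it into labels, ignoring a trailing dot."""
    return [part for part in name.lower().rstrip(".").split(".") if part]

def in_bailiwick(name, zone):
    """True if name equals zone or is a subdomain of it, compared label by label."""
    n, z = labels(name), labels(zone)
    return len(n) >= len(z) and n[len(n) - len(z):] == z

def filter_additional(queried_zone, authority, additional):
    """Return (accepted, rejected) address records from a referral.

    A record is cached only if it is glue for an NS target named in the
    referral AND its owner lies inside the zone the server answers for.
    """
    ns_targets = {tuple(labels(target)) for owner, target in authority
                  if in_bailiwick(owner, queried_zone)}
    accepted, rejected = [], []
    for owner, address in additional:
        is_glue = tuple(labels(owner)) in ns_targets
        if is_glue and in_bailiwick(owner, queried_zone):
            accepted.append((owner, address))
        else:
            rejected.append((owner, address))
    return accepted, rejected

if __name__ == "__main__":
    ok, dropped = filter_additional(QUERIED_ZONE, AUTHORITY, ADDITIONAL)
    print("cache:  ", ok)
    print("discard:", dropped)
```

A resolver that discards the out-of-zone record still follows the delegation; it simply looks up the name server's address itself from the servers that are authoritative for that name.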

(C), Ketil Froyn, 2003