What is Pharming? DNS Poisoning and DNS Cache Poisoning Explained


There has been a lot in the news lately about “pharming”, which is another term for DNS poisoning, also known as DNS cache poisoning. But what exactly is DNS poisoning? Put simply, DNS cache poisoning is when a DNS server is made to tell your computer that a domain resides at a naughty IP address belonging to a bad guy – the poisoner – rather than the true IP address at which the domain actually resides.

DNS (Domain Name Service) is sort of like directory assistance for the Internet. When you type in to your web browser, for example, , your computer queries a DNS server and asks it “where does www.theinternetpatrol.com live?” The DNS server responds with the IP address associated with www.theinternetpatrol.com – let’s say for sake of example that it’s Your computer then rings up, and voila, you’re at the Aunty Spam site.

DNS servers have a cache of hundreds of thousands of domain names cross-referenced with their corresponding IP addresses. These are updated on a regular basis. However, imagine if someone were able to access one of the DNS servers and change some of the entries in the DNS cache, so that, for example, when your computer asks where Aunty Spam lives, instead of, the DNS server told your computer “”. Instead of ending up at the Aunty Spam site, your web browser would end up at Yahoo.

Now, the odds are pretty good that you, dear reader, being the savvy Internet person that you are, would be able to tell the difference between Aunty’s web site and Yahoo. But what if a bad person changed the DNS cache information – poisoned the DNS cache – so that instead of Aunty Spam’s site, your computer was redirected to an exact copy of Aunty Spam’s site? Maybe you wouldn’t think that is such a big deal, but what if the exact replica naughty site was of your bank’s website, waiting to steal your banking information? Or of a discount airline ticket site, waiting to steal your credit card information? Or even an exact replica of your ISP’s login site, waiting to steal your username and password? The possibilities are endless, and frightening.

Fortunately, DNS cache poisoning is not all that common yet, although it certainly happens. Unfortunately, other than being very vigilant and aware, there is not very much that the end-user can do to protect themselves against it (short of either running one’s own local DNS, which is beyond most end-users, or the very paranoid and laborious extreme of using only IP addresses rather than domain names to navigate the Internet). And, of course, always stay up-to-date on the latest goings on by reading sites such as Aunty Spam’s Internet Patrol!


3 thoughts on “What is Pharming? DNS Poisoning and DNS Cache Poisoning Explained”

  1. I don’t know for sure, but I’m guessing that Spoof Stick may not help in a situation like this. I guess it all depends on if they run their own NS and let you access them. If it works on the DNS that your ISP uses, and that was compromised (as unlikely as that may be), then it would see that xyz.com = 216.123.456.789 or whatever. Spoof Stick should be none the wiser. It’s only meant to detect URLs that have a @ and a different IP at the end as far as I know.

  2. Here’s a good place and really nice animation of poisoning and other topics

  3. Aunty, I use this spoof stick to make sure I am on the right web site…here is the URL

