What is Pharming? DNS Poisoning and DNS Cache Poisoning Explained

If you find this useful please share it!


There has been a lot about “pharming”, which is another term for DNS poisoning, also known as DNS cache poisoning, in the news lately. But what exactly is DNS poisoning? Put simply, DNS cache poisoning is when a DNS server is made to tell your computer that a domain resides at a naughty IP address belonging to a bad guy – the poisoner – rather than the true IP address at which the domain actually resides.

DNS (Domain Name Service) is sort of like directory assistance for the Internet. When you type in to your web browser, for example, , your computer queries a DNS server and asks it “where does www.theinternetpatrol.com live?” The DNS server responds with the IP address associated with www.theinternetpatrol.com – let’s say for sake of example that it’s Your computer then rings up, and voila, you’re at the Aunty Spam site.

DNS servers have a cache of hundreds of thousands of domain names cross-referenced with their corresponding IP addresses. These are updated on a regular basis, however, imagine if someone was able to access one of the DNS servers, and change some of the entries in the DNS cache, so that, for example, when your computer asks where Aunty Spam lives, instead of, the DNS server told your computer “”. Instead of ending up at the Aunty Spam site, your web browser would end up at Yahoo.

(Article continues below)
Get notified of new Internet Patrol articles for free!
Or Read Internet Patrol Articles Right in Your Inbox!
as Soon as They are Published! Only $1 a Month!

Imagine being able to read full articles right in your email, or on your phone, without ever having to click through to the website unless you want to! Just $1 a month and you can cancel at any time!
What is Pharming?  DNS Poisoning and DNS Cache Poisoning Explained

Now, the odds are pretty good that you, dear reader, being the savvy Internet person that you are, would be able to tell the difference between Aunty’s web site and Yahoo. But what if a bad person changed the DNS cache information – poisoned the DNS cache – so that instead of Aunty Spam’s site, your computer was redirected to an exact copy of Aunty Spam’s site? Maybe you wouldn’t think that is such a big deal, but what if the exact replica naughty site was of your bank’s website, waiting to steal your banking information? Or of a discount airline ticket site, waiting to steal your credit card information? Or even an exact replica of your ISP’s login site, waiting to steal your username and password? The possibilities are endless, and frightening.

Fortunately, DNS cache poisoning is not all that common yet, although it certainly happens. Unfortunately, other than being very vigilent and aware, there is not very much which the end-user can do to protect themselves against it (short of either running one’s own local DNS, which is beyond most end-users, or the very paranoid and laborious extreme of using only IP addresses rather than domain names to navigate the Internet). And, of course, always stay up-to-date on the latest goings on by reading sites such as Aunty Spam’s Internet Patrol!

No Paywall Here!
The Internet Patrol is and always has been free. We don't hide our articles behind a paywall, or restrict the number of articles you can read in a month if you don't give us money. That said, it does cost us money to run the site, so if something you read here was helpful or useful, won't you consider donating something to help keep the Internet Patrol free? Thank you!

What is Pharming?  DNS Poisoning and DNS Cache Poisoning Explained

Get notified of new Internet Patrol articles!
People also searched for dns pharming, pharming or dns poisoning, pharming vs cache poisoning, watering hole vs dns poisoning, what is the difference between Pharming and DNS poisoning

If you find this useful please share it!

3 Replies to “What is Pharming? DNS Poisoning and DNS Cache Poisoning Explained”

  1. I don’t know for sure, but I’m guessing that Spoof Stick may not help in a situation like this. I guess it all depends on if they run their own NS and let you access them. If it works on the DNS that your ISP uses, and that was compromised, (as unlikely as that may be), then it would see that xyz.com = 216.123.456.789 or whatever. Spoof Stick should be none the wiser. It’s only meant to detect URL’s that have a @ and a different IP at the end as far as I know.

  2. here’s a good place and really nice animation of poisoning
    and other topics

  3. aunty, I use this spoof stick to make sure I am on the right web site…here is the url


Leave a Reply

Your email address will not be published. Required fields are marked *