How to do it: DNS Spoofing

This page walks through normal resolution, poisoned replies, and the protections that stop misdirection, with a rendered illustration and the teaching code for each.

Safe teaching mode: the cards below explain DNS trust visually and show the example code and config patterns used to understand the lookup path and its defense side.

Card 1 — normal DNS lookup

Teach the expected path first: the browser asks for a name, and the resolver returns the real IP.

[Preview, normal lookup: the browser asks "Where is example.com?" and the query is sent to the resolver.]

Simple lookup example

Use this to teach what a normal name resolution looks like.

# Python DNS lookup
import socket
ip = socket.gethostbyname("example.com")
print(ip)

# The browser expects a trustworthy answer here.

Card 2 — poisoned answer

This card shows the false reply layer that redirects the visitor to the wrong place.

[Preview, spoofed path: a request for a trusted domain gets a false answer. The wrong IP comes back and points to a fake destination.]

Teaching example of a wrong mapping

Use this to explain the concept of name-to-IP misdirection.

# Example of a misleading mapping in a teaching lab (hosts-file format: IP, then name)
203.0.113.55  example.com

# The lesson:
# The browser still thinks it asked for the real site,
# but the answer now points somewhere else.

Card 3 — cache and path explanation

This explains how a bad answer can keep being reused until the cache is corrected.

[Preview, cache path: the resolver stores the answer. A cached wrong answer can keep sending users the same wrong way.]

DNS cache flush example

Use this as a teaching point for recovery and troubleshooting.

# Windows example
ipconfig /flushdns

# Linux systemd-resolved example
resolvectl flush-caches

# The goal is to clear the bad cached answer.

Card 4 — defense with verification

End the lesson with secure DNS and HTTPS validation so the wrong answer is easier to catch or reject.

[Preview, verified path: DNSSEC, HTTPS certificate checks, and trusted resolvers reduce spoofing risk.]

Defense-side configuration example

Finish the teaching with verification and secure resolver choices.

# Example resolver choice
nameserver 1.1.1.1
nameserver 8.8.8.8

# Teach alongside:
# - DNSSEC validation
# - HTTPS certificate warnings
# - checking the real URL before logging in
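
Added example, not part of the original page's code: Card 2's false answer only takes effect if the client accepts it, so this Python code shows the baseline checks a stub resolver applies before trusting a UDP reply (source, QR bit, transaction ID, echoed question). It goes beyond the protections listed in Card 4; the function names, the resolver address 192.0.2.53 and the sample reply builder are constructed for illustration.

```python
import secrets
import socket
import struct

def build_query(name, qtype=1):
    """Return (txid, packet) for a query with an unpredictable 16-bit ID."""
    txid = secrets.randbits(16)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    return txid, header + qname + struct.pack("!HH", qtype, 1)

def make_reply(query, txid, ip):
    """Constructed sample reply: echoes the question and adds one A record."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR, RD, RA set
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton(ip)
    return header + query[12:] + answer

def question_of(msg):
    """Parse the first question as (lowercased name, qtype, qclass)."""
    pos, labels = 12, []
    while msg[pos]:
        n = msg[pos]
        if n & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(msg[pos + 1:pos + 1 + n].decode("ascii").lower())
        pos += 1 + n
    return (".".join(labels), *struct.unpack_from("!HH", msg, pos + 1))

def reject_reason(query, reply, reply_src, resolver):
    """Return None if the reply passes the basic checks, else why it is dropped."""
    if reply_src != resolver:
        return "not from the resolver that was asked"
    if len(reply) < 12:
        return "short header"
    (q_id,) = struct.unpack_from("!H", query)
    r_id, flags, qdcount = struct.unpack_from("!HHH", reply)
    if not flags & 0x8000:
        return "QR bit clear, not a response"
    if r_id != q_id:
        return "transaction ID mismatch"
    try:
        if qdcount != 1 or question_of(reply) != question_of(query):
            return "question does not echo the query"
    except (IndexError, ValueError, struct.error):
        return "malformed question section"
    return None
```

For a query built with build_query("example.com"), a reply from make_reply carrying a different ID and the lab address 203.0.113.55 is dropped with "transaction ID mismatch". Passing these checks only shows that the reply matches the query; it does not authenticate the records, which is what the DNSSEC validation listed in Card 4 adds.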