DNS poisoning in AP Cybersecurity

DNS poisoning (DNS spoofing) is an attack that corrupts the data in a DNS resolver or cache so that a legitimate domain name resolves to an attacker-controlled IP address, silently redirecting users to a malicious site even though they typed the correct URL.

Verified for the 2027 AP Cybersecurity exam. Last updated June 2026.

What is DNS poisoning?

DNS is basically the internet's phone book. You type bank.com, and DNS looks up the matching IP address so your browser knows where to go. DNS poisoning (also called DNS spoofing or cache poisoning) sabotages that lookup. An attacker slips a fake record into a DNS resolver or cache, so the next time someone asks for bank.com, they get the attacker's IP instead of the real one.

The scary part is that you did nothing wrong. You typed the correct address, but the corrupted answer sends you to a clone site that looks identical to the real thing. From there an adversary can harvest your login credentials, drop malware, or capture sensitive data. In AP Cybersecurity, DNS poisoning shows up in Unit 1 as one of the redirection-and-impersonation tricks adversaries use, often as the delivery mechanism that makes phishing and credential theft work.
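One way a defender can spot the corrupted lookup described above, shown as an added example that is not part of the original study guide: compare the answers each resolver hands out against the address ranges a domain is expected to use. The log format, the resolver names and the address ranges (RFC 5737 documentation ranges) are constructed for illustration.

```python
import ipaddress

# Constructed baseline: networks each name is expected to resolve into.
# RFC 5737 documentation ranges stand in for real addresses.
EXPECTED = {"bank.com": ["192.0.2.0/24"], "mail.bank.com": ["198.51.100.0/24"]}

# Constructed resolver log: "<timestamp> <resolver> <qname> A <answer-ip>"
SAMPLE_LOG = """\
2026-06-01T09:00:01Z resolver-a bank.com A 192.0.2.10
2026-06-01T09:00:02Z resolver-b bank.com A 203.0.113.66
2026-06-01T09:00:03Z resolver-a mail.bank.com A 198.51.100.25
2026-06-01T09:00:04Z resolver-b BANK.COM. A 203.0.113.66
2026-06-01T09:00:05Z resolver-a example.org A 203.0.113.5
malformed line
"""

def parse_line(line):
    """Return (resolver, name, ip) for a well-formed A-record line, else None."""
    parts = line.split()
    if len(parts) != 5 or parts[3] != "A":
        return None
    try:
        ip = ipaddress.ip_address(parts[4])
    except ValueError:
        return None
    # DNS names are case-insensitive and may end with the root dot.
    return parts[1], parts[2].rstrip(".").lower(), ip

def find_suspect_answers(log_text, expected=EXPECTED):
    """List every answer that falls outside the baseline for its name."""
    suspects = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        resolver, name, ip = parsed
        nets = expected.get(name)
        if nets is None:
            continue  # no baseline for this name, so it cannot be judged
        if not any(ip in ipaddress.ip_network(n) for n in nets):
            suspects.append((resolver, name, str(ip)))
    return suspects

def suspect_resolvers(log_text, expected=EXPECTED):
    """Group suspect names by the resolver that served them."""
    by_resolver = {}
    for resolver, name, _ in find_suspect_answers(log_text, expected):
        by_resolver.setdefault(resolver, set()).add(name)
    return by_resolver
```

A mismatch is a lead to investigate rather than proof, since legitimate services change addresses and the baseline has to be kept current.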

Why DNS poisoning matters in AP Cybersecurity

DNS poisoning lives in Unit 1: Introduction to Security, where you build the vocabulary of how attacks actually happen. It connects to AP Cybersecurity 1.4.A (how adversaries augment attacks) because a poisoned DNS record is how a convincing fake page gets in front of a victim in the first place. Pair it with an AI-generated phishing message (EK 1.4.A.2) and you have a complete attack chain: a believable lure plus a redirect to a fake site that the victim can't tell apart from the real one. It also matters for the defensive objective AP Cybersecurity 1.4.B, because the same fix that stops voice-cloning attacks, multifactor authentication (EK 1.4.B.2), blunts DNS poisoning too. Even if an attacker steals your password on a spoofed site, a second factor can stop them from getting in.

How DNS poisoning connects across the course

ARP poisoning (Unit 1)

ARP poisoning and DNS poisoning are cousins that lie at different layers. ARP poisoning fakes the link between an IP address and a hardware (MAC) address on a local network, while DNS poisoning fakes the link between a domain name and an IP address. Both reroute traffic to an attacker, just at different points in the chain.

Generative AI phishing (Unit 1)

DNS poisoning is the redirect, and AI-generated phishing (EK 1.4.A.2) is the bait. An LLM can write a flawless email telling you to 'log in now,' and a poisoned DNS record makes sure the link lands you on a perfect fake. Together they remove the spelling-mistake red flags students are taught to look for.

Multifactor authentication (Unit 1)

MFA (EK 1.4.B.2) is the safety net for DNS poisoning. Even if you get redirected and type your password into a fake site, the attacker still needs your second factor to actually log in. This is the same logic that protects against voice-cloning attacks.

Is DNS poisoning on the AP Cybersecurity exam?

Expect DNS poisoning in multiple-choice stems that describe a scenario and ask you to name the attack: 'A user types the correct URL but lands on a fake login page' points to DNS poisoning, not phishing alone. You may be asked to distinguish it from ARP poisoning by layer, or to pick the best defense, where MFA (EK 1.4.B.2) is a strong answer. No released FRQ has used this term verbatim, but it fits any prompt asking you to trace an attack chain or recommend protections aligned with AP Cybersecurity 1.4.A and 1.4.B. Be ready to explain WHAT it does (redirects via corrupted DNS records) and HOW to defend against it.

DNS poisoning vs ARP poisoning

Both reroute a victim's traffic to an attacker, which is why they get mixed up. The difference is what they fake and where. DNS poisoning corrupts the domain-name-to-IP lookup and can affect many users who query a poisoned resolver. ARP poisoning corrupts the IP-to-MAC-address mapping and works only within a single local network segment. If the question mentions a domain name resolving to the wrong site, it's DNS; if it mentions a local network and MAC addresses, it's ARP.

Key things to remember about DNS poisoning

  • DNS poisoning corrupts DNS records so a correct domain name resolves to an attacker-controlled IP, redirecting you to a fake site.

  • It works even when you type the right URL, which makes it harder to spot than a typo or a sketchy link.

  • It often pairs with AI-generated phishing (EK 1.4.A.2): the email is the bait, the poisoned DNS record is the redirect.

  • DNS poisoning and ARP poisoning both reroute traffic but at different layers; DNS fakes domain-to-IP, ARP fakes IP-to-MAC.

  • Multifactor authentication (EK 1.4.B.2) is a strong defense because a stolen password alone won't get the attacker in.

Frequently asked questions about DNS poisoning

What is DNS poisoning in AP Cybersecurity?

DNS poisoning is an attack that corrupts DNS records or a resolver's cache so a legitimate domain name resolves to an attacker's IP address. In Unit 1 it's framed as a redirection technique that sends victims to fake sites for credential theft or malware delivery.

Is DNS poisoning the same as phishing?

No. Phishing is the social-engineering lure that tricks you into clicking or logging in, while DNS poisoning is the technical redirect that controls where you actually land. They're often used together, but they're different parts of an attack chain.

How is DNS poisoning different from ARP poisoning?

DNS poisoning fakes the domain-name-to-IP mapping and can affect anyone querying a poisoned resolver. ARP poisoning fakes the IP-to-MAC mapping and only works on a local network. If the scenario mentions a domain resolving to the wrong site, it's DNS; if it's MAC addresses on a LAN, it's ARP.

How do you protect against DNS poisoning?

Enabling multifactor authentication (EK 1.4.B.2) is a top defense, since a stolen password from a fake site won't be enough to log in. Verifying that pages are legitimate and not entering sensitive data into untrusted sites also reduces the damage.

Does DNS poisoning require the victim to make a mistake?

No, and that's what makes it dangerous. You can type the exact correct URL and still get redirected, because the poisoned DNS answer hands your browser the wrong IP address before you ever see the page.
