---
title: "DNS Poisoning — AP Cybersecurity Definition & Exam Guide"
description: "DNS poisoning corrupts DNS records to redirect users to fake sites. Learn how it works, how it pairs with phishing, and how it shows up in AP Cybersecurity Unit 1."
canonical: "https://fiveable.me/ap-cybersecurity/key-terms/dns-poisoning"
type: "key-term"
subject: "AP Cybersecurity"
unit: "Unit 1"
---

# DNS Poisoning — AP Cybersecurity Definition & Exam Guide

## Definition

DNS poisoning (DNS spoofing) is an attack that corrupts the data in a DNS resolver or cache so that a legitimate domain name resolves to an attacker-controlled IP address, silently redirecting users to a malicious site even though they typed the correct URL.

## What It Is

DNS is basically the internet's phone book. You type `bank.com`, and DNS looks up the matching [IP address](/ap-cybersecurity/unit-3/detecting-network-attacks/study-guide/5kYH3dgJpqFp57SUnjEX "fv-autolink") so your browser knows where to go. **DNS poisoning** (also called DNS spoofing or cache poisoning) sabotages that lookup. An attacker slips a fake record into a DNS resolver or cache, so the next time someone asks for `bank.com`, they get the attacker's IP instead of the real one.

The scary part is that you did nothing wrong. You typed the correct address, but the corrupted answer sends you to a clone site that looks identical to the real thing. From there an adversary can harvest your login credentials, drop malware, or capture sensitive data. In [AP Cybersecurity](/ap-cybersecurity "fv-autolink"), DNS poisoning shows up in [Unit 1](/ap-cybersecurity/unit-1 "fv-autolink") as one of the redirection-and-impersonation tricks adversaries use, often as the delivery mechanism that makes phishing and credential theft work.

## Why It Matters

DNS poisoning lives in **Unit 1: Introduction to Security**, where you build the vocabulary of how attacks actually happen. It connects to **AP Cybersecurity 1.4.A** (how [adversaries](/ap-cybersecurity/unit-3/network-vulnerabilities-and-attacks/study-guide/9lJpNM0eCHQ1M3XgFL97 "fv-autolink") augment attacks) because a poisoned DNS record is how a convincing fake page gets in front of a victim in the first place. Pair it with an AI-generated [phishing](/ap-cybersecurity/key-terms/phishing "fv-autolink") message (EK 1.4.A.2) and you have a complete attack chain: a believable lure plus a redirect to a fake site that the victim can't tell apart from the real one. It also matters for the defensive objective **AP Cybersecurity 1.4.B**, because the same fix that stops voice-cloning attacks, multifactor authentication (EK 1.4.B.2), blunts DNS poisoning too. Even if an attacker steals your password on a spoofed site, a second factor can stop them from getting in.

## Connections

### [ARP poisoning (Unit 1)](/ap-cybersecurity/key-terms/arp-poisoning)

[ARP poisoning](/ap-cybersecurity/key-terms/arp-poisoning "fv-autolink") and DNS poisoning are cousins that lie at different layers. ARP poisoning fakes the link between an IP address and a hardware (MAC) address on a local network, while DNS poisoning fakes the link between a domain name and an IP address. Both reroute traffic to an attacker, just at different points in the chain.

### Generative AI phishing (Unit 1)

DNS poisoning is the redirect, and AI-generated phishing (EK 1.4.A.2) is the bait. An LLM can write a flawless email telling you to 'log in now,' and a poisoned DNS record makes sure the link lands you on a perfect fake. Together they remove the spelling-mistake red flags students are taught to look for.

### [Multifactor authentication (Unit 1)](/ap-cybersecurity/key-terms/multifactor-authentication)

MFA (EK 1.4.B.2) is the safety net for DNS poisoning. Even if you get redirected and type your [password](/ap-cybersecurity/unit-1/suspicious-website-logins/study-guide/zppDvyHLHIUFzT3MNwAN "fv-autolink") into a fake site, the attacker still needs your second factor to actually log in. This is the same logic that protects against voice-cloning attacks.

## On the AP Exam

Expect DNS poisoning in multiple-choice stems that describe a scenario and ask you to name the attack: 'A user types the correct URL but lands on a fake login page' points to DNS poisoning, not phishing alone. You may be asked to distinguish it from ARP poisoning by layer, or to pick the best defense, where MFA (EK 1.4.B.2) is a strong answer. No released FRQ has used this term verbatim, but it fits any prompt asking you to trace an attack chain or recommend protections aligned with AP Cybersecurity 1.4.A and 1.4.B. Be ready to explain WHAT it does (redirects via corrupted DNS records) and HOW to defend against it.

## DNS poisoning vs ARP poisoning

Both reroute a victim's traffic to an attacker, which is why they get mixed up. The difference is what they fake and where. DNS poisoning corrupts the domain-name-to-IP lookup and can affect many users who query a poisoned resolver. ARP poisoning corrupts the IP-to-MAC-address mapping and works only within a single local network segment. If the question mentions a domain name resolving to the wrong site, it's DNS; if it mentions a local network and MAC addresses, it's ARP.

## Key Takeaways

- DNS poisoning corrupts DNS records so a correct domain name resolves to an attacker-controlled IP, redirecting you to a fake site.
- It works even when you type the right URL, which makes it harder to spot than a typo or a sketchy link.
- It often pairs with AI-generated phishing (EK 1.4.A.2): the email is the bait, the poisoned DNS record is the redirect.
- DNS poisoning and ARP poisoning both reroute traffic but at different layers; DNS fakes domain-to-IP, ARP fakes IP-to-MAC.
- Multifactor authentication (EK 1.4.B.2) is a strong defense because a stolen password alone won't get the attacker in.

## FAQs

### What is DNS poisoning in AP Cybersecurity?

DNS poisoning is an attack that corrupts DNS records or a resolver's cache so a legitimate domain name resolves to an attacker's IP address. In Unit 1 it's framed as a redirection technique that sends victims to fake sites for credential theft or [malware](/ap-cybersecurity/key-terms/malware "fv-autolink") delivery.

### Is DNS poisoning the same as phishing?

No. Phishing is the social-engineering lure that tricks you into clicking or logging in, while DNS poisoning is the technical redirect that controls where you actually land. They're often used together, but they're different parts of an attack chain.

### How is DNS poisoning different from ARP poisoning?

DNS poisoning fakes the domain-name-to-IP mapping and can affect anyone querying a poisoned resolver. ARP poisoning fakes the IP-to-MAC mapping and only works on a local network. If the scenario mentions a domain resolving to the wrong site, it's DNS; if it's MAC addresses on a LAN, it's ARP.

### How do you protect against DNS poisoning?

Enabling multifactor authentication (EK 1.4.B.2) is a top defense, since a stolen password from a fake site won't be enough to log in. Verifying that pages are legitimate and not entering sensitive data into untrusted sites also reduces the damage.

### Does DNS poisoning require the victim to make a mistake?

No, and that's what makes it dangerous. You can type the exact correct URL and still get redirected, because the poisoned DNS answer hands your browser the wrong IP address before you ever see the page.

## Related Study Guides

- [1.4 AI-Based Cybersecurity Attacks](/ap-cybersecurity/unit-1/ai-based-cybersecurity-attacks/study-guide/f3ZMXhsLGaHVUDgQUpge)

## Structured Data

```json
{"@context":"https://schema.org","@graph":[{"@type":"LearningResource","@id":"https://fiveable.me/ap-cybersecurity/key-terms/dns-poisoning#resource","name":"DNS Poisoning — AP Cybersecurity Definition & Exam Guide","url":"https://fiveable.me/ap-cybersecurity/key-terms/dns-poisoning","learningResourceType":"Concept explainer","educationalLevel":"AP® / High School","about":{"@id":"https://fiveable.me/ap-cybersecurity/key-terms/dns-poisoning#term"},"audience":{"@type":"EducationalAudience","educationalRole":"student"},"dateModified":"2026-06-15T18:59:28.328Z","isPartOf":{"@type":"Collection","name":"AP Cybersecurity Key Terms","url":"https://fiveable.me/ap-cybersecurity/key-terms"},"publisher":{"@type":"Organization","name":"Fiveable","url":"https://fiveable.me"}},{"@type":"DefinedTerm","@id":"https://fiveable.me/ap-cybersecurity/key-terms/dns-poisoning#term","name":"DNS poisoning","description":"DNS poisoning (DNS spoofing) is an attack that corrupts the data in a DNS resolver or cache so that a legitimate domain name resolves to an attacker-controlled IP address, silently redirecting users to a malicious site even though they typed the correct URL.","url":"https://fiveable.me/ap-cybersecurity/key-terms/dns-poisoning","inDefinedTermSet":{"@type":"DefinedTermSet","name":"AP Cybersecurity Key Terms","url":"https://fiveable.me/ap-cybersecurity/key-terms"},"educationalAlignment":[{"@type":"AlignmentObject","alignmentType":"educationalSubject","educationalFramework":"AP® Course and Exam Description","targetName":"AP Cybersecurity Unit 1, Topic 1.4, LO 1.4.A"},{"@type":"AlignmentObject","alignmentType":"educationalSubject","educationalFramework":"AP® Course and Exam Description","targetName":"AP Cybersecurity Unit 1, Topic 1.4, LO 1.4.B"}]},{"@type":"FAQPage","mainEntity":[{"@type":"Question","name":"What is DNS poisoning in AP Cybersecurity?","acceptedAnswer":{"@type":"Answer","text":"DNS poisoning is an attack that corrupts DNS records or a resolver's cache so a legitimate domain name resolves to an attacker's IP address. In Unit 1 it's framed as a redirection technique that sends victims to fake sites for credential theft or [malware](/ap-cybersecurity/key-terms/malware \"fv-autolink\") delivery."}},{"@type":"Question","name":"Is DNS poisoning the same as phishing?","acceptedAnswer":{"@type":"Answer","text":"No. Phishing is the social-engineering lure that tricks you into clicking or logging in, while DNS poisoning is the technical redirect that controls where you actually land. They're often used together, but they're different parts of an attack chain."}},{"@type":"Question","name":"How is DNS poisoning different from ARP poisoning?","acceptedAnswer":{"@type":"Answer","text":"DNS poisoning fakes the domain-name-to-IP mapping and can affect anyone querying a poisoned resolver. ARP poisoning fakes the IP-to-MAC mapping and only works on a local network. If the scenario mentions a domain resolving to the wrong site, it's DNS; if it's MAC addresses on a LAN, it's ARP."}},{"@type":"Question","name":"How do you protect against DNS poisoning?","acceptedAnswer":{"@type":"Answer","text":"Enabling multifactor authentication (EK 1.4.B.2) is a top defense, since a stolen password from a fake site won't be enough to log in. Verifying that pages are legitimate and not entering sensitive data into untrusted sites also reduces the damage."}},{"@type":"Question","name":"Does DNS poisoning require the victim to make a mistake?","acceptedAnswer":{"@type":"Answer","text":"No, and that's what makes it dangerous. You can type the exact correct URL and still get redirected, because the poisoned DNS answer hands your browser the wrong IP address before you ever see the page."}}]},{"@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"name":"AP Cybersecurity","item":"https://fiveable.me/ap-cybersecurity"},{"@type":"ListItem","position":2,"name":"Key Terms","item":"https://fiveable.me/ap-cybersecurity/key-terms"},{"@type":"ListItem","position":3,"name":"Unit 1","item":"https://fiveable.me/ap-cybersecurity/unit-1"},{"@type":"ListItem","position":4,"name":"DNS poisoning"}]}]}
```
