DNS Spoofing

DNS spoofing (also called DNS poisoning) is a type of man-in-the-middle attack commonly used by censorship firewalls to block access to specific domains. DNS translates human-readable domain names (like fireforthewall.org) into the IP addresses that machines use to connect. By tampering with this translation step, authorities can redirect, block, or manipulate user connections.

Unlike deep packet inspection (DPI), which inspects and interferes with traffic payloads directly, DNS spoofing corrupts only the mapping between domain names and their intended servers, making it a lighter but still effective method of censorship.

How Does It Enable Censorship?

Authorities can use DNS spoofing to enforce censorship by manipulating how domain names resolve. Instead of returning a normal “site not found” error, requests to banned domains may be redirected to government-controlled portals, error pages, or simply made to fail. This allows authorities not just to block access, but also to spread propaganda or misinformation through the redirect.

Unlike deep packet inspection (DPI), DNS spoofing does not require tampering with encrypted traffic. Control is exerted at an earlier stage, before any connection is established. Because DNS requests are small, automatic, and largely invisible to end users, most people don’t immediately notice when spoofing is taking place.

Technically, DNS spoofing is simpler but less precise than DPI. It operates only at the domain level, meaning authorities can block or redirect entire sites but cannot filter specific content within them. Common methods include:

  • Cache poisoning: inserting forged DNS replies into a resolver’s cache so that all subsequent queries resolve incorrectly.

  • Race interception: replying to DNS queries faster than the legitimate DNS server to force acceptance of a fake response.

  • Resolver manipulation: directly altering DNS records on ISP-controlled resolvers, enabling censorship at scale.
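The race-interception method above leaves a recognisable trace on the wire: the client's query is answered twice, first by the injector and then by the legitimate resolver, and the two answers disagree. The following Python is an added example for the defender's side, not code from the original page. It contains a minimal DNS wire-format parser (including compression pointers), a detector that groups responses by transaction ID and queried name and flags disagreeing duplicates, and constructed sample packets; the transaction IDs, names and addresses (10.0.0.1 standing in for a block page, 203.0.113.10 and 198.51.100.5 from documentation ranges) are made up for illustration.

```python
import struct
from collections import defaultdict


def encode_name(name: str) -> bytes:
    """Encode a dotted hostname as DNS wire-format labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def build_response(txid: int, name: str, ip: str, ttl: int) -> bytes:
    """Build a constructed A-record response for the sample data below:
    header, the echoed question, and one answer whose name field is a
    compression pointer (0xC00C) back to the question at offset 12."""
    header = struct.pack(">HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR=1, RD=1, RA=1
    question = encode_name(name) + struct.pack(">HH", 1, 1)    # type A, class IN
    rdata = bytes(int(octet) for octet in ip.split("."))
    answer = b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, ttl, len(rdata)) + rdata
    return header + question + answer


def read_name(packet: bytes, offset: int) -> tuple[str, int]:
    """Decode a name that may use compression pointers.
    Returns (name, offset just past the name at its original position)."""
    labels, end, jumped = [], offset, False
    while True:
        length = packet[offset]
        if length & 0xC0 == 0xC0:  # two-byte pointer to an earlier name
            pointer = struct.unpack(">H", packet[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            return ".".join(labels), end
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length


def parse_response(packet: bytes) -> dict:
    """Return the txid, the queried name and a list of (ipv4, ttl) A answers."""
    txid, _flags, qdcount, ancount, _ns, _ar = struct.unpack(">HHHHHH", packet[:12])
    offset, qname, answers = 12, "", []
    for _ in range(qdcount):
        qname, offset = read_name(packet, offset)
        offset += 4  # skip qtype + qclass
    for _ in range(ancount):
        _, offset = read_name(packet, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack(">HHIH", packet[offset:offset + 10])
        offset += 10
        rdata = packet[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:
            answers.append((".".join(str(b) for b in rdata), ttl))
    return {"txid": txid, "qname": qname, "answers": answers}


def find_divergent_responses(packets: list[bytes]) -> list[dict]:
    """Group responses by (txid, qname). One query should yield exactly one
    response; two responses that disagree on the answer are the wire
    signature of an injector racing the legitimate resolver (the client
    keeps whichever arrives first and silently drops the other)."""
    groups = defaultdict(list)
    for pkt in packets:
        r = parse_response(pkt)
        groups[(r["txid"], r["qname"])].append(r["answers"])
    alerts = []
    for (txid, qname), answer_sets in groups.items():
        distinct = {tuple(sorted(a)) for a in answer_sets}
        if len(answer_sets) > 1 and len(distinct) > 1:
            alerts.append({"txid": txid, "qname": qname,
                           "responses": len(answer_sets),
                           "answers": sorted(distinct)})
    return alerts


# Constructed sample traffic (not captures from the page): the query for
# example.com with ID 0x1234 receives two responses, a short-TTL forged one
# pointing at 10.0.0.1 (stand-in for a block page) and the real one; the
# example.org query with ID 0x5678 receives a single response.
SAMPLE_PACKETS = [
    build_response(0x1234, "example.com", "10.0.0.1", 60),
    build_response(0x1234, "example.com", "203.0.113.10", 3600),
    build_response(0x5678, "example.org", "198.51.100.5", 300),
]

if __name__ == "__main__":
    for alert in find_divergent_responses(SAMPLE_PACKETS):
        print(f"possible injection: id={alert['txid']:#06x} "
              f"{alert['qname']} -> {alert['answers']}")
```

In a real deployment the packets would come from a capture of UDP port 53 at the client or network edge; the same grouping logic applies, and the forged response typically also stands out by its unusually short TTL or an answer in a private address range for a public name.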

How to Circumvent It?

Circumvention involves preventing DNS queries from being tampered with while in transit. Since the standard DNS protocol is unencrypted, censors can easily detect and manipulate requests. Encrypting DNS traffic is therefore a key defense.

Encrypted DNS Protocols

  • DNS over HTTPS (DoH), DNS over TLS (DoT), and DNSCrypt encrypt DNS queries, preventing on-path injectors from modifying responses.

  • However, authoritarian regimes may detect and block DoH/DoT endpoints entirely, limiting their effectiveness.

Tunneling & VPNs

  • When using a VPN, DNS queries are resolved by the VPN provider rather than the local network or ISP, rendering local DNS spoofing ineffective.

  • If VPNs themselves are blocked (e.g., via DPI), DNS circumvention may be disrupted as a side effect.

  • The Tor network can also be used for DNS resolution, offering a similar layer of protection against local manipulation.
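To show concretely what the encrypted-DNS option above looks like on the wire, here is an added Python example that is not code from the original page. It builds a DNS query in wire format and wraps it as a DNS over HTTPS request as specified in RFC 8484: the GET form with a base64url-encoded dns= parameter, and the POST form with an application/dns-message body. It also includes a fallback loop over several resolvers for the case where a censor blocks one endpoint. The resolver URL is a public endpoint used only as an example, and the network call is kept in its own function so the encoding can be checked offline.

```python
import base64
import struct
import urllib.request

# Public DoH endpoint used purely as an example; any RFC 8484 resolver works.
DEFAULT_RESOLVER = "https://cloudflare-dns.com/dns-query"


def encode_name(name: str) -> bytes:
    """Encode a dotted hostname as DNS wire-format labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def build_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Wire-format query: header plus one question. RFC 8484 suggests a
    transaction ID of 0 so identical queries produce identical URLs, which
    lets HTTP caches work."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD=1
    return header + encode_name(name) + struct.pack(">HH", qtype, 1)  # class IN


def encode_dns_param(query: bytes) -> str:
    """base64url without '=' padding, as the GET 'dns' parameter requires."""
    return base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")


def decode_dns_param(param: str) -> bytes:
    """Inverse of encode_dns_param; restores the stripped padding first."""
    return base64.urlsafe_b64decode(param + "=" * (-len(param) % 4))


def doh_get_url(query: bytes, resolver: str = DEFAULT_RESOLVER) -> str:
    """GET form: the whole query travels in the URL, inside the TLS session."""
    return f"{resolver}?dns={encode_dns_param(query)}"


def doh_post_request(query: bytes, resolver: str = DEFAULT_RESOLVER) -> urllib.request.Request:
    """POST form: the raw wire query is the body; both sides speak
    application/dns-message."""
    return urllib.request.Request(
        resolver, data=query, method="POST",
        headers={"content-type": "application/dns-message",
                 "accept": "application/dns-message"},
    )


def resolve_over_doh(name: str, resolver: str = DEFAULT_RESOLVER,
                     timeout: float = 10.0) -> bytes:
    """Send the query over HTTPS and return the raw wire-format response.
    Needs network access; everything above can be exercised offline."""
    req = doh_post_request(build_query(name), resolver)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        ctype = resp.headers.get("content-type", "").split(";")[0].strip()
        if ctype != "application/dns-message":
            raise ValueError(f"unexpected content type from resolver: {ctype!r}")
        return resp.read()


def resolve_with_fallback(name: str, resolvers: list[str]) -> bytes:
    """Try each resolver in turn: a censor that blocks one DoH endpoint
    does not necessarily block all of them."""
    last_error = None
    for resolver in resolvers:
        try:
            return resolve_over_doh(name, resolver)
        except Exception as exc:  # blocked, reset, timed out, bad reply
            last_error = exc
    raise RuntimeError(f"all DoH resolvers failed: {last_error}")


if __name__ == "__main__":
    q = build_query("example.com")
    print(doh_get_url(q))  # what a DoH client actually sends for an A lookup
```

The response bytes are an ordinary DNS message, so a client parses them exactly as it would a UDP reply; what changes is only that an on-path injector sees an HTTPS connection to the resolver rather than a readable query it could answer first.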