DNS spoofing is the manipulation of the DNS resolver cache by inputting corrupted DNS data. This causes the DNS server to send the user the wrong IP, redirecting the victim to the attacker's fake domain. When launching evil twin attacks, attackers will often use DNS spoofing to redirect the victim to a cloned landing page or website. This leads to setting up the victim for a MITM attack. DNS cache poisoning is a popular method hackers use to spoof DNS quickly and efficiently. Most users on the same wireless network will usually share the same DNS cache provided by the ISP DNS server. When users are logged on the evil twin, a hacker can easily inject a spoofed DNS record into the DNS cache changing the DNS record for all users on the fake network. When any user logs into the evil twin they will be redirected by the spoofed DNS record injected into the cache. Remember, the DNS cache is what updates all the DNS records for any user of the wireless network. Getting the DNS cache to accept a spoofed record is the main objective of DNS poisoning. Some ways to defend against DNS spoofing are packet filtering, cryptographic protocols, and spoofing detection software such as EvilAP_Defender. Using packet filtering is good, because packets with conflicting addresses can be easily blocked. This is a great first line defense method. Make sure network communication is secure.

Use cryptographic network protocols such as TLS, SSL, and SSH to protect sensitive network traffic. The best defense method is to use spoofing detection software such as EvilAP_defender. Detection tools offer the fastest alerts to spoofing and evil twins. Using intrusion detection systems like Snort can also be a big help. Snort can be configured to alert the cyber security team of any spoofing attempt on the network. Having quick and reliable alerts can make all the difference in protecting a wireless network from spoofing attacks.