GMR Institute of Technology, Rajam
DNS Spoofing Detection and URL Monitoring System
A. Tarun Chandra (22341A12C3)
V. Uday Kiran (22341A12C8)
V. Kulasekhar (22341A12C9)
A. Vijay (23345A1208)
Project Supervisor: Ms. Ch. Bharathi, Assistant Professor, Department of IT
Oct 25, 2025
ABSTRACT
DNS spoofing, or DNS cache poisoning, is a significant cybersecurity issue that
threatens the safety of online communication by redirecting users to malicious
websites. This project focuses on developing a reliable system to detect and
prevent DNS spoofing attacks in real time. The solution combines DNS
Security Extensions (DNSSEC) to validate DNS responses, ensuring their
authenticity, with advanced network traffic monitoring to identify unusual
patterns in DNS queries and responses. To further enhance security, the system
incorporates encryption methods like DNS-over-HTTPS (DoH) and DNS-over-
TLS (DoT), which protect DNS queries from being intercepted or altered.
These technologies prevent attackers from manipulating DNS traffic. The
proposed system works efficiently by detecting anomalies and blocking threats
before they cause harm. Through simulations and traffic analysis, the
effectiveness of this solution is demonstrated, showing its ability to protect
users from spoofing attacks. By integrating multiple security measures, the
system offers a strong and practical defense to safeguard the integrity and
confidentiality of DNS communications, ensuring a safer internet experience
for users.
Keywords: DNS Spoofing, Anomaly Detection, Real-time Traffic Monitoring,
DNS Security
INTRODUCTION
The Domain Name System (DNS) serves as the backbone of internet communication,
translating human-readable domain names into IP addresses. However, its inherent
vulnerabilities make it a prime target for cyber threats such as DNS spoofing, also known
as DNS cache poisoning. This attack deceives users by redirecting them to malicious
websites, compromising security and privacy. To address this critical issue, our project
proposes a real-time DNS spoofing detection and prevention system. By integrating DNS
Security Extensions (DNSSEC) for response validation, network traffic monitoring for
anomaly detection, and encryption technologies like DNS-over-HTTPS (DoH) and DNS-
over-TLS (DoT), our solution ensures a robust defense against DNS manipulation.
Through simulations and traffic analysis, we demonstrate the system’s effectiveness in
mitigating spoofing attacks, enhancing the security and reliability of online
communications.
PROBLEM STATEMENT
DNS Spoofing poses a significant threat to the integrity and security of online
communication. The following outlines the key aspects of the problem:
• Vulnerability of DNS Infrastructure - Weaknesses in the DNS infrastructure allow
malicious actors to manipulate the system and redirect users to fraudulent websites.
• Lack of Adequate Authentication - The absence of strong verification methods
opens the door to malicious entities altering DNS records undetected.
• Exploitation for Malicious Activities - Attackers can deceive users by redirecting
them to counterfeit websites, compromising sensitive information.
• Ineffectiveness of Traditional Security Measures - Traditional security measures,
such as firewalls and antivirus software, often fall short in detecting and preventing
DNS spoofing attacks.
• Economic and Reputational Impact - Organizations face substantial economic and
reputational consequences when their DNS infrastructure is compromised. Loss of
customer trust, financial losses, and damage to the brand's reputation are common
outcomes of successful DNS spoofing attacks.
OBJECTIVES OF THE PROJECT
• Validate DNS Responses: Utilize DNS Security Extensions (DNSSEC) to ensure
the authenticity and integrity of DNS responses.
• Enhance Encryption of DNS Queries: Explore the use of DNS-over-HTTPS
(DoH) and DNS-over-TLS (DoT) protocols to protect DNS queries from
interception and tampering.
• Implement Advanced Monitoring: Apply advanced network traffic monitoring
techniques to detect anomalies in DNS queries and responses.
• Provide a Robust Defense Mechanism: Deliver an efficient and comprehensive
solution that includes detection, prevention, and validation of DNS
communications to safeguard against malicious activities.
• Demonstrate Effectiveness: Validate the proposed system's efficacy through
simulations and traffic analysis.
• Detect DNS Spoofing in Real-Time: Develop a mechanism to identify and
mitigate DNS spoofing (DNS cache poisoning) attacks as they occur in network
traffic.
EXISTING SYSTEM
Various systems and methods have been developed to mitigate the threat of DNS
spoofing, also known as DNS cache poisoning. Here's a summary of the existing
approaches:
1. DNS Security Extensions (DNSSEC)
• Purpose: DNSSEC ensures the integrity and authenticity of DNS responses by
using public-key cryptography to sign DNS records.
2. DNS-over-HTTPS (DoH) and DNS-over-TLS (DoT)
• Purpose: These protocols encrypt DNS queries and responses, protecting them
from interception and tampering.
3. Anomaly Detection Systems
• Purpose: These systems monitor DNS traffic patterns for anomalies that indicate
potential spoofing or poisoning attacks.
4. Firewall and Intrusion Detection Systems (IDS)
• Purpose: Firewalls and IDS can filter malicious DNS traffic and block
suspicious activities.
LITERATURE SURVEY - 1
[1] Morsy, S. M., & Nashat, D. (2022). D-arp: An efficient scheme to detect and prevent
arp spoofing. IEEE Access, 10, 49142-49153.
The paper "D-ARP: An Efficient Scheme to Detect and Prevent ARP Spoofing" reviews
existing methods to combat ARP spoofing and highlights their limitations. Tools like
Arpwatch and Wireshark struggle with high false positives and lack prevention
capabilities. Defense mechanisms include cryptographic solutions, server-based systems,
static entries, voting-based techniques, and host-based methods, all with various
drawbacks like overhead or trust issues. Schemes like S-ARP offer authentication but
suffer from performance and single-point failures. Emerging SDN-based solutions
improve ARP management. The study emphasizes the need for efficient solutions like D-
ARP, which overcome these issues without modifying the ARP protocol.
Advantages:
1. No Protocol Modification
2. Enhanced Efficiency
3. Improved Accuracy
4. Centralized Control
5. Resilience to Failures
6. Prevention Capability
Limitations:
1. Dependency on Centralized Control
2. Performance Trade-offs
3. Limited Real-World Testing
4. Scalability Concerns
5. Implementation Complexity
LITERATURE SURVEY - 2
[2] Moubayed, A., Aqeeli, E., & Shami, A. (2021). Detecting DNS typo-squatting
using ensemble-based feature selection & classification models. IEEE Canadian
Journal of Electrical and Computer Engineering, 44(4), 456-466.
This paper addresses the security vulnerabilities of the Domain Name System (DNS),
particularly focusing on typo-squatting, where attackers register similar domain
names to mislead users to malicious sites. The authors highlight the lack of data
integrity and origin authentication in DNS, which exacerbates these vulnerabilities.
They propose ensemble-based feature selection and classification models to
effectively detect DNS typo-squatting attacks, building on previous research.
Experimental results show that their framework achieves high accuracy and precision
while maintaining lower computational complexity, indicating the potential of
machine learning techniques in enhancing DNS security.
Advantages:
1. Simplicity and interpretability
2. Robustness
3. Handling different data types
4. Computational efficiency
Limitations:
1. Data Dependency
2. High Computational Cost
3. Frequent Retraining
LITERATURE SURVEY - 3
[3] Alharbi, F., Zhou, Y., Qian, F., Qian, Z., & Abu-Ghazaleh, N. (2022). DNS poisoning of
operating system caches: Attacks and mitigations. IEEE Transactions on Dependable and
Secure Computing, 19(4), 2851-2863.
The paper "DNS Poisoning of Operating System Caches: Attacks and Mitigations" outlines
the evolution of DNS cache poisoning attacks and defenses. Key historical attacks include
Klein's 2007 and Kaminsky's 2008 methods, which exploited predictable randomization in
DNS packets. The literature highlights advancements in techniques, including those
targeting caches behind NAT devices. While defenses like DNSSEC exist, they are not
widely adopted and primarily focus on resolvers rather than client-side caches. The authors
propose a novel client-side defense that detects poisoning attempts by identifying incorrect
TXIDs in DNS responses, addressing a critical gap in current defenses.
Advantages:
1. Client-side protection
2. Effective Detection
3. Broad Applicability
4. Complementing existing defences
Limitations:
1. Implementation complexity
2. Performance Overhead
3. Resource Limitations
LITERATURE SURVEY - 4
[4] Behnke, M., Briner, N., Cullen, D., Schwerdtfeger, K., Warren, J., Basnet, R., & Doleck, T.
(2021). Feature engineering and machine learning model comparison for malicious activity
detection in the dns-over-https protocol. IEEE Access, 9, 129902-129916.
The paper "Feature Engineering and Machine Learning Model Comparison for Malicious
Activity Detection in the DNS-Over-HTTPS Protocol" builds on previous research in DNS
security. It references MIT's work on Dynamic DNS (DDNS), which aimed to improve
DNS but faced high latency issues compared to standard DNS. The EXPOSURE system by
Bilge et al. is noted for its effective detection of malicious domains using a two-layer
method, achieving a 98% detection rate with 15 features. The current research focuses on
enhancing detection accuracy for DNS over HTTPS (DoH) traffic by employing ten different
machine learning classifiers and utilizing a dataset from the CIRA-CIC-DoHBrw-2020
project, which includes 34 features critical for classification. This literature survey
highlights the evolution of techniques and the significance of feature engineering in detecting
malicious activities in DNS and DoH protocols.
Advantages:
1. Improved detection accuracy
2. Real-world application potential
3. Reference to proven methods
Limitations:
1. Feature dependency
2. Generalizability issues
3. Potential false positives
LITERATURE SURVEY - 5
[5] Hynek, K., Vekshin, D., Luxemburk, J., Cejka, T., & Wasicek, A. (2022). Summary of
DNS over https abuse. IEEE Access, 10, 54668-54680.
The paper discusses the adoption of DNS over HTTPS (DoH) to enhance privacy by
encrypting DNS queries, which limits user surveillance. However, it identifies several
abuse scenarios where malicious actors exploit DoH for harmful activities. These include
bypassing censorship, redirecting users to illegal gambling sites, and executing malicious
scripts through spam campaigns. The study highlights that the encryption provided by
DoH complicates the detection of such abuses, making it challenging for network traffic
analysis systems to identify malicious activities. It emphasizes the need for further
research to address the security risks associated with DoH and to develop effective
countermeasures against its misuse.
Advantages:
1. Increased Privacy
2. Mitigation of censorship
3. Protection against DNS spoofing
4. User Control
Limitations:
1. Poor Adoption rate
2. Performance issues in certain conditions
3. Potential for Abuse
4. Network Monitoring Challenges
COMPARISON TABLE
| S.NO | AUTHORS | TECHNIQUES USED | ADVANTAGES | DISADVANTAGES |
|---|---|---|---|---|
| [1] | Morsy & Nashat (2022) | D-ARP scheme for ARP spoofing detection | Efficient detection and prevention of ARP spoofing | Focuses only on ARP spoofing, not DNS spoofing |
| [2] | Moubayed, A., Aqeeli (2021) | DNS security analysis | Simplicity and interpretability; Robustness; Handling different data types | Data dependency; Frequent retraining |
| [3] | Alharbi, F., Zhou (2022) | DNSSEC; NAT (Network address translation) | Effective in detecting network scanning | Might introduce network latency |
| [4] | Behnke et al. (2021) | Feature engineering & ML model comparison for malicious DoH activity detection | Improves DoH security, privacy | ML models require tuning and optimization |
| [5] | Musa et al. (2024) | ML & DL for DDoS detection in SDNs | Adapts well to dynamic threats | Computationally intensive |
| [6] | Guo et al. (2020) | Spoof detection for DNS server protection | Prevents DoS attacks against DNS | Outdated methods may not handle modern threats |
| [7] | Lyu et al. (2021) | Hierarchical anomaly-based detection for distributed DNS attacks | Effective against large-scale DNS attacks | Needs continuous monitoring |
| [8] | Duan et al. (2024) | DNSGuard for in-network defense | Strong real-time DNS attack mitigation | Implementation complexity |
| [9] | Srinivasarao et al. (2024) | ARP & DNS spoofing detection with attacker IP capturing | Helps in tracing attackers | May generate false positives |
| [10] | Trabelsi et al. (2024) | Cybersecurity education using Kali Linux | Hands-on learning for security students | Not a direct security solution |
| [11] | Abirami & Naresh (2024) | DNSSEC & DoT for security enhancement | Strengthens DNS security | Increased computational overhead |
| [12] | El Attar et al. (2024) | ML-based DNS flooding attack detection | Detects DNS flood attacks accurately | Needs labeled datasets |
| [13] | Schmid (2021) | Survey on DNS security issues | Provides broad insights into DNS security | Lacks implementation details |
| [14] | Ali et al. (2023) | Network packet sniffing & defense | Improves monitoring capabilities | Can be exploited for attacks |
| [15] | Hynek et al. (2022) | Analysis of DoH abuse | Highlights security risks of DoH | No direct prevention mechanisms |
PROPOSED METHODOLOGY
The project "DNS Spoofing Detection and URL Monitoring System" adopts a modular,
real-time, and effective approach that integrates various layers of domain-level
verification methods. The prime objective is to examine DNS activities and identify
potential spoofing or redirection attacks without relying on any external database. The
system is deployed utilizing Flask as the backend and a minimal frontend with HTML,
CSS, and JavaScript to ensure ease of use, responsiveness, and quickness. The approach
has the following major functional modules:
3.1. Data Collection and Preprocessing
The system first takes input from users via an easy-to-use and simple web interface.
Users enter a domain name into the interface, which is forwarded to the Flask backend
for deeper analysis.
• Domain names are parsed with Python's URL parsing libraries to check correct format
and avoid processing of incorrect or malicious input.
• Preprocessing at this level makes data accurate and consistent, eliminating false
positives or processing faults in other steps.
• This validation eliminates duplicate queries to DNS resolvers, which ensures better
performance.
• User input is cached temporarily to enhance efficiency in processing multiple
requests.
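A sketch of the validation step described in 3.1, added here as an illustration and not the project's own code: it extracts the hostname with urllib.parse, rejects anything that is not a well-formed domain name, and returns one canonical form so that duplicate inputs collapse to a single lookup. The function and exception names are hypothetical, the sample inputs are constructed, and rejecting IP literals and single-label names is an assumption of this example.

```python
import re
from urllib.parse import urlsplit

# One DNS label: 1-63 chars of letters/digits/hyphen, no leading or trailing hyphen.
_LABEL = re.compile(r"(?!-)[a-z0-9-]{1,63}(?<!-)")


class InvalidDomain(ValueError):
    """Raised when user input does not contain a usable domain name."""


def normalize_domain(user_input: str) -> str:
    """Return the canonical ASCII hostname found in a domain or URL string."""
    text = user_input.strip()
    if not text:
        raise InvalidDomain("empty input")
    # urlsplit only fills in .hostname when a scheme or '//' is present,
    # so a bare "example.com/path" is given a '//' prefix first.
    if "://" not in text:
        text = "//" + text
    try:
        host = urlsplit(text).hostname
    except ValueError as exc:  # e.g. unbalanced IPv6 brackets
        raise InvalidDomain(str(exc)) from exc
    if not host:
        raise InvalidDomain("no hostname in input")
    host = host.rstrip(".")  # "example.com." names the same host
    try:
        # IDNA maps internationalized names to their xn-- ASCII form.
        host = host.encode("idna").decode("ascii").lower()
    except UnicodeError as exc:
        raise InvalidDomain("hostname is not valid IDNA") from exc
    labels = host.split(".")
    if len(host) > 253 or len(labels) < 2:
        raise InvalidDomain("hostname too long or not fully qualified")
    # Spaces, ';', '|' and similar never pass this check, which matters
    # because later steps hand the name to ping and traceroute commands.
    if not all(_LABEL.fullmatch(label) for label in labels):
        raise InvalidDomain("illegal character or label in hostname")
    if labels[-1].isdigit():
        raise InvalidDomain("IP address literals are not domain names")
    return host


def unique_domains(inputs):
    """Collapse raw inputs to the distinct valid domains, keeping input order."""
    seen, rejected = {}, []
    for raw in inputs:
        try:
            seen.setdefault(normalize_domain(raw), raw)
        except InvalidDomain:
            rejected.append(raw)
    return list(seen), rejected


# Constructed sample inputs: two spellings of one domain, an IDN, three rejects.
SAMPLE_INPUTS = ["HTTPS://Example.COM./login?next=1", "example.com", "münchen.de",
                 "example.com; cat /etc/passwd", "192.0.2.7", "localhost"]

if __name__ == "__main__":
    print(unique_domains(SAMPLE_INPUTS))
```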
3.2. DNS Resolution and IP Address Comparison
When the domain is validated, the backend queries several public DNS servers
such as Google DNS, Cloudflare, OpenDNS, and Quad9 through dns.resolver.
• Each resolver separately resolves the domain to IP addresses (both IPv4 and IPv6).
• The program checks all the resolvers' responses against each other. When
differences are present, it suggests a potential attempt at DNS spoofing.
• IP response consistency means that the DNS path is legitimate and can be
trusted.
3.3. Network Diagnostic Actions
• Ping Test: Checks if the domain is online and accessible by sending ICMP
packets via platform-specific commands. The system records response times,
packet loss, and latency. Abnormalities in these figures can suggest congestion,
redirection, or denial of service attempts. Consistent ping failure might indicate
that a domain is spoofed or offline.
• Traceroute: Follows the path packets take from the client machine to the destination
server. By looking at the number of hops, delays, and abnormal geographical leaps, the
system detects abnormal routing. Abrupt path changes or unreachability of middle nodes
may indicate hijacking or network tampering.
• HTTPS Status Check: Uses the requests.head() function to find out the status of the
HTTPS protocol on the target domain. Redirections to irrelevant URLs, status code
errors (e.g., 403, 404), or lack of a secure connection indicate manipulation.
3.4. DNS Spoofing Detection
• If various DNS servers return different IP addresses that do not match, and network
diagnostic tools indicate unreachable or suspicious routes, the domain is marked as
likely to be spoofed.
• The mechanism combines inconsistent IPs, invalid SSL information,
unreachable domains, and HTTPS check results to determine the likelihood of spoofing.
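The comparison in 3.2 and the decision in 3.4 can be sketched as follows (an added example, not the project's code). It goes one step beyond the rule stated above: because load-balanced or CDN-hosted domains can legitimately return different addresses to different resolvers, it separates overlapping answers from a resolver that shares no address with any other, and reports "likely spoofed" only when such an outlier coincides with a failed diagnostic. The Diagnostics container, function names, verdict labels and sample answers are assumptions of this example.

```python
from dataclasses import dataclass

# Public resolvers named in 3.2, with their well-known service addresses.
RESOLVERS = {"Google DNS": "8.8.8.8", "Cloudflare": "1.1.1.1",
             "OpenDNS": "208.67.222.222", "Quad9": "9.9.9.9"}


def query_resolvers(domain, resolvers=RESOLVERS, timeout=3.0):
    """Live lookup (needs network and dnspython): {resolver name: set of IPs}."""
    import dns.resolver  # imported here so the offline comparison needs no extras
    answers = {}
    for name, server in resolvers.items():
        res = dns.resolver.Resolver(configure=False)
        res.nameservers, res.lifetime = [server], timeout
        ips = set()
        for rtype in ("A", "AAAA"):
            try:
                ips.update(rr.address for rr in res.resolve(domain, rtype))
            except dns.exception.DNSException:
                pass  # NXDOMAIN, no record of this type, or timeout
        answers[name] = ips
    return answers


@dataclass
class Diagnostics:
    """Results of the 3.3 checks (hypothetical container for this example)."""
    reachable: bool   # ping succeeded
    https_ok: bool    # HTTPS HEAD request returned a non-error status
    cert_valid: bool  # TLS certificate validated for the hostname


def outliers(answers):
    """Resolvers whose answer shares no address with any other resolver."""
    odd = []
    for name, ips in answers.items():
        others = set().union(*(s for n, s in answers.items() if n != name))
        if others and not ips & others:
            odd.append(name)
    return sorted(odd)


def assess(answers, diag):
    """Combine resolver agreement with the diagnostics into one verdict."""
    resolved = {n: s for n, s in answers.items() if s}
    failed = [check for check, ok in vars(diag).items() if not ok]
    odd = []
    if not resolved:
        dns_state = "unresolved"
    elif len({frozenset(s) for s in resolved.values()}) == 1:
        dns_state = "consistent"
    else:
        odd = outliers(resolved)
        dns_state = "divergent" if odd else "overlapping"
    if dns_state in ("unresolved", "consistent"):
        verdict = dns_state
    else:  # 3.4: a mismatch counts as spoofing only with a failed diagnostic
        verdict = "likely spoofed" if odd and failed else "review"
    return {"dns": dns_state, "outliers": odd, "failed": failed, "verdict": verdict}


# Constructed sample answers (documentation-only address ranges).
CLEAN = {name: {"192.0.2.10"} for name in RESOLVERS}
ROTATING = dict(CLEAN, Cloudflare={"192.0.2.10", "192.0.2.11"}, Quad9={"192.0.2.11"})
POISONED = dict(CLEAN, OpenDNS={"203.0.113.66"})

if __name__ == "__main__":
    print(assess(POISONED, Diagnostics(True, False, False)))
```

For a live run, pass the result of query_resolvers() for a validated domain to assess() in place of the sample dictionaries.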
FLOW CHART
RESULTS
In this project, a comprehensive Flask-based web tool was developed to detect. The
system performs real-time DNS resolution, HTTPS status checks, and SSL certificate
validation to ensure domain authenticity. It also retrieves WHOIS information to verify
domain ownership, conducts port scanning to detect unusual open ports, and compares
responses from multiple DNS resolvers to identify potential spoofing. If discrepancies are
found between resolver outputs, the system flags the domain as suspicious. This
integrated approach provides a strong defence mechanism against DNS spoofing and
supports ethical phishing detection. When the code is run, the web browser opens and
displays the interface as shown in the picture below.
Fig 4.1: Web page of DNS spoofing
After entering a domain name or URL in the search bar, the tool begins analyzing the
information.
Fig 4.2: Entering domain name or URL
After entering the domain name, the tool displays both the user's IP address and the
domain's IP address.
Fig 4.3: IP addresses of user and domain name
After entering the domain name, the tool displays both the user's IP address and the
domain's IP address. It also shows whether redirection has occurred or not.
Fig 4.4: Redirection Status
The tool also performs a ping test to the entered domain, displaying the response time and
indicating whether the domain is reachable or not. It shows the average response time in
milliseconds, helping to understand the latency between the user's system and the domain
server.
Fig 4.5: Ping Status
The tool also performs a traceroute, which displays the path that data packets take from the
user's system to the domain's server. It shows each hop (router) along the way, including IP
addresses and response times, helping to identify any delays or network issues.
Fig 4.6: Traceroute Status
Additionally, the tool checks if the domain is active and scans for open ports, displaying
how many and which specific ports are accessible. This comprehensive analysis helps in
understanding the network behaviour and detecting any suspicious activity.
Fig 4.7: Domain status and ports
CONCLUSION
This project successfully demonstrates a comprehensive approach to detecting DNS
spoofing and analyzing domain-related information using a Flask-based web application.
By integrating multiple network diagnostic tools such as DNS resolution, HTTPS and
redirection checks, SSL certificate validation, WHOIS lookup, ping, traceroute, and port
scanning, the system provides a detailed insight into the trustworthiness and behavior of a
domain. It also identifies potential spoofing by comparing responses from different DNS
resolvers. The tool is user-friendly and effectively helps in identifying suspicious domains,
enhancing security awareness, and supporting ethical measures against phishing and
spoofing attacks. Overall, this project highlights the importance of domain-level analysis
in modern cybersecurity practices.
REFERENCES
1. Morsy, S. M., & Nashat, D. (2022). D-arp: An efficient scheme to detect and prevent arp
spoofing. IEEE Access, 10, 49142-49153.
2. Moubayed, A., Aqeeli, E., & Shami, A. (2021). Detecting DNS typo-squatting using
ensemble-based feature selection & classification models. IEEE Canadian Journal of
Electrical and Computer Engineering, 44(4), 456-466.
3. Alharbi, F., Zhou, Y., Qian, F., Qian, Z., & Abu-Ghazaleh, N. (2022). DNS poisoning of
operating system caches: Attacks and mitigations. IEEE Transactions on Dependable and
Secure Computing, 19(4), 2851-2863.
4. Behnke, M., Briner, N., Cullen, D., Schwerdtfeger, K., Warren, J., Basnet, R., &
Doleck, T. (2021). Feature engineering and machine learning model comparison for
malicious activity detection in the dns-over-https protocol. IEEE Access, 9, 129902-
129916.
5. Hynek, K., Vekshin, D., Luxemburk, J., Cejka, T., & Wasicek, A. (2022). Summary of
DNS over https abuse. IEEE Access, 10, 54668-54680.
6. Guo, F., Chen, J., & Chiueh, T. C. (2006, July). Spoof detection for preventing dos
attacks against dns servers. In 26th IEEE International Conference on Distributed
Computing Systems (ICDCS'06) (pp. 37-37). IEEE.
7. Lyu, M., Gharakheili, H. H., Russell, C., & Sivaraman, V. (2021). Hierarchical anomaly-
based detection of distributed DNS attacks on enterprise networks. IEEE Transactions on
Network and Service Management, 18(1), 1031-1048.
8. Duan, G., Li, Q., Zhang, Z., Zhao, D., Xie, G., Yang, Y., ... & Xu, M. (2024). DNSGuard:
In-network Defense against DNS Attacks. IEEE Transactions on Dependable and Secure
Computing.
9. Srinivasarao, T., Leelavathy, N., Dev, S. K. C. S. S., Ganesh, I. O., Aditya, P. S., &
Krishna, P. S. (2024). ARP and DNS Spoofing Detection with Attacker IP Capturing.
Algorithms in Advanced Artificial Intelligence: ICAAAI-2023, 363.
10. Trabelsi, Z., Parambil, M. M. A., Qayyum, T., & Alomar, B. (2024, May). Teaching
DNS Spoofing Attack Using a Hands-on Cybersecurity Approach Based on Virtual Kali
Linux Platform. In 2024 IEEE Global Engineering Education Conference (EDUCON) (pp.
1-8). IEEE.
11. Abirami, S., & Naresh, R. (2024, April). DNS Enhancement with DNSSEC and DoT
for Enhanced Online Security. In 2024 2nd International Conference on Networking and
Communications (ICNWC) (pp. 1-11). IEEE.
12. El Attar, A., Khatoun, R., Chbib, F., Fadlallah, A., & Serhrouchni, A. (2024, May).
DNS flooding attack detection scheme through Machine Learning. In 2024 International
Wireless Communications and Mobile Computing (IWCMC) (pp. 132-137). IEEE.
13. Schmid, G. (2021). Thirty years of DNS insecurity: Current issues and perspectives.
IEEE Communications Surveys & Tutorials, 23(4), 2429-2459.
14. Ali, M. L., Ismat, S., Thakur, K., Kamruzzaman, A., Lue, Z., & Thakur, H. N. (2023,
March). Network packet sniffing and defense. In 2023 IEEE 13th Annual Computing and
Communication Workshop and Conference (CCWC) (pp. 0499-0503). IEEE.
15. Hynek, K., Vekshin, D., Luxemburk, J., Cejka, T., & Wasicek, A. (2022). Summary of
DNS over HTTPS abuse. IEEE Access, 10, 54668-54680.