Domain name system (DNS) poisoning occurs when an attacker pretends to be an authoritative DNS server and fools a caching server into believing that the records the attacker provides are legitimate. The caching server requests a DNS mapping from the authoritative DNS server, where the authoritative DNS server is a well-known address or a well-known server. A well-known address, or alternatively a well-known server, refers to an internet protocol (IP) address that is known to the public. For example, the IP addresses of authoritative DNS servers and DNS cache servers may be publicly known so that any hosts or routers can send DNS requests to them.

When cache servers request a DNS mapping from the authoritative DNS server, an attacker assumes that the cache server is requesting lookups for popular services and forges replies for the cache server to take in. Alternatively, when a cache server requests a DNS mapping from the authoritative DNS server, an attacker, who may be “sniffing” packets transiting the network to find one addressed to an authoritative DNS server (which has a “well known” IP address) sent by a DNS cache server (which likewise has a “well known” IP address), may intercept or copy that DNS look-up request and reply to it with a bogus domain name to IP address mapping, for example a mapping that associates the domain name with an IP address of a malicious web site. This may result in users or hosts that request a domain name to IP address mapping for the subject domain name being redirected to a malicious site of the attacker's choice.
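A defender-side check for the two forgery cases described above, as an added example that is not part of the original text: when a look-up is copied and answered with a bogus mapping, the cache server can end up seeing two replies to one request that disagree, and blindly forged replies may match no outstanding request at all. The event format, the DNS transaction ID field name `txid`, the addresses (documentation ranges) and the host names are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample: the well-known addresses of a cache server and an
# authoritative server (documentation ranges, not real hosts).
CACHE, AUTH = "192.0.2.53", "198.51.100.1"

def q(txid, name):
    return {"kind": "query", "src": CACHE, "dst": AUTH, "txid": txid, "qname": name}

def r(txid, name, answer):
    # A forged reply carries the authoritative server's address as its source,
    # so it is indistinguishable from a real one by address alone.
    return {"kind": "reply", "src": AUTH, "dst": CACHE, "txid": txid,
            "qname": name, "answer": answer}

# Constructed packet log as seen at the cache server.
EVENTS = [
    q(0x1A2B, "www.example.com"),
    r(0x1A2B, "www.example.com", "203.0.113.66"),  # first reply to arrive
    r(0x1A2B, "www.example.com", "203.0.113.10"),  # second reply, different mapping
    q(0x3C4D, "mail.example.com"),
    r(0x3C4D, "mail.example.com", "203.0.113.25"),
    r(0x7777, "shop.example.com", "203.0.113.77"),  # no matching request
]

def audit_replies(events):
    """Return (conflicts, unsolicited) for a sequence of query/reply events."""
    pending = set()              # (server, client, txid, name) of sent requests
    answers = defaultdict(set)   # distinct mappings received per request
    unsolicited = []
    for e in events:
        name = e["qname"].lower().rstrip(".")
        if e["kind"] == "query":
            pending.add((e["dst"], e["src"], e["txid"], name))
            continue
        key = (e["src"], e["dst"], e["txid"], name)
        if key in pending:
            answers[key].add(e["answer"])
        else:
            unsolicited.append((name, e["answer"]))
    # More than one distinct mapping for one request: one reply may be forged.
    # The log alone cannot say which, so the name should not be cached as-is.
    conflicts = {k[3]: sorted(v) for k, v in answers.items() if len(v) > 1}
    return conflicts, unsolicited

if __name__ == "__main__":
    conflicts, unsolicited = audit_replies(EVENTS)
    print("conflicting answers:", conflicts)
    print("unsolicited replies:", unsolicited)
```
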