IPv4 gateway changes when DNS poisoning from successful ARP spoof

Çağlar Arlı

I’ve recently been testing my wireless LAN against common attacks, one of them being ARP spoofing, and attacks stemming from a successful ARP spoof, such as DNS poisoning. (I use bettercap.)

On all of my routers, ARP spoofing works successfully. But on one, DNS spoofing results in something strange:

  1. I obtain full ARP control of a target device.
  2. The target device makes a DNS request to a particular domain.
  3. I “poison” the reply, attempting to redirect the victim to a different IP address, before domain resolution occurs.
  4. Instead, what actually happens is that before the victim has time to be redirected, the IPv4 gateway address changes to something random.
  5. I (automatically) try again, and it changes, again.
  6. This creates an endless loop where the victim’s page never actually loads, but neither does the intended one.

Why? Is this some sort of protection? I don’t know of any premeditated protections on that router.

Is there a way to prevent this happening?