I was learning networking and knew that browsers don't have algorithms to convert domain names to IPs. It queries a DNS server.
After that, the computer remembers the IP, so next time the domain is referenced, the browser will use the cached IP.
But if there is malware on the device, can it change the cached DNS data so when a user enters https://security.stackexchange.com/
, the device sends traffic to a malicious IP? How it can be done?
Or this logs are located in RAM?
hosts
file and do the same thing. Except that HTTPS would alert a problem because the TLS certificates would not match.