Expiration of domain entry opens door: With cache poisoning an attacker tries to insert a fake address entry into a DNS server. In the past an attacker could only attack a DNS server when it was refreshing a cache entry.
1. Attacker figures out when a domain entry will expire on a caching server using readily available tools.
2. Attacker "races" the legitimate DNS server, trying to get the caching server to accept a fake response.
3. In order to be accepted the fake response must match query parameters of the actual response.