A counterfeit server is one that spoofs the DNS name resolution process so that the client gets the counterfeit's IP address instead of the genuine server's IP address, thus fooling the client into connecting to the counterfeit while believing it is connecting to the genuine server. Counterfeit servers are not detectable by the challenge/response authentication mechanism, which only authenticates clients. A counterfeit server can use the downgrade attack above to obtain a client's password; it can also execute a denial of service attack by denying the client's requests or returning bogus results. Counterfeit server attacks can be mitigated by deployment of DNSSEC.