For this type of DNS poisoning method an attacker sets up a proxy server on his/her system. Then he/she sets up a rouge DNS and keeps its IP address as primary DNS entry in proxy server system. Now he/she has to convince victim to use proxy server set by him/her. Since proxy server has set up a rouge DNS as its primary DNS all requests will pass through it. Since all traffic passes from your system as proxy server you can sniff all traffic between victim and site he/she communicates and also perform DNS poisoning attack.