We query a non-existing domain which likely isn't in the cache already (that is,
a random string as subdomain). For example, we might query for:

$ dig eWVwLCB0aGlzIGlzIGJhc2U2NC4u.blackboard.ru.nl

Then we race the actual DNS server to provide this response:

    ;; ANSWER SECTION:
    eWVwLCB0aGlzIGlzIGJhc2U2NC4u.blackboard.ru.nl. 120 IN A 10.10.10.10

    ;; AUTHORITY SECTION:
    blackboard.ru.nl.       86400   IN      NS      ourns.blackboard.ru.nl.

    ;; ADDITIONAL SECTION:
    ourns.blackboard.ru.nl. 604800  IN      A       10.10.10.20

Here, 10.10.10.20 would be our address. The cache will now ask stuff about
blackboard.ru.nl to our nameserver which he thinks is at ourns.blackboard.ru.nl.

Thus by simply requesting

$ dig blackboard.ru.nl

and sending back an incorrect A record for blackboard.ru.nl from 10.10.10.20, we
have spoofed the cache.