What is DNS Hijacking?

DNS hijacking is a malicious activity in which attackers redirect DNS queries to fraudulent websites by altering DNS settings on a device or router, by taking control of a domain's records at its registrar or on its authoritative name servers, or by intercepting queries in transit (a man-in-the-middle attack). DNS poisoning, also known as cache poisoning, corrupts the cache of a DNS resolver with forged entries, so that it returns wrong IP addresses and sends users to malicious sites until the entries expire. Both techniques are used to facilitate phishing, malware distribution, and service disruption.


What is DNS hijacking?

DNS hijacking, also known as DNS redirection, is a type of cyber attack where hackers manipulate the DNS resolution process to redirect users to malicious websites. This can result in identity theft, financial fraud, or exposure to unwanted advertisements.

Understanding DNS

DNS (Domain Name System) is like the internet’s phonebook. It translates human-friendly website names (like www.example.com) into machine-friendly IP addresses (like 192.0.2.1) that computers use to locate each other on the internet.


How DNS Hijacking Works

As an internet user, you probably trust your web browser to take you to the correct website when you enter a URL. You might not think twice before entering sensitive information like your username, password, or credit card details. But what if your browser took you to a fake website instead? This is where DNS hijacking comes into play.

When you type a website address into your browser, your device sends a DNS query to a resolver to find the corresponding IP address. In a DNS hijacking attack, some part of that path is tampered with: the resolver your device is configured to use, the answers that resolver returns, or the domain's own records. The lookup still appears to succeed, but the address that comes back belongs to the attacker, so you are sent to a different, often malicious, site.

Types of DNS Attacks

  1. DNS Flood: A DDoS attack that overwhelms DNS servers with more queries than they can answer.
  2. DNS Amplification: The attacker sends small queries to open resolvers with the victim's address forged as the source, so the much larger responses are delivered to the victim.
  3. DNS Tunneling: Encodes other traffic or data inside DNS queries and responses, typically for command-and-control or data exfiltration through firewalls that allow DNS out.
  4. DNS Spoofing: Forges DNS responses or alters DNS records so that a name resolves to an attacker-controlled address.
  5. DNS Spying: Monitors user activity by reading DNS requests, which travel unencrypted unless DNS over TLS or DNS over HTTPS is used.


DNS hijacking vs DNS cache poisoning

DNS hijacking alters the settings or records that decide which resolver answers you and what it answers (on your device, on your router, at the resolver, or at the registrar). DNS cache poisoning leaves those settings alone and instead tricks a resolver, or the cache on your device, into storing a forged answer, so that lookups return the attacker's address until the entry expires.


How to Detect DNS Hijacking

Symptoms include slow website loading, unexpected popups, certificate warnings on sites that normally show none, or a resolver address in your network settings that you did not configure. A simple check is to look up a name that cannot exist (a long random label under a domain you control, or under example.com). A healthy resolver answers NXDOMAIN; if it returns an IP address instead, it is rewriting answers. Note that some ISPs redirect nonexistent names to a search or advertising page by policy, so compare the result with a resolver you trust (for example, "dig @1.1.1.1" against the same random name) and confirm which resolvers your device and router are actually configured to use.


Why DNS Hijacking Happens

  • Revenue Generation: Displaying unwanted ads for profit.
  • Stealing Personal Information: Redirecting to fake sites to capture sensitive data.
  • Censorship: Governments redirecting users to propaganda sites.
  • Phishing: Redirecting to fake versions of legitimate sites to steal credentials.


High-Level DNS Attacks

  1. Watering Hole Attack: Compromising, or impersonating through hijacked DNS, websites that the target organization's staff commonly visit.
  2. Whaling Attack: Targeting high-profile individuals like CEOs, for example with a hijacked domain that impersonates a service they trust.
  3. Supply-Chain Attack: Compromising a supplier, including its domain or DNS provider, to reach a larger target.

Preventing DNS Hijacking

  1. Registry Locks: Use registrar and registry locks, and multi-factor authentication (MFA) on registrar and DNS provider accounts, so that name server and record changes require out-of-band approval.
  2. Install Antivirus: Use advanced antivirus software to catch malware that rewrites local DNS settings or the hosts file.
  3. DNS Security Solutions: Use DNS security tools that monitor resolution and block known-malicious domains in real time.
  4. DNS Filtering: Blocks malicious websites at the resolver and enhances compliance.
  5. Use a VPN: Encrypts traffic and sends DNS queries to the VPN provider's resolver, which protects against tampering on the local network or by the ISP, but not against a domain hijacked at its registrar.
  6. Patch Vulnerabilities Quickly: Regularly update resolver software, routers, and operating systems to fix vulnerabilities.
  7. Separate Name Server from Resolver: Run authoritative name servers and recursive resolvers on separate systems so that an attack on one does not take down the other, and do not let authoritative servers answer recursive queries.
  8. Verify DNS Infrastructure: Regularly check that your domain's registrar settings, NS records, and zone data point to the hosts you expect.
  9. Look Out for Resolvers: Use firewalls to restrict which networks can query your resolvers, so they are not open resolvers usable for amplification.
  10. Protect Against Cache Poisoning: Use random source ports and query IDs, enable DNSSEC validation on the resolver, and sign your own zones with DNSSEC.
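The cache-poisoning defences in item 10 are easier to see as code. The following is an added toy model, not the article's code and not how BIND or Unbound implement it, of the checks a recursive resolver applies before it trusts a response: source address, destination port, transaction id, question section, and finally a bailiwick rule that drops records for names outside the zone the query was sent to. The class and function names, the sample addresses (RFC 5737 documentation ranges) and the port range are assumptions made for the illustration.

```python
from __future__ import annotations

import secrets
from dataclasses import dataclass, field

# Added toy model (not the article's code, not BIND/Unbound's logic) of the
# checks a recursive resolver should apply before caching a response.
# Field names, the sample IPs (RFC 5737 ranges) and the port range are
# assumptions made for the illustration.


@dataclass(frozen=True)
class PendingQuery:
    """What the resolver remembers about a question it sent upstream."""
    txid: int        # 16-bit transaction id, chosen at random per query
    src_port: int    # UDP source port the query left from, random per query
    qname: str
    server: str      # address of the authoritative server asked
    zone: str        # zone that server is responsible for (its "bailiwick")


@dataclass
class Response:
    """A response packet as seen by the resolver (whether genuine or forged)."""
    txid: int
    dst_port: int    # port the packet arrived on
    src_ip: str      # easy to forge, so it carries no real entropy
    qname: str
    records: dict = field(default_factory=dict)   # owner name -> address


def in_bailiwick(owner: str, zone: str) -> bool:
    """True if `owner` is `zone` itself or lies beneath it."""
    owner, zone = owner.rstrip(".").lower(), zone.rstrip(".").lower()
    return owner == zone or owner.endswith("." + zone)


def accept(pending: PendingQuery, resp: Response) -> tuple[bool, str, dict]:
    """Decide whether `resp` answers `pending`; return (accepted, reason, cacheable records)."""
    if resp.src_ip != pending.server:
        return False, "source address is not the server we asked", {}
    if resp.dst_port != pending.src_port:
        return False, "destination port does not match our source port", {}
    if resp.txid != pending.txid:
        return False, "transaction id mismatch", {}
    if resp.qname.lower() != pending.qname.lower():
        return False, "question section does not match", {}
    # Even a matching packet may carry extra records for other domains
    # (the classic poisoning trick); keep only those inside the bailiwick.
    cacheable = {n: ip for n, ip in resp.records.items() if in_bailiwick(n, pending.zone)}
    dropped = sorted(set(resp.records) - set(cacheable))
    reason = "accepted" if not dropped else f"accepted; dropped out-of-bailiwick {dropped}"
    return True, reason, cacheable


def new_pending(qname: str, server: str, zone: str, randomize_port: bool) -> PendingQuery:
    """Create the state for an outgoing query; a fixed port 53 models the weak configuration."""
    port = 1024 + secrets.randbelow(64512) if randomize_port else 53
    return PendingQuery(secrets.randbelow(1 << 16), port, qname, server, zone)


def blind_guess_space(randomize_port: bool) -> int:
    """How many (txid, port) combinations an off-path forger must cover for one hit."""
    return (1 << 16) * (64512 if randomize_port else 1)


if __name__ == "__main__":
    pending = new_pending("www.example.com", "192.0.2.53", "example.com", randomize_port=True)
    genuine = Response(pending.txid, pending.src_port, "192.0.2.53", "www.example.com",
                       {"www.example.com": "192.0.2.10"})
    # A forgery that guessed the txid but assumed the resolver still sends from port 53.
    forged = Response(pending.txid, 53, "192.0.2.53", "www.example.com",
                      {"www.example.com": "203.0.113.9"})
    # A packet that matches everything but smuggles in a record for another domain.
    poison = Response(pending.txid, pending.src_port, "192.0.2.53", "www.example.com",
                      {"www.example.com": "192.0.2.10", "www.bank.example": "203.0.113.9"})
    for label, r in ("genuine", genuine), ("forged", forged), ("poison", poison):
        print(label, accept(pending, r))
    print("guesses needed, fixed port:", blind_guess_space(False))
    print("guesses needed, random port:", blind_guess_space(True))
```

With a fixed source port an off-path attacker only has to guess a 16-bit transaction id, and because the attacker can trigger as many fresh queries as they like, that space is covered quickly; randomising the port multiplies the space by roughly 64,000 and the bailiwick rule stops a matching packet from poisoning names it has no authority over. These checks raise the cost of forgery but do not make it impossible, which is why DNSSEC validation, which cryptographically verifies the answer, remains the complete fix.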


Frequently Asked Questions (FAQ) about DNS Hijacking

What is DNS hijacking and how does it affect my online security?

DNS hijacking is a cyber attack where hackers manipulate the DNS resolution process to redirect users to malicious websites. This can result in identity theft, financial fraud, or exposure to unwanted advertisements. By redirecting your web traffic to spoofed sites, attackers can steal sensitive information like usernames, passwords, and credit card details, or inject unwanted ads into your browsing experience.

How can I detect if my DNS has been hijacked?

You might be a victim of DNS hijacking if your websites load slower than usual or you notice random popups. To check, you can ping a non-existent domain name:

  • Windows: Open Command Prompt and ping a made-up name, for example ping nonexistent-k7q2x.example.com. A healthy resolver gives “Ping request could not find host”.
  • Mac: Open Terminal and run the same ping. A healthy resolver gives “ping: cannot resolve ...: Unknown host”.
  • Linux: Open Terminal and run the same ping. A healthy resolver gives “Name or service not known” or a similar resolution failure.
  If ping instead reports an IP address and starts sending packets, the resolver answered for a name that cannot exist, which is a sign of hijacking. Some ISPs redirect nonexistent names to an advertising page by design, so compare with a resolver you trust (for example, dig @1.1.1.1 nonexistent-k7q2x.example.com) and check that the resolver addresses in your device and router settings are ones you configured.
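The check described in the detection section and in this answer, as an added example that is not part of the original article: a small Python probe that asks a resolver for a random label under example.com and reads the raw DNS answer, which is more reliable than interpreting ping's error text. It builds the query, parses the response header and answer section with the standard library only, and reports "clean" for NXDOMAIN or "suspect" when the resolver hands back an address for a name that cannot exist. The use of example.com as the probe zone, the default comparison resolver 1.1.1.1 and the function names are assumptions for this illustration.

```python
import secrets
import socket
import struct

# Added example, not the article's code: query a resolver for a random label
# that cannot exist and inspect the raw answer instead of ping's error text.
# example.com (a reserved zone) as probe zone and 1.1.1.1 as the default
# comparison resolver are assumptions for this illustration.

A_TYPE = 1
RCODE_NXDOMAIN = 3


def build_query(name: str, txid: int) -> bytes:
    """Encode a standard recursive A query for `name` in RFC 1035 wire format."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD=1, QDCOUNT=1
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", A_TYPE, 1)   # QTYPE=A, QCLASS=IN


def _skip_name(msg: bytes, offset: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:       # compression pointer: 2 bytes, ends the name
            return offset + 2
        offset += 1 + length


def parse_response(msg: bytes) -> dict:
    """Extract txid, rcode and any A-record addresses from a DNS response."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:               # QR bit clear: this is a query, not a response
        raise ValueError("not a response")
    offset = 12
    for _ in range(qd):
        offset = _skip_name(msg, offset) + 4          # skip QTYPE + QCLASS
    addresses = []
    for _ in range(an):
        offset = _skip_name(msg, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        if rtype == A_TYPE and rdlen == 4:
            addresses.append(socket.inet_ntoa(msg[offset:offset + 4]))
        offset += rdlen
    return {"txid": txid, "rcode": flags & 0x000F, "addresses": addresses}


def classify(resp: dict, expected_txid: int) -> str:
    """NXDOMAIN for a random name is the healthy result; any A record is a red flag."""
    if resp["txid"] != expected_txid:
        return "mismatched-txid"         # not an answer to our question; ignore it
    if resp["rcode"] == RCODE_NXDOMAIN and not resp["addresses"]:
        return "clean"
    if resp["addresses"]:
        return "suspect: resolver answers for a name that cannot exist"
    return f"inconclusive (rcode {resp['rcode']})"


def probe(resolver_ip: str, zone: str = "example.com", timeout: float = 3.0) -> str:
    """Send the probe over UDP/53 to `resolver_ip` and classify what comes back."""
    txid = secrets.randbelow(1 << 16)
    name = f"{secrets.token_hex(8)}.{zone}"      # 16 random hex chars: will not exist
    query = build_query(name, txid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (resolver_ip, 53))
        data, _ = sock.recvfrom(4096)
    return classify(parse_response(data), txid)


if __name__ == "__main__":
    import sys
    # Pass the resolver from your network settings and a trusted public one,
    # e.g. "python probe.py 192.168.1.1 1.1.1.1", and compare the two verdicts.
    for ip in sys.argv[1:] or ["1.1.1.1"]:
        try:
            print(ip, "->", probe(ip))
        except (OSError, ValueError) as exc:
            print(ip, "-> error:", exc)
```

Run it once against the resolver your device or router is configured to use and once against a trusted public resolver. A "suspect" verdict from the first and "clean" from the second means something between you and the internet is rewriting answers; if both say "suspect", the probe zone itself is the problem rather than your resolver.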

What steps can I take to prevent DNS hijacking?

To prevent DNS hijacking, consider the following measures:

  • Registry Locks: Use registrar and registry locks together with multi-factor authentication (MFA) on registrar and DNS provider accounts to prevent unauthorized changes.
  • Install Antivirus: Invest in advanced antivirus software to stop and remove malware that rewrites local DNS settings.
  • DNS Security Solutions: Utilize DNS security tools that monitor resolution and provide real-time protection.
  • DNS Filtering: Implement DNS filtering to block malicious websites and enhance security compliance.
  • Use a VPN: Use a VPN to encrypt your traffic and route DNS queries through the provider's resolver; this protects against tampering on the local network or by the ISP, not against a domain hijacked at its registrar.
  • Patch Vulnerabilities: Regularly update software to fix vulnerabilities and prevent exploitation.
  • Separate Name Server from Resolver: Run your authoritative name servers and your recursive resolver on separate systems so that an attack on one does not paralyze the other.