{
    "@context": "https://schema.org",
    "@type": "DefinedTerm",
    "@id": "https://hostdir.net/glossary/dns-hijacking",
    "name": "DNS Hijacking",
    "description": "DNS hijacking is an attack or misconfiguration that returns forged DNS responses, causing users to connect to attacker-controlled hosts instead of the intended server.",
    "url": "https://hostdir.net/glossary/dns-hijacking",
    "inDefinedTermSet": "https://hostdir.net/glossary",
    "termCode": "dns-hijacking",
    "mainEntityOfPage": "https://hostdir.net/glossary/dns-hijacking",
    "license": "https://creativecommons.org/licenses/by/4.0/",
    "_hostdir": {
        "kind": "glossary-term",
        "slug": "dns-hijacking",
        "canonical": "https://hostdir.net/glossary/dns-hijacking",
        "term": "DNS Hijacking",
        "category": "DNS",
        "category_slug": "dns",
        "summary": "DNS hijacking is an attack or misconfiguration that returns forged DNS responses, causing users to connect to attacker-controlled hosts instead of the intended server.",
        "definition": "DNS hijacking, also called DNS redirection or DNS poisoning in some contexts, is any method that causes a Domain Name System (DNS) resolver to return a false answer for a domain name lookup. The result directs a user's traffic to an unintended destination, often a malicious server under the control of an attacker. This can occur through cache poisoning, compromised routers, malicious DNS server software, or rogue on-path devices that modify DNS queries or responses in transit. The false answer may be a completely incorrect IP address or a partially altered record (for example, replacing the A record of a legitimate website with an attacker's IP).\n\nThere are several common vectors. In router-based hijacking, an attacker gains administrative access to a home or office router and changes its configured DNS servers to resolver instances that the attacker controls. In man-in-the-middle (MITM) scenarios, an active network adversary intercepts DNS packets and spoofs replies before the legitimate answer arrives. In cache poisoning attacks (sometimes considered a subtype of hijacking), an attacker injects a forged record into a recursive resolver's cache so that future queries from legitimate users receive the false answer. Some ISPs have also performed forms of hijacking, such as intercepting NXDOMAIN responses and rerouting users to an advertising portal, though this is generally called DNS interception or DNS redirect.\n\nThe impact of DNS hijacking ranges from phishing and credential theft to complete loss of trust in network communications. Mitigations include DNSSEC (which cryptographically signs DNS records so that forged answers can be detected), using encrypted transports like DNS over TLS (DoT) or DNS over HTTPS (DoH), and regularly auditing DNS server configurations. End users can reduce risk by manually setting trusted DNS resolvers (such as those operated by public-interest organizations) and keeping router firmware updated.",
        "examples": "In 2018, a large-scale DNS hijacking campaign targeted Internet infrastructure and government domains in the Middle East. Attackers gained control of registrar accounts or compromised DNS servers to change A and NS records. Visitors to legitimate sites were redirected to servers that presented fake login pages, leading to credential theft. The attacks persisted for months because many victims lacked DNSSEC validation or multi-factor authentication at their registrars.",
        "key_facts": [
            "DNS hijacking subverts the DNS resolution process to return false IP addresses or records.",
            "It can be achieved via cache poisoning, compromised routers, on-path MITM, or malicious resolver configurations.",
            "DNSSEC (RFC 4033-4035) cryptographically signs DNS records so that validating resolvers can detect and reject forged answers.",
            "DNS over TLS (RFC 7858) and DNS over HTTPS (RFC 8484) encrypt queries and responses between the client and its resolver, protecting them from eavesdropping and tampering in transit.",
            "Common attacker goals include phishing, malware distribution, and censorship avoidance."
        ],
        "related_terms": [
            "DNS Spoofing",
            "Cache Poisoning",
            "DNSSEC",
            "DNS over TLS",
            "DNS over HTTPS",
            "Pharming"
        ],
        "references": [
            {
                "title": "RFC 3833: Threat Analysis of the Domain Name System (DNS)",
                "url": "https://datatracker.ietf.org/doc/html/rfc3833"
            },
            {
                "title": "RFC 4033: DNS Security Introduction and Requirements",
                "url": "https://datatracker.ietf.org/doc/html/rfc4033"
            },
            {
                "title": "MITRE ATT&CK: DNS Hijacking (T1584.002)",
                "url": "https://attack.mitre.org/techniques/T1584/002/"
            },
            {
                "title": "US-CERT Alert TA18-086A: DNS Hijacking Campaign",
                "url": "https://www.cisa.gov/news-events/alerts/2018/03/27/dns-hijacking-campaigns"
            }
        ],
        "word_count": 304,
        "license": "CC BY 4.0",
        "license_url": "https://creativecommons.org/licenses/by/4.0/",
        "attribution": "HostDir Glossary — https://hostdir.net/glossary/dns-hijacking"
    }
}