What is DNS Hijacking?

Definition

DNS hijacking is an attack or misconfiguration that returns forged DNS responses, causing users to connect to attacker-controlled hosts instead of the intended server.

DNS hijacking, also called DNS redirection or DNS poisoning in some contexts, is any method that causes a Domain Name System (DNS) resolver to return a false answer for a domain name lookup. The result directs a user's traffic to an unintended destination, often a malicious server under the control of an attacker. This can occur through cache poisoning, compromised routers, malicious DNS server software, or rogue on-path devices that modify DNS queries or responses in transit. The false answer may be a completely incorrect IP address or a partially altered record (for example, replacing the A record of a legitimate website with an attacker's IP).

There are several common vectors. In router-based hijacking, an attacker gains administrative access to a home or office router and changes its configured DNS servers to resolver instances that the attacker controls. In man-in-the-middle (MITM) scenarios, an active network adversary intercepts DNS packets and spoofs replies before the legitimate answer arrives. In cache poisoning attacks (sometimes considered a subtype of hijacking), an attacker injects a forged record into a recursive resolver's cache so that future queries from legitimate users receive the false answer. Some ISPs have also performed forms of hijacking, such as intercepting NXDOMAIN responses and rerouting users to an advertising portal, though this is generally called DNS interception or DNS redirect.

The impact of DNS hijacking ranges from phishing and credential theft to complete loss of trust in network communications. Mitigations include DNSSEC (which cryptographically signs DNS records so that forged answers can be detected), using encrypted transports like DNS over TLS (DoT) or DNS over HTTPS (DoH), and regularly auditing DNS server configurations. End users can reduce risk by manually setting trusted DNS resolvers (such as those operated by public-interest organizations) and keeping router firmware updated.

Key facts

  • DNS hijacking subverts the DNS resolution process to return false IP addresses or records.
  • It can be achieved via cache poisoning, compromised routers, on-path MITM, or malicious resolver configurations.
  • DNSSEC (RFC 4033-4035) provides origin authentication and integrity for DNS responses, so validating resolvers can detect and reject forged answers.
  • DNS over TLS (RFC 7858) and DNS over HTTPS (RFC 8484) protect the transport layer against tampering.
  • Common attacker goals include phishing, malware distribution, and censorship avoidance.

How it works in practice

In 2018, a large-scale DNS hijacking campaign targeted Internet infrastructure and government domains in the Middle East. Attackers gained control of registrar accounts or compromised DNS servers to change A and NS records. Visitors to legitimate sites were redirected to servers that presented fake login pages, leading to credential theft. The attacks persisted for months because many victims lacked DNSSEC validation or multi-factor authentication at their registrars.
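The following is an added example, not code from the original page: a small monitor that compares observed DNS answers against a defender's own baseline and flags the two symptoms described above, A or NS records that no longer match the zone owner's expectations and answers that arrived without DNSSEC validation. The baseline, owned prefix, monitor line format and sample observations are all constructed for the example.

```python
import ipaddress

# Constructed baseline: the records the defender expects its own names to return.
BASELINE = {
    ("example.com", "A"): {"192.0.2.10"},
    ("example.com", "NS"): {"ns1.example.com.", "ns2.example.com."},
    ("login.example.com", "A"): {"192.0.2.20"},
}
# Constructed: address space the organisation actually owns (RFC 5737 test range).
OWNED_PREFIXES = [ipaddress.ip_network("192.0.2.0/24")]

def parse_line(line):
    """Parse one constructed monitor line: '<name> <type> <rdata,...> ad=<0|1>'."""
    name, rtype, rdata, ad = line.split()
    return name.lower(), rtype.upper(), set(rdata.split(",")), ad == "ad=1"

def outside_owned_space(ips):
    """True if any answer address falls outside the prefixes we own."""
    return any(not any(ipaddress.ip_address(ip) in net for net in OWNED_PREFIXES) for ip in ips)

def check_answer(name, rtype, rdata, validated):
    """Return alert strings for one observed answer; an empty list means nothing suspicious."""
    alerts = []
    expected = BASELINE.get((name, rtype))
    if expected is None:
        return alerts  # name/type is not under monitoring
    if rdata != expected:
        # An A record now pointing outside our own space is the classic redirect to a rogue host.
        severity = "CRITICAL" if rtype == "A" and outside_owned_space(rdata) else "HIGH"
        alerts.append(f"{severity}: {name} {rtype} answer {sorted(rdata)} != baseline {sorted(expected)}")
    if not validated:
        # DNSSEC only helps if the resolver validates; a clear AD bit means a forgery would pass unnoticed.
        alerts.append(f"WARN: {name} {rtype} answer was not DNSSEC-validated (AD bit clear)")
    return alerts

def scan(lines):
    """Run check_answer over every monitor line and return all alerts in order."""
    alerts = []
    for line in lines:
        alerts.extend(check_answer(*parse_line(line)))
    return alerts

# Constructed observations: one clean answer, one redirected A record, one altered NS set.
SAMPLE = [
    "example.com A 192.0.2.10 ad=1",
    "login.example.com A 198.51.100.7 ad=0",
    "example.com NS ns1.example.com.,ns9.rogue-ns.test. ad=0",
]
```

In a real deployment the monitor lines would come from periodic queries against several resolvers (including one the organisation trusts) so that a single poisoned cache or altered registrar entry shows up as a disagreement with the baseline.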

Related terms

  • DNS Spoofing
  • Cache Poisoning
  • DNSSEC
  • DNS over TLS
  • DNS over HTTPS
  • Pharming
