Every time you type a URL into a browser, your device asks the Domain Name System (DNS) to translate that human-readable name into an IP address. DNS was designed for reliability, not security. That design gap has created an entire category of attacks — DNS hijacking — where attackers intercept or corrupt that translation process to redirect your traffic wherever they want.
How DNS Works (Briefly)
When you visit example.com:
- Your device queries its configured DNS resolver (often your ISP's or a public resolver like 8.8.8.8)
- The resolver queries the root nameservers, then the .com TLD nameservers, then example.com's authoritative nameserver
- The authoritative nameserver returns the IP address
- Your browser connects to that IP
DNS hijacking corrupts any one of these steps. There are several distinct attack types.
Types of DNS Hijacking Attacks
1. Router DNS Hijacking
The most common attack targeting home and small business users. Attackers compromise your router (via default credentials, unpatched firmware, or CSRF vulnerabilities) and change the DNS server settings from a legitimate resolver to one they control.
From that point on, every device on your network sends DNS queries to the attacker’s resolver, which returns whatever IP addresses the attacker chooses.
How to check: On Windows, run:
ipconfig /all | findstr "DNS Servers"
On Linux/macOS:
cat /etc/resolv.conf
# or
scutil --dns | grep nameserver
Compare the addresses against what you configured. If you see an IP you don’t recognize, your router may be compromised.
2. Local DNS Hijacking (Malware on Device)
Malware modifies the hosts file or the local DNS client settings on the infected machine. The hosts file is checked before any DNS query is sent — entries there override DNS entirely.
On Windows, the hosts file is at C:\Windows\System32\drivers\etc\hosts. A hijacked entry looks like:
192.168.1.100 paypal.com
192.168.1.100 bankofamerica.com
Any request to those domains resolves to the attacker’s server, which serves a convincing phishing page.
Detecting hosts file tampering on Windows:
Get-Content C:\Windows\System32\drivers\etc\hosts | Where-Object { $_ -notmatch "^#" -and $_ -ne "" }
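The two checks above (resolver settings and the hosts file) can be scripted so they run the same way on every endpoint. The following Python script is an added example, not code from the article: it parses resolv.conf or `scutil --dns` text and a hosts file, flags resolvers that are not on an expected list, and flags hosts entries that pin sensitive domains. The sample inputs are constructed inline so it runs offline; `EXPECTED_RESOLVERS` and `WATCHED_DOMAINS` are assumed values you would replace with your own.

```python
"""Audit a machine's DNS configuration against an expected baseline.

Added example (not code from the article). The resolv.conf, `scutil --dns`
and hosts-file text below is constructed inline so the script runs offline;
EXPECTED_RESOLVERS and WATCHED_DOMAINS are assumptions you would replace
with your own values.
"""
import ipaddress
import re

# Assumption: the resolvers you (or your router) deliberately configured.
EXPECTED_RESOLVERS = {"192.168.1.1", "1.1.1.1", "9.9.9.9"}

# Assumption: domains that should never be pinned in a hosts file.
WATCHED_DOMAINS = ("paypal.com", "bankofamerica.com")

# Constructed /etc/resolv.conf with one resolver nobody configured.
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager
search home.lan
nameserver 192.168.1.1
nameserver 203.0.113.53
"""

# Constructed excerpt of `scutil --dns` output (macOS) showing the same resolver.
SAMPLE_SCUTIL = """\
DNS configuration

resolver #1
  search domain[0] : home.lan
  nameserver[0] : 192.168.1.1
  nameserver[1] : 203.0.113.53
  flags    : Request A records
"""

# Constructed hosts file in which two banking domains have been pinned.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
192.168.1.100   paypal.com
192.168.1.100   www.bankofamerica.com   # added by malware
10.0.0.5        intranet.corp.example
"""

# Matches "nameserver 1.2.3.4" (resolv.conf) and "nameserver[0] : 1.2.3.4" (scutil).
_NS_LINE = re.compile(r"^\s*nameserver(?:\[\d+\])?\s*:?\s*(\S+)")


def parse_nameservers(text):
    """Return the resolver IPs named in resolv.conf or `scutil --dns` text."""
    found = []
    for line in text.splitlines():
        m = _NS_LINE.match(line)
        if not m:
            continue
        try:
            found.append(str(ipaddress.ip_address(m.group(1))))
        except ValueError:  # not an IP address (e.g. an interface-scoped name)
            continue
    return found


def unexpected_resolvers(text, expected=EXPECTED_RESOLVERS):
    """Resolvers in use that are not on the expected list."""
    return [ip for ip in parse_nameservers(text) if ip not in expected]


def parse_hosts(text):
    """Return (ip, hostname) pairs from hosts-file text, ignoring comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop full-line and trailing comments
        if not line:
            continue
        ip, *names = line.split()
        entries.extend((ip, n.lower()) for n in names)
    return entries


def suspicious_hosts_entries(text, watched=WATCHED_DOMAINS):
    """Hosts entries that pin a watched domain (or a subdomain of it) to any
    address; such names should only ever be resolved through DNS."""
    return [
        (ip, name) for ip, name in parse_hosts(text)
        if any(name == w or name.endswith("." + w) for w in watched)
    ]


if __name__ == "__main__":
    print("unexpected resolvers:", unexpected_resolvers(SAMPLE_RESOLV_CONF))
    print("suspicious hosts entries:", suspicious_hosts_entries(SAMPLE_HOSTS))
```

On a real machine you would feed `parse_nameservers` the contents of `/etc/resolv.conf` or the output of `scutil --dns`, and `suspicious_hosts_entries` the hosts file at the path given above; any hit is a reason to inspect the router and the endpoint before trusting anything resolved through them.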
3. DNS Cache Poisoning (Kaminsky Attack)
DNS resolvers cache answers to avoid querying authoritative servers repeatedly. Cache poisoning tricks a resolver into storing a malicious record.
In the classic Kaminsky attack (discovered 2008, still relevant today), an attacker floods a resolver with forged DNS responses for a target domain, trying to win a race against the legitimate response. If successful, the resolver caches the attacker’s fake IP and serves it to every user who queries that resolver — potentially thousands or millions of people.
DNSSEC was created specifically to prevent cache poisoning by cryptographically signing DNS records.
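To make the race concrete from the resolver's side, here is a toy model of the checks a caching resolver applies before it accepts a UDP response: matching transaction ID, matching source port, matching source address, matching question, and the bailiwick rule that rejects records for names outside the zone the queried server is responsible for. This is an added example, not code from the article or from any real resolver; the `ToyResolver` class, its field names and the sample responses are constructed for illustration.

```python
"""Toy model of the checks a caching resolver performs before it accepts a
UDP response, showing why poisoning is a race the forger mostly loses once
transaction IDs and source ports are both randomised.

Added example, not code from the article or from any real resolver. The
ToyResolver class, its field names and the sample responses are constructed.
"""
import secrets


def in_bailiwick(name, zone):
    """True if `name` is `zone` or lies below it (www.example.com is in example.com)."""
    name, zone = name.rstrip(".").lower(), zone.rstrip(".").lower()
    return name == zone or name.endswith("." + zone)


class ToyResolver:
    def __init__(self):
        self.pending = {}  # (txid, source_port) -> context of the outstanding query
        self.cache = {}    # (name, rtype) -> rdata

    def send_query(self, name, rtype, server_ip, bailiwick):
        """Record an outstanding query. Randomising both the 16-bit transaction
        ID and the UDP source port (the fix deployed after the 2008 disclosure)
        leaves a forger roughly 32 bits to guess instead of 16."""
        txid = secrets.randbelow(1 << 16)
        port = 1024 + secrets.randbelow(65536 - 1024)
        self.pending[(txid, port)] = {"name": name, "rtype": rtype,
                                      "server": server_ip, "bailiwick": bailiwick}
        return txid, port

    def receive(self, resp):
        """Accept a response only if it matches an outstanding query on every
        field the resolver can check; return (accepted, reason)."""
        key = (resp["txid"], resp["dst_port"])
        ctx = self.pending.get(key)
        if ctx is None:
            return False, "no outstanding query with this txid/port"
        if resp["src_ip"] != ctx["server"]:
            return False, "source address is not the server we queried"
        if (resp["qname"], resp["qtype"]) != (ctx["name"], ctx["rtype"]):
            return False, "question section does not match"
        # Bailiwick rule: a server may only tell us about names in its own zone,
        # so an extra record for some unrelated domain is rejected, not cached.
        for rec in resp["records"]:
            if not in_bailiwick(rec["name"], ctx["bailiwick"]):
                return False, "out-of-bailiwick record for " + rec["name"]
        for rec in resp["records"]:
            self.cache[(rec["name"], rec["rtype"])] = rec["rdata"]
        del self.pending[key]
        return True, "cached"


def demo():
    """Run two forged responses and one legitimate one through the resolver."""
    r = ToyResolver()
    txid, port = r.send_query("www.example.com", "A", "198.51.100.10", "example.com")
    base = {"src_ip": "198.51.100.10", "qname": "www.example.com", "qtype": "A"}

    # Forgery 1: right transaction ID, wrong port (the second value a forger must guess).
    wrong_port = dict(base, txid=txid, dst_port=(port + 1) % 65536,
                      records=[{"name": "www.example.com", "rtype": "A", "rdata": "203.0.113.66"}])
    # Forgery 2: everything matches, but it smuggles a record for an unrelated domain.
    out_of_zone = dict(base, txid=txid, dst_port=port,
                       records=[{"name": "www.example.com", "rtype": "A", "rdata": "192.0.2.10"},
                                {"name": "bank.example", "rtype": "A", "rdata": "203.0.113.66"}])
    # The real answer from the server we asked.
    legit = dict(base, txid=txid, dst_port=port,
                 records=[{"name": "www.example.com", "rtype": "A", "rdata": "192.0.2.10"}])

    results = [r.receive(wrong_port), r.receive(out_of_zone), r.receive(legit)]
    return results, dict(r.cache)


if __name__ == "__main__":
    for accepted, reason in demo()[0]:
        print("accepted" if accepted else "rejected", "-", reason)
```

None of these checks authenticate the data itself; they only narrow the window for a blind forgery. DNSSEC, covered next, is what lets the resolver verify that the answer really came from the zone owner.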
4. Authoritative DNS Server Compromise
Attackers compromise the systems of a domain registrar or DNS hosting provider and modify the authoritative DNS records directly. This is especially devastating because:
- The fake records are served as legitimate responses
- DNSSEC does not help if the attacker controls the signing keys
- All users worldwide are affected, not just those on a specific network
Notable examples include the Sea Turtle campaign (2019), attributed to a state-sponsored actor, which hijacked the DNS of dozens of organizations including government agencies by compromising registrars and DNS providers.
5. BGP Hijacking Combined with DNS
Border Gateway Protocol (BGP) controls internet routing. BGP hijacking can redirect traffic intended for a DNS resolver to an attacker-controlled machine that impersonates the resolver. In 2018, attackers hijacked BGP routes to Amazon’s Route 53 DNS service and redirected cryptocurrency users to a phishing site, stealing approximately $152,000 in Ethereum.
6. NXDOMAIN Hijacking by ISPs
Some ISPs intercept DNS queries for non-existent domains (which should return NXDOMAIN) and instead return the IP of their own search page to monetize failed lookups. While not strictly malicious, this behavior violates DNS standards and can cause security tools to malfunction.
Real-World Impact
DNS hijacking enables:
- Phishing: Users are sent to convincing fake login pages
- Credential theft: Banking, email, and cloud service credentials stolen at scale
- Malware delivery: Legitimate software update servers spoofed to deliver trojans
- Traffic interception: Man-in-the-middle attacks on unencrypted traffic
- Ad injection: ISPs inserting ads into web pages via transparent proxies reached through hijacked DNS
How to Prevent DNS Hijacking
Secure Your Router
- Change default admin credentials immediately on any new router
- Update router firmware regularly — manufacturers patch DNS-related vulnerabilities
- Disable remote administration (WAN-side access to the router admin panel) unless absolutely necessary
- Use a router that supports DNS-over-HTTPS (DoH) at the network level
Use Encrypted DNS
Standard DNS queries are sent in plaintext over UDP port 53 — anyone on the network can read and modify them. Encrypted DNS prevents interception:
- DNS-over-HTTPS (DoH): DNS queries sent as HTTPS (port 443) — indistinguishable from normal web traffic
- DNS-over-TLS (DoT): DNS queries encrypted with TLS (port 853)
Configure DoH in Windows 11:
Settings > Network & Internet > [Your adapter] > DNS server assignment
> Manual > IPv4 > Preferred DNS: 1.1.1.1
> Check "DNS over HTTPS" = On (automatic template)
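To show what actually travels inside that HTTPS connection, and what the resolver steps from "How DNS Works" look like on the wire, the following Python is an added example (not code from the article): it builds a DNS query in RFC 1035 wire format, wraps it in the RFC 8484 DoH GET form against the Cloudflare endpoint the article lists, and parses a response, including the AD flag that the DNSSEC section below relies on. Nothing is sent over the network; the response bytes are constructed inline, with 192.0.2.1 as a placeholder address.

```python
"""Build a DNS query in wire format (RFC 1035), wrap it for a
DNS-over-HTTPS GET request (RFC 8484), and parse a response.

Added example (not from the article). Nothing is sent over the network:
the resolver URL is the Cloudflare endpoint the article lists, and the
response bytes are constructed inline with 192.0.2.1 as a placeholder.
"""
import base64
import struct

TYPE_A = 1
CLASS_IN = 1
FLAG_AD = 0x0020  # "Authenticated Data": the resolver validated DNSSEC signatures


def encode_name(name):
    """www.example.com -> b'\\x03www\\x07example\\x03com\\x00'"""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("label must be 1-63 bytes: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qtype=TYPE_A, txid=0):
    """12-byte header (RD=1, one question) followed by the question section.
    RFC 8484 recommends txid 0 for DoH so identical queries are cacheable by
    HTTP caches; the TLS connection, not a random ID, defeats spoofing."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)


def doh_get_url(query, base="https://1.1.1.1/dns-query"):
    """RFC 8484 GET form: the wire-format query, base64url without padding."""
    b64 = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return base + "?dns=" + b64


def decode_name(msg, offset):
    """Decode a (possibly compressed) name; return (name, offset_after_name)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if end is None:
                end = offset + 2
            offset = pointer
            continue
        if length == 0:
            offset += 1
            break
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels), (offset if end is None else end)


def parse_response(msg):
    """Return txid, rcode, the AD flag and the answer records of a DNS message."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qdcount):  # skip the echoed question section
        _, offset = decode_name(msg, offset)
        offset += 4
    answers = []
    for _ in range(ancount):
        name, offset = decode_name(msg, offset)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == TYPE_A and rdlen == 4:
            rdata = ".".join(str(b) for b in rdata)
        answers.append((name, rtype, ttl, rdata))
    return {"txid": txid, "rcode": flags & 0xF,
            "ad": bool(flags & FLAG_AD), "answers": answers}


# Constructed response: flags 0x81A0 = QR, RD, RA, AD; one answer whose name is
# a compression pointer (0xC00C) back to the question name at offset 12.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0, 0x81A0, 1, 1, 0, 0)
    + encode_name("www.example.com") + struct.pack("!HH", TYPE_A, CLASS_IN)
    + b"\xC0\x0C" + struct.pack("!HHIH", TYPE_A, CLASS_IN, 300, 4) + bytes([192, 0, 2, 1])
)

if __name__ == "__main__":
    print(doh_get_url(build_query("www.example.com")))
    print(parse_response(SAMPLE_RESPONSE))
```

The URL the block produces is byte-for-byte the same query that plain DNS would send on UDP port 53; the only difference in DoH is that it rides inside TLS on port 443, so an on-path device can neither read the question nor substitute the answer.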
Recommended encrypted DNS resolvers:
| Resolver | DoH Endpoint | Notes |
|---|---|---|
| Cloudflare | https://1.1.1.1/dns-query | No logging, fast |
| Quad9 | https://9.9.9.9/dns-query | Blocks known malicious domains |
| NextDNS | https://dns.nextdns.io/<id> | Highly configurable, logging available |
| Google | https://8.8.8.8/dns-query | Fast, widely supported |
Implement DNSSEC
DNSSEC adds cryptographic signatures to DNS records. Resolvers that support DNSSEC validation will reject records that fail signature verification, preventing cache poisoning.
Check if a domain has DNSSEC enabled:
dig +dnssec example.com
# Look for the "ad" (Authenticated Data) flag on the ";; flags:" line. It is set only when the resolver you asked
# validated the signatures; RRSIG records in the answer show the zone is signed even if your resolver does not validate.
If you manage DNS for your own domain, enable DNSSEC at your registrar and DNS host. Major registrars and DNS hosting providers including Cloudflare, Route 53, and GoDaddy support DNSSEC configuration.
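Reading `dig` output by eye is error-prone when you check many domains, so the following Python is an added example (not from the article) that parses `dig +dnssec` transcripts and reports whether the answer was validated, merely signed, unsigned, or failed with SERVFAIL (which a validating resolver returns when signatures do not check out; comparing against `dig +cd`, which disables checking, confirms that). The three transcripts are constructed, and the RRSIG signature field is a placeholder rather than a real signature.

```python
"""Read `dig +dnssec` output and report what it says about DNSSEC.

Added example, not from the article. The dig transcripts below are
constructed (the RRSIG signature field is a placeholder); the function only
parses text, so it runs offline.
"""
import re

# Constructed: a validating resolver answering for a signed zone.
DIG_VALIDATED = """\
; <<>> DiG 9.18.1 <<>> +dnssec example.com
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;example.com.			IN	A

;; ANSWER SECTION:
example.com.		300	IN	A	192.0.2.1
example.com.		300	IN	RRSIG	A 13 2 300 20991231000000 20990101000000 12345 example.com. PLACEHOLDERSIGNATURE==
"""

# Constructed: the same query for an unsigned zone (no RRSIG, no ad flag).
DIG_UNSIGNED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
unsigned.example.		300	IN	A	192.0.2.2
"""

# Constructed: what a validating resolver returns when signatures are bad.
DIG_SERVFAIL = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4244
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""


def assess_dnssec(dig_output):
    """Summarise the DNSSEC-relevant parts of a dig transcript."""
    status, header_flags, edns_do, rrsig_types = None, set(), False, []
    for line in dig_output.splitlines():
        if line.startswith(";; ->>HEADER<<-"):
            m = re.search(r"status: (\w+)", line)
            status = m.group(1) if m else None
        m = re.match(r";; flags: ([a-z ]*);", line)
        if m:
            header_flags = set(m.group(1).split())
        # The EDNS "do" bit is what asked the resolver to include RRSIGs.
        if line.startswith("; EDNS:") and re.search(r"flags:.*\bdo\b", line):
            edns_do = True
        if line.startswith(";"):
            continue  # comments, question section, section headers
        fields = line.split()
        if len(fields) >= 5 and fields[3] == "RRSIG":
            rrsig_types.append(fields[4])  # the type the signature covers
    if status == "SERVFAIL":
        verdict = "SERVFAIL: possible validation failure, compare with +cd"
    elif "ad" in header_flags:
        verdict = "validated: resolver authenticated the answer"
    elif rrsig_types:
        verdict = "signed but not validated: use a validating resolver"
    else:
        verdict = "no signatures: zone unsigned or resolver stripped DNSSEC data"
    return {"status": status, "ad": "ad" in header_flags, "do": edns_do,
            "rrsig_types": rrsig_types, "verdict": verdict}


if __name__ == "__main__":
    for sample in (DIG_VALIDATED, DIG_UNSIGNED, DIG_SERVFAIL):
        print(assess_dnssec(sample)["verdict"])
```

Pipe real output in with something like `dig +dnssec example.com | python3 check.py` once the block reads from standard input; the verdict distinguishes "my resolver validated this" from "the zone is signed but nobody checked", which is the distinction that matters when deciding whether DNSSEC is actually protecting you.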
Use a DNS Firewall / RPZ
Response Policy Zones (RPZ) let DNS resolvers block known-malicious domains by returning NXDOMAIN or a sinkhole IP instead of the real answer. Security-focused resolvers like Quad9 and Cloudflare Gateway maintain threat intelligence feeds and block malicious domains automatically.
For enterprise deployments, products like Cisco Umbrella (formerly OpenDNS), Infoblox, and BlueCat provide DNS firewalling with detailed logging.
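The following Python is an added example, not code from the article or from any resolver product, showing how RPZ rules are expressed and matched. It uses the record syntax BIND and other resolvers accept for RPZ zones: the owner name is the trigger domain followed by the policy zone name, and the rdata encodes the action (`CNAME .` for NXDOMAIN, `CNAME *.` for NODATA, `CNAME rpz-passthru.` to allow, `CNAME rpz-drop.` to drop, and an A or AAAA record for a sinkhole). The zone data, the policy zone name `rpz.example` and the sinkhole address 192.0.2.254 are constructed.

```python
"""Minimal evaluator for Response Policy Zone (RPZ) rules in the record
syntax BIND and other resolvers use for RPZ zones.

Added example, not from the article or any resolver's code. The zone data
is constructed; RPZ_ZONE and the sinkhole address 192.0.2.254 are assumptions.
"""

RPZ_ZONE = "rpz.example"  # assumed name of the local policy zone

# Constructed rule set. Owner names are <trigger>.<RPZ_ZONE>; rdata encodes
# the action: CNAME . = NXDOMAIN, CNAME *. = NODATA, CNAME rpz-passthru. =
# allow, CNAME rpz-drop. = drop silently, A/AAAA = answer with local data.
SAMPLE_RPZ = """\
; constructed RPZ zone
malware.example.rpz.example.        CNAME .
*.malware.example.rpz.example.      CNAME .
ok.malware.example.rpz.example.     CNAME rpz-passthru.
phish.example.rpz.example.          A     192.0.2.254
*.tracker.example.rpz.example.      CNAME *.
"""

CNAME_ACTIONS = {".": "NXDOMAIN", "*.": "NODATA",
                 "rpz-passthru.": "PASSTHRU", "rpz-drop.": "DROP"}


def parse_rpz(zone_text, rpz_zone=RPZ_ZONE):
    """Return {trigger_name: (rtype, rdata)} from RPZ zone text."""
    rules = {}
    suffix = "." + rpz_zone.rstrip(".") + "."
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # strip zone-file comments
        if not line:
            continue
        owner, rtype, rdata = line.split(None, 2)
        if not owner.lower().endswith(suffix):
            raise ValueError("owner outside policy zone: " + owner)
        trigger = owner[:-len(suffix)].lower()
        rules[trigger] = (rtype.upper(), rdata.strip())
    return rules


def _action(rtype, rdata):
    """Translate a rule's rdata into (action, data)."""
    if rtype == "CNAME":
        return (CNAME_ACTIONS.get(rdata, "CNAME"), None if rdata in CNAME_ACTIONS else rdata)
    if rtype in ("A", "AAAA"):
        return ("LOCAL-DATA", rdata)
    return ("UNKNOWN", rdata)


def evaluate(qname, rules):
    """Exact trigger first, then wildcard triggers from the closest parent up.
    Returns (action, data); ("RESOLVE", None) when no rule matches."""
    name = qname.rstrip(".").lower()
    labels = name.split(".")
    candidates = [name] + ["*." + ".".join(labels[i:]) for i in range(1, len(labels))]
    for cand in candidates:
        if cand in rules:
            return _action(*rules[cand])
    return ("RESOLVE", None)


if __name__ == "__main__":
    rules = parse_rpz(SAMPLE_RPZ)
    for q in ("malware.example", "cdn.malware.example", "ok.malware.example",
              "phish.example", "a.b.tracker.example", "good.example"):
        print(q, "->", evaluate(q, rules))
```

The sinkhole form (`LOCAL-DATA` pointing at an address you control) is what makes RPZ useful for detection as well as blocking: every client that lands on the sinkhole has just tried to reach a known-bad name, which is exactly the event you want logged and forwarded to the SIEM.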
Monitor Your DNS
Set up alerts for unexpected changes to your DNS records:
- Use DNStwist to monitor lookalike domain registrations
- Subscribe to registrar alerts for any changes to your domain
- Use a service like Cloudflare Radar or SecurityTrails to track your authoritative DNS history
- For enterprises, integrate DNS logs into your SIEM and alert on unusual query volumes or patterns
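A registrar alert or SIEM rule for "my records changed" reduces to comparing two snapshots of the zone and ranking what moved. The following Python is an added example, not from the article: it diffs two constructed snapshots keyed by (name, record type), normalises values so a trailing dot or case change does not fire an alert, and marks NS and DS changes as critical because they move the whole zone, or its DNSSEC chain, to a different operator. The `SEVERITY` table and the snapshot contents are assumptions; a real deployment would fill the snapshots from periodic queries against the authoritative servers.

```python
"""Compare two snapshots of a domain's DNS records and rank the changes,
the kind of check a registrar-change alert or SIEM rule would run.

Added example, not from the article. Snapshots are constructed dicts keyed
by (name, record type); the SEVERITY table is an assumption.
"""

# Assumption: how alarming a change to each record type is. NS and DS
# changes move the whole zone (or its DNSSEC chain) to someone else.
SEVERITY = {"NS": "critical", "DS": "critical", "SOA": "high", "A": "high",
            "AAAA": "high", "MX": "high", "CNAME": "high", "TXT": "medium"}

# Constructed snapshots: yesterday's baseline and today's observation.
SNAPSHOT_YESTERDAY = {
    ("example.com", "NS"): ["ns1.example.net.", "ns2.example.net."],
    ("example.com", "A"): ["192.0.2.10"],
    ("example.com", "MX"): ["10 mail.example.com."],
    ("example.com", "TXT"): ["v=spf1 mx -all"],
}
SNAPSHOT_TODAY = {
    ("example.com", "NS"): ["ns1.unknown-provider.example.", "ns2.unknown-provider.example."],
    ("example.com", "A"): ["192.0.2.10"],
    ("example.com", "MX"): ["10 MAIL.example.com"],  # same host, different case, no dot
    ("example.com", "TXT"): ["v=spf1 mx -all", "verification=constructed-token"],
}


def _normalise(values):
    """Case and trailing-dot differences are not changes."""
    return {v.rstrip(".").lower() for v in values}


def diff_records(previous, current):
    """Return one change entry per (name, type) whose value set differs."""
    changes = []
    for key in sorted(set(previous) | set(current)):
        old = _normalise(previous.get(key, ()))
        new = _normalise(current.get(key, ()))
        if old == new:
            continue
        name, rtype = key
        changes.append({"name": name, "type": rtype,
                        "severity": SEVERITY.get(rtype, "low"),
                        "added": sorted(new - old), "removed": sorted(old - new)})
    return changes


def highest_severity(changes):
    """Overall alert level for a batch of changes ("none" if nothing changed)."""
    order = ["none", "low", "medium", "high", "critical"]
    return max((c["severity"] for c in changes), key=order.index, default="none")


if __name__ == "__main__":
    found = diff_records(SNAPSHOT_YESTERDAY, SNAPSHOT_TODAY)
    print("alert level:", highest_severity(found))
    for change in found:
        print(change)
```

In this sample the MX change is ignored (only case and the trailing dot differ), the TXT addition is reported at medium, and the NS replacement drives the batch to critical; that is the change the Sea Turtle section above describes, and the one worth waking someone up for.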
Enable MFA on Your Registrar Account
The Sea Turtle campaign succeeded primarily through compromising registrar accounts with weak credentials. Multi-factor authentication (MFA) on your domain registrar is non-negotiable. Use a hardware key (YubiKey) or TOTP authenticator — not SMS.
Quick Reference: DNS Hijacking Defense Checklist
| Control | Priority |
|---|---|
| Change router default credentials | Critical |
| Update router firmware | Critical |
| Use DoH or DoT encrypted DNS | High |
| Enable DNSSEC on your domains | High |
| MFA on registrar account | Critical |
| Monitor DNS records for changes | Medium |
| Deploy DNS firewall / RPZ | Medium |
| Audit hosts file on endpoints | Medium |
Conclusion
DNS hijacking is insidious because it operates below the application layer — your browser shows the right URL in the address bar while you’re actually talking to an attacker’s server. Defending against it requires layered controls: securing the infrastructure (routers, registrar accounts), encrypting queries in transit (DoH/DoT), validating responses cryptographically (DNSSEC), and monitoring for unexpected changes. These controls together make DNS hijacking significantly harder to pull off and much easier to detect.