What is DNS Hijacking?
DNS hijacking, also known as DNS redirection, is an attack technique in which an attacker interferes with the Domain Name System resolution process to redirect users to malicious websites. The Domain Name System translates human-readable domain names like example.com into IP addresses that computers use to locate servers. By manipulating this translation process, attackers can silently redirect users to phishing sites, malware distribution servers, or other malicious destinations.
DNS hijacking is particularly insidious because users believe they are visiting legitimate websites. The URL in the browser's address bar looks correct, yet the IP address behind it belongs to a server the attacker controls. For HTTPS sites the attacker's server will normally fail certificate validation and trigger a browser warning, but plain HTTP sites, users who click through warnings, and attackers who manage to obtain a certificate for the hijacked name remain exposed. This makes DNS hijacking an effective platform for credential theft, malware distribution, and surveillance of internet traffic.
Types of DNS Hijacking
Local DNS hijacking targets an individual device. Malware with enough privilege rewrites the operating system's resolver configuration (the interface DNS servers on Windows, or /etc/resolv.conf and the hosts file on Unix-like systems) so that the device's lookups go to a server the attacker operates.
Router DNS hijacking targets the home or small-office router instead. The attacker exploits a vulnerability in the router firmware or logs in with default administration credentials, then changes the DNS servers the router hands out over DHCP or forwards queries to; every device behind the router is affected without any change on the devices themselves. ISP-level DNS hijacking occurs when an internet service provider manipulates DNS responses, for example returning an advertising page instead of an NXDOMAIN error for names that do not exist, or blocking names for censorship. Man-in-the-middle (on-path) DNS hijacking intercepts DNS queries in transit and returns forged responses before the legitimate server's reply arrives. At the far end of the system, an attacker who compromises a domain owner's registrar or DNS hosting account can change the authoritative records themselves, which redirects every resolver on the internet rather than a single device or network.
DNS Hijacking vs. DNS Spoofing
While DNS hijacking and DNS spoofing are related, they are distinct techniques. DNS hijacking changes where queries go or what the authoritative answer is: the resolver settings on a device or router, or the zone records on the authoritative side. DNS spoofing, also called DNS cache poisoning, leaves the configuration alone and instead corrupts the cached records of a legitimate recursive resolver so that it returns the attacker's IP addresses for domain lookups.
DNS cache poisoning targets a recursive resolver by racing the authoritative server: the attacker triggers a lookup and floods the resolver with forged replies, hoping one arrives before the genuine reply and matches the pending query's 16-bit transaction ID, UDP source port and question. Once a forged reply is accepted, the resolver serves it to every client that queries it for the affected name until the record's TTL expires. Both techniques look the same from the victim's side: the user is sent to an attacker-controlled server while believing they are visiting the legitimate site.
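The race described above comes down to one check inside the resolver: a reply is accepted only if its transaction ID, destination port and question match a query that is still pending. The following is an added example, not code from the original page or from any resolver implementation; it models that check, the bailiwick rule that keeps a reply from planting records for unrelated zones, and the effect of source-port randomization on a blind attacker's odds. All names, addresses and the attacker's burst size are constructed.

```python
"""Added example: how a recursive resolver matches a DNS reply to its pending
query, and why that match is all that separates a forged reply from the cache.
Everything here is a constructed model; no network traffic is sent."""
import random
from dataclasses import dataclass, field


@dataclass
class Query:
    txid: int       # 16-bit DNS transaction ID chosen by the resolver
    src_port: int   # UDP source port the query left from
    qname: str


@dataclass
class Reply:
    txid: int
    dst_port: int
    qname: str
    answer: str                                     # A record for qname
    additional: dict = field(default_factory=dict)  # extra name -> IP records


def in_bailiwick(name: str, zone: str) -> bool:
    """Bailiwick rule: only cache extra records at or below the zone queried."""
    return name == zone or name.endswith("." + zone)


class Resolver:
    """Minimal recursive-resolver model: one pending query per name, a cache,
    and the reply-acceptance check that a poisoning attack must pass."""

    def __init__(self, randomize_port: bool, seed: int = 0):
        self.rng = random.Random(seed)
        self.randomize_port = randomize_port
        self.pending: dict[str, Query] = {}
        self.cache: dict[str, str] = {}

    def send_query(self, qname: str) -> Query:
        txid = self.rng.randrange(1 << 16)
        port = self.rng.randrange(1024, 1 << 16) if self.randomize_port else 53
        query = Query(txid, port, qname)
        self.pending[qname] = query
        return query

    def receive(self, reply: Reply, zone: str) -> bool:
        """Accept the reply only if txid, destination port and name match the
        pending query. Returns True when the reply was cached, forged or not."""
        query = self.pending.get(reply.qname)
        if query is None or reply.txid != query.txid or reply.dst_port != query.src_port:
            return False
        self.cache[reply.qname] = reply.answer
        for name, ip in reply.additional.items():
            if in_bailiwick(name, zone):
                self.cache[name] = ip
        # Pending entry is gone: the genuine reply arriving later is ignored.
        del self.pending[reply.qname]
        return True


def blind_attack(resolver: Resolver, qname: str, zone: str, burst: int, attacker_seed: int) -> bool:
    """Attacker triggers a lookup, then sends `burst` guessed replies before the
    genuine one arrives. Returns True if any guess was accepted into the cache."""
    rng = random.Random(attacker_seed)
    resolver.send_query(qname)
    for _ in range(burst):
        port = rng.randrange(1024, 1 << 16) if resolver.randomize_port else 53
        forged = Reply(rng.randrange(1 << 16), port, qname, "203.0.113.66")
        if resolver.receive(forged, zone):
            return True
    return False


def spoof_success_probability(burst: int, randomize_port: bool) -> float:
    """Probability that at least one of `burst` blind guesses matches the 16-bit
    txid and, when ports are randomized, one of the ~64k possible source ports."""
    space = (1 << 16) * (((1 << 16) - 1024) if randomize_port else 1)
    return 1 - (1 - 1 / space) ** burst


if __name__ == "__main__":
    for randomize in (False, True):
        hits = sum(
            blind_attack(Resolver(randomize, seed=i), "www.example.com",
                         "example.com", burst=2000, attacker_seed=1000 + i)
            for i in range(200)
        )
        print(f"port randomization={randomize}: {hits}/200 trials poisoned, "
              f"predicted per-trial probability "
              f"{spoof_success_probability(2000, randomize):.2%}")
```

With a fixed source port the attacker only has to guess the transaction ID, so a burst of a few thousand replies per triggered lookup succeeds a few percent of the time and can simply be repeated; randomizing the source port multiplies the search space by roughly 64,000, and DNSSEC validation removes the guessing game entirely for signed zones.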
Preventing DNS Hijacking
DNSSEC (Domain Name System Security Extensions) adds digital signatures to DNS data so that a validating resolver can verify that a response was signed by the zone's owner and has not been altered in transit. It defeats cache poisoning and forged replies for signed zones, but only where validation actually happens: most stub resolvers on end-user devices do not validate and simply trust the recursive resolver they are configured to use, so DNSSEC does nothing for a device or router whose resolver setting has been changed to an attacker's server. Adoption is also far from universal, and DNSSEC does not encrypt anything. DNS over HTTPS (DoH) and DNS over TLS (DoT) encrypt the path between the client and its resolver, which blocks on-path interception and manipulation and lets the client authenticate the resolver it talks to; they do not help if the configured resolver itself belongs to the attacker, and they move trust to the DoH or DoT provider.
At the local level, keeping router firmware updated, changing default credentials, and disabling remote (WAN-side) administration help prevent router-based DNS hijacking. Pointing devices at trusted resolvers that perform DNSSEC validation adds a layer of protection. Regularly checking the DNS settings on devices and routers, including the servers handed out by DHCP and the contents of the hosts file, catches unauthorized changes. Organizations should monitor resolver query logs for anomalous resolution patterns, such as high-value names suddenly resolving to unexpected addresses or clients sending queries to resolvers outside the sanctioned set, since either can indicate a hijack in progress. Domain owners should also protect registrar and DNS-hosting accounts with strong authentication and registry locks, because a change there affects every resolver on the internet.
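The two checks above, configured resolvers against an allowlist and logged answers against a known-good baseline, are easy to script. The following is an added example, not code from the original page or from any vendor; the resolver allowlist, the baseline addresses, the resolv.conf text and the query-log line format are all constructed for the example (on Windows the same first check would read the interface DNS settings instead of resolv.conf).

```python
"""Added example: two scripted checks for local DNS hijacking. The resolver
allowlist, the answer baseline, the resolv.conf text and the log format are
all constructed for this example."""
import ipaddress
import re

# Assumed: the organisation's sanctioned resolvers (documentation addresses).
TRUSTED_RESOLVERS = {"192.0.2.53", "2001:db8::53"}

# Assumed: addresses recorded earlier for high-value names through a trusted,
# validating resolver; anything else returned for these names is suspicious.
BASELINE = {
    "login.example.com": {"198.51.100.10", "198.51.100.11"},
    "mail.example.com": {"198.51.100.25"},
}

# Constructed resolv.conf as a hijacking trojan might leave it: the sanctioned
# resolver is still present, but a rogue one has been inserted ahead of it.
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager
nameserver 203.0.113.9
nameserver 192.0.2.53
nameserver not-an-address
search example.com
"""

# Constructed resolver query log, one answer per line (assumed format).
SAMPLE_LOG = """\
2024-05-01T10:00:01Z client=10.0.0.5 qname=login.example.com. type=A answer=198.51.100.10
2024-05-01T10:00:02Z client=10.0.0.9 qname=www.example.org. type=A answer=192.0.2.80
2024-05-01T10:00:03Z client=10.0.0.5 qname=LOGIN.example.com. type=A answer=203.0.113.66
2024-05-01T10:00:04Z client=10.0.0.7 qname=mail.example.com. type=AAAA answer=2001:db8::25
"""

LOG_RE = re.compile(r"qname=(?P<qname>\S+)\s+type=A\s+answer=(?P<answer>\S+)")


def parse_resolv_conf(text: str) -> list[str]:
    """Return the nameserver addresses in resolv.conf-style text, normalised,
    skipping comments and malformed entries."""
    servers = []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                servers.append(str(ipaddress.ip_address(parts[1])))
            except ValueError:
                continue
    return servers


def unauthorized_resolvers(resolv_conf_text: str) -> list[str]:
    """Resolvers the host is configured to use that are not on the allowlist."""
    return [s for s in parse_resolv_conf(resolv_conf_text) if s not in TRUSTED_RESOLVERS]


def anomalous_answers(log_text: str) -> list[tuple[str, str]]:
    """(qname, answer) pairs where an A answer for a baselined name is not in
    the baseline. Names are compared case-insensitively without the trailing dot."""
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        qname = m["qname"].rstrip(".").lower()
        expected = BASELINE.get(qname)
        if expected is None:
            continue
        try:
            answer = str(ipaddress.ip_address(m["answer"]))
        except ValueError:
            continue
        if answer not in expected:
            alerts.append((qname, answer))
    return alerts


if __name__ == "__main__":
    for server in unauthorized_resolvers(SAMPLE_RESOLV_CONF):
        print(f"ALERT unauthorized resolver configured: {server}")
    for qname, answer in anomalous_answers(SAMPLE_LOG):
        print(f"ALERT {qname} resolved to {answer}, not in baseline {sorted(BASELINE[qname])}")
```

The baseline comparison only works for names whose addresses are stable; for names behind CDNs or geo-balanced DNS, record the set of legitimate address ranges rather than individual addresses, or compare against what a trusted validating resolver returns at the same moment.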
Frequently Asked Questions
Signs of DNS hijacking include unexpected redirects, search results or advertising pages you did not ask for, browser certificate warnings on sites that normally load cleanly, and sometimes slower browsing. To check, compare the DNS servers configured on your device and router with the ones you or your ISP intend to use, resolve a few important names through both your default resolver and a known trusted resolver and compare the addresses, and use an online DNS leak test to see which resolver is actually answering your queries.
DNSSEC adds digital signatures to DNS records, allowing a validating resolver to verify that a response was signed by the zone's owner and was not modified in transit. This prevents DNS spoofing (cache poisoning) and any hijacking that relies on forged answers for signed zones, but it does not protect a device whose resolver setting has been changed to an attacker's server unless the client validates the signatures itself.
DNS over HTTPS encrypts your DNS queries, so ISPs, local network operators and on-path attackers cannot read or modify them. It is recommended for privacy and security, but it moves trust rather than removing it: the DoH provider sees all of your lookups, so choose one you trust, and DoH cannot help if the endpoint your device is configured to use is itself the attacker's. Most modern browsers and operating systems support DoH configuration.
Related Definitions
How to prevent ransomware
Preventing ransomware requires a multi-layered security approach that combines reliable backups, endpoint protection, network segmentation, user training, and incident response planning.
What is a data breach?
A data breach is a security incident in which sensitive, protected, or confidential information is accessed, disclosed, or stolen by an unauthorized party.
What is a KRACK attack?
A KRACK (Key Reinstallation Attack) is a vulnerability in the WPA2 WiFi security protocol that allows attackers to intercept and decrypt wireless network traffic by manipulating the four-way handshake process.
What is an on-path attack?
An on-path attack, traditionally known as a man-in-the-middle attack, occurs when an attacker secretly positions themselves between two communicating parties to intercept, read, and potentially alter the data being exchanged.