DNS Hijacking: How It Works and How to Detect It
Learn how DNS hijacking works, the different types of DNS attacks, real-world examples, and how to detect and prevent DNS spoofing and poisoning.
Last updated: 2026-02-17
DNS hijacking is the redirection of DNS queries or the modification of DNS records so that a domain resolves to an IP address the attacker controls instead of the legitimate one. It is one of the most effective attack vectors available because it is invisible to the end user and often to the domain owner as well.
When DNS is hijacked, users who type your domain into their browser are silently sent to a different server. That server can serve a pixel-perfect copy of your website, harvest credentials, intercept email, or distribute malware. The URL bar still shows your domain name. There is no browser warning unless the attacker fails to obtain a valid SSL certificate.
Types of DNS Hijacking
DNS hijacking is an umbrella term that covers several distinct attack methods. Each targets a different point in the DNS resolution chain.
Registrar-Level Hijacking
The attacker gains access to your domain registrar account and changes the nameserver records. This gives them complete control over your DNS zone. They can point your domain to any server they choose and create any records they want.
This is the most damaging type of hijacking because it is authoritative. Every resolver in the world will eventually see the attacker's records as the legitimate ones.
How it happens: Credential theft (phishing, password reuse, credential stuffing), social engineering of registrar support staff, or exploitation of registrar platform vulnerabilities.
DNS Provider Account Compromise
If you use a third-party DNS provider (separate from your registrar), compromising that account gives the attacker control over your zone records without needing registrar access. They can modify A records, MX records, TXT records, and anything else in the zone.
How it happens: Similar to registrar compromise: stolen credentials, insufficient access controls, compromised API keys.
Man-in-the-Middle (On-Path) Attacks
The attacker intercepts DNS queries between the user and the recursive resolver, or between the resolver and the authoritative server. They inject forged responses that point to the attacker's IP.
How it happens: Network-level access (compromised router, malicious WiFi hotspot, ISP-level interception). This attack targets specific users or networks rather than affecting all users globally.
DNS Cache Poisoning
The attacker sends forged DNS responses to a recursive resolver, tricking it into caching an incorrect record. Once the resolver's cache is poisoned, every user who queries that resolver gets the wrong answer until the cache expires.
How it happens: The attacker exploits weaknesses in the DNS protocol (predictable transaction IDs, lack of source port randomization) to inject responses that the resolver accepts as legitimate.
Cache poisoning affects entire populations
A single successful cache poisoning attack against a major ISP resolver can redirect millions of users. The attacker doesn't need to compromise any account. They exploit the DNS protocol itself.
Rogue DNS Server
The attacker configures a device (typically through malware or a compromised router) to use a DNS server they control. All queries from that device are resolved by the attacker, who can return any IP they choose for any domain.
How it happens: Malware that changes DNS settings, compromised home routers with default credentials, DHCP attacks on local networks.
BGP Hijacking Affecting DNS
By advertising false BGP routes, an attacker can redirect traffic destined for DNS server IP addresses through their own network. This allows them to intercept and modify DNS queries and responses at the network routing level.
How it happens: Exploitation of BGP's trust-based design. Requires access to a network capable of announcing BGP routes, but has been observed in real attacks.
How DNS Hijacking Attacks Play Out
Understanding the attack sequence helps clarify why these attacks are so dangerous.
The attacker gains control of DNS
Through one of the methods above, the attacker gains the ability to modify the DNS responses for your domain. This might be by editing your zone file, poisoning a resolver's cache, or intercepting queries.
Records are changed to point to attacker infrastructure
The attacker sets A/AAAA records to their own servers. They may also modify MX records to intercept email. Changes are often subtle to avoid immediate detection.
The attacker obtains an SSL certificate
Using DNS validation (which they now control), the attacker can obtain a valid SSL certificate from any certificate authority that supports DNS-based validation. This eliminates browser security warnings.
Users are silently redirected
As DNS caches refresh, users start resolving the domain to the attacker's IP. They see a valid SSL certificate, the correct domain in the URL bar, and possibly a convincing copy of the original website.
Credentials and data are harvested
Users enter passwords, submit forms, and interact with what they believe is the legitimate site. The attacker captures everything. Email sent to the domain arrives at the attacker's mail server.
Real-World Examples
DNS hijacking is not theoretical. It has been used in major attacks.
DNSpionage (2018-2019)
A sophisticated campaign targeting government and private organizations in the Middle East. Attackers modified DNS records at registrars and DNS providers to redirect web and email traffic through their own servers, intercepting credentials and email content.
Sea Turtle (2017-2019)
A state-sponsored campaign that compromised DNS registrars and registries to redirect traffic for government, military, and intelligence targets across the Middle East and North Africa. The attackers targeted the DNS infrastructure itself, not individual domains.
MyEtherWallet (2018)
Attackers used BGP hijacking to redirect traffic destined for Amazon's Route 53 DNS servers. This allowed them to serve fraudulent DNS responses for MyEtherWallet.com, redirecting users to a phishing site that stole cryptocurrency wallet credentials.
Brazilian banking attacks (2017)
Attackers compromised the DNS registrar account of a major Brazilian bank, changing all DNS records to point to attacker-controlled servers. For approximately five hours, all of the bank's online operations, including web banking, mobile banking, ATMs, and point-of-sale systems, were under attacker control.
Detect DNS hijacking before damage is done
DNS Monitor continuously checks your records from multiple locations. If your domain suddenly points somewhere unexpected, you'll know within minutes.
How to Detect DNS Hijacking
Detection is the critical link between an attack happening and being able to respond. DNS hijacking is designed to be invisible, so passive observation rarely catches it.
Continuous DNS Monitoring
The most effective detection method is automated monitoring that regularly queries your DNS records from multiple geographic locations and compares results against known-good baselines. Any deviation triggers an immediate alert.
Monitoring should cover:
- All record types (not just A records)
- Multiple resolver locations (to detect poisoning of specific resolvers)
- Historical comparison (to detect gradual changes)
Certificate Transparency Logs
Monitoring Certificate Transparency (CT) logs for your domain can reveal when someone obtains an SSL certificate for your domain. If you did not request a certificate, it may indicate that an attacker has hijacked your DNS and used DNS validation to issue one.
DNSSEC Validation Failures
If you have DNSSEC enabled, hijacking attempts that modify records will cause validation failures for DNSSEC-aware resolvers. Monitoring for DNSSEC validation errors can indicate an attack in progress.
Anomalous Traffic Patterns
A sudden drop in legitimate traffic can indicate that users are being redirected elsewhere. If your server logs show a significant decrease in requests while users report they can access your site "normally," your domain may be resolving to a different server.
Prevention Measures
| Measure | Attack Type Prevented | Effort Level |
|---|---|---|
| DNSSEC | Cache poisoning, man-in-the-middle | Moderate (initial setup) |
| Registry lock | Registrar-level hijacking, social engineering | Low (request from registrar) |
| Two-factor authentication | Account compromise at registrar/DNS provider | Low |
| DNS monitoring | Detection of all hijacking types | Low (deploy and configure) |
| CAA records | Unauthorized certificate issuance | Low (add DNS record) |
| Strong, unique passwords | Credential stuffing, password reuse | Low |
| API key rotation | Compromised automation credentials | Moderate |
DNSSEC Is Essential but Not Sufficient
DNSSEC (Domain Name System Security Extensions) adds cryptographic signatures to DNS records. Resolvers that validate DNSSEC can detect forged responses, which protects against cache poisoning and man-in-the-middle attacks.
However, DNSSEC does not protect against registrar-level hijacking. If the attacker changes your nameservers at the registrar, they can set up their own DNSSEC-signed zone. DNSSEC also does not help if the validating resolver itself is compromised or if the user's resolver does not support DNSSEC validation.
CAA Records Limit Certificate Issuance
Certificate Authority Authorization (CAA) records specify which certificate authorities are allowed to issue certificates for your domain. This does not prevent DNS hijacking, but it can prevent an attacker from easily obtaining a valid SSL certificate if they hijack your DNS but do not modify the CAA record (or if the CA checks the legitimate CAA record).
Registry Lock Is Underused
Registry lock requires out-of-band verification (phone call, multi-step authentication) before nameserver or registrar changes can be made at the registry level. This is the strongest defense against registrar-level hijacking and social engineering attacks. Despite its effectiveness, most domains do not use it because it requires manual interaction and sometimes a premium fee.
Building a Defense-in-Depth Strategy
No single measure prevents all types of DNS hijacking. An effective defense combines multiple layers.
Enable DNSSEC on your domain
This protects against cache poisoning and response forgery. Work with your DNS provider to enable signing and publish DS records at your registrar.
Lock your domain at the registry
Enable registry lock for your most critical domains. Accept the tradeoff of slower legitimate changes in exchange for strong protection against unauthorized modifications.
Secure all access points
Use strong, unique passwords and two-factor authentication on every account that can modify your DNS: registrar, DNS provider, and any automation tools with API access.
Deploy continuous DNS monitoring
Monitor all record types from multiple locations. Set up alerts that go to multiple people through multiple channels so that no single point of failure prevents notification.
Add CAA records
Restrict which certificate authorities can issue certificates for your domain. This adds a layer of protection against attackers obtaining valid SSL certificates through DNS hijacking.
DNS hijacking remains one of the most potent attack vectors because it subverts the fundamental trust model of the internet. Users trust that a domain resolves to the right place. Attackers exploit that trust. The defense is layered: sign your records, lock your domain, secure your accounts, and monitor continuously.
Your first line of defense against DNS hijacking
DNS Monitor watches your records around the clock and alerts you within minutes if anything changes. Detect hijacking attempts before attackers can do damage.