What is DNS Hijacking?

Understanding DNS Redirection Attacks

DNS hijacking is an attack where DNS queries are intercepted and redirected to a malicious server, sending users to fake or harmful websites without their knowledge. Learn how it works and how to defend against it.


Step 1: What is DNS Hijacking?

DNS hijacking (also called DNS redirection) occurs when an attacker modifies DNS settings or intercepts DNS queries to redirect users to malicious destinations. Unlike normal DNS resolution where queries go to legitimate resolvers, hijacked queries are answered by attacker-controlled servers.

The result is that users type a legitimate URL (like their bank's website) but are silently redirected to a fake version designed to steal credentials, install malware, or serve unwanted content.

DNS hijacking is particularly dangerous because the URL in the browser's address bar may still appear correct, making the attack difficult for users to detect.

Step 2: Types of DNS Hijacking

DNS hijacking can occur at multiple points in the DNS resolution chain:

  • Local hijacking: Malware on a device changes the DNS settings to point to an attacker's resolver — all queries from that device are intercepted
  • Router hijacking: Attackers exploit vulnerable routers to change DNS settings, affecting every device on the network
  • Man-in-the-middle: Attackers intercept DNS queries in transit between the device and the resolver, returning forged responses
  • ISP-level hijacking: Some ISPs redirect NXDOMAIN responses to their own search or ad pages — a controversial practice that modifies expected DNS behavior
  • Rogue DNS server: Attackers set up fake DNS resolvers that return malicious IP addresses for legitimate domains

Step 3: DNS Hijacking vs DNS Poisoning

While both attacks redirect users, they work differently:

  • DNS hijacking: Changes DNS settings or intercepts queries so they reach the wrong resolver entirely
  • DNS poisoning: Corrupts the cache of a legitimate resolver so it returns wrong answers for specific domains

Think of hijacking as diverting your mail to a different post office, while poisoning is slipping fake letters into your mailbox at the real post office. Both result in you receiving the wrong information, but the attack vector is different.

DNSSEC helps protect against both by adding cryptographic signatures to DNS data, so that a validating resolver or client can detect responses that have been forged or tampered with.

Step 4: How to Protect Against DNS Hijacking

Defending against DNS hijacking requires protecting multiple layers:

  • Use encrypted DNS: DNS-over-HTTPS (DoH) and DNS-over-TLS (DoT) encrypt queries in transit, preventing man-in-the-middle interception
  • Lock DNS settings: Prevent unauthorized changes to DNS configuration on devices and routers
  • Use a trusted resolver: CleanBrowsing's DNS resolvers are hardened against hijacking and validate responses
  • Block DNS bypass: Firewall rules can redirect all DNS traffic to your chosen resolver, preventing malware from using rogue servers
  • Secure your router: Change default admin credentials, keep firmware updated, and disable remote management
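The distinction in Step 3 (wrong resolver versus wrong answer) and the "lock DNS settings" and "use a trusted resolver" advice above translate into two host-side checks: is the machine talking to the resolvers we approved, and do that resolver's answers agree with an independent trusted one? The following script is an added example, not code from this page or from CleanBrowsing or NOC.org. It parses a constructed /etc/resolv.conf, flags any nameserver not on a hypothetical allowlist, and compares a constructed table of observed answers against a trusted table, reporting plain mismatches separately from NXDOMAIN responses that were rewritten into an address (the ISP-style redirection described in Step 2). All addresses are documentation ranges chosen for the example.

```python
"""Audit a host for DNS hijacking indicators (added example, not from the page).

Check 1: configured resolvers vs an approved list (local/router hijacking
changes them). Check 2: answers from the configured resolver vs an
independent trusted resolver (rogue resolver, on-path forgery or NXDOMAIN
rewriting produce different answers). All inputs are constructed samples so
the script runs offline; in production the answer tables come from real
lookups against both resolvers.
"""
import ipaddress
import re
from dataclasses import dataclass

# Hypothetical approved resolvers (documentation-range addresses).
EXPECTED_RESOLVERS = {"192.0.2.53", "2001:db8::53"}

# Constructed resolv.conf as malware might leave it: an unknown resolver added.
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager
search corp.example
nameserver 192.0.2.53
nameserver 198.51.100.7
options timeout:2
"""

# Constructed answer tables: name -> set of A records, or None for NXDOMAIN.
TRUSTED_ANSWERS = {
    "bank.example": {"203.0.113.10"},
    "mail.example": {"203.0.113.20", "203.0.113.21"},
    "doesnotexist.example": None,
}
OBSERVED_ANSWERS = {
    "bank.example": {"198.51.100.99"},                  # redirected elsewhere
    "mail.example": {"203.0.113.21", "203.0.113.20"},   # same set, other order
    "doesnotexist.example": {"198.51.100.80"},          # NXDOMAIN rewritten
}


@dataclass(frozen=True)
class Finding:
    kind: str
    detail: str


def parse_nameservers(resolv_conf: str) -> list[str]:
    """Return nameserver addresses from resolv.conf text; comments and other
    directives are ignored, malformed addresses are skipped."""
    servers = []
    for line in resolv_conf.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"nameserver\s+(\S+)", line)
        if m:
            try:
                servers.append(str(ipaddress.ip_address(m.group(1))))
            except ValueError:
                continue
    return servers


def check_resolvers(configured, expected=EXPECTED_RESOLVERS):
    """Flag every configured resolver that is not on the approved list."""
    return [Finding("unexpected-resolver", ip) for ip in configured if ip not in expected]


def compare_answers(observed, trusted):
    """Flag names whose observed answers differ from the trusted resolver's.

    An NXDOMAIN (None) that came back as an address is reported as its own
    kind, since that is the signature of NXDOMAIN redirection.
    """
    findings = []
    for name, good in trusted.items():
        seen = observed.get(name)
        if good is None and seen:
            findings.append(Finding("nxdomain-rewritten", f"{name} -> {sorted(seen)}"))
        elif good is not None and seen != good:
            findings.append(Finding(
                "answer-mismatch",
                f"{name}: expected {sorted(good)}, got {sorted(seen or [])}"))
    return findings


def audit(resolv_conf=SAMPLE_RESOLV_CONF, observed=OBSERVED_ANSWERS, trusted=TRUSTED_ANSWERS):
    """Run both checks and return the combined list of findings."""
    findings = check_resolvers(parse_nameservers(resolv_conf))
    findings += compare_answers(observed, trusted)
    return findings


if __name__ == "__main__":
    for f in audit():
        print(f"[{f.kind}] {f.detail}")
```

Run against the constructed data it reports one unexpected resolver, one answer mismatch for bank.example and one rewritten NXDOMAIN; mail.example is not flagged because record order does not matter. Comparing sets rather than first answers avoids false positives from round-robin records, and keeping the NXDOMAIN case separate lets you treat an ISP landing page differently from a redirected bank domain.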

On the authoritative DNS side, NOC.org protects domains from being hijacked at the nameserver level with DNSSEC signing and monitoring. CleanBrowsing protects the resolver side — ensuring your users' DNS queries reach the right destination.
