DNS hijacking

DNS hijacking is the unauthorized modification of DNS resolution, redirecting traffic by compromising registrar accounts, rogue servers, or local resolver settings. This guide covers the major hijacking methods, how they differ from cache poisoning, and detection strategies.


What it is

DNS hijacking is the unauthorized modification of how DNS queries are resolved, redirecting traffic intended for a legitimate domain to an attacker-controlled destination. Where cache poisoning corrupts a resolver's temporary cache, DNS hijacking changes persistent configuration at the registrar, within the network, or on the end-user device.

The consequences range from defacement and credential theft to long-term, silent interception of email and internal services. State-sponsored campaigns such as DNSpionage and Sea Turtle showed the scale of the threat. Both used DNS hijacking to intercept sensitive communications across multiple organizations simultaneously.

Types of DNS hijacking

Registrar and account compromise

The most impactful form begins when an attacker gains access to the domain owner's registrar account through credential theft, social engineering, or a vulnerability in the registrar itself. Once inside, the attacker modifies the domain's NS records to point to name servers under their control, giving them authority over every record type: A, MX, TXT, and the rest. Victims see correct-looking URLs while traffic flows through hostile infrastructure.

Rogue DNS server

In corporate or ISP environments, an attacker who compromises an existing DNS server or deploys a rogue one on the network can return forged answers for any query. This technique is common in man-in-the-middle scenarios on compromised local networks, where clients trust the resolver by default.

Local resolver tampering

Malware on an endpoint can rewrite the device's DNS settings, whether through the local resolver configuration, DHCP, or the upstream router, to point at an attacker-operated resolver. The DNSChanger malware family, disrupted in 2011, infected millions of devices this way and redirected users to fraudulent advertising and phishing pages.

BGP hijacking of DNS traffic

By announcing BGP routes for the IP prefixes of a legitimate DNS provider, an attacker can intercept DNS queries at the network level. This is a sophisticated technique that has been observed targeting public DNS resolvers and authoritative infrastructure. A notable example is the 2018 BGP hijack that briefly redirected Amazon Route 53 traffic.

How hijacking differs from spoofing and cache poisoning

Cache poisoning injects forged responses into a resolver's cache. The authoritative records remain correct, and the poisoned entries expire when their TTL runs out. DNS hijacking changes the authoritative records themselves, or the path to them, making the corruption persistent until the legitimate owner regains control. Hijacking is generally harder to execute but far more damaging and longer-lasting.

Detection

  • NS and A record monitoring. Regularly polling authoritative records for owned domains and alerting on unexpected changes is the single highest-value detection measure.
  • DNSSEC validation failures. If the legitimate domain uses DNSSEC and the attacker cannot update the parent DS record, hijacked responses will fail signature validation and produce SERVFAIL errors at validating resolvers. An attacker with full registrar control may be able to update both NS and DS records, so DNSSEC catches some hijack paths but is not a guarantee.
  • Certificate Transparency. New certificates issued for a hijacked domain appear in CT logs, providing an independent signal.
  • Registrar lock features. Registry lock (a manual, out-of-band change process) and registrar lock prevent automated or unauthorized modifications to NS records.

DNS hijacking directly undermines domain integrity by letting attackers serve content and receive email under a domain they do not own. Tracking NS records, registrar WHOIS data, and resolution results across multiple vantage points provides the earliest detection for organizations monitoring their brand's domain footprint. Registrar lock, multi-factor authentication on registrar accounts, and a comprehensive domain protection strategy remain the most cost-effective preventive controls.
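The multi-vantage-point monitoring described above, as an added example that is not code from the original article: it compares the answers several resolvers return for a monitored domain against a known-good baseline, and separates a change seen identically from every vantage point (an authoritative or registrar-level change to confirm with the registrar) from one seen only on some paths (a rogue resolver, local tampering or routing interference on that path). The domain names, addresses and vantage-point labels are constructed sample data, and the live lookups that would feed it are left to the reader's resolver tooling.

```python
# Added example, not code from the original article. Constructed sample data below.

def normalize(answers):
    # Lowercase and drop trailing dots so "NS1.Example.net." == "ns1.example.net".
    return {a.strip().lower().rstrip(".") for a in answers}

def classify_changes(baseline, observed):
    """Return [(record_type, kind, {vantage_point: answers})] for every deviation.

    "authoritative-change": all vantage points agree on an answer that differs
        from the baseline (NS/registrar-level change; confirm it was authorized).
    "vantage-disagreement": only some vantage points deviate, or they deviate
        differently (rogue resolver, local tampering or routing interference).
    """
    alerts = []
    for rtype, expected in baseline.items():
        expected = normalize(expected)
        seen = {vp: normalize(ans.get(rtype, ())) for vp, ans in observed.items()}
        deviating = {vp: s for vp, s in seen.items() if s != expected}
        if not deviating:
            continue
        distinct = {frozenset(s) for s in deviating.values()}
        if len(deviating) == len(observed) and len(distinct) == 1:
            kind = "authoritative-change"
        else:
            kind = "vantage-disagreement"
        alerts.append((rtype, kind, {vp: sorted(s) for vp, s in deviating.items()}))
    return alerts

# Constructed sample data using reserved example names and addresses.
BASELINE = {
    "NS": {"ns1.example-dns.net.", "ns2.example-dns.net."},
    "A": {"192.0.2.10"},
    "MX": {"10 mail.example.com."},
}
GOOD = {"NS": {"NS1.example-dns.net.", "ns2.example-dns.net."},
        "A": {"192.0.2.10"}, "MX": {"10 mail.example.com."}}
# Scenario 1: only the office resolver returns a different A record.
LOCAL_TAMPERING = {"resolver-eu": GOOD, "resolver-us": GOOD,
                   "office-lan": {**GOOD, "A": {"198.51.100.7"}}}
# Scenario 2: every vantage point now sees unexpected name servers.
ROGUE_NS = {**GOOD, "NS": {"ns1.unexpected.example.", "ns2.unexpected.example."}}
REGISTRAR_CHANGE = {"resolver-eu": ROGUE_NS, "resolver-us": ROGUE_NS, "office-lan": ROGUE_NS}

if __name__ == "__main__":
    for label, obs in (("local", LOCAL_TAMPERING), ("registrar", REGISTRAR_CHANGE)):
        print(label, classify_changes(BASELINE, obs))
```

An "authoritative-change" alert still needs a human check against the registrar's change log, since a planned provider migration produces the same signal as a registrar compromise.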
