What is DNS Hijacking

Most people don’t realize that the Internet isn’t as safe as we would like it to be. It’s easy to forget that using the Internet without adequate protection leaves us vulnerable to all sorts of cybersecurity threats. As the Internet becomes an integral part of our lives, unscrupulous individuals and organizations are always coming up with cunning and underhanded methods to steal sensitive information from unwary individuals. One such method that is prevalent among hackers today is a technique called DNS hijacking.

What is DNS Hijacking?


DNS hijacking is the technical term for a class of cybersecurity attacks that most people don’t know about. Nevertheless, the threat it poses in today’s interconnected digital age is serious and very real. To truly understand the danger of DNS hijacking, one must first learn about DNS (Domain Name System) and its purpose.

DNS is a system for storing and maintaining all the domain names (website addresses) that are on the Internet. You can think of it as a directory book for websites like Amazon.com and Wikipedia.org. The purpose of such a system is to convert those domain names into a language that computer servers can understand (IP addresses) and return the correct website to users who are searching for it. Any time we want to go to a particular website, the DNS matches our query with the IP address it has on record for that site and directs us there.

As you may have already realized, DNS hijacking is a cybersecurity attack aimed at compromising the functions of a DNS through malicious means. Once done, the compromised DNS can then be used to reroute visitors to a different site designed to steal sensitive information such as banking account numbers, passwords, and social security numbers. In many cases, the fake site is a mirror image of the real one with limited functions. As a result, victims of DNS hijacking often don’t realize that they were targeted until the problems start to pile up (unauthorized banking charges, identity theft, and the like).

What makes DNS vulnerable?

While DNS is a powerful system that makes it easy for users to find a particular website on the Internet (as long as you know the domain name), it inherently lacks security. This is because DNS was initially designed with usability in mind. Security was merely an afterthought, addressed only after people started to exploit many of its core functions for ill-gotten gains. DNS hijacking is but one of a myriad of DNS attacks that pose a significant cybersecurity concern for internet users around the world.

Other well-known types of DNS-based cybersecurity attacks include the following:

  • DNS flooding / DDoS (Distributed Denial of Service) Attack — overloading a DNS server with thousands (if not millions) of server requests such that it is unable to respond to queries from real users.
  • DRDoS (Distributed Reflection Denial of Service) Attack — a magnified form of DDoS attack.
  • DNS Tunnelling — a type of cybersecurity attack that targets and overwrites DNS protocols to gain control of a remote server and its applications.
  • Random Subdomain Attack — similar to a DDoS attack with the exception that it targets invalid sub-domains. The idea is to drench the targeted DNS server with these attacks until it results in a denial of service.
  • NXDOMAIN attack — flooding a DNS server with requests for non-existing domain names. This wastes precious server requests and interferes with server queries from legitimate users.
  • Phantom Domain Attack — a DNS attack that forces the DNS resolver to query phantom domains that don’t respond to the data request. This leaves the DNS server with thousands of unresolved connections, thereby degrading its performance.

How does DNS hijacking work?


While DNS hijacking might seem like an overly complicated matter, the gist of how it works is relatively simple to understand. The attacker “hijacks” the DNS server and disrupts its ability to route users to the correct destination. A fake DNS server is then used to redirect users to a fake website that is usually a copy of the legitimate site that the user wants to visit. Any information the user sends while on the phony site is then forwarded to the attacker.

The state of the compromised server is unknown to both the user and the owner of the legitimate site. As a result, the user is fooled into providing sensitive information without ever noticing that they are being redirected to a fake website. Perhaps the scariest thing about DNS hijacking is that users have no idea that their data has been compromised until the problem becomes apparent. In most cases, most of the damage has already been done, and it’s far too late for users to do anything about it.

How Does Your DNS Get Hijacked?

Of course, the specific circumstances in which a DNS server can get hijacked are a bit more complicated, and the hijack can occur at various stages of a DNS query. Consider the following scenarios which make it possible:

Malware injection

In most cases, DNS hacking is caused by a malware infection that alters the DNS configuration on the user’s computer or network device. As a result, the user’s device communicates directly with a fake DNS server instead of the real one and is then rerouted to a set of pre-programmed malicious IP addresses.

One such malware is a malicious script known as “DNSChanger” which caused much grief over the Internet before it was shut down in 2012. The malware infected millions of computers around the world and corrupted their DNS. The latter was then used to redirect users to advertisements without their consent, netting millions of dollars in profit.

Of course, DNS hijacking does have the potential to do more damage by covertly routing users to a proxy server and mining all of their information. That said, the typical MO is to use the malware to lure unsuspecting users to a fake login form to steal their usernames and passwords.
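Because this kind of malware works by changing which DNS servers a device uses, the configured resolvers are the first thing to audit. The following is an added example, not code from the original article: it parses resolv.conf-style text and reports every nameserver outside an expected set. The sample file, the `EXPECTED_RESOLVERS` policy and the function names are constructed assumptions.

```python
import ipaddress

# Constructed sample of a resolv.conf after a DNSChanger-style modification.
# 203.0.113.53 is a documentation address (RFC 5737) standing in for a rogue resolver.
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager
search corp.example
nameserver 192.168.1.1
nameserver 203.0.113.53   # not set by the administrator
nameserver fe80::1%eth0
options timeout:2
"""

# Assumed policy: the networks this host's resolvers are expected to live in.
EXPECTED_RESOLVERS = ["192.168.1.0/24", "fe80::/10"]


def parse_nameservers(text):
    """Return the nameserver addresses listed in resolv.conf-style text."""
    servers = []
    for line in text.splitlines():
        # Strip comments introduced by '#' or ';' before splitting into fields.
        line = line.split("#", 1)[0].split(";", 1)[0].strip()
        fields = line.split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            # Drop an IPv6 zone id such as %eth0 before parsing the address.
            servers.append(ipaddress.ip_address(fields[1].split("%", 1)[0]))
    return servers


def unexpected_resolvers(text, expected=EXPECTED_RESOLVERS):
    """Return configured resolvers that fall outside every expected network."""
    networks = [ipaddress.ip_network(n) for n in expected]
    return [
        str(addr)
        for addr in parse_nameservers(text)
        if not any(addr.version == net.version and addr in net for net in networks)
    ]


if __name__ == "__main__":
    for addr in unexpected_resolvers(SAMPLE_RESOLV_CONF):
        print("resolver not in expected set:", addr)
```

The same comparison applies to the DNS servers a router hands out over DHCP, since the article notes that network devices are altered as well.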

Compromised DNS server

A more cunning approach to DNS hijacking is for hackers to attack a legitimate DNS server directly. The compromised DNS server is then used to redirect users to a fake IP address. While such cases are rare due to the high technical skill required to hack even the most basic of DNS servers, it also yields the most reward for the hacker as it has the potential to affect millions of users within a short period.

Internet Service Provider interference

While it does not cause any real harm to users, ISPs (Internet Service Providers) themselves can be guilty of doing their share of DNS hijacking by manipulating the NXDOMAIN response. NXDOMAIN is the result you get if you query a domain name that does not exist (“This site can’t be reached” or something along that line). In this case, the ISP replaces this default error message with an ad or a form for gathering data.
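NXDOMAIN manipulation can be checked from the client side by looking up names that should not exist and seeing whether an answer comes back anyway. The following is an added example, not code from the original article; `system_resolve` and `probe_nxdomain_rewriting` are hypothetical names, and it assumes that a 32-character random label under `.com` is unregistered.

```python
import secrets
import socket


def system_resolve(name):
    """Resolve via the OS resolver; return a set of addresses, empty on failure."""
    try:
        infos = socket.getaddrinfo(name, None)
    except socket.gaierror:
        return set()  # NXDOMAIN, or any other lookup failure, ends up here
    return {info[4][0] for info in infos}


def probe_nxdomain_rewriting(resolve=system_resolve, trials=3, suffix="com"):
    """Look up random names that should not exist and report any answers.

    `resolve` is any callable mapping a name to a set of address strings,
    which lets the logic be exercised without network access.
    """
    answers = {}
    for _ in range(trials):
        # Trailing dot makes the name fully qualified, so local search
        # domains are not appended to it.
        name = f"{secrets.token_hex(16)}.{suffix}."
        addrs = resolve(name)
        if addrs:
            answers[name] = set(addrs)
    landing = sorted(set.union(*answers.values())) if answers else []
    return {
        "answered": len(answers),
        "trials": trials,
        # Every nonexistent name resolving is the signature of rewriting.
        "rewritten": trials > 0 and len(answers) == trials,
        "landing_addresses": landing,
    }


if __name__ == "__main__":
    # Live check against whatever resolver this machine is configured to use.
    print(probe_nxdomain_rewriting())
```

An empty result only means no rewriting was observed on this network path; a lookup that fails because the network is down is indistinguishable from a genuine NXDOMAIN here.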

DNS Hijacking Cases


WikiLeaks

On the 30th of August 2017, WikiLeaks was targeted by one of the most notable cases of DNS hijacking seen on the Internet. A hacker organization that goes by the name “OurMine” claimed responsibility for the attack after WikiLeaks allegedly dared everyone to try and hack them.

From the perspective of users who were affected by the attack, it would seem that OurMine succeeded, although their claims were ultimately proven false. As you may have surmised, there was nothing wrong with the WikiLeaks server that day. Instead, the hacker group went after a DNS server, which redirected users searching for “wikileaks.org” to a fake website they had set up to appear as though WikiLeaks’ servers were under their control.

Brazilian Bank

On the 22nd of October 2016, millions of account holders lost access to their banking accounts after hackers launched a DNS hijacking attack on Registro.br — a top-level domain registrar which also happens to manage the DNS for a major Brazilian bank. Hackers used the compromised Registro DNS server to funnel visitors to a copy of the bank’s homepage designed to collect login information.

To this day, the specific name of the Brazilian bank that many believe was the primary target of the DNS hijacking remains unknown. The same goes for the number of people affected by the attack and the losses they’ve incurred as a result. It is believed that Kaspersky, the cybersecurity firm that first reported the attack, was prohibited by the Brazilian banks from providing further details on the matter.

New York Times

A hacker group that goes by the name of “Syrian Electronic Army” hijacked the DNS server of Melbourne IT Domain Registrar in 2013. It so happens that the latter also manages the domain of the New York Times. During that time, millions of people visiting “nytimes.com” were redirected to a page touting the hacker group’s logo.

How to Prevent or Stop a DNS Hijacking

DNS hijacking test

Now that you have an idea of how DNS hijacking works and just how dangerous it could be, you might be wondering — what can you do to protect yourself? Well, the first step is to test for DNS hijacking to see if you are in any immediate danger. The only way to do that is to conduct what is known as a DNS hijacking test.

Don't worry: a DNS hijacking test is not as complicated as it sounds, and anybody can do it because there are many online tools for the job. The simplest method is to go to a website called “WHOISMYDNS.com.” It simplifies the process of determining whether your DNS is being hijacked by performing the following three tests:

  1. DNS Access-Request — as soon as you log onto the site, a DNS access request is sent to your DNS server. This enables the website to identify the DNS server serving your queries, which is a crucial first step in locating the source in the event of a DNS hijacking attack.
  2. Reverse DNS Lookup — searches the DNS server for unique logs of your DNS server requests. This allows you to check whether your traffic is coming from somewhere else other than your own, which is bound to be the case in the event of a DNS hijacking.
  3. DNS Verification — The results are compared to a list of suspicious DNS servers to check whether the user is in any danger of DNS hijacking. The tool also provides the registered name of the IP address owner with ARIN (American Registry for Internet Numbers).

How to stop a DNS hijacking

So let’s say that the test described above came back with some alarming results. What can you do about it? What measures should you take to mitigate the risk of falling victim to DNS hijacking? These are good questions and well worth considering, if only as a preventive measure against the common cybersecurity threats that we all face today.

If you are concerned about DNS hijacking, then you will be glad to know that there are plenty of things that you can do to mitigate it. For one thing, making sure that you are using good antivirus and antimalware software is the most straightforward DNS hijacking fix that you can implement right away. Make it a habit to always update your internet devices as soon as security patches are released. This is because malware accounts for the vast majority of DNS hijacking cases.

Other measures that you can readily implement to thwart DNS hijacking include the following:

  • Refrain from opening any suspicious links from people that you don’t know. Be vigilant and check sources carefully before running them on your device.
  • Start using a good VPN (Virtual Private Network) service. Such a service encrypts your internet traffic and DNS configuration, thereby making it that much harder for unscrupulous third parties to steal sensitive information. Public networks are often plagued by weak passwords and router configurations, which make them prime targets for DNS hijacking.
  • Don’t use default passwords on any of your network devices. Hackers may have already cracked the default credentials on devices like routers and wifi repeaters. This makes manipulating your DNS settings child’s play for them.
  • Watch out for any suspicious behavior on the websites that you frequent, especially the ones you trust with your personal and financial information. Fake websites used for DNS hijacking are almost never a perfect copy of the original. Be wary of strange landing pages, typos, and pop-ups asking for your sensitive information. If in doubt, perform a DNS hijacking test as described earlier in this article.

Here's a List of TOP 5 VPN Services to Prevent DNS Hijacking:

  1. TorGuard
  2. NordVPN
  3. IPVanish
  4. Surfshark
  5. Private Internet Access


So there you have it — an overview of the threat of DNS hijacking and what people can do to protect themselves from it. As you may have already realized, DNS hijacking is a grave cybersecurity threat with real-world implications when it comes to privacy and security. In today’s increasingly interconnected digital age, it is crucial for people to stay vigilant and acknowledge the risks that DNS hijacking presents to the average user. Only then can you expect to steer clear of these cybersecurity threats and enjoy what the Internet has to offer with any degree of confidence and safety.

Mark Coulman