What is DNS hijacking?

A DNS is essential for any business that relies on its online presence to generate sales.

24-04-2022 - 6 minute read. Posted in: cybercrime.

What is DNS hijacking?

A DNS is essential for any business that relies on its online presence to generate sales. DNS hijacking is a growing threat and it is therefore important for businesses to be aware of this type of cyber attack.

What is a DNS server?

DNS is an acronym for Domain Name System, which is the system that enables communication between a computer and the Internet.

A DNS or Domain Name System converts URLs, such as "www.virksomhed.dk", into machine-readable IP addresses. Every device connected to the Internet has an IP address, which is made up of numbers. An IP address is used by a computer to identify itself and communicate with other devices. The basic function of DNS is to synchronise domain names with their corresponding IP addresses, so that users can match their requests with the appropriate websites.

The way it works is that you submit a query by typing, for example, "www.virksomhed.dk" into a search engine. The request is sent from the computer to the relevant DNS server, which is a server that searches for IP addresses associated with the specific search query. DNS servers are programmed to communicate with domain servers, find a match and send it back to the device that sent the query.

DNS servers allow both website owners and users to choose appropriate and meaningful domain names, while devices on the other hand can use machine-friendly IP addresses.

How DNS hijacking works

DNS hijacking, or DNS redirection, means that when users try to access a particular website, they are redirected to a fake website. DNS hijacking collects and redirects all traffic from the compromised websites to the fake websites and thus to the cyber criminals. This traffic may include, for example, emails containing personal information, credit card details and VPN details.

A hijacked DNS server translates domain names of the real compromised websites into IP addresses of websites with unwanted content or fake websites created by cyber criminals.

To perform DNS hijacking, cybercriminals hack either routers or DNS communications. They may also install malware on the digital devices of website users.

What is the purpose of DNS hijacking?

A DNS server can be hacked for a variety of reasons. A DNS attack can be used to carry out phishing, which is a cyber attack that tricks users into accessing a fake version of a website with the aim of stealing data or login credentials.

An Internet Service Provider (ISP) may also use a form of DNS hijacking to hijack a user's DNS requests, collect user data and display advertisements when users access a domain. This is called "pharming". Some governments use DNS hijacking to censor and redirect users to government-authorised websites.

Types of DNS hijacking

There are four basic types of DNS redirection:

  • Local DNS hijacking: IT criminals install Trojan malware on a user's computer and change the local DNS settings to redirect the user to fake websites.
  • Router DNS hijacking: Many routers have default passwords or firmware vulnerabilities that can be exploited. Cyber criminals can take over a router and overwrite DNS settings, affecting all users connected to the router.
  • "Man-in-the-middle" DNS hijacking: IT criminals intercept communications between a user and a DNS server in real time and insert different destination IP addresses leading to fake websites.
  • "Rogue DNS Server": Cybercriminals can hack a DNS server and change DNS settings to redirect DNS requests to fake websites.

Redirection vs. Domain Name System spoofing

DNS spoofing is an attack where traffic is redirected from a legitimate website, such as "www.google.com", to a fake website, such as "www.google.hi.com". DNS spoofing can be achieved through DNS redirection. For example, hackers can compromise a DNS server and in this way "spoof" legitimate websites and redirect users to fake websites.

Cache poisoning is another way of performing DNS spoofing without the hackers having to rely on a physical takeover of DNS server settings. DNS servers, routers and computers "cache", i.e. store, DNS records.

Hackers can "poison" the DNS cache by inserting a forged DNS query containing an alternative IP destination for the same domain name. The DNS server translates the domain to the spoofed site until the cache or storage is updated.

To prevent DNS hijacking

There are several security measures that can improve your website's DNS security and prevent DNS hijacking.

Most security measures should be taken by the IT managers of a company.

Install firewallsabout your DNS servers

IT criminals can install fake servers in DNSs to compromise them and intercept traffic from the legitimate servers. To prevent this, you can install a firewall that blocks all unauthorised DNS servers.

Prevent cache poisoning

There are several measures to prevent cache poisoning. They include user identity randomisation, server source port randomisation and the use of both upper and lower case letters in a company's domain name.

Avoid zone transfers

DNS zone files are vulnerable files that contain data that is often a target for hackers. Hackers can impersonate a master DNS server requesting a zone transfer, which is a process that involves copying zone files. To prevent hackers from obtaining zone files, it is a good idea to avoid zone transfers.


DNSSEC is a security feature that authenticates DNS data. If your local DNS server supports DNSSEC, domains are protected from being redirected to a phishing website whose purpose is to steal confidential information such as passwords and payment card details.

Although this method does not protect against all kinds of attacks on the domain, it blocks man-in-the-middle attacks by adding an extra layer of security to the server.

Registration lock

A registration lock is an authentication system that locks and protects a domain name's information. The system reduces the risk of domain hijacking, whether technical or administrative.

The system protects the domain holder against unwanted and unauthorised changes to the domain name. When used, the system does not allow any changes to the domain name, such as its transfer or deletion.

When the domain name needs to be unlocked again, this is done manually through a process that requires multi-factor authentication.

DNS over HTTPS (DoH)

DoH increases DNS security by minimising the risk of users' online activity being spied on. By encrypting the content sent between the server and a user's computer, DoH makes it difficult for hackers to carry out man-in-the-middle attacks, tracking users' online activity and redirecting it to a website containing malware or phishing software.

DoH protects DNS communications by implementing an HTTPS protocol, which sends encrypted queries, as opposed to unencrypted and transparent information sent by a DNS.

DNS over TLS (DoT)

DoT is also a method that encrypts the communication between a computer and a server. DoT uses algorithms that transform plain text into encrypted text that is impossible for a third party to read.

Prevention as an end-user

End users can protect themselves from DNS hijacking by changing passwords for their routers, installing antivirus software on all devices and using a VPN service. If ISPs hijack an end-user's DNS, free alternative DNS services are available, such as Google Public DNS, Google DNS over HTTPS and Cisco OpenDNS.

Author Sofie Meyer

Sofie Meyer

Sofie Meyer is a copywriter and phishing aficionado here at Moxso. She has a master´s degree in Danish and a great interest in cybercrime, which resulted in a master thesis project on phishing.

View all posts by Sofie Meyer

Similar posts