What Is DNS Hijacking

How To Prevent It
Redirection Attacks And Fixes

Learn about DNS Hijacking or DNS Redirecting Vulnerabilities

Updated: March 18, 2022
By: RSH Web Editorial Staff

Contact Us

DNS Hijacking

Domain Name Server Hijacking

DNS based attack is not something the average World Wide Web user would know about. But this can be a serious online threat.

To understand what DNS hijacking or redirecting is, you first need to learn what DNS is and how it is used with the Internet.

How DNS Works

DNS or Domain Name System functions as an interpreter between humans, (who communicate with words) And computers (which communicate with digits).

For example, when you type in a Domain Name such as rshweb.com"
Your Computer looks up the IP numbers such as "" to actually find it and route you to the website
It does this by sending a query to a DNS Server That stores a complete database of IP addresses and their associated host names or domain names.

What Makes DNS Vulnerable?

DNS was created in 1985. The Internet was beginning to grow and everyone trusted everyone. As the World Wide Web grew, DNS grew with it.

Unfortunately, Hackers knowledge also grew and became more sophisticated. Compromised or malicious DNS Servers opened the system up for exploitation.

How Does DNS Hijacking Happen

DNS is highly decentralized. No single DNS Server contains all the IP addresses and Domain Names for the whole Internet. Your request will travel across a multitude of DNS Servers before you see your results.

DNS hijacking is the practice of redirecting DNS queries. You send out a query, but a third party steers the query the wrong way. As a result, a false IP address is used and the wrong website is shown in your Browser.

Sometimes a different website that looks exactly like the web page you wanted is shown
This is known as phishing scams. Hackers create fake copies of a website to extract critical information.

But In most cases, DNS Redirecting is more annoying than harmless. When you type the Domain of a website that does not exist, you would normally see a 404 Error Message.


How Does DNS Get Hijacked?

A DNS hack can happen at any place in the long chain of DNS queries
Here are a few examples.


Your computer or device can be infected with malware that rewrites the DNS information. As a result, your device queries a rogue DNS server that serves you fake IP addresses.

One famous malware was called "DNSChanger", which created havoc on the Internet until it was stopped in 2012. It infected thousands of computers and changed the DNS configurations files
This pointed them to Servers operated by hackers. These Servers replaced advertising on websites with ads sold by the Hackers, making almost $14 million in profit. In total, more than four million computers were infected. People had no idea they were seeing ads placed by hackers who had corrupted their systems.

A more malicious malware could create a Website Backdoor. Or redirect you through a hacked controlled web proxies and get access to all your traffic (and any sensitive data you send). You could also be directed to a fake website that extracts your passwords through fake login procedures. Such as a PayPal look alike website. The worst part of this type of attack is that you would have no idea until the damage is done.

Compromised DNS Server

In a DNS Server hack, a query is redirected to a wrong destination by a DNS Server under a hacker’s control. This attack is even more cunning because once your query leaves your device, you would have no control over the direction where you wind up at. Hacking a DNS Server in this way is much more difficult - But not impossible.

Internet Service Providers

Some ISP's use DNS hijacking on their own customers to display ads or collect statistics. They do this by hijacking the NXDOMAIN response. NXDOMAIN is the response you get if you type in a Domain Name that does not exist. An example could be if you typed in “http://drshsrwebfadsfdgfaaf.com” into your browser, you would get the NXDOMAIN response: “Server Not Found” or a similar error message. When an Internet Service Provider hijacks the NXDOMAIN response, they replace the error message with a fake website set up by the ISP to show you ads or collect your data. Just a cheap way to get some advertising money.


DNS Hijacking Cases

Listing a few of the most famous DNS hijacking cases.

The Google Attack, 2017

On October 16, 2020, Google’s Threat Analysis Group (TAG) posted a blog update discussing how the threats and threat actors are changing their tactics due to the 2020 U.S. election. The company added in a note:
In 2017, our Security Reliability Engineering team measured a record-breaking UDP amplification attack sourced out of several Chinese ISPs (ASNs 4134, 4837, 58453, and 9394), which remains the largest bandwidth attack of which we are aware.

The AWS DDoS Attack in 2020

Amazon Web Services was hit by a DDoS attack in February 2020. This was the most extreme recent DDoS attack, and it targeted an unidentified AWS customer using a technique called Connectionless Lightweight Directory Access Protocol (CLDAP) Reflection. This technique relies on vulnerable third-party CLDAP servers and amplifies the amount of data sent to the victim’s IP address by 56 to 70 times. The attack lasted three days.

DNSpionage Targeted Middle East

In late 2018 a huge DNS hijacking campaign dubbed DNSpionage was uncovered and reported by Cisco Talos. The attackers were stealing credentials from government and private sector employees in the Middle East and North Africa by hijacking their DNS servers
Krebs on Security did extensive research on the case, going so far as to share how SecurityTrails Passive DNS API was used to pinpoint changes to DNS records of domains that were tied to the campaign. This is also a very good read if looking for more research information.

Mirai Krebs and OVH DDoS Attacks

In 2016 the blog of cybersecurity expert Brian Krebs was assaulted by a DDoS attack in excess of 620 Gbps, which at the time, was the largest attack ever seen. Krebs’ site had been attacked before. Krebs had recorded 269 DDoS attacks since July 2012, but this attack was almost three times bigger than anything his site or that the Internet had seen before. The source of the attack was the Mirai botnet, which, at its peak, consisted of more than 600,000 compromised devices such as IP cameras, home routers, and video players.


Anyone who tried to visit Wikileaks.org on August 30, 2017, saw an ominous message claiming that the website, famous for storing and publishing classified and secret information, had been hacked. A hacker group called OurMine took credit. “Wikileaks, remember when you challenged us to hack you?” they taunted them right on their Website. From a visitor’s standpoint, it appeared that Wikileaks was under total hacker control
That was not the case
Wikileaks was up and running, and its servers were secure. If you knew the IP address, you could reach and browse the website without any hassle. In reality, the hackers had hijacked one of the DNS servers that directed visitors to wikileaks.org and sent users fake DNS information.


Six Different Banks DDoS Attack

In 2012, six U.S. banks were targeted by a wave of DDoS attacks. Bank of America, JPMorgan Chase, U.S. Bank, Citigroup, Wells Fargo, and PNC Bank. The attacks were carried out by hundreds of hijacked servers from a botnet called Brobot with each attack generating over 60 gigabits of DDoS attack traffic per second. Being unique in their persistence, and rather than trying to execute one attack at a time. The perpetrators barraged their targets with a multitude of different attack methods in order to find one that worked. So even if the bank was equipped to deal with a few types of DDoS attacks, they were helpless against other types of attack.

Brazilian Banks

For about five hours on October 22, 2016. Hackers had control over the Domain of a major Brazilian bank with hundreds of branches, over 5 million customers, and $27 billion in assets. The attackers launched the attack by compromising the DNS server of Registro.br. Which is the registrar for the top-level domain .br, and manages the DNS for the Brazilian bank. (its name was not disclosed by the researchers who discovered the hack). The hackers redirected users to their own Servers that looked exactly like the bank’s homepage. But were, in fact, fakes meant to extract user login credentials. Users, directed to the fake sites, handed their usernames and passwords to the hackers and were infected with malware.

New York Times

In 2013, the Syrian Electronic Army hacker group compromised the website of the Melbourne IT Domain Registrar and changed the records of Melbourne IT customers. One such customer was The New York Times, whose website was replaced with the logo of the Syrian Electronic Army. The Syrian Electronic Army used the same vulnerability to disrupt Twitter in the UK and HuffingtonPost.

How to prevent DNS hijacking

The most common way in which DNS Hijacking is through "Malware Attacks", How to protect yourself are very similar to those used to guard against any other form of attack. Do all the basic things that (we hope) you are already doing to protect yourself online.

Always updated Security Software, and make sure that security patches and updates are installed on all your devices as soon as they are available.

NEVER click on suspicious links. In emails, Social Media or any other place.

Be wary of Websites that you are not familiar with or that just look untrustworthy.

Protecting your Router is also very important. Make sure that you change the default admin username and password for the router. Every Hacker knows the default ones.


Scan your routers and check your DNS settings with the following scanners.

F-Secure • free and instant DNS hijacking test.

Komando • Free check to see if your router has been hacked by criminals.

Router Security • Test Your Router.

Bitdefender • Free & super-fast Wi-Fi scanner.

DNS Leaks • DNS test for leaks.

Use reliable antivirus software and update whenever the patches come out.

Use a VPN, which encrypts your traffic and DNS settings and prevents hackers from intercepting and snooping your sensitive information. A VPN is especially useful if you frequently use public Wi-Fi, which is often unsafe due to poor router configuration and weak passwords.

Be wary, especially if a Website you are familiar with acts differently. Different pop-ups, welcome screens, different landing pages.

Alertness is key since there is no real foolproof protection against the types of hijacking attacks like the ones listed above. In those cases, authoritative DNS Servers, which hold actual records, were corrupted.

We welcome your comments, questions, corrections and additional information relating to this article. Please be aware that off-topic comments will be deleted.
If you need specific help with your account, feel free to contact us anytime
Thank you

Tweet  Share  Pin  Email

More Articles Of Interest

Offering the best hosting services for your website, SSL certs, SSD, Softaculous, enhanced security, free domain name (for life) and more