Types of DNS Hijacking

The Best Ways to Avoid It

Learn about DNS Hijacking or DNS Redirecting

Updated: March 21, 2021
By: RSH Web Editorial Staff
DNS Hijacking

DNS based attack is not something the average World Wide Web user would know about. But this can be a serious online threat. To learn about DNS hijacking or redirecting you first need to understand what DNS is and how it is used with the Internet

How DNS Works

DNS or "Domain Name System" functions as an interpreter between humans, (who communicate with words) And computers (which communicate with digits)

For example when you type in a Domain Name such as "rshweb.com"
Your Computer looks up the IP numbers such as "" to actually find it and route you to the website
It does this by sending a query to a DNS Server That stores a complete database of IP addresses and their associated host names or domain names

What Makes DNS Vulnerable?

DNS was created in 1985. The Internet was beginning to grow and everyone trusted everyone. As the World Wide Web grew, DNS grew with it

Unfortunately Hackers knowledge also grew and became more sophisticated. Compromised or malicious DNS Servers opened the system up for exploitation

How Does DNS Hijacking Happen

DNS is highly decentralized. No single DNS Server contains all the IP addresses and Domain Names for the whole Internet. Your request will travel across a multitude of DNS Servers before you see your results

DNS hijacking is the practice of redirecting DNS queries. You send out a query but a third party steers the query the wrong way. As a result, a false IP address is used and the wrong website is shown in your Browser

Sometimes a different website that looks exactly like the web page you wanted is shown
This is known as phishing scams. Hackers create fake copies of a website to extract critical information

But In most cases, DNS Redirecting is more annoying than harmless. When you type the Domain of a website that does not exist you would normally see a 404 Error Message

web resources

How Does DNS Get Hijacked?

A DNS hack can happen at any place in the long chain of DNS queries
Here are a few examples


Your computer or device can be infected with malware that rewrites the DNS information. As a result, your device queries a rogue DNS server that serves you fake IP addresses

One famous malware was called "DNSChanger", which created havoc on the Internet until it was stopped in 2012. It infected thousands of computers and changed the DNS configurations files
This pointed them to Servers operated by hackers. These Servers replaced advertising on websites with ads sold by the Hackers making almost $14 million in profit. In total more than four million computers were infected. People had no idea they were seeing ads placed by hackers who had corrupted their systems

A more malicious malware could create a Website Backdoor. Or redirect you through a hacked controlled web proxies and get access to all your traffic (and any sensitive data you send). You could also be directed to a fake website that extracts your passwords through fake login procedures. Such as a PayPal look alike website. The worst part of this type of attack is that you would have no idea until the damage is done

Compromised DNS Server

In a DNS Server hack a query is redirected to a wrong destination by a DNS Server under a hacker’s control. This attack is even more cunning because once your query leaves your device, you would have no control over the direction where you wind up at. Hacking a DNS Server in this way is much more difficult - But not impossible

Internet Service Providers

Some ISP's use DNS hijacking on their own customers to display ads or collect statistics. They do this by hijacking the NXDOMAIN response. NXDOMAIN is the response you get if you type in a Domain Name that does not exist. Example could be if you typed in “http://drshsrwebfadsfdgfaaf.com” into your browser, you would get the NXDOMAIN response: “Server Not Found” or a similar error message. When an Internet Service Provider hijacks the NXDOMAIN response, they replace the error message with a fake website set up by the ISP to show you ads or collect your data. Just a cheap way to get some advertising money

Internet resources

DNS Hijacking Cases

Listing a few of the most famous DNS hijacking cases

The Google Attack, 2017

On October 16, 2020, Google’s Threat Analysis Group (TAG) posted a blog update discussing how the threats and threat actors are changing their tactics due to the 2020 U.S. election. The company added in a note:
In 2017, our Security Reliability Engineering team measured a record breaking UDP amplification attack sourced out of several Chinese ISPs (ASNs 4134, 4837, 58453, and 9394), which remains the largest bandwidth attack of which we are aware

The AWS DDoS Attack in 2020

Amazon Web Services was hit by a DDoS attack in February 2020. This was the most extreme recent DDoS attack and it targeted an unidentified AWS customer using a technique called Connectionless Lightweight Directory Access Protocol (CLDAP) Reflection. This technique relies on vulnerable third-party CLDAP servers and amplifies the amount of data sent to the victim’s IP address by 56 to 70 times. The attack lasted three days

DNSpionage Targeted Middle East

In late 2018 a huge DNS hijacking campaign dubbed DNSpionage was uncovered and reported by Cisco Talos. The attackers were stealing credentials from government and private sector employees in the Middle East and North Africa by hijacking their DNS servers
Krebs on Security did extensive research on the case, going so far as to share how SecurityTrails Passive DNS API was used to pinpoint changes to DNS records of domains that were tied to the campaign. This is also a very good read if looking for more research information

Mirai Krebs and OVH DDoS Attacks

In 2016 the blog of cybersecurity expert Brian Krebs was assaulted by a DDoS attack in excess of 620 Gbps, which at the time, was the largest attack ever seen. Krebs’ site had been attacked before. Krebs had recorded 269 DDoS attacks since July 2012, but this attack was almost three times bigger than anything his site or that the internet had seen before. The source of the attack was the Mirai botnet, which, at its peak consisted of more than 600,000 compromised devices such as IP cameras, home routers, and video players


Anyone who tried to visit Wikileaks.org on August 30, 2017 saw an ominous message claiming that the website, famous for storing and publishing classified and secret information, had been hacked. A hacker group called OurMine took credit. “Wikileaks, remember when you challenged us to hack you?” they taunted them right on their Website. From a visitor’s standpoint, it appeared that Wikileaks was under total hacker control
That was not the case
Wikileaks was up and running and its servers were secure. If you knew the IP address, you could reach and browse the website without any hassle. In reality, the hackers had hijacked one of the DNS servers that directed visitors to wikileaks.org and sent users fake DNS information

resources for websites

Six Different Banks DDoS Attack

In 2012, six U.S. banks were targeted by a wave of DDoS attacks. Bank of America, JPMorgan Chase, U.S. Bank, Citigroup, Wells Fargo, and PNC Bank. The attacks were carried out by hundreds of hijacked servers from a botnet called Brobot with each attack generating over 60 gigabits of DDoS attack traffic per second. Being unique in their persistence. and rather than trying to execute one attack at a time, the perpetrators barraged their targets with a multitude of different attack methods in order to find one that worked. So even if the bank was equipped to deal with a few types of DDoS attacks, they were helpless against other types of attack

Brazilian Banks

For about five hours on October 22, 2016, Hackers had control over the Domain of a major Brazilian bank with hundreds of branches, over 5 million customers, and $27 billion in assets. The attackers launched the attack by compromising the DNS server of Registro.br, which is the registrar for the top-level domain .br and manages the DNS for the Brazilian bank (its name was not disclosed by the researchers who discovered the hack). The hackers redirected users to their own Servers that looked exactly like the bank’s homepage, but were, in fact, fakes meant to extract user login credentials. Users, directed to the fake sites, handed their user-names and passwords to the hackers and were infected with malware

New York Times

In 2013, the Syrian Electronic Army hacker group compromised the website of the Melbourne IT Domain Registrar and changed the records of Melbourne IT customers. One such customer was The New York Times, whose website was replaced with the logo of the Syrian Electronic Army. The Syrian Electronic Army used the same vulnerability to disrupt Twitter in the UK and HuffingtonPost

How to prevent DNS hijacking

The most common way in which DNS Hijacking is through "Malware Attacks", How to protect yourself are very similar to those used to guard against any other form of attack. Do all the basic things that (we hope) you are already doing to protect yourself online

Always updated Security Software, and make sure that security patches and updates are installed on all your devices as soon as they are available

NEVER click on suspicious links. In emails, Social Media or any other place

Be wary of Websites that you are not familiar with or that just look untrustworthy

Protecting your Router is also very important. Make sure that your change the default admin username and password for the router. Every Hacker knows the default ones!

Use reliable antivirus software and update whenever the patches come out

Use a VPN, which encrypts your traffic and DNS settings and prevents hackers from intercepting and snooping your sensitive information. A VPN is especially useful if you frequently use public Wi-Fi, which is often unsafe due to poor router configuration and weak passwords

Be wary especially if a Website you are familiar with acts differently - Different pop-ups, welcome screens, different landing pages...

Alertness is key since there is no real foolproof protection against the types of hijacking attacks like the ones listed above. In those cases, authoritative DNS Servers, which hold actual records were corrupted

We welcome your comments, questions, corrections and additional information relating to this article. Please be aware that off-topic comments will be deleted.
Or if you need specific help with your account, feel free to contact us anytime
Thank you

Tweet  Share  Pin  Tumble  Email

More Articles Of Interest