What is DNS hijacking?


Domain Name System hijacking (DNS hijacking) is a tactic used to redirect you to websites other than the ones you intend to visit, usually to steal your personal data, display unwanted ads, or impose internet censorship. It's also called DNS poisoning or DNS spoofing.

What is DNS?

The Domain Name System (DNS) translates domain names into IP addresses so that your browser can find and load the correct pages. For example, when you type a URL like expressvpn.com into the address bar of your browser, your DNS servers translate it into the IP address that belongs to expressvpn.com. A domain name is like your home address: it's what you give to people to tell them where you live, whereas the IP address is the GPS coordinates.

By default, you use the DNS servers provided by your internet service provider (ISP). However, VPN providers also run their own DNS servers to protect your internet traffic. When you’re connected to ExpressVPN, you’ll use its secure DNS servers, keeping your internet traffic protected.


How DNS hijacking works

When a computer reaches out to a DNS server to find a website, it doesn’t check whether it’s connecting to the correct server. This enables attackers to imitate the DNS server and deliver incorrect responses.

It is also possible for a DNS server itself to poison its records. This means replacing the IP address of the site you want to visit with that of another site, or simply removing the IP address altogether. This is similar to altering a phone book, removing certain names or companies or swapping a listing’s address to that of another company.

DNS hijacking makes it possible for a sophisticated attacker to impersonate websites, gathering personal information such as passwords and IP addresses.

Why is DNS hijacked?

As DNS is one of the most important components of the internet, it is consequently a target of various forms of attack, for reasons such as the following:

Display ads to generate revenue

Attackers can hijack your DNS to display unwanted ads to generate revenue, in a technique known as pharming. In a less fraudulent sense, your internet service provider can also manipulate your DNS requests to show ads to you.

Steal your personal information

DNS hijackers will redirect you to fake websites that look like legitimate ones, aiming to steal your login credentials and other personal data. This is a common technique known as phishing.

Government or organizational censorship

Governments can use DNS hijacking to suppress political opposition or prohibit certain online content. Users won't be able to access the censored website and will be redirected to a different one instead. Schools and organizations can also manipulate DNS requests to prevent inappropriate content from being shown to their users.

Common types of DNS hijacking attacks

Local DNS hijack

Attackers start by installing malware on your computer. The malware then changes your DNS settings and redirects you to malicious websites, usually to steal your personal data.

Router DNS hijack

An attacker can change your router's DNS settings by exploiting software vulnerabilities. They can also break into your router's configuration page using the default username and password. This allows them to redirect you to malicious websites to obtain your personal information or harm your device. That's why it's important to keep your router's firmware updated so that known vulnerabilities are patched. (ExpressVPN for routers updates automatically to save you the hassle!)

Man-in-the-middle DNS attacks

A MITM attacker intercepts the communication between you and another party, which is usually a website or application you’re trying to access. Instead of seeing the real website, you’ll be presented with a malicious one. This is also called DNS spoofing.

Rogue DNS server attacks

This happens when an attacker compromises a DNS server and changes its DNS records. Your DNS queries then return the addresses of malicious sites.

How to detect DNS hijacking

There are usually some telltale signs that your DNS has been hijacked. For starters, websites may load more slowly than usual, or you may see random pop-ups, often claiming your computer is infected. Of course, these signs alone aren't conclusive, but thankfully there are tools you can use to verify whether your DNS has been hijacked.

Use the ping command

You can detect DNS hijacking by running a ping command, which looks up a hostname and then tests whether the host at that address responds. If you ping a non-existent domain name and it resolves to an address, there's a good chance your DNS is hijacked. If it doesn't resolve, this means your DNS is safe.

On Mac

  1. Open Terminal.
  2. Enter the following command: ping [a made-up domain name that does not exist].

If it says “cannot resolve,” your DNS is safe.

On Windows

  1. Open the Command Prompt.
  2. Enter the following command: ping [a made-up domain name that does not exist].

If it says “cannot resolve,” your DNS is safe.

On Linux

  1. Open Terminal.
  2. Enter the following command: ping [a made-up domain name that does not exist].

If it says “cannot resolve,” your DNS is safe.
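The same check, done programmatically so the address a hijacking resolver hands back is recorded rather than just seen on screen. This is an added example and not code from the article or from ExpressVPN: it generates a random hostname under a constructed suffix (assumption: nobody has registered such a name), asks the operating system resolver for it, exactly as ping does, and reports "clean" when the lookup fails and "suspicious" when an address comes back. The resolver is a parameter so the logic can be exercised offline.

```python
import secrets
import socket
import string

# Constructed suffix for the throwaway name (assumption: nobody registers such a name).
CHECK_SUFFIX = "-dnshijackcheck.com"


def random_bogus_name() -> str:
    """Build a hostname that should not exist, e.g. 'k3f9...-dnshijackcheck.com'."""
    alphabet = string.ascii_lowercase + string.digits
    label = "".join(secrets.choice(alphabet) for _ in range(16))
    return label + CHECK_SUFFIX


def system_resolver(name: str) -> list[str]:
    """Resolve a name with the operating system resolver (the same path ping uses).
    Returns the list of addresses, or [] when the name does not resolve."""
    try:
        infos = socket.getaddrinfo(name, None)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def classify_lookup(name: str, resolve=system_resolver) -> tuple[str, list[str]]:
    """Return ('clean', []) when the bogus name fails to resolve, or
    ('suspicious', [addresses]) when a resolver hands back an address for it.
    A resolver that answers for names that do not exist is rewriting NXDOMAIN
    responses, which is the behaviour the ping test above is looking for."""
    addrs = resolve(name)
    if not addrs:
        return "clean", []
    return "suspicious", addrs


if __name__ == "__main__":
    name = random_bogus_name()
    verdict, addrs = classify_lookup(name)
    suffix = f" (resolved to {', '.join(addrs)})" if addrs else ""
    print(f"{name}: {verdict}{suffix}")
```

Run it a few times with different random names; a single "suspicious" result could be a typo-squatted wildcard, but consistent answers for names that cannot exist point at the resolver itself.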

Use a router checker

There are a number of online router checkers that can verify whether your router has been affected by DNS hijacking. These services work by identifying which DNS resolver your connection is actually using and checking whether it is a known, authorized DNS server. A good example of such a service is F-Secure, which provides a free, web-based router checker.

Use WhoIsMyDNS.com

WhoIsMyDNS shows you the DNS servers you’re using and the company that owns them. Unless you’re connected to a VPN, you’ll be using the IP addresses of the DNS servers provided by your internet service provider. If you don’t recognize the company name, there’s probably something wrong with your DNS.
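An offline counterpart to the WhoIsMyDNS check that also covers the local hijack described earlier: it reads the resolver list a machine is configured with and its static hosts mappings and flags anything unexpected. This is an added example, not code from the article or from ExpressVPN. The resolv.conf and hosts contents below are constructed samples, the trusted-resolver list is an assumption you would replace with your own router's address and the public resolvers you chose (8.8.8.8 and 8.8.4.4 are Google Public DNS), and examplebank.com is a placeholder domain.

```python
import ipaddress

# Constructed sample files (not taken from any real machine).
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager
search home.lan
nameserver 192.168.1.1
nameserver 203.0.113.9   ; unexpected extra resolver
"""

SAMPLE_HOSTS = """\
127.0.0.1   localhost
::1         localhost
203.0.113.50  www.examplebank.com examplebank.com   # suspicious override
"""

# Assumption: the resolvers you expect to see are your own router plus the
# public services you deliberately configured.
TRUSTED_RESOLVERS = ["192.168.1.1/32", "8.8.8.8/32", "8.8.4.4/32"]
WATCHED_DOMAINS = ["examplebank.com"]  # placeholder for sites you care about


def parse_resolv_conf(text: str) -> list[str]:
    """Return the nameserver addresses listed in resolv.conf-style text."""
    servers = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def parse_hosts(text: str) -> dict[str, str]:
    """Return {hostname: address} for every static mapping in hosts-file text."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2:
            for host in parts[1:]:
                mapping[host.lower()] = parts[0]
    return mapping


def audit_resolvers(servers: list[str], trusted: list[str]) -> list[str]:
    """Return resolver addresses that fall outside every trusted network."""
    nets = [ipaddress.ip_network(n) for n in trusted]
    unexpected = []
    for server in servers:
        try:
            addr = ipaddress.ip_address(server)
        except ValueError:
            unexpected.append(server)  # not even an IP address: flag it
            continue
        if not any(addr in net for net in nets):
            unexpected.append(server)
    return unexpected


def audit_hosts(mapping: dict[str, str], watched: list[str]) -> list[tuple[str, str]]:
    """Return (hostname, address) pairs where a watched domain is statically
    overridden; a local hijack often plants exactly such entries."""
    hits = []
    for host, addr in mapping.items():
        if any(host == d or host.endswith("." + d) for d in watched):
            hits.append((host, addr))
    return sorted(hits)


if __name__ == "__main__":
    resolvers = parse_resolv_conf(SAMPLE_RESOLV_CONF)
    print("unexpected resolvers:", audit_resolvers(resolvers, TRUSTED_RESOLVERS))
    print("hosts overrides:", audit_hosts(parse_hosts(SAMPLE_HOSTS), WATCHED_DOMAINS))
```

On a real machine you would feed the functions the contents of /etc/resolv.conf and /etc/hosts (or the Windows equivalents); the parsing is the same, only the source of the text changes.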

Ways to prevent DNS hijacking

Thankfully, there are ways to prevent DNS hijacking.

For general internet users

Here are a few things you can do to prevent DNS hijacking:

  • Change your router’s default username and password. This prevents attackers from trying to access your router’s settings with the default login credentials commonly used for routers.
  • Install antivirus software. Antivirus software can detect and eliminate malware that performs DNS hijacking. Some antivirus software performs constant scans, detecting attacks at the moment they occur.
  • Use a VPN. ExpressVPN runs its own encrypted, secure DNS servers, so when you’re connected to ExpressVPN, you automatically use these servers. No one else can get hold of your information or hijack your connection. This also ensures you can’t be censored by a government or your internet service provider.
  • If your ISP’s DNS servers aren’t safe, use an alternative DNS service like Google Public DNS.

If you do all of the above, you will have a multi-layered defense against DNS hijacking.

For name servers and resolvers

  • Shut down unneeded DNS resolvers, and place the legitimate ones behind a firewall.
  • Restrict access to name servers using network security measures such as firewall rules.
  • Take precautions against cache poisoning. For example, use a random source port and a random query ID for every query, and randomize the upper- and lower-case letters in the queried domain name, so that a forged response has to match all three before it is accepted.
  • Patch known vulnerabilities. Hackers actively exploit vulnerabilities in DNS servers.
  • Separate the authoritative name server from the DNS resolver, so that a DDoS attack on one won't affect the other.
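A small model of the cache-poisoning precautions in the list above, showing why they work together: a resolver that randomizes the transaction ID, the source port and the letter case of the name it asks about only accepts a reply that matches all three, so a forged answer must guess every one of them. This is an added example, not code from the article or from any DNS server; the query and response are plain dictionaries standing in for the real packet fields.

```python
import secrets

EPHEMERAL_PORTS = range(1024, 65536)


def randomize_case(name: str) -> str:
    """Flip each letter of the query name to upper or lower case at random
    ("0x20 encoding"); digits, hyphens and dots are left alone. DNS name
    matching is case-insensitive, so an honest server echoes the name back
    exactly as it was sent, while a forger has to guess the pattern."""
    return "".join(
        (ch.upper() if secrets.randbits(1) else ch.lower()) if ch.isalpha() else ch
        for ch in name
    )


def new_query(name: str) -> dict:
    """Build the parts of a query a forger would have to guess: a 16-bit
    transaction ID, an unpredictable source port and a case-randomized name."""
    return {
        "id": secrets.randbits(16),
        "port": secrets.choice(EPHEMERAL_PORTS),
        "qname": randomize_case(name),
    }


def accept_response(query: dict, response: dict) -> bool:
    """A resolver should only accept an answer whose transaction ID, destination
    port and question name (compared case-sensitively) all match the query it
    sent; anything else is dropped instead of being cached."""
    return (
        response["id"] == query["id"]
        and response["port"] == query["port"]
        and response["qname"] == query["qname"]
    )


if __name__ == "__main__":
    query = new_query("www.example.com")
    genuine = dict(query)                          # what the real server echoes back
    guessed = dict(query, qname="www.example.com")  # right ID and port, wrong case
    print("sent:", query["qname"])
    print("genuine accepted:", accept_response(query, genuine))
    print("case-mismatched reply accepted:", accept_response(query, guessed))
```

With a 16-bit ID, roughly 64,000 possible ports and one case bit per letter, the combined space a blind forger must hit is far larger than the ID alone, which is the whole point of stacking these measures.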

For website owners

If you use a Domain Name Registrar, a business that registers a domain name on your behalf, take the following steps to avoid DNS redirection:

Limit DNS access

Limit DNS access to only a few members of the IT team, and make sure they use two-factor authentication whenever they log in to the domain registrar.

Enable client lock

Some DNS registrars support client lock, which prevents changes to your DNS records without approval. If your DNS registrar supports it, you should enable this option.

Use a DNS registrar that supports DNSSEC

DNSSEC stands for Domain Name System Security Extensions. It adds digital signatures to DNS records so that resolvers can verify that the answers they receive are genuine, which makes it much more difficult for hackers to tamper with responses to your DNS requests. If your DNS registrar supports DNSSEC, make sure to enable this option.

Real-world examples of DNS hijacking

There are many real-life examples of DNS hijacking. We’ve collated a few significant ones below:

The Sea Turtle campaign

In early 2017, a mysterious group called Sea Turtle targeted 40 organizations spread across 13 countries, primarily in the Middle East and North Africa. They compromised third parties that handled the victims' DNS queries, redirecting them to fake websites to steal their login credentials.

The Twitter, New York Times & Huffington Post DNS hijack

In 2013, a group of hackers called Syrian Electronic Army hijacked the DNS servers of Twitter, the New York Times, and the Huffington Post among other media outlets.

The ICANN DNS hijack attack

The Internet Corporation for Assigned Names and Numbers (ICANN) was hijacked by a Turkish hacker group, NetDevilz, in 2018. Visitors to its site were redirected to a page that read: "You think that you control the domains but you don't! Everybody knows wrong."

A DNS attack against WikiLeaks

In 2017, a Saudi Arabian-based hacker group known as OurMine compromised the DNS servers of WikiLeaks, directing its users to a fake website.

FAQ: About DNS hijacking

  • Is DNS hijacking common?
  • Does a VPN prevent DNS hijacking?
  • What can someone do with your DNS?
  • What's the difference between DNS poisoning and DNS hijacking?
  • How do I change my DNS servers?
  • What's the problem with DNS spoofing to censor the Internet?