ExpressVPN Glossary
DNS hijacking
What is DNS hijacking?
DNS hijacking is a type of cyberattack in which an attacker redirects queries made to the Domain Name System (DNS) to malicious destinations. Instead of reaching the intended website or service, users are sent to different pages, which may be fraudulent or malicious.
See also: DNS, DNS server, DNSSEC, DNS query, DNS attack, DNS resolution
How does DNS hijacking work?
In a normal lookup, when a user types a web address, their device sends a DNS query to resolve that address into an IP address. In a DNS hijacking attack, this process is intercepted or manipulated at one of several points: on the user's device, at the router level, or at the DNS server itself.
The query then returns a fraudulent IP address instead of the correct one, and the user's browser connects to the attacker's server, which may look identical to the legitimate site. Because DNS responses are cached by devices and servers to speed up future lookups, a hijacked response can persist and continue redirecting users even after the attacker's access has been removed.
Types of DNS hijacking
There are several distinct techniques attackers use to hijack DNS, each targeting a different layer of the resolution process.
- Local hijacking: Malware installed on a user's device alters its DNS settings, redirecting all queries through an attacker-controlled server.
- Router hijacking: Attackers exploit vulnerabilities in a router's firmware or use default credentials to change its DNS settings, affecting all devices on the network.
- Rogue DNS server hijacking: Attackers compromise a legitimate DNS server directly, causing it to return malicious responses to all users who query it.
- Man-in-the-middle DNS hijacking: Attackers intercept DNS queries in transit and return fraudulent responses.
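The first two techniques above (local and router hijacking) leave a trace in the victim's own resolver configuration, and all four produce answers that disagree with what a trusted resolver returns. The following script, added here as an illustration and not part of the original glossary entry, shows the three defender-side checks that follow from that: flag configured nameservers outside an expected address range, flag hosts-file entries that override watched domains, and compare answers from the configured resolver against answers from a trusted one. The file contents and IP addresses are constructed samples (documentation ranges only).

```python
"""Defender-side checks for local/router DNS hijacking (illustrative, constructed data)."""
import ipaddress
from typing import Dict, Iterable, List, Tuple

# Constructed sample resolv.conf: one expected corporate resolver, one unexpected entry.
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager
search corp.example
nameserver 10.0.0.53
nameserver 198.51.100.9
options timeout:2
"""

# Constructed sample hosts file with a static override for a watched domain.
SAMPLE_HOSTS = """\
127.0.0.1      localhost
::1            localhost
198.51.100.66  bank.example www.bank.example
"""


def _strip_comment(line: str) -> List[str]:
    """Drop '#' comments and split the remainder into whitespace-separated fields."""
    return line.split("#", 1)[0].split()


def parse_nameservers(resolv_conf: str) -> List[str]:
    """Return the nameserver addresses listed in resolv.conf-style text, in order."""
    servers = []
    for line in resolv_conf.splitlines():
        parts = _strip_comment(line)
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def unexpected_nameservers(resolv_conf: str, allowed_networks: Iterable[str]) -> List[str]:
    """Nameservers not inside any allowed network (e.g. the corporate resolver range)."""
    nets = [ipaddress.ip_network(n) for n in allowed_networks]
    flagged = []
    for server in parse_nameservers(resolv_conf):
        try:
            addr = ipaddress.ip_address(server)
        except ValueError:
            flagged.append(server)  # unparsable entry is itself suspicious
            continue
        if not any(addr in net for net in nets):
            flagged.append(server)
    return flagged


def hosts_overrides(hosts_text: str, watched_domains: Iterable[str]) -> Dict[str, str]:
    """Static hosts entries that resolve a watched domain or any of its subdomains."""
    watched = [w.lower() for w in watched_domains]
    overrides: Dict[str, str] = {}
    for line in hosts_text.splitlines():
        parts = _strip_comment(line)
        if len(parts) < 2:
            continue
        ip, *names = parts
        for name in names:
            lname = name.lower()
            if any(lname == w or lname.endswith("." + w) for w in watched):
                overrides[lname] = ip
    return overrides


def answer_mismatches(local: Dict[str, str], trusted: Dict[str, str]) -> Dict[str, Tuple[str, str]]:
    """Names whose answer from the configured resolver differs from a trusted resolver's answer.

    Both inputs are name -> IP maps; in practice they would come from two real lookups.
    """
    return {
        name: (local[name], trusted[name])
        for name in local
        if name in trusted and local[name] != trusted[name]
    }


if __name__ == "__main__":
    print("unexpected nameservers:", unexpected_nameservers(SAMPLE_RESOLV_CONF, ["10.0.0.0/8"]))
    print("hosts overrides:", hosts_overrides(SAMPLE_HOSTS, ["bank.example"]))
    local_answers = {"bank.example": "198.51.100.66", "mail.example": "203.0.113.5"}
    trusted_answers = {"bank.example": "203.0.113.10", "mail.example": "203.0.113.5"}
    print("mismatches:", answer_mismatches(local_answers, trusted_answers))
```

On a real host the two maps passed to `answer_mismatches` would be filled from a lookup through the system resolver and a lookup through an independent, authenticated channel; a mismatch on its own is not proof of hijacking (CDNs legitimately return different addresses by location), so it is a signal to investigate rather than an alert to act on blindly.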
Risks and privacy concerns
DNS hijacking poses significant risks to both individuals and organizations. The most immediate threat for users is credential theft, as they may unknowingly submit login details, payment information, or other sensitive data on the fraudulent site.
DNS hijacking may also be used to distribute malware. Fraudulent sites can prompt users to download malicious software or silently redirect them to pages that exploit browser vulnerabilities. Phishing campaigns frequently rely on hijacked DNS to make spoofed sites appear legitimate.
Beyond that, DNS hijacking can enable surveillance. By controlling DNS resolution, an attacker may gain visibility into sites a user attempts to visit, even when the connection is encrypted. For organizations, a compromised DNS can redirect customers away from legitimate services, damage brand trust, and expose internal infrastructure.
DNS hijacking also undermines trust in standard security indicators. Fraudulent sites can obtain valid certificates for spoofed domains, meaning the padlock icon in a browser doesn’t guarantee the user has reached the intended destination.
DNS hijacking vs. DNS spoofing
Both DNS hijacking and DNS spoofing redirect traffic, but they employ different techniques and offer varying levels of control. Hijacking takes over DNS settings or infrastructure, while spoofing focuses on forging responses in transit or poisoning caches.
| Feature | DNS hijacking | DNS spoofing |
|---|---|---|
| What happens | Attacker alters DNS settings or compromises infrastructure to redirect queries | Attacker injects forged responses into DNS communication or poisons resolver caches |
| How long it lasts | Persists until settings are corrected | Temporary; it expires when the cache clears or the attack stops |
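The persistence point made in "How does DNS hijacking work?" (a cached bad answer outlives the attacker's access) and the duration row of the table above both come down to how a resolver's cache behaves. The toy caching resolver below, added here as an illustration and not part of the original glossary entry, walks through both cases with constructed data: a hijacking scenario in which the resolver's upstream is switched to an attacker-controlled server and later restored, and a spoofing scenario in which a single forged reply is accepted into the cache and simply ages out. The zone contents and addresses are made up (documentation ranges only); time is a plain number so the TTL behaviour is explicit.

```python
"""Toy stub resolver with a TTL cache, showing why hijacked answers linger (constructed data)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# name -> (ip, ttl_seconds). Constructed: the legitimate zone and an attacker's copy of it.
LEGIT_ZONE = {"bank.example": ("203.0.113.10", 300)}
HIJACKED_ZONE = {"bank.example": ("198.51.100.66", 300)}

Upstream = Callable[[str], Optional[Tuple[str, int]]]


def make_upstream(zone: Dict[str, Tuple[str, int]]) -> Upstream:
    """Stand-in for a real upstream DNS server answering from a fixed zone."""
    return lambda name: zone.get(name)


@dataclass
class CachingResolver:
    upstream: Upstream
    # name -> (ip, absolute expiry time)
    cache: Dict[str, Tuple[str, float]] = field(default_factory=dict)

    def resolve(self, name: str, now: float) -> Optional[str]:
        """Serve from cache while the TTL holds, otherwise ask upstream and cache the answer."""
        hit = self.cache.get(name)
        if hit is not None and hit[1] > now:
            return hit[0]
        answer = self.upstream(name)
        if answer is None:
            return None
        ip, ttl = answer
        self.cache[name] = (ip, now + ttl)
        return ip

    def accept_forged(self, name: str, ip: str, ttl: int, now: float) -> None:
        """Model a spoofed reply being accepted into the cache (cache poisoning)."""
        self.cache[name] = (ip, now + ttl)

    def flush(self) -> None:
        """Remediation step: discard every cached answer."""
        self.cache.clear()


def hijack_scenario() -> List[Optional[str]]:
    """Upstream settings are changed to the attacker's server, then corrected."""
    r = CachingResolver(make_upstream(LEGIT_ZONE))
    before = r.resolve("bank.example", now=0)          # legitimate, cached for 300s
    r.upstream = make_upstream(HIJACKED_ZONE)           # settings altered by the attacker
    still_cached = r.resolve("bank.example", now=10)   # old good answer still served
    after_ttl = r.resolve("bank.example", now=400)     # cache expired: attacker's answer
    r.upstream = make_upstream(LEGIT_ZONE)              # settings corrected
    lingering = r.resolve("bank.example", now=410)     # hijacked answer persists in cache
    r.flush()                                           # without a flush it lasts until 700
    after_flush = r.resolve("bank.example", now=411)
    return [before, still_cached, after_ttl, lingering, after_flush]


def spoof_scenario() -> List[Optional[str]]:
    """One forged reply is accepted; settings are untouched, so it ages out on its own."""
    r = CachingResolver(make_upstream(LEGIT_ZONE))
    r.accept_forged("bank.example", "198.51.100.66", ttl=60, now=0)
    poisoned = r.resolve("bank.example", now=30)   # forged answer served while TTL holds
    expired = r.resolve("bank.example", now=61)    # TTL passed: legitimate upstream again
    return [poisoned, expired]


if __name__ == "__main__":
    print("hijacking:", hijack_scenario())
    print("spoofing: ", spoof_scenario())
```

The hijacking run shows that correcting the resolver settings alone leaves the poisoned entry in place until its TTL expires, which is why clearing resolver and device caches belongs in the remediation checklist; the spoofing run shows the opposite property from the table, a forged answer that disappears on its own once the cache entry ages out.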
Further reading
- DNS hijacking: A detailed guide
- DNS security: How to protect your network from DNS threats
- What is pharming? Understanding cybersecurity threats
- DHCP vs. DNS: Understanding key differences and functions