What it is
DNS hijacking, also called DNS redirection, occurs when attackers alter the records or resolution path that maps domain names to IP addresses. They may compromise authoritative DNS servers, poison caches on recursive resolvers, tamper with routers, or install malware on endpoints to override local DNS settings. Some adversaries register lookalike domains and use BGP hijacking to intercept traffic meant for legitimate providers. Once DNS responses are manipulated, users unknowingly connect to phishing sites, malware download servers, or man-in-the-middle (MITM) proxies even though the browser displays the expected URL. Because DNS is foundational to every internet transaction, hijacking can disrupt email, Voice over IP, VPN access, and SaaS connectivity. Attackers frequently chain DNS hijacking with credential harvesting or SSL stripping to escalate the impact.
Why it matters
Business disruption can be immediate and widespread, affecting customers, partners, and internal teams. DNS tampering erodes trust, facilitates credential theft, and can expose organizations to legal obligations if fraudulent transactions occur under their brand.
How to reduce risk
- Use DNS hosting providers that support role-based access control, audit logging, DNSSEC signing, and multi-factor authentication.
- Monitor authoritative and registrar accounts for unauthorized changes using change detection services.
- Enforce endpoint protections that block unauthorized modifications to local DNS settings and browser proxies.
- Implement DNSSEC validation and encrypted DNS (DoH or DoT) where feasible to defend against cache poisoning.
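The change-detection idea in the second point, as an added example that is not from the original page or any vendor's tooling: a baseline-drift check over DNS record snapshots, where the observed snapshot would normally come from resolver queries or the DNS host's API but is constructed inline here (example.com, the dns-host.example name servers, and the addresses are all made up) so it runs offline.

```python
"""Baseline-drift check over DNS record snapshots (constructed example).
Records are (owner name, type, value) triples. A real deployment would fetch
the observed snapshot from resolver queries or the DNS host's API; both
snapshots here are constructed inline so the check runs offline."""
from collections import namedtuple

# NS and DS changes reroute or unsign the whole zone, so rank them highest.
SEVERITY = {"NS": "critical", "DS": "critical", "A": "high",
            "AAAA": "high", "MX": "high", "TXT": "medium"}

# kind is "added" (value not in baseline) or "removed" (baseline value gone).
Finding = namedtuple("Finding", "name rtype kind value severity")

def normalize(snapshot):
    """Group values by (name, type); lower-case and strip trailing dots."""
    out = {}
    for name, rtype, value in snapshot:
        key = (name.lower().rstrip("."), rtype.upper())
        out.setdefault(key, set()).add(value.lower().rstrip("."))
    return out

def detect_drift(baseline, observed):
    """Return every value present in one snapshot but not the other."""
    base, seen = normalize(baseline), normalize(observed)
    findings = []
    for key in sorted(set(base) | set(seen)):
        name, rtype = key
        sev = SEVERITY.get(rtype, "low")
        for v in sorted(seen.get(key, set()) - base.get(key, set())):
            findings.append(Finding(name, rtype, "added", v, sev))
        for v in sorted(base.get(key, set()) - seen.get(key, set())):
            findings.append(Finding(name, rtype, "removed", v, sev))
    return findings

def worst_severity(findings):
    """Highest severity among findings, or None when nothing drifted."""
    order = ["low", "medium", "high", "critical"]
    return max((f.severity for f in findings), key=order.index, default=None)

# Constructed snapshots: the apex A record changed since the baseline was taken.
BASELINE = [("example.com", "NS", "ns1.dns-host.example."),
            ("example.com", "NS", "ns2.dns-host.example."),
            ("example.com", "A", "192.0.2.10"),
            ("example.com", "MX", "10 mail.example.com.")]
OBSERVED = [("example.com", "NS", "ns1.dns-host.example."),
            ("example.com", "NS", "ns2.dns-host.example."),
            ("example.com", "A", "198.51.100.77"),
            ("example.com", "MX", "10 mail.example.com.")]
```

Calling `detect_drift(BASELINE, OBSERVED)` reports the apex A record as one added and one removed value at high severity; a swapped NS set would come back as critical, which is the signal to escalate before the registrar or hosting account change propagates further.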