What is DNS Hijacking? DNS Hijacking Explained

DNS hijacking, also known as DNS redirection, has been used to successfully attack websites as big as The New York Times and the Egyptian Ministry of Defense.


DNS hijacking redirects web traffic from the intended destination to a new, malicious source. Often, the victim will not even be aware they were redirected since their URL will appear the same in their browser. 

While DNS hijacking remains a threat, there are many practices and services that can protect the DNS your employees and users rely on. This article explores DNS hijacking in more detail, explains how it works, and shows how to prevent it so businesses can avoid falling victim to the attack.


What is DNS Hijacking?

DNS (Domain Name System) is the protocol that translates the domain name in the URL you type into the IP address a computer uses to reach the site. Whenever you visit a URL, your machine sends a query to a DNS resolver, which looks up the IP address and directs you to the site. Think of DNS as the Internet’s address book.

DNS hijacking works by causing the DNS query to be resolved incorrectly. Instead of being sent to the intended site, the query directs you to a different, and typically malicious, one.

For attackers, there are numerous motivations for launching a DNS hijacking attack, such as:

    • Disrupting a site, causing financial loss and reputational damage
    • Posing as a trustworthy site to collect user information (phishing)
    • Espionage


How DNS hijacking works

There are several different ways DNS hijacking can work. Some of the most common methods include: 

    • “Man-in-the-middle” attacks, in which attackers positioned between the requester and the server intercept a DNS request and answer it with a different IP address, redirecting the requester to a compromised server
    • Infecting a user’s machine with malware and using it to change settings and redirect DNS requests to the attacker’s server. Since the URL in the user’s browser remains the same, it’s difficult for users to notice these attacks.
    • Attacking a router and changing the DNS settings. This severe attack affects all users connected to that router and is often easily accomplished by taking advantage of weak passwords and other common vulnerabilities.
    • Attacking the DNS server directly and changing the records, redirecting any DNS requests to a new site



DNS Hijacking Explained: How to prevent DNS hijacking

A DNS resolver is the server that receives DNS queries from clients and returns the answers. A rogue resolver can be used in DNS hijacking, answering queries with the address of a phony website. For this reason, it’s crucial to keep your legitimate resolvers behind a firewall that blocks access from anyone outside the organization.

Resolvers should always be carefully monitored, and you should shut down any unneeded ones promptly.
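Two of the symptoms described above (a host whose resolver settings have been changed by malware or a tampered router, and a rogue resolver returning different answers than a trusted one) can be checked from the defender's side. The following is an added example, not code from the original article or from AT&T; the approved resolver networks, the resolv.conf contents and the answer sets are all constructed sample data.

```python
"""Detect two DNS hijacking symptoms: unapproved resolvers configured on a
host, and resolver answers that disagree with an independent trusted resolver.
All addresses and answers below are constructed sample data."""
import ipaddress

# Hypothetical policy: only resolvers inside these networks are approved.
APPROVED_RESOLVERS = [ipaddress.ip_network(n)
                      for n in ("10.0.0.0/24", "192.0.2.53/32")]

# Constructed /etc/resolv.conf: one approved resolver, one unknown one.
SAMPLE_RESOLV_CONF = """\
# generated by dhcp client
search corp.example
nameserver 10.0.0.53
nameserver 198.51.100.9
"""

def configured_resolvers(resolv_conf: str) -> list:
    """Return the nameserver addresses listed in resolv.conf text."""
    servers = []
    for line in resolv_conf.splitlines():
        parts = line.split("#", 1)[0].split()   # drop comments
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                servers.append(ipaddress.ip_address(parts[1]))
            except ValueError:
                pass  # malformed entry; nothing to check
    return servers

def unapproved_resolvers(resolv_conf: str, approved=APPROVED_RESOLVERS) -> list:
    """Resolvers that fall outside every approved network (possible tampering)."""
    return [str(ip) for ip in configured_resolvers(resolv_conf)
            if not any(ip in net for net in approved)]

# Constructed A-record answers: what the local resolver returned versus an
# independent trusted resolver. bank.example has been redirected.
LOCAL_ANSWERS = {"bank.example": {"203.0.113.7"},
                 "intranet.example": {"10.0.1.20"}}
TRUSTED_ANSWERS = {"bank.example": {"198.51.100.20", "198.51.100.21"},
                   "intranet.example": {"10.0.1.20"}}

def answer_mismatch(local: dict, trusted: dict) -> dict:
    """Domains whose local answers share no address with the trusted answers.
    CDN-backed names legitimately return varying addresses, so only a
    complete disagreement is reported, not any difference."""
    report = {}
    for domain, trusted_ips in trusted.items():
        local_ips = local.get(domain, set())
        if local_ips and not (local_ips & trusted_ips):
            report[domain] = {"local": sorted(local_ips),
                              "trusted": sorted(trusted_ips)}
    return report
```

In practice the trusted answers would come from a resolver reached over an authenticated channel (such as DNS over HTTPS to a known provider), and any report entry should be treated as a lead to investigate rather than proof of compromise.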


Educate staff on security best practices

Everyone working in your organization should be aware of what to do (and what not to do) to know how to prevent DNS hijacking. Thankfully, most of these best practices are in line with standard cybersecurity measures for good hygiene.

    • Avoid clicking on questionable links or links within emails from outside the organization
    • If unsure of an email, always verify
    • Don’t use public Wi-fi networks to share sensitive information or login credentials
    • Pay attention to any suspicious details in URLs, and check that the site presents a valid TLS (SSL) certificate
    • Use a reliable VPN
    • Embrace a robust password management policy that promotes strong passwords or frequent password changes (or both)

Restrict access to name servers

A name server is a server where your DNS information is stored, and it’s essential to keep these servers as protected as possible. Use physical security, multi-factor authentication, and a strong firewall to prevent malicious actors from gaining access.

In addition, separating the authoritative name server from the resolver ensures that an attack on one server won’t impact the other.


Immediately patch known vulnerabilities

Hackers are always on the lookout for the low-hanging fruit of vulnerable DNS servers. By taking simple steps, you’ll deter and defend against these attacks. 

A good patch management program within your organization is strongly recommended.

