Threat / Critical

DNS Hijacking

Unauthorized redirection of DNS queries — through compromised registrar accounts, rogue resolvers, or BGP attacks — giving attackers control over where your domain points.

Overview

Attacking the Delegation Chain

While cache poisoning attacks the resolver's memory, DNS hijacking attacks the delegation chain itself: the authoritative records, or the infrastructure that resolves them, are modified. Victims receive answers from attacker-controlled nameservers, and unless the zone is DNSSEC-signed and the resolver validates, those answers are indistinguishable from legitimate ones.

Unlike cache poisoning, which expires when the TTL runs out, DNS hijacking persists as long as the attacker maintains control of the registrar account, rogue nameservers, or hijacked BGP routes.

The impact can be devastating. Public CAs validate domain control through DNS, so an attacker who controls the zone can pass an ACME DNS-01 challenge (or HTTP-01, once the A record points at their host) and obtain a valid TLS certificate for the hijacked domain. The phishing site then shows the same padlock as the real one.

TLS Certificates Don't Save You
A common misconception is that HTTPS protects against DNS hijacking. It does not. Domain validation is itself answered by DNS: an attacker who controls your records can satisfy an ACME DNS-01 or HTTP-01 challenge at any public CA and obtain a valid certificate for your domain. Users will see the padlock and still be on a phishing site.

DNSSEC Is Only Part of the Defense
DNSSEC-signed domains are protected from forged or redirected authoritative responses as long as the DS record in the parent zone stays intact: validating resolvers reject any answer not signed by the key the DS commits to. DNSSEC does not protect against registrar account compromise. An attacker who controls the registrar account can replace the DS record along with the NS records and publish a zone signed with their own key, and that zone validates cleanly. Registry Lock prevents even this. Resolvers that do not validate get no protection from DNSSEC at all.
Attack Vectors

Types of DNS Hijacking

Registrar Hijacking

Attacker gains access to your domain registrar account (via phishing, credential stuffing, or social engineering of registrar support staff) and changes the domain's NS records to attacker-controlled nameservers, typically replacing the DS record at the same time if the zone is signed. All DNS for the domain is now attacker-controlled.

Real world: Sea Turtle campaign (reported 2019). State-sponsored attackers compromised registrar and registry accounts to redirect government and telecom domains across the Middle East and North Africa, then used that control to obtain valid certificates and intercept credentials.
DNS Resolver Hijacking

Malware or a compromised router modifies the DNS resolver settings on a device or network, pointing queries to a rogue resolver. The rogue resolver returns attacker-chosen IPs for target domains.

Real world: DNSChanger malware (active 2007 to 2011). It infected roughly four million systems, silently changing their resolver settings to point at attacker-run servers. When the FBI seized those servers in Operation Ghost Click it stood up clean replacement resolvers so victims stayed online; when that court-ordered stopgap was switched off in July 2012, systems still infected lost DNS resolution entirely.
BGP-Based NS Hijacking

Attackers hijack the BGP routes for nameserver IP addresses, diverting DNS queries for entire TLDs or large domains to attacker-controlled nameservers. Every network that accepts the bogus route sends its queries to the attacker regardless of which resolver its users have configured, and the resolvers on those networks cache the attacker's answers for their TTL even after the route is withdrawn.

Real world: MyEtherWallet BGP hijack (April 2018). A more-specific announcement for Amazon Route 53 address space diverted DNS queries for myetherwallet.com to attacker nameservers for roughly two hours. The phishing site presented a self-signed certificate, so users reached it only after clicking through a browser warning, yet enough did to lose funds.
Rogue Authoritative NS

The attacker registers a domain whose delegation carries glue records for nameserver names identical to a victim's legitimate nameservers but pointing at attacker IPs. Resolvers that accept such out-of-bailiwick glue without re-resolving it then send the victim's queries to the attacker.

Real world: lame delegation abuse. NS records are left pointing at nameserver hostnames whose domains have expired; an attacker re-registers the nameserver's domain and becomes authoritative for every zone still delegated to it, including forgotten subdomains.
Defense

Protecting Your Domain From Hijacking

Registry Lock (EPP Status Codes)

The strongest protection. Ordinary registrar lock sets the client-side status clientTransferProhibited, which anyone who controls the registrar account can clear. Registry Lock adds the registry-side statuses serverTransferProhibited, serverUpdateProhibited and serverDeleteProhibited, which the registrar cannot remove through EPP at all; lifting them requires an out-of-band verification process with the registry, typically a phone call following a pre-agreed procedure. It is offered by many registrars as a paid service for high-value domains, and only for TLDs whose registry supports it.

Registrar Two-Factor Authentication

Enable hardware-key (FIDO2/WebAuthn) or TOTP 2FA on the registrar account; SMS-based 2FA is vulnerable to SIM swapping. Use a dedicated mailbox for registrar notices and password resets that is not hosted on the domain being protected: if the attacker hijacks the domain's MX records, the registrar's reset email lands with them. Treat the account-recovery paths (security questions, backup phone numbers) as part of the login and lock them down equally.

DNSSEC with DS Record Monitoring

Sign your zone with DNSSEC and monitor the DS record in the parent zone. If an attacker redirects the NS records or hijacks the nameservers but cannot change the DS in the parent, DNSSEC-validating resolvers reject the unsigned or wrongly signed answers with SERVFAIL, a visible signal to users and monitoring systems rather than silently served attacker content. If the attacker can also replace the DS (registrar compromise), their zone validates normally, which is why the DS must be watched and the registrar account locked; and an attacker who simply deletes the DS turns the zone insecure, which validating resolvers accept without complaint. Alert on both a changed and a missing DS.

DNS Change Monitoring

Continuously monitor NS, A, MX, TXT, DS and CAA records for unexpected changes, and do it from several global vantage points, because a route- or resolver-level hijack may be visible only from some networks. Use your DNS provider's or registrar's change notifications where offered, plus a scheduled script that queries multiple public resolvers and diffs the answers against a stored baseline; alerting within minutes is realistic. Two tools often mentioned in this context solve adjacent problems: DNStwist enumerates look-alike domains (typosquats, homoglyphs) that attackers register rather than watching your own records, and Cloudflare Radar publishes BGP route-leak and hijack detections that can corroborate a route-level explanation for what your monitoring sees.

CAA Records

Certification Authority Authorization records tell CAs which of them may issue certificates for your domain. Add issue records naming your CAs and an issuewild record (";" forbids wildcard issuance entirely) so that any other CA must refuse. Be clear about the limit: an attacker who controls the whole zone can rewrite the CAA records too, so CAA does not stop issuance after a registrar or nameserver takeover. It does help when the attacker controls less than the zone (a single hijacked web host or A record), and with DNSSEC a forged or stripped CAA answer fails validation, which the CA must treat as a lookup failure and refuse. The RFC 8657 parameters narrow it further: validationmethods=dns-01 rejects HTTP-01 issuance through a hijacked web host, and accounturi pins issuance to your own ACME account.

Eliminate Lame Delegations

Audit all NS delegations across your domains, including delegations of subzones to other teams or vendors. Lame delegations (NS records pointing to nameservers that no longer exist, no longer resolve, or do not answer authoritatively for the zone) are a common attack surface: an attacker who re-registers an orphaned nameserver domain inherits authority over every zone still delegated to it.
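One way to run that audit, as an added example that is not code from the original page: query each delegated nameserver directly for the zone's SOA and classify the reply. Only a reply with the aa flag and a SOA counts as healthy; a reply without aa (the host is now a resolver or serves other zones), a REFUSED/NXDOMAIN, or no reply at all (the NS hostname no longer resolves, which is exactly the case an attacker can re-register) all mark the delegation as lame. The dig outputs in SAMPLE_* are constructed stand-ins for live replies; the live probe shells out to dig.

```python
"""Lame-delegation audit. Added example, not code from the original page;
the SAMPLE_* dig outputs are constructed, the live probe uses dig."""
import re
import subprocess


def classify_answer(dig_output):
    """'authoritative'     : aa flag set and a SOA returned (healthy)
       'not-authoritative' : replied without aa (a resolver, or a host that
                             no longer serves this zone): lame
       'refused'/'nxdomain': reachable but does not serve the zone: lame
       'unreachable'       : no reply, or the NS hostname did not resolve:
                             lame, and the name may be free to register"""
    status = re.search(r"status: (\w+)", dig_output)
    if not status:
        return "unreachable"
    if status.group(1) == "REFUSED":
        return "refused"
    if status.group(1) == "NXDOMAIN":
        return "nxdomain"
    flags = re.search(r"flags: ([\w ]*);", dig_output)
    aa = bool(flags) and "aa" in flags.group(1).split()
    has_soa = re.search(r"\sIN\s+SOA\s", dig_output) is not None
    return "authoritative" if aa and has_soa else "not-authoritative"


def probe_ns(zone, ns_host):
    """Live probe (network): ask ns_host directly, recursion disabled."""
    proc = subprocess.run(
        ["dig", f"@{ns_host}", zone, "SOA", "+norecurse", "+time=3", "+tries=1"],
        capture_output=True, text=True, check=False)
    # dig exits non-zero when the NS hostname itself cannot be resolved
    return classify_answer(proc.stdout if proc.returncode == 0 else "")


def audit_delegation(zone, ns_hosts, probe=probe_ns):
    """Return {ns_host: verdict} for every nameserver that is lame for zone."""
    results = {ns: probe(zone, ns) for ns in ns_hosts}
    return {ns: v for ns, v in results.items() if v != "authoritative"}


# Constructed dig outputs standing in for live replies.
SAMPLE_AUTHORITATIVE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
lab.example.com.\t3600\tIN\tSOA\tns1.lab.example.com. hostmaster.example.com. 2024010101 7200 900 1209600 300
"""
SAMPLE_RESOLVER = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
lab.example.com.\t299\tIN\tSOA\tns1.lab.example.com. hostmaster.example.com. 2024010101 7200 900 1209600 300
"""
SAMPLE_REFUSED = """\
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 4244
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""

if __name__ == "__main__":
    # Live run against a zone's delegation (constructed names; needs network).
    print(audit_delegation("lab.example.com",
                           ["ns1.lab.example.com", "ns2.old-dns.example"]))
```

Run it over the NS set the parent actually hands out (dig +trace), not the set your own zone file claims, since the parent's copy is the one resolvers follow.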

Monitoring

Detecting Unauthorized Changes

Baseline and monitor NS records

# Record current NS records as baseline
dig thedns.guru NS +short

# Monitor from multiple resolvers
dig thedns.guru NS @1.1.1.1 +short
dig thedns.guru NS @8.8.8.8 +short
dig thedns.guru NS @9.9.9.9 +short
# Discrepancies indicate possible hijack

# Ask the parent directly, bypassing every resolver cache
dig thedns.guru NS +trace
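The same comparison as a script, covering both the change-monitoring advice above and the dig baseline, as an added example that is not code from the original page. The point it adds over the raw dig output is the verdict: when only some resolvers disagree with the baseline the hijack is at route or resolver level (or propagation is in progress), when every resolver disagrees the parent zone itself has changed, which points at the registrar. The resolver answers in the test are constructed; query_ns shells out to dig and needs network.

```python
"""NS drift detection across several public resolvers. Added example, not
code from the original page; resolver answers in the test are constructed."""
import subprocess

RESOLVERS = ["1.1.1.1", "8.8.8.8", "9.9.9.9"]


def normalize(names):
    """Lower-case, strip trailing dots and blanks, return a set so that
    round-robin rotation of the answer does not register as a change."""
    return {n.strip().lower().rstrip(".") for n in names if n.strip()}


def query_ns(domain, resolver):
    """Fetch the NS RRset as one resolver sees it (network call via dig)."""
    proc = subprocess.run(
        ["dig", "+short", "+time=3", "+tries=1", f"@{resolver}", domain, "NS"],
        capture_output=True, text=True, check=False)
    return normalize(proc.stdout.splitlines())


def detect_drift(baseline, observations):
    """Compare each resolver's NS answer with the recorded baseline.
    Returns (verdict, findings). verdict is 'ok', 'partial' (only some
    resolvers differ: route- or resolver-level hijack, or propagation in
    progress) or 'global' (every answering resolver differs: the parent
    zone itself changed, e.g. through the registrar)."""
    base = normalize(baseline)
    findings = []
    changed = 0
    for resolver, answer in observations.items():
        seen = normalize(answer)
        if not seen:
            findings.append(f"{resolver}: empty answer (outage or blocked query)")
            continue
        added, removed = seen - base, base - seen
        if added or removed:
            changed += 1
            findings.append(
                f"{resolver}: added={sorted(added)} removed={sorted(removed)}")
    answered = sum(1 for a in observations.values() if normalize(a))
    if changed == 0:
        verdict = "ok"
    elif changed == answered:
        verdict = "global"
    else:
        verdict = "partial"
    return verdict, findings


if __name__ == "__main__":
    # Baseline recorded once from a trusted vantage point (constructed here).
    BASELINE = ["ns1.example-dns.net.", "ns2.example-dns.net."]
    live = {r: query_ns("thedns.guru", r) for r in RESOLVERS}
    print(detect_drift(BASELINE, live))
```

Schedule it every few minutes and page on anything other than ("ok", []); an empty answer from one resolver is worth a look too, since blocked or failing queries often precede a hijack being noticed.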

Check EPP status codes

# WHOIS shows EPP lock status
whois thedns.guru | grep -i status
# Look for the registry-side locks that Registry Lock sets:
#   serverTransferProhibited
#   serverUpdateProhibited
#   serverDeleteProhibited
# clientTransferProhibited on its own is only the registrar's ordinary lock,
# which anyone holding the registrar account can clear

Verify DNSSEC chain is intact

# Check that a DS record exists in the parent zone
dig thedns.guru DS +short
# Compare it against the KSK the zone itself publishes
dig thedns.guru DNSKEY +short
# Verify the full chain from the root
delv thedns.guru A +vtrace
# Online: dnsviz.net shows a visual chain of trust
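The DS-to-DNSKEY comparison that the monitoring advice and the dig commands above leave to the eye, done in code, as an added example that is not code from the original page. It recomputes the DS (key tag, algorithm, digest over the wire-format owner name followed by the DNSKEY RDATA, per RFC 4034) from the child's KSK records and reports any DS in the parent that matches none of them: that is the signal that the delegation commits to a key you do not hold, whether through a rollover mistake or because someone rewrote the DS at the registrar. The DNSKEY values in the test are constructed placeholders rather than real keys, so only the DS arithmetic is exercised; no signatures are verified.

```python
"""DS/DNSKEY consistency check (RFC 4034 section 5.1.4 and Appendix B).
Added example, not code from the original page. Key material in the test
is a constructed placeholder; no signatures are verified here."""
import base64
import hashlib

DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def wire_name(name):
    """Canonical wire-format owner name: length-prefixed lower-case labels
    ending in a zero byte; 'Example.COM.' -> b'\\x07example\\x03com\\x00'."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, key_b64):
    """DNSKEY RDATA: 2-byte flags, protocol, algorithm, raw public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + base64.b64decode(key_b64)


def key_tag(rdata):
    """Key tag over the RDATA (RFC 4034 Appendix B; not for algorithm 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def compute_ds(owner, flags, protocol, algorithm, key_b64, digest_type=2):
    """DS in presentation form: '<keytag> <alg> <digest type> <hex digest>',
    the digest covering wire-format owner name followed by DNSKEY RDATA."""
    rdata = dnskey_rdata(flags, protocol, algorithm, key_b64)
    digest = DIGEST_ALGS[digest_type](wire_name(owner) + rdata).hexdigest().upper()
    return f"{key_tag(rdata)} {algorithm} {digest_type} {digest}"


def parse_ds(text):
    """Parse one 'dig +short DS' line; dig may break the digest with spaces."""
    tag, alg, dtype, digest = text.split(None, 3)
    return int(tag), int(alg), int(dtype), digest.replace(" ", "").upper()


def parse_dnskey(text):
    """Parse one 'dig +short DNSKEY' line: '257 3 13 <base64, maybe spaced>'."""
    flags, proto, alg, key = text.split(None, 3)
    return int(flags), int(proto), int(alg), key.replace(" ", "")


def unmatched_ds(owner, parent_ds_lines, child_dnskey_lines):
    """Return the parent's DS records that match no KSK (SEP bit set) in the
    child's DNSKEY RRset. Non-empty means the delegation commits to a key
    you do not publish: a rollover error or a rewritten DS."""
    expected = set()
    for line in child_dnskey_lines:
        flags, proto, alg, key = parse_dnskey(line)
        if flags & 1:  # SEP flag marks the KSK
            for dtype in DIGEST_ALGS:
                expected.add(parse_ds(compute_ds(owner, flags, proto, alg, key, dtype)))
    return [ds for ds in parent_ds_lines if parse_ds(ds) not in expected]
```

Feed it the two dig +short outputs from the block above (DS from the parent, DNSKEY from the child); an empty list means every DS the parent publishes corresponds to one of your KSKs. Pair it with a check that the DS list is not empty at all, since a deleted DS validates as an insecure zone rather than failing.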

Audit CAA records

# Check which CAs may issue certificates
dig thedns.guru CAA +short
# Recommended baseline:
#   0 issue "letsencrypt.org"
#   0 issue "sectigo.com"
#   0 issuewild ";"
# (the ";" value restricts wildcard issuance to nobody)
# RFC 8657 parameters narrow it further, e.g.
#   0 issue "letsencrypt.org; validationmethods=dns-01"
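To see what the CAA policy above actually permits, the following is the issuance decision a CA makes under RFC 8659 (tree climb to the relevant RRset, issuewild precedence for wildcard names, critical-flag handling) together with the RFC 8657 validationmethods and accounturi parameters, as an added example that is not code from the original page. ZONE_CAA is a constructed set of records keyed by owner name standing in for live lookups; the CA names are the ones the page recommends, with a hypothetical digicert.com record on a subzone to show the tree climb stopping at the nearest RRset.

```python
"""CAA issuance decision as a CA performs it (RFC 8659, plus RFC 8657
validationmethods/accounturi). Added example, not code from the original
page; ZONE_CAA is constructed data standing in for live CAA lookups."""
import re

CAA_RE = re.compile(r'^(\d+)\s+(\S+)\s+"([^"]*)"$')


def parse_caa(text):
    """'0 issue "ca.example; k=v"' -> (flags, tag, value)."""
    m = CAA_RE.match(text.strip())
    if not m:
        raise ValueError(f"malformed CAA record: {text!r}")
    return int(m.group(1)), m.group(2).lower(), m.group(3)


def parse_issue_value(value):
    """'ca.example; validationmethods=dns-01' -> ('ca.example', {...}).
    An empty issuer (the value ';') authorizes nobody."""
    parts = [p.strip() for p in value.split(";")]
    params = {}
    for p in parts[1:]:
        if p:
            k, _, v = p.partition("=")
            params[k.strip().lower()] = v.strip()
    return parts[0].lower(), params


def relevant_rrset(fqdn, zone_caa):
    """Climb from fqdn towards the root and return the first CAA RRset found
    (RFC 8659 section 3). The '*.' of a wildcard name is dropped first, so
    the records at the parent label govern wildcard requests."""
    name = fqdn.lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    labels = name.split(".")
    while labels:
        owner = ".".join(labels)
        if owner in zone_caa:
            return [parse_caa(r) for r in zone_caa[owner]]
        labels.pop(0)
    return []


def issuance_allowed(fqdn, zone_caa, ca, method=None, account=None):
    """Return (allowed, reason) for CA 'ca' (its issuer domain name) issuing
    for fqdn after validating with ACME 'method' under ACME 'account'."""
    rrset = relevant_rrset(fqdn, zone_caa)
    # An unrecognised property carrying the critical flag (bit 7) forbids issuance.
    for flags, tag, _ in rrset:
        if flags & 128 and tag not in ("issue", "issuewild", "iodef"):
            return False, f"critical unknown property {tag}"
    wildcard = fqdn.startswith("*.")
    issuewild = [r for r in rrset if r[1] == "issuewild"]
    issue = [r for r in rrset if r[1] == "issue"]
    # issuewild is ignored for non-wildcard names and, when present, replaces
    # issue for wildcard names (RFC 8659 section 4.3).
    applicable = issuewild if (wildcard and issuewild) else issue
    if not applicable:
        return True, "no issue restriction in relevant RRset"
    for _, tag, value in applicable:
        issuer, params = parse_issue_value(value)
        if issuer != ca.lower():
            continue
        methods = params.get("validationmethods")
        if methods and method not in [m.strip() for m in methods.split(",")]:
            continue
        uri = params.get("accounturi")
        if uri and uri != account:
            continue
        return True, f"authorized by {tag} {value!r}"
    return False, f"{ca} not authorized for {fqdn}"


# Constructed zone data (owner name -> CAA records in presentation format).
ZONE_CAA = {
    "example.com": [
        '0 issue "letsencrypt.org; validationmethods=dns-01"',
        '0 issue "sectigo.com"',
        '0 issuewild ";"',
        '0 iodef "mailto:security@example.com"',
    ],
    "lab.example.com": ['0 issue "digicert.com"'],  # hypothetical subzone policy
}
```

The worked cases that matter for hijacking: with validationmethods=dns-01 on the Let's Encrypt record, an attacker who only hijacked the web host cannot pass HTTP-01 there, but can still use sectigo.com because that record carries no parameter; and the issuewild ";" record blocks every wildcard request regardless of the issue records. None of this binds once the attacker can rewrite the zone, which is the caveat in the CAA section above.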