
Author: Government Cyber Unit (DSIT)

DNS Hijacking

What this means

DNS hijacking occurs when an attacker manipulates the DNS resolution process to redirect users from legitimate websites to malicious ones.

This is done by altering DNS settings or responses, often without the user’s knowledge, to facilitate phishing, malware distribution or censorship.

Why this is a problem

DNS acts as the internet’s phonebook, translating human-friendly domain names (like security.gov.uk) into machine-readable IP addresses. A DNS hijacking attack tries to swap the legitimate IP address for a fraudulent one controlled by the attacker.

When a user attempts to visit the legitimate site, their browser is unknowingly directed to the attacker’s server, which can often host a fake, look-alike website.

Attackers use several methods to achieve this, including:

  • local DNS hijacking – attackers install malware (such as a Trojan) on a user’s computer that modifies the local DNS settings or “hosts” file, redirecting requests for specific domains to a malicious IP address
  • router DNS hijacking – attackers compromise a router, often by exploiting weak default passwords or firmware vulnerabilities, and change its DNS settings. This affects every device that connects to that router, redirecting all network users to malicious destinations
  • man-in-the-middle (MitM) attacks – on unsecured public Wi-Fi networks, an attacker can intercept the communication between a user’s device and the DNS server, injecting a forged DNS response that points the user to a malicious site
  • rogue DNS server or domain registrar compromise – attackers may compromise the authoritative DNS server for a domain, or the domain registrar account itself, allowing them to change the official DNS records (for example, A records) for a website. This affects all users of that DNS server or website

How to check if the problem is there

Common signs that indicate DNS may have been hijacked include:

  • unexpected website redirects when typing in a correct URL
  • frequent, unusual pop-up advertisements on trusted websites
  • web pages loading slowly or failing to load
  • browser security warnings, such as SSL/TLS certificate mismatches, on sites you know are legitimate
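The signs above are what a user notices; an administrator can also check the device directly for the two artefacts that local DNS hijacking leaves behind: overrides of public domain names in the “hosts” file and nameserver entries that point at a resolver the organisation does not use. The script below is an added illustration, not code from this guidance. It parses constructed sample content in the Unix /etc/hosts and /etc/resolv.conf layouts (the Windows hosts file lives under the System32 drivers\etc directory and the same hosts-file parser applies to it); the trusted-resolver list and the local-suffix list are assumptions for the example and must be set to match your own environment.

```python
import ipaddress
import os

# Constructed sample content in /etc/hosts layout. The 203.0.113.45 lines are the
# kind of override that local DNS hijacking malware adds (addresses and names are
# from reserved documentation ranges and the reserved .test TLD).
SAMPLE_HOSTS = """\
127.0.0.1   localhost
::1         localhost ip6-localhost
# override of a public name, as left by hijacking malware
203.0.113.45 www.example-bank.test example-bank.test
192.168.1.20 printer.lan
"""

# Constructed sample content in /etc/resolv.conf layout; 198.51.100.9 stands in
# for a resolver an attacker inserted.
SAMPLE_RESOLV = """\
# Generated by NetworkManager
search lan
nameserver 192.168.1.1
nameserver 198.51.100.9
"""

# Assumption for the example: resolvers the administrator expects on this network.
TRUSTED_RESOLVERS = {"192.168.1.1", "1.1.1.1", "8.8.8.8"}

# Assumption for the example: names that legitimately live in a hosts file.
LOCAL_NAMES = {"localhost", "ip6-localhost", "ip6-loopback"}
LOCAL_SUFFIXES = (".lan", ".local", ".localdomain", ".home", ".internal")


def parse_hosts(text):
    """Return (ip, hostname) pairs from hosts-file text, ignoring comments and blanks."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        ipaddress.ip_address(ip)  # raises ValueError on a malformed line
        for name in names:
            entries.append((ip, name.lower()))
    return entries


def parse_resolvers(text):
    """Return the nameserver addresses listed in resolv.conf-style text, in order."""
    servers = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def audit_hosts(text):
    """Return (hostname, ip) for every hosts-file entry that overrides a non-local name.

    A hosts file should only carry loopback and LAN names; any entry that pins a
    public-looking name (dotted, not under a local suffix) to a fixed address bypasses
    DNS for that name and is treated as a finding, whatever address it points to.
    """
    findings = []
    for ip, name in parse_hosts(text):
        if name in LOCAL_NAMES or "." not in name or name.endswith(LOCAL_SUFFIXES):
            continue
        findings.append((name, ip))
    return findings


def audit_resolvers(text, trusted=TRUSTED_RESOLVERS):
    """Return nameserver addresses that are not on the trusted list."""
    return [server for server in parse_resolvers(text) if server not in trusted]


def read_or_sample(path, sample):
    """Read a real config file if it exists, otherwise fall back to the constructed sample."""
    if os.path.exists(path):
        with open(path, encoding="utf-8", errors="replace") as fh:
            return fh.read()
    return sample


if __name__ == "__main__":
    hosts_text = read_or_sample("/etc/hosts", SAMPLE_HOSTS)
    resolv_text = read_or_sample("/etc/resolv.conf", SAMPLE_RESOLV)
    for name, ip in audit_hosts(hosts_text):
        print(f"HOSTS OVERRIDE: {name} -> {ip}")
    for server in audit_resolvers(resolv_text):
        print(f"UNTRUSTED RESOLVER: {server}")
```

Run against the samples, the script reports the two overrides of example-bank.test and the untrusted resolver 198.51.100.9; the 192.168.1.20 printer entry and the localhost lines are left alone. A finding here is a reason to go on to the malware scan and the router checks in the section below, since a clean hosts file does not rule out a hijacked router or resolver upstream.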

How to fix this

How to resolve DNS hijacking depends on your role and responsibilities.

If you suspect your device has been compromised, follow these steps:

  • scan for malware
  • change router credentials, update router firmware, and follow the manufacturer’s advice to restore factory settings if you suspect the configuration has been tampered with
  • verify that your router’s DNS configuration has not been altered by an attacker

If your website’s domain records have been hijacked, you should:

  • enable two-factor authentication (2FA) on the DNS and registrar accounts
  • implement a “Client Lock” or “Registry Lock”
  • enable DNSSEC (Domain Name System Security Extensions) if supported
  • review who has access to make DNS changes
  • set up monitoring and alerting on configuration changes to your DNS settings
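The last step, monitoring for changes to your published records, is the one that catches a registrar or authoritative-server compromise early, because the change happens outside your own network. The script below is an added example, not code from this guidance or from any particular monitoring product: it compares a baseline of the records you expect to be published with a freshly observed snapshot and raises an alert for every record set that differs, treating NS changes as critical because a swapped delegation hands the whole zone to the attacker. Both snapshots are constructed inline using reserved example addresses; in a real deployment the observed snapshot would be fetched on a schedule with a resolver library or a tool such as dig, and the alerts fed to your alerting system.

```python
import json

# Constructed baseline: the records the operator expects for the zone (addresses are
# from reserved documentation ranges; names use the reserved .test TLD).
BASELINE = {
    "example.test": {
        "NS": {"ns1.example-dns.test.", "ns2.example-dns.test."},
        "A": {"192.0.2.10", "192.0.2.11"},
        "MX": {"10 mail.example.test."},
    },
    "www.example.test": {
        "A": {"192.0.2.10"},
    },
}

# Constructed observed snapshot, shaped like the aftermath of a registrar-account
# compromise: the apex A record now points elsewhere and one nameserver was replaced.
OBSERVED = {
    "example.test": {
        "NS": {"ns1.example-dns.test.", "ns-attacker.test."},
        "A": {"198.51.100.7"},
        "MX": {"10 mail.example.test."},
    },
    "www.example.test": {
        "A": {"192.0.2.10"},
    },
}

# Record types whose change means the delegation itself has moved.
DELEGATION_TYPES = {"NS", "SOA"}


def diff_snapshots(baseline, observed):
    """Return one alert dict per (name, type) whose record set differs from the baseline.

    Names or types present in only one snapshot are reported too: a record set that
    vanished shows up with everything under "removed", a new one under "added".
    """
    alerts = []
    for name in sorted(set(baseline) | set(observed)):
        base_sets = baseline.get(name, {})
        obs_sets = observed.get(name, {})
        for rtype in sorted(set(base_sets) | set(obs_sets)):
            expected = set(base_sets.get(rtype, ()))
            seen = set(obs_sets.get(rtype, ()))
            if expected == seen:
                continue
            alerts.append({
                "name": name,
                "type": rtype,
                "added": sorted(seen - expected),
                "removed": sorted(expected - seen),
                "severity": "critical" if rtype in DELEGATION_TYPES else "high",
            })
    return alerts


def highest_severity(alerts):
    """Summarise a batch of alerts as 'critical', 'high' or 'none' for paging decisions."""
    levels = {alert["severity"] for alert in alerts}
    if "critical" in levels:
        return "critical"
    if "high" in levels:
        return "high"
    return "none"


if __name__ == "__main__":
    found = diff_snapshots(BASELINE, OBSERVED)
    print(json.dumps(found, indent=2))
    print("overall:", highest_severity(found))
```

With the constructed snapshots the run yields two alerts for example.test: a high-severity one for the A record (192.0.2.10 and 192.0.2.11 removed, 198.51.100.7 added) and a critical one for the NS set (ns2.example-dns.test. removed, ns-attacker.test. added); the www record and the MX record are unchanged and produce nothing. Keep the baseline under change control so that a legitimate record change updates it through the same review that approved the change, otherwise the monitor will either alert on every planned migration or be silenced.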
