How to detect and prevent DNS hijacking

How to detect DNS hijacking

Imagine trying to access a news website to catch up on the latest headlines. Still, instead of finding the articles you were looking for, you're secretly redirected to a clone site designed to spread misinformation or to gather your personal data.

This scenario has become a reality for some, thanks to the Sea Turtle cyber espionage campaign. Linked to Turkey, this group has engaged in DNS hijacking, targeting not just any websites but those connected to telecommunications, media, ISPs, IT services, and Kurdish platforms in the Netherlands.

Their goal was to collect sensitive data on political dissidents and minority groups. DNS hijacking is often state-sponsored and used by governments to surveil and collect data on political adversaries and minority groups. These actors exploit the DNS system—essentially the internet's phonebook—to manipulate how and where we access information online.

Businesses, too, face big risks from DNS hijacking. This threat can result in large financial losses, data breaches, and a decrease in customer trust. 

The cryptocurrency sector is especially at risk. Threat actors frequently hijack DNS to send users to fake websites and steal cryptocurrency assets. Because you can't reverse cryptocurrency transactions, this approach is particularly dangerous. 

In this article, we’ll explore how to detect DNS hijacking in simple steps.

Key takeaways

  • DNS hijacking is an attack where someone redirects you to a different site that they control, which might look like the one you wanted but can steal your information or harm your computer.

  • The attack uses the DNS system, which normally helps your browser find websites, to send you to a fake website instead of the real one you wanted to visit.

  • Look out for being sent to unexpected websites, your internet running slowly, or warnings about a website's security certificate to catch DNS hijacking early.

  • Protect yourself by using strong passwords for your router, updating its firmware, enabling DNSSEC validation, and using a VPN to encrypt your online activity.

  • Incidents like the Sea Turtle campaign and the attack on a Brazilian bank show how serious DNS hijacking can be and why strong security measures are important.

  • NordLayer helps protect against these threats with its DNS filtering service, which blocks harmful websites.

What is DNS hijacking?

Domain Name System (DNS) hijacking is a form of cyber-attack in which an attacker intercepts and redirects the DNS queries made by a user. Instead of reaching the intended website, the user is sent to a fraudulent site, often without realizing it. This technique can be used to steal personal information, distribute malware, or censor information.

How does DNS hijacking work?

DNS hijacking operates by using the DNS, which acts as the internet's phonebook. Normally, when you enter a website address into your browser, your computer sends a DNS query to a DNS server to translate the domain name into an IP address. This IP address is what allows your browser to connect to the website's server.

However, in a DNS hijacking scenario, an attacker intercepts or alters this query process. Instead of directing you to the correct IP address, the attacker redirects you to a fraudulent website or server that they control. This manipulated redirection can occur without any visible signs, making the user believe they are visiting a legitimate site.

For example, imagine you're trying to log into your online banking account. You type the bank's URL into your browser, expecting to be taken to your bank's login page. If you're a victim of DNS hijacking, you are sent to a counterfeit version of the bank's website instead of reaching the real banking site. This site looks identical to the real one, but when you enter your login credentials, they are captured by the attacker.

Types of DNS hijacking

Understanding the various types of DNS hijacking is crucial for maintaining our online safety. Let's explore the most popular ones.

Types of DNS hijacking attacks

Local DNS hijacking

This happens when malware changes the DNS settings on your device. If this occurs, your device might take you to places on the internet that you didn't intend to visit, risking your personal information. It's essential to keep your antivirus software up to date to catch and remove such malware.

Router DNS hijacking

Attackers target your internet router and change its DNS settings. This action affects all devices using that router. It's like someone redirecting all the mail from your house to somewhere else. 

Ensuring your router's firmware is regularly updated and its password is strong is a good practice to prevent DNS hijacking.

Man-in-the-middle DNS hijacking

In this scenario, attackers intercept your DNS requests. It's as if someone catches a letter you're sending out, opens it, and sends it somewhere else without you knowing. 

Using secure networks and VPN services can help safeguard against such interceptions.

DNS server hijacking

Here, the attackers take control of a DNS server and change its DNS records. This means they can redirect traffic from many users to malicious websites. It's a broad DNS attack, affecting many at once. 

Internet Service Providers and organizations managing DNS servers need to monitor and secure their servers diligently.

ISP DNS hijacking

Sometimes, your Internet Service Provider might redirect your DNS queries. Although these redirects aren't always malicious, they can still introduce security risks. Using a custom DNS service can give you more control over where your queries go, enhancing your privacy and security.

Cache poisoning (DNS spoofing)

Cache poisoning, also known as DNS spoofing, is a technique where attackers insert false information into a DNS server's cache. When this happens, your computer, which relies on the DNS server to translate website names into IP addresses, gets misled. It takes you to a different website controlled by the attacker.

A DNS resolver is a crucial part of this process. It's the tool that your computer uses to ask the DNS server, ‘What is the IP address for this website?’ When the resolver receives incorrect information from a poisoned DNS cache, it unknowingly directs you to the wrong place.

The DNS cache is where the resolver stores IP addresses it has recently looked up. If the cache gets poisoned, even future DNS requests can lead to the wrong sites until the DNS cache is cleared or the false entries expire.

Preventing cache poisoning involves ensuring your DNS resolver uses DNSSEC (DNS Security Extensions). DNSSEC is a security measure that ensures the information your resolver receives is authentic.

Rogue DNS server

If you're tricked into using a rogue DNS server, it will intentionally mislead you by taking you to the wrong websites. This often leads to malicious websites. Being cautious about which DNS server you use and opting for reputable DNS providers can protect you.


Pharming redirects you to fake websites without your click or consent, exploiting vulnerabilities either in your device or in DNS servers. It's more sneaky than phishing. 

Employing robust security measures and staying vigilant about unusual browser behavior can help you stay clear of these traps.

DNS redirection by malware

When malware on your device redirects your DNS queries, it can make you think you're visiting safe websites when you're not. Regular scans with updated antivirus software can help detect and remove such malware.

DNS hijacking via trojan

A trojan can change your DNS settings or point you to a malicious DNS server. It often masquerades as legitimate software, tricking you into downloading it. Being cautious about what you download and keeping your security software up to date are good ways to avoid such threats.

Each type of DNS hijacking exploits our trust in the internet's infrastructure. Remember, detecting DNS hijacking early and taking steps to prevent it are key to keeping your internet experience safe and secure.

Examples of DNS hijacking

Brazilian bank attack

Back in 2016, a big bank in Brazil was hit by a DNS hijacking attack. The threat actors changed the bank's DNS settings, redirecting customers to fake websites instead of the bank's real ones. These sites mimicked the bank's authentic ones, tricking people into giving away their personal and banking info.

This incident showed how big of an impact DNS hijacking can have, especially on financial institutions, and showed the need to prevent DNS hijacking attacks. 

Sea Turtle campaign

The Sea Turtle campaign is a cyber espionage operation that started in 2019. It targets organizations across the globe to gather sensitive information. 

This group uses DNS hijacking because after redirecting internet traffic to malicious websites and stealing login credentials, they can spy on the data traffic of targeted entities. They opt for DNS hijacking because of its sneakiness; victims often don't realize they're visiting fake websites.

In 2024, Sea Turtle expanded its reach to include targets in the Netherlands, focusing on telecommunications, media, ISPs, IT services, and Kurdish websites. 

Iranian attack incidents

Iranian threat actors, known under the alias Lyceum, target the Middle East with DNS hijacking. They've introduced a new NET-based backdoor, evolving their tactics to manipulate DNS queries. 

The essence of this DNS hijacking lies in its execution through a macro-laced Microsoft Document, seemingly reporting legitimate news but actually serving as a trojan horse for the malware. It's designed not just for spying but also for full control over the compromised systems. 

Companies need robust measures to detect and prevent DNS spoofing and similar DNS hijacking attacks.

How to detect DNS hijacking?

Here's a guide on how to spot DNS hijacking, which includes simple steps that can help you figure out if a DNS attack has hit you.

Spot unexpected website redirects. Imagine you're trying to visit your favorite news site but end up on a completely different page that asks for personal details. This could be a sign of DNS hijacking, where attackers redirect you to fake sites to steal your info.

Notice if your internet feels slow. If your web pages suddenly start taking longer to load, it might mean someone is messing with your DNS queries. This slowing down happens because the hijack adds extra steps to reach websites.

Use tools to check your DNS server. There are tools online that let you see if the DNS server your computer is using matches the one your Internet Service Provider (ISP) gave you. A mismatch might mean your DNS settings have been changed without you knowing.

Watch for SSL certificate warnings. When you visit a secure site, your browser checks its SSL certificate to ensure it's safe. If you get a warning that something's off, like the certificate doesn't match the site's name, it could mean you've been redirected to a harmful site by DNS hijacking.

Use network monitoring tools. These tools can spot odd behavior in your DNS traffic, like a sudden spike in DNS requests or visits to known bad sites. This can clue you in on possible DNS hijacking attempts.

Audit your DNS records. Check your domain's DNS records with your registrar every so often. If you find changes you didn't make, it might mean someone has hijacked your DNS.

Talk to your ISP. If you're worried about DNS hijacking, a call to your ISP can be reassuring. They can check if the DNS servers you're using are legit and offer tips on keeping your connection secure.

How to prevent DNS hijacking for businesses?

Keeping your online world safe from DNS hijacking is really important. Here's a guide on how to prevent DNS hijacking attacks.

How to prevent DNS hijacking

Pick secure DNS servers. DNSSEC stands for Domain Name System Security Extensions. It's a set of protocols that add a layer of security to the DNS lookup process, ensuring the information your network receives hasn't been tampered with. Opting for DNS servers that support DNSSEC minimizes the risk of your business being directed to fraudulent websites.

Update your router's password. Routers often come with default passwords that are easily predictable. Changing these passwords to something strong and unique is crucial for keeping attackers out. 

Keep your router's firmware fresh. Router makers often fix security holes with new firmware updates. Staying up-to-date helps block paths that threat actors could use for DNS hijacking.

Turn on DNSSEC validation. Enabling DNSSEC validation across your network means that DNS responses are checked for authenticity before being accepted. This prevents attackers from redirecting your internet traffic to malicious sites through spoofed DNS responses, a common tactic in DNS hijacking. 

Use a business VPN. A Virtual Private Network encrypts what you do online, shielding you from certain DNS hijacking methods. Choosing a trusted VPN service adds a solid layer of protection.

Install and update security software. Antivirus and anti-malware programs can catch and delete harmful software that might change your DNS settings. Keeping this software up to date is key to fighting off new threats. 

Update everything. Software updates often patch up security weaknesses. Regularly updating your system and applications protects you from being an easy target for DNS hijacking.

Watch your DNS settings. Keep an eye on the DNS settings on your company’s devices and router. If something looks off, dig deeper and fix it to ensure you're not under attack.

Learn and share knowledge. Understanding this issue is key to keeping your network safe. Explain to your employees what DNS hijacking is, why it's a problem, and how to spot if the network might be compromised. When people know what to look out for, they can help stop these attacks before they do harm.

Think about DNS filtering. These services stop your network from connecting to websites that are known to be harmful. They can also block attempts to contact servers that spread malware. Adding DNS filtering to your security plan is a good way to keep out threats that could lead to DNS hijacking. 

Beef up your network security. Using firewalls and following best practices for network security build a strong defense against unauthorized entries and various cyber threats, including DNS hijacking. These actions add extra layers of protection, which makes it harder for attackers to break into your network or carry out harmful activities.

Customize your DNS settings. Instead of sticking with your Internet Service Provider's DNS, switch to custom DNS servers known for being secure. This gives you more control and reduces hijacking risks. 

How NordLayer can help

NordLayer steps in to help your company stay safe online with its DNS filtering service. This tool stops access to malicious websites and screens out content that might be harmful or distracting for your team.

Managers can set rules on what's not allowed on the company's networks. It acts like a shield, keeping team members safe from phishing and other harmful online stuff. This way, everyone can focus on their work without worrying about online threats.

Using NordLayer's DNS filtering is easy and effective. Whenever someone tries to visit a website, NordLayer checks it against a list of safe and approved sites. If it finds a website that's unsafe or on a blocklist, it won't let the site load.

This step is great for stopping online threats before they can do any harm. Plus, NordLayer has a feature called ThreatBlock, which finds and blocks dangerous domains by pulling information from many places. Along with keeping your internet traffic safe with strong encryption and the ability to filter out more than 50 types of not-so-great content, NordLayer gives you a powerful way to keep your organization's online space secure and productive. No matter the size of your team, NordLayer is ready to help you manage and protect your remote workers in a simple and effective way. Contact our sales team to talk.

Share article


Copy failed

Protect your business with cybersecurity news that matters

Join our expert community and get tips, news, and special offers delivered to you monthly.

Free advice. No spam. No commitment.

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.