DNS hijacking
Attacker takes control of a domain's DNS to redirect traffic. Happens via stolen registrar credentials, BGP attacks, or compromised DNS hosts.
DNS hijacking is when an attacker takes control of where a domain's traffic goes. It is different from DNS spoofing/cache poisoning, which forges individual answers in a resolver's cache: hijacking changes the actual authoritative records, or redirects queries away from the legitimate authoritative servers altogether.
The flavors
Registrar account hijacking
The most common flavor. The attacker phishes or otherwise steals the registrant's credentials at the registrar, logs in, changes the nameservers to ones they control and points the domain at their own server. The domain serves attacker content until the legitimate owner notices and recovers the account. TLS does not save you here: whoever controls the zone can pass DV validation at any CA and obtain a valid certificate for the domain (and can edit away any CAA record first), so watch Certificate Transparency logs for issuances you didn't request.
Defenses:
- 2FA on the registrar account (TOTP minimum, hardware key better).
- Registrar lock (the clientTransferProhibited EPP status) prevents transfer-out, but a logged-in attacker can still change the nameservers, and can clear any clientUpdateProhibited status the registrar set, since both are controlled from the same account.
- Registry lock (a paid service from Verisign for .com/.net and from similar registries) sets serverUpdateProhibited, serverTransferProhibited and serverDeleteProhibited at the registry, so any change needs an out-of-band phone/fax + PIN process between registrar and registry. This stops a stolen registrar login from changing anything, but it does nothing against compromise of your DNS host, because the delegation there is unchanged.
DNS provider compromise
Attacker compromises your DNS host (e.g., your Cloudflare account, or an over-privileged API token leaked from CI) and edits records directly. Effects are the same as registrar hijacking but the change is at the zone level, not the registry level: the nameservers stay the same, so registry lock and registrar-side monitoring see nothing.
Defenses:
- 2FA on the DNS host.
- Audit logs (review who changed what).
- Restricted API token scopes (a CI deploy token should be able to edit only the records it needs: Cloudflare tokens can be limited to DNS edit on a single zone, and a Route 53 IAM policy can be scoped to one hosted zone and, via condition keys, to specific record names and types).
- Alerting on unexpected zone changes (Cloudflare, Route53 support change notifications).
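An added example of the alerting bullet, written for this page rather than taken from it or from any vendor: triage Route 53 `ChangeResourceRecordSets` events out of a CloudTrail export, flag any apex NS/DS/SOA/MX change as critical regardless of who made it, and flag any change by a principal that is not allowlisted for that record name. The CloudTrail field layout (`eventSource`, `eventName`, `userIdentity.arn`, `requestParameters.changeBatch.changes[].resourceRecordSet`) is assumed from how CloudTrail mirrors the API request; the account ID, role names, domain names and the sample log lines are constructed for the example.

```python
"""Triage Route 53 record changes from CloudTrail (added example, not from the page).

Assumes CloudTrail's layout for Route 53 events: eventSource, eventName,
userIdentity.arn, requestParameters.hostedZoneId and
requestParameters.changeBatch.changes[].resourceRecordSet. The account ID,
role names, domain names and the sample events below are all constructed.
"""
import json
from fnmatch import fnmatchcase

# Changing any of these at the apex re-points the whole domain or its mail,
# so the change is critical no matter who made it.
CRITICAL_TYPES = {"NS", "DS", "SOA", "MX"}

# Hypothetical policy: which principals may touch which names. The CI role is
# confined to the app records; everything else must come through dns-admin.
ALLOWLIST = {
    "arn:aws:sts::123456789012:assumed-role/ci-deploy/*": ["app.example.com", "*.app.example.com"],
    "arn:aws:sts::123456789012:assumed-role/dns-admin/*": ["*"],
}


def normalize(name):
    """Lower-case and drop the trailing dot Route 53 puts on record names."""
    return name.lower().rstrip(".")


def principal_allowed(arn, name):
    """True when the first allowlist entry matching the ARN also permits the name."""
    for arn_pattern, name_patterns in ALLOWLIST.items():
        if fnmatchcase(arn, arn_pattern):
            return any(fnmatchcase(name, p) for p in name_patterns)
    return False


def triage(event):
    """Return a list of findings for one CloudTrail event; empty means benign or ignored."""
    if event.get("eventSource") != "route53.amazonaws.com" or event.get("eventName") != "ChangeResourceRecordSets":
        return []
    arn = (event.get("userIdentity") or {}).get("arn", "<unknown>")
    params = event.get("requestParameters") or {}
    findings = []
    for change in (params.get("changeBatch") or {}).get("changes", []):
        rrset = change.get("resourceRecordSet") or {}
        name = normalize(rrset.get("name", ""))
        rtype = rrset.get("type", "").upper()
        reasons = []
        if rtype in CRITICAL_TYPES:
            reasons.append(f"{rtype} record changed")
        if not principal_allowed(arn, name):
            reasons.append("principal not allowlisted for this name")
        if reasons:
            findings.append({
                "time": event.get("eventTime"),
                "zone": params.get("hostedZoneId"),
                "principal": arn,
                "action": change.get("action"),
                "name": name,
                "type": rtype,
                "values": [r.get("value") for r in rrset.get("resourceRecords", [])],
                "severity": "critical" if rtype in CRITICAL_TYPES else "high",
                "reasons": reasons,
            })
    return findings


def triage_log(lines):
    """Run triage over newline-delimited JSON (one CloudTrail event per line)."""
    findings = []
    for line in lines:
        if line.strip():
            findings.extend(triage(json.loads(line)))
    return findings


def _event(arn, action, name, rtype, value, when):
    """Build one constructed CloudTrail-shaped Route 53 event."""
    return {
        "eventTime": when, "eventSource": "route53.amazonaws.com",
        "eventName": "ChangeResourceRecordSets",
        "userIdentity": {"type": "AssumedRole", "arn": arn},
        "requestParameters": {"hostedZoneId": "Z0123456789EXAMPLE", "changeBatch": {"changes": [
            {"action": action, "resourceRecordSet": {"name": name, "type": rtype, "tTL": 300,
                                                     "resourceRecords": [{"value": value}]}}]}},
    }


CI = "arn:aws:sts::123456789012:assumed-role/ci-deploy/build-4711"
ADMIN = "arn:aws:sts::123456789012:assumed-role/dns-admin/alice"
# Constructed sample log: one benign CI deploy, one CI edit outside its scope,
# one delegation change by an admin, one unrelated event.
SAMPLE_LOG = [json.dumps(e) for e in [
    _event(CI, "UPSERT", "app.example.com.", "A", "203.0.113.10", "2024-05-01T10:00:00Z"),
    _event(CI, "UPSERT", "www.example.com.", "A", "198.51.100.7", "2024-05-01T10:05:00Z"),
    _event(ADMIN, "UPSERT", "example.com.", "NS", "ns1.evil-dns.invalid.", "2024-05-01T10:09:00Z"),
    {"eventTime": "2024-05-01T10:10:00Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin"},
]]

if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"[{f['severity']}] {f['time']} {f['principal']} {f['action']} {f['name']} {f['type']} "
              f"-> {f['values']}: {'; '.join(f['reasons'])}")
```

The apex NS change is reported even though the admin role is allowed to touch everything: an allowlisted principal is exactly what a phished admin looks like, so delegation changes go to a human every time. The same shape of rule works on Cloudflare audit log entries; only the field names differ.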
Router-level hijacking (man-in-the-middle)
Attacker on the same network (cafe wifi, compromised home router, malicious ISP) sets the user's DNS resolver to one they control. Every DNS query from the user goes to the attacker, who returns whatever they want. The user thinks they're going to bank.com; they're going to a phishing site that looks like it. If the site is reached over HTTPS the attacker's server still needs a certificate the browser trusts, and controlling one victim's resolver does not get them one, so this mostly bites on plain HTTP, on sites without HSTS, or when the user clicks through the certificate warning.
Defenses (user-side):
- DNS-over-HTTPS (DoH) or DNS-over-TLS (DoT) sends queries to a resolver you chose (Cloudflare's, Google's, ...) over an encrypted channel, so the network's resolver never sees them. Make sure the client does not silently fall back to plain DNS when the attacker blocks DoH; in Firefox that is network.trr.mode=3 (DoH only, no fallback).
- DNSSEC validation by a resolver you trust (reached over DoH/DoT) or on the host itself. It catches forged answers for signed zones, but validation done by the attacker's own resolver is worthless, and DNSSEC does nothing against a registrar-level hijack, where the attacker can replace the DS records too.
BGP hijacking (network-layer attack)
Attacker advertises bogus routes via BGP, so packets destined for the legitimate authoritative nameservers go to the attacker's IPs instead, and the attacker answers the DNS queries. Used in high-stakes attacks: the April 2018 BGP hijack of Amazon Route 53 address space let the attackers answer queries for myetherwallet.com themselves and redirect its users to a phishing site (it served a self-signed certificate, so only users who clicked through the warning were caught).
Defenses (operator-side):
- RPKI (Resource Public Key Infrastructure) for BGP origin authentication.
- Anycast for authoritative nameservers (Cloudflare, NS1, others use this). It does not prevent a hijack, but most networks already have a short legitimate route to the prefix, which limits how far the bogus one propagates.
- Multiple geographically diverse upstream peers for the DNS provider.
These are network-level defenses; you delegate them to your DNS provider. What you can do yourself is detect: query your records from outside your own network and alert when the answers differ from what you published.
In a SaaS
Three concrete things to do for your own domain:
- Hardware-key 2FA on registrar and DNS host accounts, not TOTP. Avoid shared admin accounts; where one is unavoidable, bind it to hardware keys rather than a TOTP seed that gets passed around.
- Registry lock if your domain is high-value or business-critical. .com, .net and .io all support it; you request it through your registrar, which coordinates with the registry.
- Review DNS record changes at least monthly, on top of real-time change alerts; the monthly pass is for whatever the alerts missed. Tools: Cloudflare audit log, Route 53 CloudTrail events, third-party services like SecurityTrails change history. Also check the delegation from outside (the NS and DS records as the TLD publishes them, plus the domain's lock status codes), since a nameserver change made at the registrar never appears in your DNS host's logs.
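An added example for the review step above and for the registrar/registry lock bullets earlier, written for this page and not taken from any tool or vendor: diff an externally observed snapshot of the domain (delegation and DS as the parent publishes them, EPP status codes, the records served at the apex) against a known-good baseline. The snapshot layout is the example's own; in practice `registry_ns` and `ds` come from querying the TLD's nameservers, `status` from the registrar's RDAP/whois output, and `apex` from dig against the authoritative servers. All data below is constructed.

```python
"""Diff a domain's externally observed posture against a known-good baseline.

Added example, not from the original page. The snapshot layout is this
example's own: in practice registry_ns and ds come from querying the TLD's
nameservers, status from the registrar's RDAP/whois output, and apex from
dig against the authoritative servers. All sample data is constructed.
"""

# EPP status codes a registry lock sets; if they vanish, the lock was lifted.
REGISTRY_LOCK = {"serverDeleteProhibited", "serverTransferProhibited", "serverUpdateProhibited"}
APEX_TYPES = ("A", "AAAA", "MX", "TXT", "CAA")


def canon(values):
    """Order-insensitive, case-insensitive form of a record set without trailing dots."""
    return frozenset(v.strip().lower().rstrip(".") for v in values)


def diff_posture(baseline, observed):
    """Return (severity, field, before, after) tuples for every drift from the baseline."""
    findings = []
    # Delegation and DS as the parent zone publishes them. A registrar-level
    # nameserver change appears here and nowhere in your DNS host's audit log.
    for field in ("registry_ns", "ds"):
        before, after = canon(baseline.get(field, [])), canon(observed.get(field, []))
        if before != after:
            findings.append(("critical", field, sorted(before), sorted(after)))
    # Lock status: a missing server* code means the registry lock is off,
    # a missing clientTransferProhibited means the domain can be transferred away.
    b_status, o_status = set(baseline.get("status", [])), set(observed.get("status", []))
    lost_lock = (b_status & REGISTRY_LOCK) - o_status
    if lost_lock:
        findings.append(("critical", "status", sorted(lost_lock), sorted(o_status)))
    if "clientTransferProhibited" in b_status - o_status:
        findings.append(("high", "status", ["clientTransferProhibited"], sorted(o_status)))
    # Records actually served at the apex: catches zone-level edits at the DNS host.
    for rtype in APEX_TYPES:
        before = canon(baseline.get("apex", {}).get(rtype, []))
        after = canon(observed.get("apex", {}).get(rtype, []))
        if before != after:
            findings.append(("high", f"apex {rtype}", sorted(before), sorted(after)))
    return findings


# Constructed baseline: what the domain looked like when it was last verified.
BASELINE = {
    "registry_ns": ["ns1.example-dns.net.", "ns2.example-dns.net."],
    "ds": ["12345 13 2 " + "0f" * 32],
    "status": ["clientTransferProhibited", "serverDeleteProhibited",
               "serverTransferProhibited", "serverUpdateProhibited"],
    "apex": {"A": ["203.0.113.10"], "MX": ["10 mail.example.com."],
             "CAA": ['0 issue "letsencrypt.org"']},
}

# Constructed observation after a registrar-level hijack: the registry lock was
# lifted, the delegation moved, DS was dropped so DNSSEC does not fail, and the
# apex now points at the attacker's host. MX and CAA were left alone.
OBSERVED_HIJACKED = {
    "registry_ns": ["NS1.EVIL-DNS.INVALID.", "ns2.evil-dns.invalid"],
    "ds": [],
    "status": ["clientTransferProhibited"],
    "apex": {"A": ["198.51.100.7"], "MX": ["10 mail.example.com"],
             "CAA": ['0 issue "letsencrypt.org"']},
}

if __name__ == "__main__":
    for severity, field, before, after in diff_posture(BASELINE, OBSERVED_HIJACKED):
        print(f"[{severity}] {field}: {before} -> {after}")
```

Run it from a host outside your own network on a schedule, and treat any critical finding as an incident rather than a ticket: by the time the parent's NS set has moved, the attacker can already be requesting certificates.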