DNS Hijacking
DNS hijacking is the silent attack that doesn't break anything visible — your browser still loads pages, your apps still connect — but the destinations are no longer the ones you asked for. By corrupting the lookup that turns a domain name into an IP address, an attacker can quietly redirect you to phishing pages, inject ads, or surveil every site you visit.
Every connection you make starts with a question: "what is the IP address for this name?" Your device asks a DNS resolver, the resolver answers, and you connect. DNS hijacking is any attack that subverts this lookup so the answer points somewhere the attacker controls. Because the rest of the connection then proceeds normally, the damage is invisible — the URL bar looks right, the page looks right, and only an attentive look at the certificate or the IP reveals that something is wrong.
Where the hijack can happen
DNS resolution touches several systems, and any of them can be the attack surface. The most common variants:
- Local hijacking. Malware on your device edits the OS resolver settings or the hosts file, pointing specific names at attacker IPs.
- Router hijacking. The attacker logs into your home or office router — often through a default password or an unpatched CVE — and changes the DNS server pushed to every device by DHCP. One compromised router can redirect a hundred laptops, phones, and IoT devices.
- ISP-level hijacking. Some ISPs intercept DNS queries and rewrite NXDOMAIN ("name doesn't exist") responses to point at a search/ad page, or block specific domains by serving a different answer. This is sometimes regulatory, often commercial, and always indistinguishable from an attack to the user.
- Resolver poisoning. An attacker injects forged responses into an open recursive resolver's cache. Subsequent users of that resolver receive the bad answer until the cache expires.
- Registrar hijacking. The attacker takes over the domain's account at a registrar and changes the authoritative nameservers — the most dangerous variant, because every resolver in the world will eventually pick up the bad records.
Why DNS is so easy to attack
The original DNS protocol from 1983 has no authentication. A resolver receiving a response checks little more than the transaction ID, which is 16 bits — guessable with enough attempts. There is no cryptographic seal saying "this answer really came from the authority for example.com." That is why DNS leaks are dangerous on hostile networks: even when your VPN tunnel is encrypted, a DNS query that escapes the tunnel can be answered by anyone who can see it. DNSSEC adds cryptographic signatures, but adoption is partial and most clients don't validate.
What a hijack lets the attacker do
Once you connect to an attacker's IP instead of the real one, several attacks open up. The attacker can stand up a phishing page that looks identical to your bank or email provider and harvest credentials. They can serve a man-in-the-middle proxy that forwards traffic to the real site while watching everything, although HTTPS usually prevents this unless the user clicks through a certificate warning. They can blackhole specific domains (an ad blocker uses this for good, an authoritarian censor for ill). And they can inject malware downloads in place of legitimate software updates.
How to detect that you're being hijacked
The signs are usually subtle. A certificate warning where one shouldn't exist is the loudest signal — browsers refuse to silently connect to an attacker's IP because the TLS certificate won't match the domain. Beyond that, run a DNS query against multiple resolvers and compare answers:
```sh
dig @1.1.1.1 example.com
dig @8.8.8.8 example.com
dig @9.9.9.9 example.com
```

If two well-known public resolvers give different answers, something is being intercepted between you and one of them. Our DNS leak test reveals which resolver your device is actually using — useful for spotting silent rerouting by a router or ISP.
How to harden against DNS hijacking
Three layers help most. First, encrypt your DNS — DNS over HTTPS and DNS over TLS prevent on-path observers from rewriting answers in flight, and pin the resolver to a known provider. Second, change every default password on your router and patch its firmware; router DNS hijacks are mass-exploited by botnets like DNSChanger and GhostDNS that scan the Internet for vulnerable models. Third, use DNSSEC-validating resolvers like 1.1.1.1 or 9.9.9.9 — when an authoritative domain signs its records, the resolver can mathematically verify the answer hasn't been tampered with.
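The multi-resolver comparison from the detection section and the DNSSEC check from the third hardening layer, as one added example (this is not the article's code or any vendor's tool): it builds a raw DNS query with only the standard library, parses the reply for the response code, A records and the AD (authenticated data) bit, and flags resolvers whose answer departs from the majority. The resolver addresses, the `example.com` name and the sample answers in the test are assumptions or constructed values.

```python
import random
import socket
import struct
# Added example (not the article's code): raw DNS over UDP with only the stdlib.

def build_query(name, qtype=1):  # returns (txid, packet); RD and AD bits set
    txid = random.randint(0, 0xFFFF)  # the 16-bit ID is all plain DNS checks
    header = struct.pack("!HHHHHH", txid, 0x0120, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split("."))
    return txid, header + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def _skip_name(data, off):  # plain labels, a compression pointer, or labels then a pointer
    while data[off] & 0xC0 != 0xC0:
        n, off = data[off], off + data[off] + 1
        if n == 0:
            return off
    return off + 2

def parse_response(txid, data):  # -> (rcode, sorted A-record IPs, AD bit); rcode 3 = NXDOMAIN
    rid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", data[:12])
    if rid != txid:
        raise ValueError("transaction ID mismatch: reply may be forged")
    off = 12
    for _ in range(qd):
        off = _skip_name(data, off) + 4  # skip echoed question name + qtype/qclass
    ips = []
    for _ in range(an):
        off = _skip_name(data, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(data[off:off + 4]))
        off += rdlen
    return flags & 0xF, sorted(ips), bool(flags & 0x0020)  # AD: resolver validated via DNSSEC

def ask(resolver, name):  # live query to a resolver's UDP port 53
    txid, packet = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(3)
        s.sendto(packet, (resolver, 53))
        return parse_response(txid, s.recvfrom(512)[0])

def compare(results):  # {resolver: (rcode, ips, ...)} -> [(kind, resolvers, answer)] for minority answers
    votes = {}
    for resolver, (rcode, ips, *_) in results.items():
        votes.setdefault((rcode, tuple(ips)), []).append(resolver)
    majority = max(votes, key=lambda k: len(votes[k]))
    return [("NXDOMAIN rewritten" if majority[0] == 3 and a[1] else "answer differs", who, a)
            for a, who in votes.items() if a != majority]
```

A CDN can legitimately hand different resolvers different addresses, so a plain disagreement is a lead to investigate rather than proof; an NXDOMAIN turned into an A record is the sharper signal. The AD bit is only meaningful for a signed zone queried through a resolver that honours the AD request bit, and its absence there means the answer was not validated.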
The registrar layer matters too
If you own a domain, the most dangerous hijack isn't to your device — it's to your registrar account. Enable two-factor authentication, lock the domain so transfers require manual approval, and watch for nameserver changes. The 2018 MyEtherWallet hijack and the 2020 Twitter incident were both registrar/DNS infrastructure attacks, not endpoint attacks. Cloudflare's registrar service publishes records over signed channels for exactly this reason.
Frequently asked questions
- Is DNS hijacking the same as DNS poisoning?
- They overlap but aren't identical. DNS poisoning specifically means injecting a bad answer into a resolver's cache so future queries get the wrong reply. DNS hijacking is the broader category — it includes poisoning but also covers attacks where the resolver itself is changed (router compromise, registrar takeover, malware editing your DNS settings).
- Does HTTPS protect me from DNS hijacking?
- Mostly yes for the credential-theft case. If the attacker redirects bank.com to their server, the browser checks the certificate, sees it doesn't match bank.com, and warns you. But HTTPS does not protect against DNS-based censorship (the site simply becomes unreachable), ad injection on plaintext sites, or malware that ships its own bogus root certificate.
- Can a VPN prevent DNS hijacking?
- A VPN that handles DNS inside the tunnel removes the local network as an attack surface — your router, ISP, and any hostile Wi-Fi can't see or rewrite the queries. It does not protect against malware on your own device or against a hijack of the destination domain's registrar. Confirm there's no leak with our [DNS leak test](/dns-leak-test).
- Why do some ISPs deliberately hijack NXDOMAIN responses?
- Money. When you type a non-existent domain and the ISP returns its own search/ad page instead of an error, every typo becomes an ad impression. It also breaks software that expects a real NXDOMAIN, which is why most network engineers consider the practice user-hostile even when technically legal.
- How do I know if my router has been hijacked?
- Log into the router's admin interface and check the WAN/DNS settings — they should be "automatic" (from your ISP) or a public resolver you set. If they show unfamiliar IPs, the router has been touched. Then update firmware, change the admin password, and rotate the Wi-Fi password to evict any device that may have triggered the compromise.