What is DNS Hijacking?

DNS hijacking is an attack that redirects DNS lookups so visitors land on a server the attacker controls instead of yours. Because it happens at the lookup layer, the domain in the address bar can look completely correct while traffic is quietly diverted — which makes hijacking both effective and hard to notice without monitoring.

What is DNS hijacking?

DNS hijacking (also called DNS redirection) is any attack that subverts the normal DNS resolution process so that a domain resolves to an address the attacker chooses. The victim's browser still shows the correct domain, but the traffic is sent somewhere else — often a convincing clone built to steal credentials, payment details, or session cookies.

How DNS hijacking attacks work

Hijacking can target almost any point in the resolution chain:

  • Registrar or DNS account compromise — the attacker logs into your registrar or DNS provider (often via phishing or a reused password) and edits records or repoints nameservers. This is the most damaging form because the change is authoritative.
  • Local hijacking — malware on a device changes its configured DNS server to a malicious resolver.
  • Router hijacking — an attacker changes the DNS settings on a vulnerable home or office router, affecting everyone on the network.
  • Man-in-the-middle — DNS queries are intercepted on the network and answered with forged responses.
  • Cache poisoning — a resolver is tricked into caching a forged record, so it serves the bad answer to many users until the TTL expires.

Warning signs

  • Records or nameservers that change without an authorized request.
  • Visitors redirected to unexpected or scam pages.
  • Sudden TLS certificate warnings, or a new certificate you did not request.
  • Email delivery failing or being routed through an unfamiliar mail server.

How to prevent DNS hijacking

  • Secure your accounts — enforce two-factor authentication and strong, unique passwords on your registrar and DNS provider, and limit who has edit access.
  • Enable a registrar lock — a domain lock blocks unauthorized transfers and nameserver changes. ZoneWatcher's domain lock monitor alerts you if the lock state changes.
  • Turn on DNSSEC — signing your zone lets resolvers detect forged answers and defeats most cache-poisoning attacks. The DNSSEC monitor watches for broken or missing signatures.
  • Restrict certificate issuance — a CAA record limits which authorities may issue certificates for your domain.

See DNS security best practices for the full checklist.

How to detect hijacking quickly

Prevention reduces the odds, but no control is perfect — and a hijack that slips through is most dangerous in the window before anyone notices. Continuous monitoring closes that window. ZoneWatcher checks your records and nameservers around the clock and alerts you the instant anything changes, whether it is a malicious edit or an honest mistake. A related risk worth understanding is subdomain takeover, where a forgotten record hands an attacker a subdomain.
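One way to check for the unauthorized record and nameserver changes listed under Warning signs, as an added example that is not ZoneWatcher's code or part of the original page: it parses two `dig +noall +answer` style snapshots and reports every record set that differs, ranking NS and DS changes highest. The function names, severity labels and the sample records for example.com are assumptions constructed for illustration.

```python
from collections import defaultdict

# Severity per record type, following the warning signs and controls above.
SEVERITY = {"NS": "critical", "DS": "critical", "A": "high", "AAAA": "high",
            "CNAME": "high", "MX": "high", "CAA": "high"}
HOSTNAME_RDATA = {"NS", "MX", "CNAME"}  # rdata that is case-insensitive

def parse_answers(text):
    """Parse `dig +noall +answer` style lines into {(name, type): {rdata}}."""
    snap = defaultdict(set)
    for line in text.splitlines():
        parts = line.split(None, 4)  # name, TTL, class, type, rdata
        if len(parts) < 5 or parts[0].startswith(";"):
            continue
        name, _ttl, _cls, rtype, rdata = parts
        rtype, rdata = rtype.upper(), " ".join(rdata.split())
        if rtype in HOSTNAME_RDATA:
            rdata = rdata.lower().rstrip(".")
        # TTL is dropped: it counts down in resolver caches, so it is not a change.
        snap[(name.lower().rstrip("."), rtype)].add(rdata)
    return dict(snap)

def diff_snapshots(baseline, current):
    """Return [(severity, name, type, removed, added)] for every changed RRset."""
    findings = []
    for key in sorted(set(baseline) | set(current)):
        old, new = baseline.get(key, set()), current.get(key, set())
        if old != new:
            findings.append((SEVERITY.get(key[1], "info"), key[0], key[1],
                             sorted(old - new), sorted(new - old)))
    return findings

# Constructed sample data (reserved example names and documentation IP ranges).
BASELINE = """
example.com. 3600 IN NS ns1.dns-provider.example.
example.com. 3600 IN NS ns2.dns-provider.example.
example.com. 300 IN A 192.0.2.10
example.com. 3600 IN MX 10 mail.example.com.
example.com. 3600 IN CAA 0 issue "ca.example"
"""
CURRENT = """
example.com. 3412 IN NS ns1.dns-provider.example.
example.com. 3412 IN NS ns1.unknown-host.example.
example.com. 120 IN A 203.0.113.66
example.com. 3600 IN MX 10 mail.example.com.
"""

if __name__ == "__main__":
    for finding in diff_snapshots(parse_answers(BASELINE), parse_answers(CURRENT)):
        print(*finding)
```

Record sets that legitimately rotate, such as A records served by a CDN, need an allowlist before this comparison is useful for alerting.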
