Wait! We Have a Special Deal!
Get SmartyDNS for $3.74/mo!
Save 53% Now
30-Day Money-Back Guarantee

DNS Hijacking (Everything You Need to Know)

DNS Hijacking

As easier as DNS has made our lives by helping directly resolve connection requests between web-connected devices and websites, it’s not without its flaws. You see, cybercriminals can actually exploit DNS servers and addresses in many ways to get away with your precious data.

In this article, we’ll be focusing on DNS hijacking – what it is, how to test for it, and how to prevent it.

What Is DNS?

DNS stands for Domain Name System, and it’s a naming system that translates IP addresses into website names, effectively making communication between Internet-connected devices and online websites significantly more convenient (basically, you don’t have to type the IP address of a website in your browser to access it).

What Is DNS Hijacking?

DNS hijacking is a method cybercriminals use to interfere with your device’s attempts at resolving an IP address to establish a connection to a URL (website or webpage).

While a legitimate DNS server is attempting to resolve the URL for you, cybercriminals take advantage of the delay to send a fake IP address that actually belongs to them to your device. Sometimes, they outright send the fake addresses directly, without any genuine DNS server being involved.

Here’s How DNS Hijacking Works

Cybercriminals manage to do all of the above by infecting your computer/laptop/mobile device with malware (normally through phishing schemes).

Once the malware is on your device, it replaces the default trusted DNS so that your browser will contact the hackers’ fake DNS server instead of a legitimate one that belongs to ICANN (an organization responsible for registering and managing domains, as well as providing them with IP addresses – among other things) whenever it tries to resolve a URL.

When your device makes contact with the fake DNS server as your browser is resolving a URL, the fake server in question will give your device the wrong IP address. As a result, you’ll be redirected to a malicious/phishing website.

Sometimes, cybercriminals might also hack into your router and change its DNS settings. In rare cases (like the MEW DNS hijack), they might even hack into a DNS server belonging to an ISP, and change the web addresses to have users automatically redirected to a fake website when they look up certain domains.

Whichever the case, one of the following will always happen:

  • The phishing websites will imitate an actual website in an attempt to trick you into revealing sensitive information (like your Social Security Number and credit card information).
  • The website you originally intended to access will be replaced with a website that either mimics it or not, and which is covered in ads that can be malicious – for example, some ads can contain more malware, ransomware, spyware, and/or adware.
  • The website you’re redirected to is made to look like a genuine, well-known online banking platform or payment processor (like PayPal, for instance) that is programmed to scrape any data you enter (essentially logging passwords, account names, and other data).

Whichever the case, the end result is usually the same if you fall for the phishing attempts – your bank accounts get emptied, strange charges start popping up on your credit cards, and you might become a victim of identity theft (even worse, you might have your personal data sold off on the deep web).

Don’t Confuse DNS Hijacking With DNS Poisoning

Because these two types of attacks work somewhat similarly, it’s easy to get them mixed up.

Here’s the main point: unlike DNS hijacking, DNS poisoning targets your DNS Cache, and aims to overwhelm it with fake values whose ultimate goal is to redirect you to malicious or phishing websites.

DNS Hacking

Essentially, while the genuine DNS servers try to resolve the URLs you request, cybercriminals use fake DNS servers to bombard your device with tons of fake IP addresses in an attempt to get it to equate a fake IP address with the URL you requested.

Also, instead of relying on malware to achieve its goals, DNS poisoning uses methods like the following example:

Say you type in paypal.com. Until a genuine DNS server can look up the requested address, your device gets bombarded with multiple resolutions from cybercriminals’ own DNS servers claiming paypal.com can be found at various IP addresses. Even if the genuine DNS server sends the correct resolution to your device, there’s a chance it can get overwhelmed and believe one of the fake IP addresses it received was the correct one.

ISP DNS Hijacking Happens Too, But It’s Different

Of course, just because it isn’t detrimental to your online security, that doesn’t mean ISP DNS hijacking isn’t annoying, and quite intrusive to be honest.

Basically, some ISPs like to hijack users’ DNS traffic in an attempt to make a profit. They can do that since they control the DNS server their users connect to.

Here’s an example – you accidentally type in a website domain that doesn’t exist. Instead of just getting an error page telling you the website doesn’t exist or the domain is for sale, you’re redirected to a different website.

So what’s actually happening?

Well, your ISP likely has an affiliate deal with that website or owns it. By redirecting users there, it makes money off of exposing them to ads.

That’s not all – ISP DNS hijacking can also be used by governments whenever they want to censor online content. Essentially, whenever you try to access a website that’s blacklisted by the authorities, you will be redirected to an “approved” website instead.

It’s not “as bad” as regular DNS hijacking, but it certainly isn’t any better.

How to Diagnose DNS Hijacking

Some common DNS hijacking signs including slow-loading webpages, pop-up ads you’ve never seen before on pages you frequent often, and ads you are used to seeing being modified to contain malicious or indecent content.

However, all that is mostly guesswork, and doesn’t offer a clear answer.

One of the real best ways to diagnose DNS hijacking is to ping a domain that doesn’t exist. If it resolves, there’s a pretty big change your DNS traffic has been hijacked.

You can usually do that through your OS’s Command Prompt/Terminal, but there are online services that help you do that:

Also, there are tools you can use to check if you’re dealing with DNS hijacking or not.

WhoIsMyDNS.com is such an example. If you don’t recognize the DNS displayed (it should belong to your ISP), you might have a problem.

diagnose dns hijacking

Besides all that, you can use F-Secure Router Checker to see if you’re a victim of a DNS hijack. But keep in mind this tool is meant to be used to find out if your router has been exploited through DNS hijacking.

And, of course, a clear sign of ISP DNS hijacking is the fact that you’re redirected to ad-infested websites when you access an non-existing domain, or that you’re redirected from a website your government considers to be “problematic” to an “approved” one.

How to Prevent ISP DNS Hijacking – Use a Smart DNS

While a Smart DNS can’t really help with regular DNS hijacking perpetrated by cybercriminals, it can help you deal with ISP DNS hijacking that can get in the way of the online content you want to access.

If you’re not sure what a Smart DNS is, it’s a service that replaces your ISP-assigned DNS (that contains info revealing your geo-location) with a different DNS address that doesn’t leak your real geographical location. The service also intercepts your connection requests to various websites, and replaces any data in those requests that can leak your geo-location with other info that points to an “approved” geographical location.

Still, you should know that – sometimes – ISP DNS hijacking can actually interfere with your Smart DNS service, making it not work properly. There’s a way to fix that issue, luckily.

You just need to configure the Smart DNS on your router (it has to be a DD-WRT-enabled router that supports IP tables). Once it’s set up or if you already have the Smart DNS configured on your router, you just need to direct DNS requests from port 53 to port 54 to bypass ISP DNS hijacking.

To do that, you have to add the following commands to your IP firewall:

  • iptables -t nat -A PREROUTING -i br0 -p udp –dport 53 -j DNAT –to

In the example above we used the Google Public DNS address ( but you can use a SmartyDNS DNS address, OpenDNS, Cloudflare or any other DNS address you prefer.

In case that solution doesn’t help you prevent ISP DNS hijacking, your best bet is to use a VPN (we discussed it more in-depth below at #5).

How to Prevent DNS Hijacking

According to our research, these are the best things you can do to lower your chances of being exposed to DNS hacking:

1. Avoid Phishing Attempts

A very good way to prevent DNS hijacking is to steer clear of phishing attempts since that’s one of the main ways cybercriminals infect your device(s) with malware.

Avoid Phishing Attempts

Here are some useful tips:

  • Don’t reply to any emails that claim to be from your payment processor or bank which ask you to send over sensitive information (passwords, credit card numbers, Social Security Numbers, etc.). If you’re having doubts, contact your payment processor/bank to see what is happening.
  • Similarly, don’t reply to any unsolicited emails – especially emails asking you for the kind of information we previously mentioned. The best way to deal with these messages is to delete them, and block the email address that sent them if possible.
  • If you receive an email you think is a phishing attempt, Google parts of the email within quotes. If you get any results, it’s likely going to be from other people who were targeted by this phishing attempt complaining about it.
  • Don’t open up any attachments that might be sent to you in an unsolicited or shady email.
  • If the address in the header form of an email seems suspicious, don’t reply to that email, and just delete it.
  • Don’t click on any links that seem shady and which don’t seem official (they are shortened, they start with “http” instead of “https,” etc.).
  • If you’re redirected to a phishing website, leave immediately. If it’s not possible, type in a fake username and password.
  • Don’t interact with any ads that seem malicious (particularly ones you’ve never seen before, and ones that contain pornoghraphic or any similar content).
  • Use anti-phishing add-ons/extensions on your browser if they are supported. Stanford Web Security Research has a nice selection of tools you can use, and we also recommend trying out uMatrix (an extension that prevents scripts from loading on a webpage without your approval).
  • Make sure Two-Factor Authentication is turned on for all your accounts (those that support it, at least).
  • Don’t use unsecured WiFi – such networks can easily be taken over or exploited by cybercriminals.

2. Use Reliable Anti-Virus/Anti-Malware Software

Even if you do your best to avoid malware, it’s always a good idea to use anti-virus/anti-malware software as a backup plan just in case. Plus, some malware might make its way into your device without you even realizing until it’s too late.

Here are some of the best anti-virus/anti-malware software providers on the market:

By the way, you should know that there’s virtually no difference between anti-malware and anti-virus software. Both do the same thing – a virus is, in fact, a self-replicating malware, after all.

3. Keep Your OS and Security Software Up-to-Date

Since malware is released on an almost constant basis (back in 2017, new malware popped up every 4.2 seconds), it’s important to keep up with operating system and security software updates. Why? Because it’s those updates (specifically security updates) that upgrade the OS/security software to ensure it can deal with new threats.

We recommend setting up the OS/security software to update automatically on a regular basis. Alternatively, you should actively check for updates at least once a week or every couple of days.

Oh, and you should keep your router’s firmware updated too since hackers can exploit security weaknesses in routers as well. Speaking of which …

4. Protect Your Router

Since hackers can exploit router security flaws to expose you to DNS hijacking, it’s best to change your router’s default username and password. Note we’re not referring to your WiFi network password, but the password/username that give you access to your router’s administrative settings.

Protect your router

Usually, you just have to type a default IP address (like or, though it can vary so check with the manufacturer) into your browser, and use the password and username that are written on your router to gain access. Once you’re in, replace the username and password.

Make them hard to guess, and either write them down in a notepad or agenda, or use a password manager (like KeePass or LastPass) to keep track of everything (or do both).

Don’t forget – it’s very easy for a hacker to find the manufacturer-issued password and username for your router on the Internet. That’s why it’s so important to change them ASAP.

5. Use a VPN (Virtual Private Network)

A VPN is a service you can use to secure your online traffic on the Internet by encrypting it. Besides that, it can also help you hide your online identity and bypass geo-blocks by masking your real IP address (which can actually help you bypass ISP DNS hijacking).

How does it help you prevent DNS hijacking, though?

Well, here are the main ways:

  • Since a VPN encrypts your traffic, cybercriminals (or your ISP, for that matter) can’t see what you are doing on the Internet (what websites you access, what files you download, what you search for, etc.). A VPN also encrypts your DNS traffic, making it harder for hackers to target you with annoying redirects.
  • VPN providers generally use their own DNS servers which end up replacing your ISP’s DNS servers when you use the service. VPN providers make sure to maintain fast, accurate DNS lookups to prevent the risk of your device being exposed to DNS hijacking attempts.
  • A VPN can be configured on your router to secure its traffic, as well as protect any other device in your home that connects to the Internet through said router. Couple this with the advice we offered above regarding router security, and you’re a lot less likely to become the victim of DNS hacking.

Please keep in mind that a VPN won’t protect you against malware, so it’s paramount you use a VPN alongside reliable anti-malware/anti-virus software for extra protection.

Need a Reliable VPN Service?

We here at SmartyDNS offer high-speed VPN servers with military-grade 256 bit AES encryption and highly-secure VPN protocols (OpenVPN, SoftEther and IKEv2) and we adhere to a strict no-log policy.

Our VPN servers double as proxy servers and we also offer a Smart DNS service that lets you unblock 300+ worldwide geo-restricted websites.

We offer user-friendly VPN apps for Windows, Mac, iPhone/iPad, Android, and Fire TV/Stick and browser extensions for Chrome and Firefox.

Special Deal! Get SmartyDNS for $3.7/mo!

Oh, and we’ll also have your back with our 30-day money-back guarantee.

Save 53% Now


DNS hijacking is a method used by cybercriminals to commit identity theft and harvest/steal sensitive information (like bank account details, login credentials, credit card numbers, etc.). It usually involves infecting your device with malware which then changes your DNS. Alternatively, hackers could exploit security flaws in your router to change its DNS, or they could target ISP DNS servers directly.

The end result is the same – your device and browser are tricked into accessing malicious or phishing websites when trying to connect to legitimate websites instead.

The best way to protect yourself against a DNS hijack attempt is to properly secure your router, avoid phishing websites and emails, use anti-malware/anti-virus software, regularly install security updates, and use a VPN service.

Posted by on

Special Deal!

Get SmartyDNS for $3.7/mo!

Save 53% Now