CyberScout

DNS Hijacking: What It Is and Why It's a Threat

DNS hijack
Getty Images

One of the more sophisticated versions of a domain name cyberattack happens when hackers compromise an entire DNS server-- the online “switchboard” provided by major internet service providers and portals to translate domain name requests into corresponding IP addresses. 

While DNS servers are typically more secure and harder to hack than individual devices or networks, their role as a major hub for a core internet service means that they can be leveraged to compromise thousands, if not millions, of devices. 

“That moment when a name is matched to a number is where hackers can intervene,” says CyberScout founder Adam Levin. “There are a number of ways it can happen, but DNS hijacking is when your page request doesn't go to the site you asked for, or it takes a detour through a hacker's computer before it gets there. And the problem here is that there's no obvious way to tell that it's happening.”

A compromised DNS server ultimately provides hackers with complete control over where their targets connect online. They can redirect users, or block them from connecting to key services entirely. It’s this level of control that makes domain names and DNS a favorite avenue of attack for private and government-linked hacking groups alike. 

Threat actors connected to the Iranian government have launched successful DNS hijacking campaigns against public and private sector targets for the last several years; other hacking groups successfully hijacked Google’s DNS servers in 2014.