The difference between DNS poisoning and DNS cache hijacking, and corresponding countermeasures.
Time : 2025-11-24 13:46:06
Edit : DNS.COM

  When the DNS path is compromised, the two most common forms of interference are DNS poisoning and DNS cache hijacking. Both manifest as abnormal access, wrong redirects, connection failures, and occasionally even "domain does not exist" messages, but their underlying mechanisms, causes, scope of impact, and handling methods are completely different. Understanding how the two differ helps in quickly locating the problem when a business failure occurs, avoids futile troubleshooting of servers, websites, or network devices, and helps users build a more secure and reliable access environment.

  DNS poisoning typically occurs when a domain name resolution request is tampered with just after leaving the local network, on an upstream ISP link or certain public links. It does not happen on a specific DNS server; rather, a forged response is injected while the request is in transit. The true authoritative DNS never returns these spoofed records, but because the forged data reaches the client first, the browser or application uses the wrong IP address and ends up at a non-existent target or an abnormal page. Because poisoning happens along the transmission path, this type of problem is often regional: different ISPs, different lines, and different exit points may yield different results when resolving the same domain name. Because it occurs on a link beyond the user's control, ordinary users find it difficult to avoid poisoning at the source and can only circumvent it by taking a detour, encrypting the query, or changing DNS.

  DNS cache hijacking, however, is entirely different. It typically occurs on local ISPs, LANs, home routers, carrier DNS nodes, and even some public DNS services with malicious intent. Simply put, DNS cache hijacking means that the DNS server replaces the correct IP address with an incorrect result and caches the erroneous record, returning the wrong address to every query from the same region. Since the DNS resolution process itself relies on caching, an attacker or rogue device only needs to control one DNS server to affect the resolution results of a large number of users. Compared to poisoning, cache hijacking has a more stable and persistent impact: as long as the cache entry has not expired or the problem has not been fixed, every resolution will continue to be abnormal. Symptoms encountered by users typically include being redirected to advertising pages, receiving injected pop-ups, being forcibly redirected to carrier promotional pages, and on some malicious networks even being redirected to phishing addresses.


  The most crucial difference between the two therefore lies in where the interference happens and how it is controlled. DNS poisoning originates at the network link level and is interference in the transmission process: essentially the injection of erroneous data, while the authoritative DNS itself remains normal. DNS cache hijacking, on the other hand, occurs at the resolution node itself; the DNS server returns tampered, erroneous data, and the error persists over time. Poisoning is an upstream, link-level effect that may appear random and vary by region; cache hijacking is consistent and persistent. Users can use this as a starting point to determine the source of the problem: if changing the DNS server immediately resolves the issue, it is likely cache hijacking; if changing the DNS server does not help, but changing the network or using encrypted DNS restores normal operation, it is likely DNS poisoning.

  Once the problem has been categorized, users can choose more practical countermeasures. The most effective way to combat DNS poisoning is to prevent DNS requests from being observed and intercepted in plaintext during transmission. This is why DoH, DoT, and HTTP/3 DNS resolution are becoming increasingly popular. Encrypted DNS queries are transmitted over TLS or HTTPS instead of the traditional plaintext port 53, so an on-path party can no longer inject erroneous records. Users can manually enable a trusted encrypted DNS server on their computers, browsers, routers, and even server systems, such as the encrypted channels offered by Google, Cloudflare, Quad9, and Alibaba DNS. Additionally, in some cases, changing the network exit point or choosing an international line can bypass a compromised regional link.

  If it is DNS cache hijacking, the solution must be applied at the DNS server itself. Ordinary users can simply replace the default DNS provided by their ISP; using globally available public DNS servers such as 8.8.8.8, 1.1.1.1, and 9.9.9.9 is more secure. However, in some LAN environments, malicious DNS hijacking is more commonly planted in routers, which requires manually checking for abnormal settings, including DNS settings pointing to suspicious addresses, traffic-diverting devices, and unknown firmware plugins. For enterprises or server administrators, a better approach is to build their own recursive DNS or deploy a local encrypted DNS, avoiding reliance on ISP DNS servers with a higher risk of tampering. Furthermore, enforcing HTTPS and HSTS and correctly configuring SSL certificates reduces the risk of users landing on malicious sites due to incorrect DNS resolution, because even if the hijack succeeds, a trusted SSL certificate for the domain cannot be forged.

  In production environments, when a business experiences access anomalies, server failures are usually suspected first. However, many apparently unresponsive servers, connection failures, 503 errors, and websites redirecting to the wrong machine are actually caused by DNS anomalies. To reduce access losses due to DNS issues, enterprises typically implement additional preventative measures. These include introducing multi-line DNS resolution into the business architecture, setting up separate authoritative DNS clusters domestically and internationally, using CDNs so that user requests are served at the nearest node whenever possible, and using monitoring platforms to compare DNS resolution consistency across the globe in real time. When necessary, different TTL values in DNS records are tested to limit hijacking and long-term interference. At the same time, business teams need to prepare a backup domain name plan: if the primary domain's resolution is poisoned and the site becomes inaccessible, the backup domain can be switched in quickly to keep the service available to users.
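The rule of thumb given earlier (compare what the default resolver, a public resolver and an encrypted channel each answer) and the resolution-consistency monitoring described here can be scripted. The following is an added example and not code from the DNS.COM article: it sends a plaintext A query to a chosen resolver on UDP port 53, parses the answer section, and classifies the results against a reference answer obtained separately over DoH/DoT (passed in as a set of addresses). The resolver and answer addresses used in the comments and tests are constructed documentation values, not real infrastructure.

```python
import random
import socket
import struct
def build_query(name, qid):
    """Minimal DNS A query (RD set), as it travels in plaintext on UDP port 53."""
    labels = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split("."))
    return struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0) + labels + b"\x00\x00\x01\x00\x01"

def skip_name(resp, pos):
    while resp[pos] != 0:                 # walk labels until the terminator...
        if resp[pos] >= 0xC0:             # ...or a 2-byte compression pointer
            return pos + 2
        pos += resp[pos] + 1
    return pos + 1

def parse_a_records(resp):
    """Return the set of IPv4 addresses in the answer section of a response."""
    _, _, qd, an, _, _ = struct.unpack(">HHHHHH", resp[:12])
    pos = 12
    for _ in range(qd):
        pos = skip_name(resp, pos) + 4    # skip QTYPE and QCLASS
    ips = set()
    for _ in range(an):
        pos = skip_name(resp, pos)
        rtype, _, _, rdlen = struct.unpack(">HHIH", resp[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:     # TYPE A with 4-byte RDATA
            ips.add(socket.inet_ntoa(resp[pos:pos + 4]))
        pos += rdlen
    return ips

def query_a(name, resolver, timeout=2.0):
    """Ask one resolver over plaintext UDP/53 and return its A answers."""
    qid = random.randrange(65536)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qid), (resolver, 53))
        resp, _ = s.recvfrom(4096)
    if struct.unpack(">H", resp[:2])[0] != qid:   # reply must carry our transaction id
        raise ValueError("transaction id mismatch")
    return parse_a_records(resp)

def classify(plaintext_answers, encrypted_answer):
    """Article's rule of thumb: {resolver: set(ips)} from port 53 vs the DoH/DoT answer."""
    bad = sorted(r for r, ips in plaintext_answers.items() if ips != encrypted_answer)
    if not bad:
        return "consistent"
    if len(bad) == len(plaintext_answers):
        return "poisoning suspected: every plaintext path disagrees with the encrypted answer"
    return "cache hijacking suspected on: " + ", ".join(bad)
```

A typical run collects `query_a(domain, r)` for the ISP resolver and one or two public resolvers, obtains the encrypted reference with any DoH/DoT client, and feeds both to `classify`; only the default resolver disagreeing points at that resolver's cache, while every plaintext path disagreeing points at the link.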

  Overall, both DNS poisoning and DNS cache hijacking cause users to receive incorrect results when accessing a target website, but they differ significantly in cause, scope of impact, and handling. DNS poisoning originates from injection on the link; it is externally driven and difficult for users to control directly, so users can only rely on encrypted DNS or on bypassing the affected path through another network. Cache hijacking, on the other hand, occurs directly on the DNS server side and can usually be eradicated by changing DNS servers, checking routers, or configuring a self-built DNS service. Correctly identifying the source of the problem significantly improves troubleshooting efficiency, makes network management smoother, and reduces the chance of misdiagnosing the problem as a website failure.

  As network security threats grow more diverse, DNS security is no longer optional but a crucial component of business stability. Both individual users and businesses should avoid using DNS nodes of unknown origin and refrain from installing browser extensions, router plugins, or proxy tools from unknown sources, which may silently rewrite DNS configuration in the background. Meanwhile, more and more platforms are promoting encrypted DNS, multi-node recursive resolution, and intelligent acceleration technologies, making DNS resolution not only faster but also more secure. With the widespread adoption of IPv6 and the development of the QUIC protocol, encrypted DNS will become the default standard, and the room for DNS poisoning and cache hijacking will continue to shrink. Until then, however, users still need to be able to recognize and handle these problems themselves.

  By fully understanding the fundamental differences between DNS poisoning and DNS cache hijacking, and mastering appropriate countermeasures, users can significantly reduce the probability of their access being interfered with. Regardless of how the network environment changes in the future, security and stability will always be the foundation of internet services. And as the first link in the entire access chain, the security of DNS always deserves attention and effort.
