DNS acts as the "phone book" of network access: it turns the domain name a user types into the IP address of the server that actually serves the site. For ordinary users, entering the domain name is enough to reach a website, but behind the scenes the query passes through several layers of forwarding and caching (stub resolver, recursive resolver, authoritative servers). When that resolution process goes wrong, the website may become unreachable, redirect to another page, load abnormally slowly, or expose users to security risks. The two most common problems are DNS hijacking and DNS poisoning. Both are DNS anomalies, but they have different causes and manifestations, and website owners and users often confuse them the first time they meet similar symptoms. Understanding the difference is essential for troubleshooting and for picking the right fix.
What is DNS Hijacking?
When a user accesses a website, the browser sends a query to a DNS server. If that query or its answer is intercepted or tampered with, so that the domain name points to an IP address other than the real one, redirecting the user to an advertising page, an ISP notice page, or even a phishing site, the phenomenon is called DNS hijacking. The tampering can happen on the link (a transparent proxy rewriting DNS traffic), at the ISP's own resolver (for example, returning an ad page instead of NXDOMAIN for unknown names), or on the user's side (malware editing the hosts file or resolver settings, or a compromised router handing out a rogue DNS server).
Characteristics of DNS hijacking: hijacking shows up as "forced redirection" and "content replacement". If you open a news website and are suddenly sent to a mobile operator's top-up page, or the page is covered in injected advertisements, the access path has been deliberately modified. The purpose is usually commercial traffic diversion, but a minority of cases are malicious, steering users to malicious websites, which makes hijacking a real problem for both website security and user experience.
What is DNS poisoning?
Compared with hijacking, which targets one user or one link, DNS poisoning (often called "DNS pollution" in Chinese-language material) works at the resolver. Forged resource records end up in a recursive server's cache, either because an attacker's fake answer beat the legitimate one to the resolver or because a network device along the path injects responses, and every client of that resolver then receives the wrong answer until the record's TTL expires. Because each recursive resolver keeps its own cache, the symptom is inconsistency across resolvers and regions: the same domain resolves correctly through one resolver or in one city and returns a wrong address, NXDOMAIN, or SERVFAIL through another. This is seen most often in cross-border access and network-isolated environments. Two non-attack conditions mimic it closely: propagation lag after a zone change (old records still cached at some resolvers) and misconfigured or partially reachable authoritative servers. Neither involves forged records, and both clear by themselves once the old entries age out, so they are the first thing to rule out before concluding that a resolver has been poisoned.
Characteristics of DNS poisoning: it is inconsistent and appears random from the user's point of view. The domain resolves from one network but not another, and on the same network it may work for a while and then stop, because a poisoned entry expires with its TTL and can be planted again on the next lookup.
The Difference Between DNS Hijacking and DNS Poisoning:
On the surface, both hijacking and poisoning can make a website unreachable, but their symptoms differ. Hijacking usually manifests as "reachable, but the wrong content"; poisoning tends to produce "unreachable, or different answers depending on where you ask". If you enter a domain name and a page opens but it is not the page you expected, that is the typical signature of hijacking; if you get NXDOMAIN, SERVFAIL, or an answer that does not match what other resolvers return, especially when the results differ by region, poisoning is the more likely cause. A useful rule of thumb for beginners: if it opens but is wrong, suspect hijacking; if it does not open, or the result depends on where you ask, suspect poisoning. The one caveat is that a poisoned cache can also hand out a wrong IP address that serves a page, so the rule of thumb should always be confirmed with the comparison below.
The simplest way to tell the two apart is to compare answers from several DNS servers. Use `dig` or `nslookup` to query the domain's authoritative name servers directly (find them with a query for the zone's NS records, then ask one of those servers with `dig @ns-hostname domain A +norecurse`) and check whether each resolver's answer matches the authoritative IP address. If your local ISP resolver returns an abnormal address while public resolvers return the correct one, the problem is almost certainly hijacking on your link. If several independent resolvers disagree with each other, some returning the correct answer and some returning failures or a different address, or a globally distributed query tool shows different results by region, poisoning (or, if a recent zone change is involved, propagation lag) is the likely cause. Changing the network environment is another quick test: if access is broken on one Wi-Fi network but works over a mobile hotspot, the local ISP's link is usually where the hijacking happens.
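The comparison described above, written out as an added example that is not part of the original article. It parses the status line and A records from `dig` output, labels each resolver against the authoritative answer, and applies the article's rule of thumb. The domain, resolver names and addresses are assumptions, and the `dig` outputs are constructed samples, not captured traffic; in practice each sample would be the output of `dig A <domain> @<resolver>`.

```python
"""Added example: compare resolvers against the authoritative answer and sort a
discrepancy into 'hijacking on the local link' or 'poisoning / inconsistency'.
All hostnames, addresses and dig outputs below are constructed assumptions."""
import re
from dataclasses import dataclass

# Constructed `dig A www.example-site.test @<resolver>` output, trimmed to the
# header line and answer section that the parser needs.
AUTHORITATIVE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4711
;; ANSWER SECTION:
www.example-site.test.\t300\tIN\tA\t203.0.113.10
"""

# Scenario 1: only the ISP resolver disagrees with the authority (hijacking).
HIJACK_SAMPLES = {
    "isp-resolver": """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; ANSWER SECTION:
www.example-site.test.\t60\tIN\tA\t198.51.100.99
""",
    "8.8.8.8": AUTHORITATIVE,
    "1.1.1.1": AUTHORITATIVE,
}

# Scenario 2: independent resolvers disagree with each other (poisoning or,
# right after a zone change, propagation lag).
POISON_SAMPLES = {
    "resolver-region-a": AUTHORITATIVE,
    "resolver-region-b": ";; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 2\n",
    "8.8.8.8": """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3
;; ANSWER SECTION:
www.example-site.test.\t30\tIN\tA\t192.0.2.77
""",
}

STATUS_RE = re.compile(r"status:\s*([A-Z]+)")
A_RECORD_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+A\s+(\d+\.\d+\.\d+\.\d+)$", re.M)


@dataclass(frozen=True)
class Answer:
    status: str          # NOERROR, NXDOMAIN, SERVFAIL, ...
    addrs: frozenset     # A records in the answer section, empty on failure


def dig_command(domain: str, resolver: str) -> list:
    """Argument list for the query whose output parse_dig() expects."""
    return ["dig", "A", domain, f"@{resolver}"]


def parse_dig(output: str) -> Answer:
    """Extract the RCODE and the A records from raw dig output."""
    match = STATUS_RE.search(output)
    status = match.group(1) if match else "UNKNOWN"
    addrs = frozenset(addr for _, _, addr in A_RECORD_RE.findall(output))
    return Answer(status, addrs)


def classify(authoritative: Answer, observed: dict) -> dict:
    """Label each resolver's answer relative to the authoritative one:
    ok           - same A records as the authoritative server
    wrong-answer - NOERROR but different addresses (rewritten or forged record)
    failure      - NXDOMAIN/SERVFAIL although the zone answers authoritatively
    """
    verdicts = {}
    for name, answer in observed.items():
        if answer.status != "NOERROR":
            verdicts[name] = "failure"
        elif answer.addrs == authoritative.addrs:
            verdicts[name] = "ok"
        else:
            verdicts[name] = "wrong-answer"
    return verdicts


def diagnose(verdicts: dict, local_resolvers: set) -> str:
    """Apply the article's rule: a bad answer confined to the local ISP resolver
    while public resolvers agree with the authority points to hijacking on that
    link; bad answers spread across independent resolvers point to poisoning
    (or propagation lag if a zone change happened within the old TTL)."""
    bad = {name for name, verdict in verdicts.items() if verdict != "ok"}
    if not bad:
        return "consistent"
    if bad <= local_resolvers:
        return "likely-hijacking"
    return "likely-poisoning-or-inconsistency"


if __name__ == "__main__":
    auth = parse_dig(AUTHORITATIVE)
    for label, samples in (("hijack", HIJACK_SAMPLES), ("poison", POISON_SAMPLES)):
        verdicts = classify(auth, {n: parse_dig(o) for n, o in samples.items()})
        print(label, verdicts, "->", diagnose(verdicts, {"isp-resolver"}))
```

To run it against live resolvers, feed the output of `subprocess.run(dig_command(domain, resolver), capture_output=True, text=True).stdout` into `parse_dig()` for each resolver, and obtain `AUTHORITATIVE` from a direct query to one of the zone's NS hosts. The comparison only says that a resolver disagrees with the authority; whether a poisoned entry or a stale cached one is responsible is settled by waiting out the record's TTL.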
Solutions for DNS Hijacking and DNS Poisoning:
Understanding the difference lets you pick a targeted fix. DNS hijacking is usually link-level interference, so changing the resolver is the most direct remedy: switch to a public resolver such as 8.8.8.8 or 1.1.1.1, and use encrypted DNS (DoH or DoT) so that the queries can no longer be read or rewritten on the way to that resolver. Website owners should serve the whole site over HTTPS and enable HSTS: a hijacked answer can still send the browser to the wrong server, but that server cannot present a valid certificate for the domain, so the connection fails instead of silently loading injected ads or a redirect, and HSTS stops the browser from falling back to plain HTTP where injection would succeed. If the hijacking originates from malware or a compromised router, the fix is on the device: clean the system, reset the router's DNS settings, and update or reflash its firmware. If an ISP is injecting content for commercial purposes, file a complaint with the ISP or have the hosting provider intervene.
Fixes for DNS poisoning sit on the server side and in the resolution strategy. Because the damage lives in resolver caches spread across regions, the most direct defence is DNSSEC: sign the zone so that a validating resolver rejects forged records instead of caching them. Keep TTLs moderate so that a poisoned or stale entry ages out quickly (at the cost of more queries to the authoritative servers). Use a DNS provider with authoritative servers in multiple regions, ideally on Anycast, so that each region's resolvers reach a nearby, healthy node and a single bad path does not take the whole domain down; note that Anycast and extra nodes improve availability and reduce exposure but do not by themselves stop forged answers. If poisoning is severe enough that an entire country or region cannot resolve the domain, consider an alternative domain, alternative NS hosts, or a different DNS provider to route around the affected infrastructure.
Important Notes:
For new website owners, the most easily overlooked item is DNS health monitoring. Many DNS problems go unnoticed, leaving the site unreachable for long periods without the owner knowing. Regularly checking resolution from several vantage points, and alerting on resolution latency, disagreement between regions, and cross-regional failures, is the main way to catch both hijacking and poisoning early; many platforms now offer global DNS health checks for exactly this purpose. For individual users, keeping devices clean, avoiding software from unknown sources, and using a trusted resolver are the practical ways to reduce the risk of hijacking.
DNS may look like a simple, fundamental technology, but its effect on website access is outsized. For users, knowing the difference between hijacking and poisoning makes access anomalies quicker to identify; for operators, handling DNS issues correctly prevents widespread outages and keeps the site stable, fast, and secure. The short version: hijacking alters one user's or one network's path to the site, poisoning corrupts the answers a resolver hands to everyone who uses it, and propagation lag merely mimics poisoning until old records expire. The fixes differ accordingly. With the identification techniques above and the appropriate measures, the losses caused by DNS resolution failures can be kept small.