For any website operating on the internet, proper DNS resolution is crucial. Whether a website is deployed on a cloud server, dedicated server, or shared hosting, if DNS resolution fails, users will be unable to access your legitimate pages. Once DNS is hijacked, users accessing your domain will be redirected to incorrect websites—potentially advertising pages, illegal redirects, malicious downloads, or even phishing scams. This not only damages brand image but can also lead to user data breaches, business losses, and search engine penalties. Therefore, when a website experiences DNS hijacking, it's essential to quickly identify the cause and implement the most effective solution to prevent the problem from escalating.
Before dealing with DNS hijacking, you need to understand the forms it can take. The most common is hijacking by the local ISP, where users' DNS requests are intercepted and answered with incorrect IPs. Another possibility is malicious tampering with the domain's resolution records by a third party, which redirects all users on the internet to the wrong address. Yet another scenario is that the authoritative DNS server used by the domain itself is attacked or altered, causing resolution anomalies worldwide. To avoid misjudgment, test DNS resolution in several ways before starting any remediation, such as nslookup, dig, third-party DNS monitoring platforms, or global Ping tools, across multiple countries and network environments. A simple nslookup query against a public resolver can show whether resolution is anomalous:
nslookup yourdomain.com 8.8.8.8
nslookup yourdomain.com 1.1.1.1
If several independent public resolvers (such as the two queried above) return the correct server IP but users still land on redirected pages, the cause is most likely ISP-level hijacking or a local network issue. If the public resolvers themselves return an incorrect IP, the domain's resolution records have been tampered with, and you should immediately investigate with your DNS service provider.
To quickly mitigate the impact of hijacking, it is recommended to first check your domain's DNS service provider's console for abnormal resolution records, such as replaced A records, maliciously modified NS records, manually reduced TTL, or CNAME records redirecting to unfamiliar domains. If you find that resolution records have been altered by unauthorized personnel, you should immediately restore the correct records, change your DNS platform account password, enable two-factor authentication, and enable login alerts. To prevent further attacks, you should also check if your domain registrar's backend has enabled domain protection features, such as locking NS records, prohibiting unauthorized domain transfers, and activating advanced protection measures like Registry Lock.
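The console check described above is easier to do reliably against a saved known-good snapshot of the zone. The following added example (not code from the original article) compares a baseline record set with the current one and flags exactly the anomalies listed: a replaced A record, a changed NS set, a lowered TTL, and a CNAME pointing at a domain you do not recognise. The record sets, IP addresses and domain names are constructed for illustration; the trusted CNAME suffixes are an assumption you would replace with your own CDN and zone names.

```python
"""Diff a domain's current DNS records against a known-good baseline and report the
kinds of tampering a DNS console check looks for. Added example; all record values
below are constructed and do not describe any real zone."""

# A record set maps record type -> (ttl, list of values).

# Constructed known-good baseline, as exported from the DNS console right after
# confirming the zone was correct.
BASELINE = {
    "A": (3600, ["203.0.113.10"]),
    "NS": (86400, ["ns1.example-dns.net.", "ns2.example-dns.net."]),
}

# Constructed snapshot of what the zone looks like now.
CURRENT = {
    "A": (60, ["198.51.100.77"]),
    "NS": (86400, ["ns1.example-dns.net.", "ns2.example-dns.net."]),
    "CNAME": (300, ["cdn.unknown-tracker.example."]),
}

# Assumed list of domains you legitimately point CNAMEs at (your own zone, your CDN).
TRUSTED_CNAME_SUFFIXES = (".yourdomain.com.", ".trusted-cdn.example.")


def diff_records(baseline, current, trusted_suffixes=TRUSTED_CNAME_SUFFIXES):
    """Return a list of human-readable findings; an empty list means no anomaly."""
    findings = []
    for rtype, (base_ttl, base_vals) in baseline.items():
        if rtype not in current:
            findings.append(f"{rtype} record missing (baseline had {base_vals})")
            continue
        cur_ttl, cur_vals = current[rtype]
        # Replaced A / NS values: the classic "records rewritten" symptom.
        if sorted(cur_vals) != sorted(base_vals):
            findings.append(f"{rtype} replaced: {base_vals} -> {cur_vals}")
        # A TTL lowered without a change ticket often precedes a record swap.
        if cur_ttl < base_ttl:
            findings.append(f"{rtype} TTL lowered: {base_ttl} -> {cur_ttl}")
    for rtype, (_, cur_vals) in current.items():
        if rtype not in baseline:
            findings.append(f"unexpected {rtype} record added: {cur_vals}")
        if rtype == "CNAME":
            for target in cur_vals:
                if not target.lower().endswith(trusted_suffixes):
                    findings.append(f"CNAME points to unfamiliar domain: {target}")
    return findings


if __name__ == "__main__":
    for finding in diff_records(BASELINE, CURRENT):
        print("ALERT:", finding)
```

Run it periodically (or on every change notification from your provider) and treat any non-empty result as a reason to restore the records and rotate the DNS account credentials, as the paragraph above recommends.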
When you confirm that the DNS resolution itself has not been tampered with, but most users still land on fake pages, this usually indicates ISP-level DNS hijacking. This type of hijacking typically occurs in environments such as public Wi-Fi, high-speed rail, hotel networks, and campus networks: after a user requests the domain name, the user is forcibly redirected to an advertising page, or even has malicious scripts injected into the browser. The most effective countermeasure is to enable HTTPS and HSTS, forcing the browser to talk to the origin server over an encrypted connection that a hijacker cannot complete without a valid certificate for your domain. You can force all plain-HTTP access to redirect to HTTPS with the following Nginx configuration:
server {
    listen 80;
    server_name yourdomain.com;
    return 301 https://yourdomain.com$request_uri;
}
Adding HSTS to the HTTPS configuration can further reduce the possibility of hijacking.
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
When a website enables HTTPS, even if the DNS is hijacked, users will see a certificate warning in their browser, preventing them from directly accessing a fake page and significantly reducing the risk of damage.
Besides HTTPS, using a trusted global DNS provider is also a core measure against DNS hijacking. Many smaller DNS providers have inadequate security infrastructure, which makes their DNS servers easier to attack or hijack. It is therefore recommended to use a DNS platform with a global Anycast network and industry security certifications. Such platforms not only offer high stability but also provide DDoS protection, DNSSEC, and intelligent routing, which effectively reduce the risk of hijacking. After upgrading your DNS provider, you also need to enable DNSSEC, which lets validating resolvers (and, through them, the browsers that rely on them) verify the integrity of DNS data during resolution. If someone tampers with the resolution results en route, validation fails and the malicious redirect is not delivered.
Many websites overlook the role of CDNs after experiencing DNS hijacking. In fact, connecting a website to a CDN not only improves speed but also effectively hides the origin server's IP address, making it difficult for attackers to locate the real server. When DNS is configured with a CNAME record provided by a CDN platform, user requests will first reach the CDN node before returning to the origin server. Simultaneously, the CDN provides security verification and resolution protection, further reducing the probability of DNS resolution being tampered with by attackers. CDN can also work in conjunction with WAF, web security policies, anti-crawler measures, and anomaly analysis to block malicious traffic, making it more difficult for attackers to hijack or inject malicious data.
During the investigation and handling of DNS hijacking, security checks on the server and website itself should be performed simultaneously. Some DNS hijacking incidents are actually malicious redirects resulting from website or server intrusion, such as the injection of iframes, JS redirect code, or 301 redirects. When a server or website is attacked, attackers can directly add redirect scripts to website files, making the DNS appear normal, but users are still redirected to advertising pages. Therefore, it is necessary to use file verification tools, website security scanning tools, or manually review the source code to check for suspicious content. You can use the following command to search for files containing malicious JS:
grep -R "window.location" /var/www/html/
If abnormal code is found, files should be cleaned up immediately and security vulnerabilities patched.
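The single grep above only catches one redirect idiom. The following added example (not from the original article) walks a web root and reports the injection markers the paragraph names: JavaScript location redirects, hidden iframes, meta-refresh redirects, and obfuscated eval/atob payloads. The sample web root it builds in a temporary directory, including the injected footer file, is constructed for illustration; the pattern list is a starting point, not an exhaustive signature set.

```python
"""Scan a web root for injected redirect and iframe code. Added example, not code from
the original article; the sample files and the pattern list are constructed."""

import os
import re
import tempfile

# Detection signatures for the injection types discussed in the text.
SUSPICIOUS_PATTERNS = {
    "js_redirect": re.compile(r"(window|document|top)\.location(\.href)?\s*=", re.I),
    "iframe": re.compile(r"<iframe[^>]*\bsrc\s*=", re.I),
    "meta_refresh": re.compile(r'<meta[^>]+http-equiv\s*=\s*["\']?refresh', re.I),
    "obfuscated_eval": re.compile(r"eval\s*\(\s*(atob|unescape)\s*\(", re.I),
}

# Only text-bearing web files are inspected; binaries such as images are skipped.
SCAN_EXTENSIONS = (".html", ".htm", ".php", ".js")


def scan_file(path):
    """Return [(pattern_name, line_number), ...] for every suspicious line in a file."""
    hits = []
    with open(path, "r", encoding="utf-8", errors="ignore") as fh:
        for lineno, line in enumerate(fh, 1):
            for name, pattern in SUSPICIOUS_PATTERNS.items():
                if pattern.search(line):
                    hits.append((name, lineno))
    return hits


def scan_webroot(root):
    """Return {relative_path: hits} for every file with at least one hit."""
    report = {}
    for dirpath, _, filenames in os.walk(root):
        for fname in filenames:
            if not fname.lower().endswith(SCAN_EXTENSIONS):
                continue
            path = os.path.join(dirpath, fname)
            hits = scan_file(path)
            if hits:
                report[os.path.relpath(path, root)] = hits
    return report


def build_sample_webroot():
    """Create a constructed web root: one clean page, one injected PHP footer, one image."""
    root = tempfile.mkdtemp(prefix="webroot_")
    with open(os.path.join(root, "index.html"), "w") as fh:
        fh.write("<html><body><h1>Welcome</h1><script src='/app.js'></script></body></html>\n")
    os.makedirs(os.path.join(root, "wp-content"))
    with open(os.path.join(root, "wp-content", "footer.php"), "w") as fh:
        fh.write("<?php echo 'footer'; ?>\n")
        fh.write('<iframe src="http://ads.invalid/x" style="display:none"></iframe>\n')
        fh.write("<script>window.location.href='http://ads.invalid/';</script>\n")
    with open(os.path.join(root, "logo.png"), "wb") as fh:
        fh.write(b"\x89PNG not scanned\n")
    return root


if __name__ == "__main__":
    for path, hits in scan_webroot(build_sample_webroot()).items():
        print(path, hits)
```

Point `scan_webroot` at the real document root (for example `/var/www/html`) and review each hit by hand; legitimate code does use `window.location`, so the report is a triage list, not a verdict. Comparing the hit list against a file-integrity baseline taken when the site was known clean removes most of the noise.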
To ensure the website is no longer vulnerable to DNS hijacking in the long term, a continuous monitoring mechanism should be established, including tools for DNS resolution monitoring, global access monitoring, ICP filing zone monitoring, and log behavior monitoring. This will allow for immediate notification and action in case of abnormal resolution, sudden redirects, or abnormal drops in traffic. You can use multi-location detection tools to automatically monitor whether the domain name is being abnormally resolved, checking DNS return values from multiple regions globally every minute. If a resolution does not match expectations, an alert will be triggered immediately.
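The multi-location monitoring described here, and the nslookup diagnosis earlier in the article, both come down to the same check: collect answers from several resolvers, compare them with the IP addresses you expect, and decide whether every resolver is wrong (records tampered with), only some are (a local or ISP-level hijack, or a propagation gap), or none are. The following added example (not part of the original article) parses nslookup transcripts in the format the `nslookup yourdomain.com 8.8.8.8` command prints and applies that decision rule. The three transcripts, the expected IP and the "isp-resolver" vantage point are constructed; `run_nslookup` is a small helper that shells out to the real nslookup binary and is only needed when you wire this up to live queries.

```python
"""Parse nslookup output from several resolvers and classify a domain's resolution
state. Added example; the transcripts and addresses below are constructed."""

import re
import subprocess

EXPECTED_IPS = {"203.0.113.10"}  # constructed: the origin IP you expect

# Constructed nslookup transcripts, one per vantage point. The first "Address:" line
# (ending in "#53") is the resolver itself and must not be treated as an answer.
SAMPLE_OUTPUTS = {
    "8.8.8.8": "Server:\t\t8.8.8.8\nAddress:\t8.8.8.8#53\n\n"
               "Non-authoritative answer:\nName:\tyourdomain.com\nAddress: 203.0.113.10\n",
    "1.1.1.1": "Server:\t\t1.1.1.1\nAddress:\t1.1.1.1#53\n\n"
               "Non-authoritative answer:\nName:\tyourdomain.com\nAddress: 203.0.113.10\n",
    "isp-resolver": "Server:\t\t10.0.0.1\nAddress:\t10.0.0.1#53\n\n"
                    "Non-authoritative answer:\nName:\tyourdomain.com\nAddress: 198.51.100.77\n",
}

# Matches answer lines only: the resolver's own "Address: x.x.x.x#53" line has a
# trailing "#53" and therefore does not match.
ANSWER_RE = re.compile(r"^Address:\s*([0-9a-fA-F.:]+)\s*$", re.M)


def parse_nslookup(text):
    """Return the set of answer IPs in an nslookup transcript."""
    return set(ANSWER_RE.findall(text))


def classify(answers_by_resolver, expected):
    """Apply the diagnosis rule from the article.

    Returns (verdict, wrong_resolvers) where verdict is one of:
      "consistent"       every resolver returned only expected IPs
      "records-tampered" every resolver returned something unexpected
      "partial-hijack"   some resolvers are wrong (ISP/local hijack or propagation)
    """
    wrong = sorted(
        name for name, ips in answers_by_resolver.items()
        if not ips or not ips <= expected
    )
    if not wrong:
        return "consistent", []
    if len(wrong) == len(answers_by_resolver):
        return "records-tampered", wrong
    return "partial-hijack", wrong


def check_domain(outputs_by_resolver, expected=EXPECTED_IPS):
    """Parse each transcript and classify the overall state."""
    answers = {name: parse_nslookup(text) for name, text in outputs_by_resolver.items()}
    return classify(answers, expected)


def run_nslookup(domain, resolver, timeout=10):
    """Helper for live use: capture real nslookup output for one resolver (not used offline)."""
    result = subprocess.run(["nslookup", domain, resolver],
                            capture_output=True, text=True, timeout=timeout)
    return result.stdout


if __name__ == "__main__":
    verdict, wrong = check_domain(SAMPLE_OUTPUTS)
    print(verdict, wrong)  # partial-hijack ['isp-resolver']
```

For a monitor, run `run_nslookup` against your chosen resolver list on a schedule from several regions, feed the transcripts to `check_domain`, and alert on anything other than "consistent"; a "records-tampered" verdict is the signal to go straight to the provider console check described earlier.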
In summary, DNS hijacking is not an unavoidable disaster. By promptly detecting problems, locating the cause, and taking effective measures, losses can be minimized. From a long-term perspective, using HTTPS, HSTS, DNSSEC, authoritative DNS service providers, CDN, and server security hardening can reduce the probability of DNS hijacking to a minimum. For businesses, DNS security is not only a technical issue but also a guarantee of business continuity; for individual website operators, DNS is the gateway to traffic and brand reputation. Only by incorporating DNS security into the overall protection system can we truly ensure the long-term stable operation of a website in a complex and ever-changing network environment.