What does DNS hijacking mean? How can I check if my network has been hijacked?
DNS hijacking happens without you noticing anything amiss on your computer. You type the familiar website address into the address bar, press enter, and the page opens normally—but this page might not be where you intended to go. The whole process is silent and more difficult to detect than a virus.
A few years ago, a well-known e-commerce platform encountered this issue during Singles' Day: many users reported that the website was "slow." After a long investigation, the technical team discovered that it wasn't a server problem, but rather that ISPs in some regions were manipulating users' DNS requests. Users' shopping carts and search requests were all redirected to proxy pages with ad plugins. Users thought they were still browsing the official website, but in reality, they were being "intercepted."
I. What exactly is DNS hijacking? In short: deception.
In the simplest terms: DNS hijacking is like someone changing the road signs during your internet browsing process.
Breaking down how DNS works makes this clear. When you browse normally, you type a website address such as www.example.com into your browser. Your computer doesn't understand this string of letters by itself; it needs a "translator", a DNS server, to turn the domain name into an IP address that the network can route to (such as 110.242.68.66) before it can connect to the web server (Baidu's, in this example).
This "translation" process normally works like this: you ask a server, and it honestly tells you the correct answer.
However, DNS hijacking is where someone sabotages this process. Attackers use various methods to direct you to a fake address when you ask for directions. For example, if you want to go to Baidu, you might be directed to a phishing website—the page looks exactly like the real Baidu website, even the URL looks similar, but anything you enter (username, password, verification code) will be directly taken by the attacker.
II. What are the types of DNS hijacking? How do attackers "change the road signs"?
Depending on the attack methods and the location of the attack, DNS hijacking can be roughly divided into the following categories. Understanding these points will help you determine where to start checking if you've been compromised.
**First Type: Local Hijacking—Your Computer Has Been Tampered With**
This is the simplest and most direct method. Attackers use malware or viruses to modify your computer's hosts file directly. This file is like a built-in "notebook" on your computer that records mappings between domain names and IP addresses. Normally it is empty, but if malware adds an entry like "www.example.com 123.45.67.89", then every time you access www.example.com your computer goes straight to that malicious IP address, without ever consulting a DNS server.
Another method is to change the DNS server address in your system settings directly. If you were using 114DNS, for instance, malware might swap it for a DNS server the attacker controls; every translation request then goes through that malicious server, and you get back whatever address it chooses to return.
You're more likely to encounter this type of attack in scenarios such as downloading unofficial cracked software, clicking on unknown links, or logging into online banking on public Wi-Fi without any protection.
The second type: Router hijacking – Your home's gateway has been tampered with
This is more insidious than the first type because your computer itself is fine; the problem lies with the router. Attackers exploit vulnerabilities or weak passwords to log into your router's management interface and change the router's DNS settings to a malicious DNS server.
The consequence is that all devices on your home or office network (phones, computers, tablets, smart TVs) connected to this Wi-Fi network are hijacked. You won't find anything by checking your computer's configuration or hosts file because the problem isn't with your device.
Real-world example: A 2026 security report revealed that the APT28 hacking group attacked routers to modify DHCP/DNS settings, redirecting all traffic to DNS servers they controlled, thereby launching man-in-the-middle attacks to steal OAuth tokens and various credentials.
You are more likely to encounter this type of attack if: your router password is still the factory default admin/admin, your router firmware has never been updated, or you are using a cheap router from an unknown brand.
The third type: Man-in-the-middle hijacking – You're "intercepted" on the road.
This is more sophisticated. The attacker doesn't need to control your computer or your router; instead they manipulate the "path" between you and the DNS server. On public Wi-Fi, for example, an attacker uses ARP spoofing so that all your network traffic passes through their device first: they inspect it, alter what they want, and then pass it along.
You're connecting to public Wi-Fi in a coffee shop, and you enter www.bank.com. The attacker intercepts this request, returns a fake IP address, and leads you to a phishing website—all without your knowledge.
You're more likely to encounter this type of attack in public free Wi-Fi, hotel networks, and airport Wi-Fi—the network security protection in these places is practically zero.
The fourth type: DNS cache poisoning – polluting the "public translator's" memory.
The previous types all target the "person asking for directions" or the "path" itself. DNS cache poisoning, however, directly attacks the "translator"—the recursive DNS server.
Every time you visit a website, the recursive DNS server caches the translation result. The next time someone queries the same domain, it doesn't need to look it up from the root servers again; it answers straight from the cache. Attackers exploit weaknesses in the DNS protocol by sending forged response packets to the recursive server so that the forged answer is cached before the genuine response arrives. From then on, every user of that DNS server is redirected to the malicious address.
The most terrifying aspect of this attack is its scope—if a public DNS server (such as the DNS allocated by a certain ISP to users throughout the province) is compromised, millions of users across the province could be simultaneously hijacked.
Fifth type: Authoritative DNS hijacking—directly attacking the "root"
This is the highest level of hijacking. Attackers don't target ordinary users but directly attack domain registrars or DNS hosting platforms. Once they gain administrative privileges, they directly modify the domain's DNS records.
For example, if an attacker compromises the backend of a domain service provider and changes the NS record of example.com to one they control, then all websites, email services, and subdomains under that domain are compromised. This type of attack typically has an extremely wide impact and is the most difficult to recover from.
III. How Harmful is DNS Hijacking? Don't Ignore It
Many people think, "Being hijacked is just a pop-up ad; you can just close it"—this is a huge misconception.
First Harm: Phishing Websites Stealing Account Passwords
This is the most common use. Attackers hijack the domains of banks, Alipay, WeChat, and cloud storage services to fake websites. These fake websites have interfaces exactly like the real ones. After you enter your account and password, this information is directly sent to the attacker, who then redirects you to the real website—you won't even know the previous step was fake; you'll just think it's a "slow login."
Second Harm: Downloading Infected Software
If your software download site is hijacked, clicking the "download" button won't get you the genuine software you want, but rather a malicious version bundled with Trojans, ransomware, or cryptocurrency mining programs.
Third Harm: Making Money Through Traffic Hijacking
Many hijackings aren't for stealing anything, but for "profiting from loopholes." Attackers insert cashback links, pop-up ads, and promotional codes into your web browsing. Each display or click earns the attacker money from the advertising network. You read a normal news article, but these extra ads on the page mean the attacker's profits go into their pocket, while your browsing experience suffers.
The fourth harm: Data theft by APT attacks
At the enterprise level, DNS hijacking is often part of a more complex attack. For example, a 2026 security report pointed out that an APT group used router hijacking to carry out man-in-the-middle attacks, specifically stealing OAuth tokens and various credentials for subsequent lateral movement.
IV. How to detect if your network has been hijacked? Let's get straight to the point.
Having discussed so many principles and harms, the most crucial question is—how do I know if I've been compromised?
Method 1: Cross-DNS comparison method (most practical and recommended)
This is currently recognized as the simplest and most effective detection method. The principle is simple: use different DNS servers to resolve the same domain name. If the results are different, it's highly likely that your network has been hijacked.
Operation Steps (Windows as an example):
Step 1: Open Command Prompt (cmd) and check your home network's default DNS resolution result:
`nslookup www.example.com`
Note the returned IP address.
Step 2: Check again using a public DNS server. Google's 8.8.8.8 is currently considered a relatively clean public DNS:
`nslookup www.example.com 8.8.8.8`
Step 3: Compare the two IP addresses. If they are identical, you are safe for now. If they differ, and the address from the first query is not within the site's official IP range (Baidu's in this example; you can confirm this by checking Baidu's published IP range), then your DNS request has been tampered with.
This method is very effective in detecting local hijacking, router hijacking, and DNS cache poisoning. Essentially, it uses a "trustworthy translator" (8.8.8.8) to verify whether your home network's "translator" is telling the truth.
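The cross-DNS comparison above, as an added example that is not part of the original article: a small pure-Python resolver that sends the same A-record question to a public resolver (assumed here to be 8.8.8.8, as in the text) and compares the answer with what the operating system's own resolver returns (which reflects the hosts file and the configured DNS server, so it catches local and router-level tampering). Before trusting a reply it also checks that the transaction ID and the question match what was sent, the same check a recursive resolver applies against forged replies. The sample response bytes and the addresses 203.0.113.10 and 198.51.100.7 are constructed for the demonstration; `resolve()` needs network access, the parsing and comparison functions do not.

```python
"""Cross-resolver DNS comparison: ask two resolvers the same question and compare."""
from __future__ import annotations
import secrets
import socket
import struct

# Assumption: the "trustworthy translator" you compare against is Google's 8.8.8.8,
# as in the article; any resolver you trust works here.
PUBLIC_RESOLVER = "8.8.8.8"


def build_query(name: str, txid: int) -> bytes:
    """Build a minimal DNS query: one A-record question, recursion desired."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _read_name(msg: bytes, offset: int) -> tuple[str, int]:
    """Read a (possibly compressed) domain name; return (name, offset after it)."""
    labels, end, jumped = [], offset, False
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer into an earlier name
            if not jumped:
                end = offset + 2
            jumped = True
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            return ".".join(labels), end
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length


def parse_a_records(response: bytes, expected_txid: int, expected_name: str) -> list[str]:
    """Extract the IPv4 answers from a DNS response.

    Before trusting the reply, check that its transaction ID and question match
    what we sent: this is the check a resolver applies, and a forged reply (the
    mechanism behind cache poisoning) that fails it is discarded, not used.
    """
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", response[:12])
    if txid != expected_txid:
        raise ValueError("transaction ID mismatch: reply does not belong to our query")
    if not flags & 0x8000 or qdcount != 1:
        raise ValueError("not a well-formed response to a single question")
    qname, offset = _read_name(response, 12)
    offset += 4  # skip QTYPE and QCLASS
    if qname.lower() != expected_name.rstrip(".").lower():
        raise ValueError("question mismatch: reply answers a different name")
    ips = []
    for _ in range(ancount):
        _, offset = _read_name(response, offset)
        rtype, rclass, _ttl, rdlength = struct.unpack("!HHIH", response[offset:offset + 10])
        offset += 10
        if rtype == 1 and rclass == 1 and rdlength == 4:  # A record, class IN
            ips.append(socket.inet_ntoa(response[offset:offset + 4]))
        offset += rdlength  # CNAME and other record types are skipped
    return ips


def resolve(name: str, server: str, timeout: float = 3.0) -> list[str]:
    """Send one UDP query to `server` and return its A records (needs network access)."""
    txid = secrets.randbelow(1 << 16)  # unpredictable ID, as RFC 5452 recommends
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, txid), (server, 53))
        data, _ = sock.recvfrom(4096)
    return parse_a_records(data, txid, name)


def compare(local_ips, public_ips) -> str:
    """Classify the two answers as in the article's Step 3.

    Any overlap counts as consistent, because CDN-fronted sites hand out rotating
    address sets; only disjoint answers are flagged for a manual check against
    the site operator's published address range.
    """
    local, public = set(local_ips), set(public_ips)
    if not local or not public:
        return "inconclusive"
    return "consistent" if local & public else "mismatch"


# Constructed sample reply (not captured traffic): txid 0x1234, one A record 203.0.113.10.
SAMPLE_TXID = 0x1234
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", SAMPLE_TXID, 0x8180, 1, 1, 0, 0)
    + b"\x03www\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 3600, 4) + socket.inet_aton("203.0.113.10")
)

if __name__ == "__main__":
    site = "www.example.com"
    # The OS resolver honours the hosts file and the configured DNS server, so it
    # reflects local and router-level hijacking; 8.8.8.8 is the second opinion.
    local = socket.gethostbyname_ex(site)[2]
    public = resolve(site, PUBLIC_RESOLVER)
    print(site, "local:", local, "public:", public, "->", compare(local, public))
```

A "mismatch" verdict is a prompt to check the address against the site's published range, not proof on its own; a "consistent" verdict only says both resolvers agree, which is why the article also recommends hardening the router and using a public resolver rather than relying on comparison alone.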
Method 2: Direct IP Address Access
If you suspect a website has been hijacked, try accessing it directly by entering its IP address (if the website supports direct IP access).
How to do it: Use the nslookup command above to find the website's real IP address from public DNS, then enter that IP address directly into your browser. If it opens normally and the page looks the same as usual, the website itself is normal; if the IP address opens but the domain name doesn't or redirects to a strange location, it's almost certainly DNS hijacking.
Method 3: Check the hosts file
This operation is very simple and takes only a minute, suitable for ruling out local hijacking.
Windows: open C:\Windows\System32\drivers\etc\hosts in Notepad. Normally it contains nothing but comment lines starting with #. If you see lines such as 127.0.0.1 www.example.com or 123.45.67.89 www.example.com, the file has been modified.
Mac/Linux Systems: Open the `/etc/hosts` file and check if the rules are normal.
Method Four: Check the DNS Server Address
Confirm that your computer is using a legitimate DNS server.
Windows: Open "Control Panel" → "Network and Sharing Center" → "Change adapter settings" → Right-click the network you are using → "Properties" → Double-click "Internet Protocol Version 4 (TCP/IPv4)" → View the address of "Preferred DNS server".
Mac: "System Preferences" → "Network" → "Advanced" → "DNS" tab.
Normal DNS addresses include: 114DNS, Alibaba DNS, Google DNS, and Cloudflare DNS. If the address displayed here is an unfamiliar IP address, especially from a small ISP or an unknown service provider, be wary.
Method Five: Browser Warnings
If you are using mainstream browsers like Chrome or Edge, when a website you visit is detected to have a certificate problem, the browser will display a large red warning screen. Do not force access—this warning is often the result of DNS hijacking combined with HTTPS certificate forgery.
Method Six: Using Professional Detection Tools
If you find manual operation too cumbersome, you can also use readily available tools.
AdGuard DNS: This tool added a "misplaced domain name protection" function in its April 2026 update, which can automatically detect and block spoofed domain names at the DNS level.
Palo Alto's Advanced DNS Security: An enterprise-grade solution that analyzes DNS responses through machine learning to detect various types of DNS hijacking in real time.
V. How to Prevent DNS Hijacking? Several Habits for Daily Protection
Detection is for discovering problems, but prevention is even more important. The following habits don't take much time but can avoid the vast majority of hijacking attacks.
First, change the default DNS to a public DNS. The DNS assigned by the ISP by default is often the most vulnerable to hijacking; it is recommended to manually change it to a public DNS.
Second, don't be lazy with your router. Change the factory default password (don't use combinations like admin/admin anymore), regularly update the router firmware, and disable the router's remote management function. These three actions can basically eliminate router-level hijacking.
Third, avoid using public Wi-Fi for sensitive operations. Don't enter passwords, transfer funds, or log into admin panels on public Wi-Fi in cafes, airports, and hotels. If you must, use an encrypted tunnel: even if your DNS is hijacked, an encrypted tunnel ensures your requests are not tampered with.
Fourth, website administrators should enable DNSSEC. If you run your own website, you can enable DNSSEC with your domain registrar to add digital signatures to DNS responses, preventing tampering with resolution results.
Fifth, develop a habit of regular checks. Every so often, use the "cross-DNS comparison method" mentioned above to randomly check a few frequently used websites. It takes less than a minute but can detect problems promptly.
The danger of DNS hijacking lies not in its advanced technology, but in the fact that it redirects traffic without the user's knowledge. You see a normal page and enter the correct URL, but every request and every password is being silently watched or tampered with by a "man-in-the-middle."
Fortunately, detection and prevention are not complicated. Cross-DNS comparison, checking hosts, changing public DNS, and hardening the router—doing these things can block more than 90% of common hijacking attacks.