How to Detect and Prevent DNS Hijacking?

DNS hijacking

DNS monitoring has never been more essential for a number of reasons, especially when DNS attacks cost companies at least 2 million dollars annually.

IT and Network Operations Center (NOC) teams must realize that Domain Name System (DNS) attacks will become commonplace. With a diverse DNS security threat landscape, financial services, telecom, ecommerce companies and government organizations would be most affected due to interruption of business, information and data breaches.

With the growing shift towards a more mobile workforce, few cybersecurity specialists need to be informed that DNS hijacking is a critical issue, one that is paramount to protecting a company’s financial assets and reputation. Companies are spending more than ever to deploy DNS monitoring solutions and to hire or hone the talent necessary for a strong first line of defense. This blog post covers the different types of DNS hijacking attacks, costs and impacts of such attacks, and how companies can detect and prevent potential DNS attacks.

What is a DNS attack?

The Domain Name System (DNS), which provides the address of a web resource, can be attacked by hackers through vulnerabilities such as cache poisoning, denial of service, or DNS flooding and amplification.

Possible DNS attacks

DNS has an important role in how end users in an enterprise connect to the internet. Each connection made to a domain by the client devices is recorded in the DNS logs. Inspecting DNS traffic between client devices and the local recursive resolver could reveal a wealth of information for forensic analysis.

On the forefront, DNS queries can reveal the following:

  • Botnets/Malware connecting to C&C servers
  • Websites visited by employees or agents
  • Malicious and DGA domains accessed
  • Dynamic domains (DynDNS) accessed
  • DDoS attack detection, such as NXDOMAIN, phantom domain, and random subdomain attacks


A familiar pattern always emerges in the post-mortem forensic analysis of DNS attacks. Time and again, our research has pointed us to one of the following forms of DNS hijacking attack:

  • DNS Hijacking
  • Cache Poisoning or DNS Spoofing
  • DNS Tunneling
  • Random Sub-Domain attack
  • NXDOMAIN attack

The costs and impacts of DNS attacks

Business is not possible without DNS in this digital world. As more domain names are created, with an ever-increasing number of devices hooking up to business networks (edge and IoT devices, mobile, remote-working endpoints), actionable data and valuable information are always at stake due to frequent DNS hijacking attempts. As a result, a majority of organizations have fallen victim to DNS-based attacks, so much so that the cost of each attack has averaged approximately 1 million dollars.

Worldwide, DNS hijacking threats are growing in both number and intensity. Consider these figures from IDC research sponsored by EfficientIP.

  • 82% of organizations suffered significant application downtime (cloud & in-house)
  • Websites of 46% of companies were compromised, out of which 43% were retail and ecommerce
  • Sensitive information of 16% of companies was stolen through measured DNS attacks
  • In the case of the financial services industry, the highest cost per DNS-based cyberattack is $1.275M


Many companies duly report thousands of DNS hijacking attacks every year, with targets ranging from trivial internal channels to extremely serious data compromises. However, the significance of a DNS attack cannot always be quantified in terms of the economic value associated with it.

For instance, hackers have already started exploiting the 2020 US Presidential election, as virtual campaigning during the Covid-19 pandemic opens up many endpoints. For a large base of the electorate relying on digital channels, a simple DNS hijacking attack can manipulate essential information or corrupt sources of primary data. Little wonder, then, that cybersecurity, IT and network operations teams must now consider a comprehensive solution for detecting and preventing DNS hijacking attacks.

How to detect DNS threats using SIEM?

A key factor in many cyber breaches followed by a DNS-based attack is that cybersecurity agents fundamentally misunderstand the traffic transacting through DNS logs.

While parsing each DNS log, each domain is assessed against:

  • Malicious domain database (updated on regular basis)
  • Domain Generation Algorithm (DGA)


Any domain that matches either of the above criteria warrants attention, and an alert is generated along with the client that accessed it and the geolocation information of the domain (IP, country). Using behavior analytics, the SIEM tracks the volume of connections to each domain accessed in the enterprise. If the volume of traffic to a specific domain is more than average, alert conditions are triggered. When a domain is accessed for the first time, the following checks are made:

  • Is it a dynamic domain?
  • Is the domain registered recently or expiring soon?
  • Does the domain have a known malicious TLD?
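
The checks described above, sketched over a few resolver log lines as an added example (not code from this post or from any SIEM product). The log format, thresholds, and every domain and list entry are constructed placeholders; the registration-age check is left out because it needs a WHOIS/RDAP lookup.

```python
import math
from collections import Counter
# Constructed sample data: every name below is a placeholder, not a real indicator.
BLOCKLIST = {"c2-panel.example"}
DYNAMIC_SUFFIXES = (".dyn-provider.example",)
SUSPICIOUS_TLDS = {"invalid"}
# Assumed log format: "<timestamp> <client_ip> <query_name>"
SAMPLE_LOG = """\
2024-01-01T10:00:00 10.0.0.5 intranet.corp.example
2024-01-01T10:00:01 10.0.0.7 c2-panel.example
2024-01-01T10:00:02 10.0.0.7 xk4q9zt2vb7hw3mf.example
2024-01-01T10:00:03 10.0.0.9 host1.dyn-provider.example
2024-01-01T10:00:04 10.0.0.9 update.invalid
2024-01-01T10:00:05 10.0.0.9 host1.dyn-provider.example
2024-01-01T10:00:06 10.0.0.9 host1.dyn-provider.example
"""

def entropy(label):
    """Shannon entropy in bits per character of one DNS label."""
    counts = Counter(label)
    return -sum(n / len(label) * math.log2(n / len(label)) for n in counts.values())

def looks_generated(domain, min_len=12, min_entropy=3.5):
    """Crude DGA heuristic (assumed thresholds): long, high-entropy leftmost label."""
    label = domain.split(".")[0]
    return len(label) >= min_len and entropy(label) >= min_entropy

def analyze(log_text, volume_factor=2.0):
    """Return (alerts, per-domain counts); each alert is (client, domain, reason)."""
    alerts, seen, volume = [], set(), Counter()
    for line in log_text.splitlines():
        _ts, client, domain = line.split()
        domain = domain.lower().rstrip(".")
        volume[domain] += 1
        if domain in BLOCKLIST:
            alerts.append((client, domain, "blocklisted"))
        if looks_generated(domain):
            alerts.append((client, domain, "possible-dga"))
        if domain not in seen:  # first-access checks run once per domain
            seen.add(domain)
            if domain.endswith(DYNAMIC_SUFFIXES):
                alerts.append((client, domain, "dynamic-dns"))
            if domain.rsplit(".", 1)[-1] in SUSPICIOUS_TLDS:
                alerts.append((client, domain, "suspicious-tld"))
    mean = sum(volume.values()) / len(volume)  # average queries per domain
    for domain, n in volume.items():
        if n > volume_factor * mean:  # assumed reading of "more than average"
            alerts.append((None, domain, "volume-above-average"))
    return alerts, volume
```

In production the baseline would be computed per time window and per client rather than over a single batch, which is what keeps a busy internal domain from tripping the volume rule.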

How to prevent DNS hijacking attacks?

With the rising number of DNS attacks on companies, what should cybersecurity teams do? Keep calm and carry on? That no longer looks like a choice, at least not after what one consumer insurance company suffered.

One of the remotely working agents in the claims department of a leading health insurance company was steadfastly working on reviews and commits around corporate insurance coverages. In order to stay abreast of the latest news and trends in the health insurance industry, the agent subscribed to and opened an email attachment that appeared to be a legitimate knowledge resource. As per the forensic investigation, the event turned out to be a local DNS hijacking attack through a trojan malware that gave away personnel data and insurers’ personal information.

To prevent DNS hijacking attempts, infosecurity managers can avoid false alarms by looking at actionable data and events for forensic examination. These data points can be derived from DNS security solutions that are designed with a zero-trust approach. An important feature of any advanced threat detection capacity for preventing DNS hijacking attacks is user behavioral analytics powered by ML and AI.

Recommendations to consider

  • Reduce the risk of false positives by analyzing traffic behavior to elevate end-to-end intelligence.
  • Set up a holistic and comprehensive detection and response system to ensure business continuity with purpose-built DNS security layers.


With DNS hijacking attempts mounting in number and sophistication, the threats posing the most damage to businesses must be detected and prevented first. For this to happen, a zero-trust approach must be accompanied by a set of tools and best practices, all consolidated into a holistic detection and response system.


Nitin Bhatnagar