What Is DNS Hijacking? How Routers Get Compromised
DNS hijacking is one of the most effective router attacks - it silently redirects all your internet traffic through attacker-controlled servers. Here's exactly how it works and what protects against it.
Last reviewed: March 2026 · ismyroutersafe.com
What is DNS hijacking?
DNS (Domain Name System) is the internet's phone book - it translates domain names (google.com) into IP addresses (142.250.80.46). Every time you visit a website, your device asks a DNS server for the IP address. DNS hijacking occurs when an attacker alters your DNS settings - either on your device or your router - to point your DNS queries to a malicious server they control.
How does DNS hijacking work through your router?
When an attacker compromises your router (through a CVE, default password, or malware), they can change the DNS server your router tells all connected devices to use. Your devices trust your router's DNS settings - so without knowing it, every website lookup goes through the attacker's DNS server. The attacker can then redirect banking websites, email logins, or any other site to fake versions they control.
Invisible to most users: DNS hijacking shows no visible sign of compromise. Your internet appears to work normally. The attacker silently intercepts and redirects specific traffic without you seeing anything wrong.
Signs your router DNS may be hijacked
You are redirected to unexpected pages when browsing normal sites
Your browser shows SSL certificate warnings on sites that should be trusted
Ads appear on sites that don't normally show ads (DNS-level ad injection)
You cannot reach certain websites (DNS blocking)
Your router's DNS settings show an unfamiliar IP address
How to protect against DNS hijacking
Keep router firmware updated - most DNS hijacking exploits use known CVEs that patches fix
Change your router's admin password from the default to a strong, unique password
Disable remote management unless you specifically need it (Admin → Remote Management → Disable)
Use DNS-over-HTTPS (DoH) or DNS-over-TLS (DoT) on your devices - the device then sends its queries encrypted straight to the DoH/DoT resolver instead of to the DNS server the router hands out, so a hijacked router setting is bypassed and the queries can't be read or altered in transit
Set your own DNS server in your router (1.1.1.1 for Cloudflare, 8.8.8.8 for Google) - this doesn't prevent hijacking, but if that field later shows a different address you know something changed it
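The "unfamiliar IP in the DNS field" check above can be automated for the resolvers a router pushes to your device. The script below is an added example written for this article, not a tool from ismyroutersafe.com: it parses resolv.conf-style text, labels each resolver as trusted public, ISP, LAN router or unknown, and flags a domain whose local answer shares no address with a trusted resolver's answer. The ISP network, the sample resolv.conf and the answer sets are constructed placeholders (TEST-NET addresses); substitute your own.

```python
import ipaddress

# Constructed allowlists (assumed): the public resolvers named in the article, plus a
# placeholder network for your ISP's resolvers (TEST-NET-3; replace with your ISP's).
TRUSTED_PUBLIC = {"1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4"}
ISP_RESOLVERS = [ipaddress.ip_network("203.0.113.0/24")]
LAN_RANGES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_resolv_conf(text):
    """Return the nameserver IPs from resolv.conf-style text, i.e. what DHCP handed the device."""
    servers = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments, then tokenize
        if len(fields) >= 2 and fields[0] == "nameserver":
            servers.append(fields[1])
    return servers

def classify_resolver(ip_str):
    """Label a resolver. A LAN address means the router itself is forwarding: check its WAN DNS setting too."""
    ip = ipaddress.ip_address(ip_str)
    if ip_str in TRUSTED_PUBLIC:
        return "trusted-public"
    if any(ip in net for net in ISP_RESOLVERS):
        return "isp"
    if any(ip in net for net in LAN_RANGES):
        return "lan-router"
    return "UNKNOWN"   # the article's warning sign: an address you did not set

def audit_resolvers(resolv_text):
    """Map each configured resolver to its label."""
    return {ip: classify_resolver(ip) for ip in parse_resolv_conf(resolv_text)}

def answers_diverge(system_answers, reference_answers):
    """True when the local resolver's A records for a domain share nothing with a trusted
    resolver's answer. CDNs legitimately return varying IPs, so require zero overlap."""
    return not (set(system_answers) & set(reference_answers))

# Constructed sample: the router pushes itself plus an unfamiliar second resolver.
SAMPLE_RESOLV_CONF = """# constructed sample, not a real capture
search lan
nameserver 192.168.1.1
nameserver 198.51.100.77
"""

if __name__ == "__main__":
    for ip, label in audit_resolvers(SAMPLE_RESOLV_CONF).items():
        print(f"{ip:16} {label}")
    # Constructed answer sets: local resolver vs. a trusted resolver for the same domain.
    print("diverges:", answers_diverge(["198.51.100.20"], ["203.0.113.10", "203.0.113.11"]))
```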
Which routers are most vulnerable to DNS hijacking?
Routers with unpatched CVEs, default passwords still in use, or end-of-life firmware are most vulnerable. Chinese-owned brands (TP-Link, Huawei) have also been implicated in government-level DNS manipulation capabilities. Check your router's security grade at ismyroutersafe.com.
Frequently Asked Questions
How do I check whether my router's DNS has been hijacked?
Log into your router admin panel and check the DNS server settings (usually under WAN Settings or Internet Settings). Your DNS should show either your ISP's DNS (assigned automatically) or a trusted DNS like 1.1.1.1 or 8.8.8.8. An unfamiliar IP address in the DNS field - especially one you didn't set - may indicate DNS hijacking.
Does HTTPS protect me from DNS hijacking?
Partially. HTTPS encrypts the content of your web traffic, and browsers show SSL certificate warnings when a site's certificate doesn't match the domain. A sophisticated DNS hijacking attack with fraudulent SSL certificates (possible if the attacker can obtain a certificate for that domain from an authority your browser trusts) can still intercept HTTPS traffic. HTTPS is important but not a complete defense against DNS hijacking.
What is DNS-over-HTTPS (DoH)?
DNS-over-HTTPS sends DNS queries encrypted over HTTPS instead of in plain text. This prevents ISPs, attackers, or compromised routers from seeing or modifying your DNS queries in transit. Most major browsers (Chrome, Firefox, Edge) support DoH. Enable it in your browser's security settings for improved DNS privacy.
Is DNS hijacking the same as a man-in-the-middle attack?
DNS hijacking is a type of man-in-the-middle (MITM) attack specifically targeting DNS. A MITM attack broadly refers to an attacker positioning themselves between two communicating parties. DNS hijacking achieves this by redirecting traffic at the DNS resolution stage, before the connection to the real site is even established.