DNS Hijacking
Severity: high
ID: dns-hijacking
Adversary takes control of DNS resolution to redirect traffic to attacker-controlled infrastructure for credential capture, traffic interception, or malware delivery. Attack surfaces include compromised registrar accounts, unauthorised changes to authoritative records, resolver cache poisoning, and DNS rebinding attacks that abuse browser same-origin assumptions to reach internal services.
STRIDE categories: Spoofing, Tampering, Information Disclosure
MITRE ATT&CK techniques
| ID | Name | Tactic |
|---|---|---|
| T1584.002 | Compromise Infrastructure: DNS Server | Resource Development |
| T1557 | Adversary-in-the-Middle | Credential Access |
| T1071.004 | Application Layer Protocol: DNS | Command and Control |
| T1565.002 | Transmitted Data Manipulation | Impact |
Common Weakness Enumeration
Mitigating controls
- ctrl-dnshijack-1: Enable DNSSEC on authoritative zones and validate responses on resolvers
- ctrl-dnshijack-2: Apply registrar lock and require MFA on domain-registrar and DNS-provider accounts
- ctrl-dnshijack-3: Alert on unauthorised DNS record changes and monitor certificate transparency logs for unexpected issuance
- ctrl-dnshijack-4: Mitigate DNS rebinding by validating Host headers server-side and rejecting RFC 1918 answers from external resolvers
- ctrl-dnshijack-5: Use private DNS zones for internal services and avoid resolving them via public resolvers
- ctrl-dnshijack-6: Pin clients to trusted resolvers using DoH/DoT where feasible
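The two halves of the DNS rebinding control (server-side Host-header validation and rejection of private-range answers coming back from an external resolver) are shown below as an added Python example; it is not code from the page or from any product it references. The service name `wiki.corp.example`, the blocked-network list and the sample resolver answers are constructed for illustration, and the upstream addresses for `cdn.example.net` are assumed public ones.

```python
"""Server-side DNS rebinding mitigations (added example).

1. Host-header allowlisting: a rebinding page runs in the victim's browser
   under the attacker's hostname, so the request that eventually reaches an
   internal service carries a Host header that is not one of the service's
   own names. Rejecting any Host that is not allow-listed breaks the attack
   even after DNS has been rebound to an internal address.
2. Answer filtering: a public name resolving to RFC 1918, loopback,
   link-local or unique-local space is the rebinding primitive itself, so a
   resolver (or a filter in front of it) drops such answers.

All names and addresses here are constructed sample data (assumption).
"""
import ipaddress

# Constructed: the only hostnames this internal service is legitimately served as.
ALLOWED_HOSTS = frozenset({"wiki.corp.example"})

# Address ranges that must never appear in an answer from an external resolver.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8",       # loopback, link-local, "this host"
    "::1/128", "fe80::/10", "fc00::/7", "::/128",       # IPv6 loopback, link-local, ULA, unspecified
)]


def host_is_allowed(raw_host, allowed=ALLOWED_HOSTS):
    """Return True only if the Host header names this service by an allow-listed
    name. Everything else (other domains, IP literals, malformed values) is
    rejected, which is what defeats a rebound request."""
    if not raw_host:
        return False
    host = raw_host.strip().lower()
    if host.startswith("["):            # bracketed IPv6 literal: never an allow-listed name
        return False
    name, _, port = host.partition(":")  # strip an optional :port
    if port and not port.isdigit():
        return False
    return name.rstrip(".") in allowed   # tolerate a trailing dot on the FQDN


def is_private_answer(ip_text):
    """True if a resolver answer points into a blocked range. IPv4-mapped IPv6
    answers (::ffff:10.0.0.1) are unwrapped so they cannot smuggle an RFC 1918
    address past an IPv4-only check; unparsable answers fail closed."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return True
    mapped = getattr(ip, "ipv4_mapped", None)
    if mapped is not None:
        ip = mapped
    # `ip in net` is False (not an error) when the address families differ.
    return any(ip in net for net in BLOCKED_NETWORKS)


def filter_external_answers(answers):
    """Split the A/AAAA answers an external resolver returned into those safe to
    hand to clients and those dropped as rebinding candidates. A record set that
    mixes public and private addresses is itself worth alerting on."""
    kept, dropped = [], []
    for answer in answers:
        (dropped if is_private_answer(answer) else kept).append(answer)
    return kept, dropped


# Constructed sample answers: a benign CDN name and a rebinding-style name that
# interleaves a public address with internal ones behind a short TTL.
SAMPLE_ANSWERS = {
    "cdn.example.net": ["93.184.216.34", "2606:2800:220:1:248:1893:25c8:1946"],
    "rebind.attacker.example": ["93.184.216.34", "10.0.0.5", "::ffff:192.168.1.20", "127.0.0.1"],
}


if __name__ == "__main__":
    for hdr in ("wiki.corp.example", "Wiki.Corp.Example:8443", "rebind.attacker.example", "10.0.0.5"):
        print(f"Host: {hdr!r:32} allowed={host_is_allowed(hdr)}")
    for qname, answers in SAMPLE_ANSWERS.items():
        kept, dropped = filter_external_answers(answers)
        print(f"{qname}: kept={kept} dropped={dropped}")
```

Both checks are independent: the answer filter protects every client behind the resolver, while the Host check protects the service even when a client uses an unfiltered resolver, so deploying one does not make the other redundant.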