Community Tip - Best Practices to Address DNS Hijacking

In DNS hijacking, the attacker redirects queries to a different domain name server. This can be done either with malware or with the unauthorized modification of a DNS server. Try the suggestions in this Community Tip for best practices for dealing with DNS hijacking.

Domain Registrar


past tense: hijacked; past participle: hijacked
unlawfully seize (an aircraft, ship, or vehicle) in transit and force it to go to a different destination or use it for one’s own purposes.

  • steal (goods) by seizing them in transit.
  • take over (something) and use it for a different purpose.

You may be familiar with the term hijack and understand the meaning, DNS Hijacking may be a twist you’re unfamiliar with. Wikipedia says DNS hijacking, or DNS redirection, is the practice of subverting the resolution of Domain Name System (DNS) queries. When this happens, your domain has effectively been hijacked. Note, some amount of DNS modification or redirection is normal for some organizations and for ISPs implementing government-level blocking. This tip considers DNS hijacking to be malicious changes to the DNS path between the user and the server but it does also address issues of non-malicious redirection.

Quick Fix Ideas for Malicious Hijacking

  1. Rotate your API key, especially if you believe the key has been compromised.

  2. While browsing, your session is hijacked by your ISP. Check if your privacy is compromised.

  3. Turn on DNSSEC to address redirection due to cache poisoning. DNSSEC ensures the supporting client will get a validated DNS respons to combat cache poisoning. (This is where a malicious actor between the client and the DNS server intercepts the DNS request then responds with a fake response to direct the client to another location.)

  4. Do not point to Cloudflare name servers without having your domain signed up in your account first. When you point to Cloudflare name servers without claiming the site first (or the site is deleted), you are effectively opening up DNS control to whomever signs up the domain first or re-signs the zone on our platform. The fix is to add the zone to your account first and then point it to your Cloudflare assigned name servers.

  5. If you believe your Cloudflare account is compromised and you don’t want to, or are unable to login, email support AT cloudflare DOT com.

  6. It’s best to avoid the issue altogether, enable two-factor authentication for your domain registrar, Cloudflare dashboard, third-party web hosting/cPanel, and all domain-related administrative email accounts.

  7. Consider using or other (encrypted) DNS provider.

Quick Fix Ideas for Non-Malicious Redirection

  1. Verify you are using the correct IP address for your origin server for your DNS records.

  2. Flush your DNS cache and/or check your router to ensure it’s not forcing clients to use it’s DNS.

  3. DNS resolution is not happening properly, check to see if you have any typos in DNS details you shared with your registrar.

  4. You’re seeing errors like DNS_PROBE_FINISHED_NXDOMAIN or ERR_CONNECTION_REFUSED in certain geographic locations. Your ISP or local authorities are blocking access and there is little that Cloudflare can do. (If the local government blocks any particular website but a request reaches Cloudflare, we will not block them.) And note that DNSSEC does not help with government blocks.

Lite Reading

Learning Center DNS Cache Poisoning

Learning Center DNS Security

Community Tutorial

Detecting HTTPS Interception

Background Resources
Help Center
Featured Video

Research The Issue

If You Need More Help
This community of other Cloudflare users may be able to assist you, login to Cloudflare and post your question to the Community. When you post on the Community make sure to include as much of this information as possible: the specific error message you are seeing, the URLs this is happening on, screen shot of the error, and the steps to reproduce the error. Please indicate what troubleshooting steps you’ve tried in order to help us help you.
This is a Cloudflare Community Tip, to review other tips click here.

Çevirme…traduzir…翻译…traducir…Traduire…Übersetzen…:greyg: Translate this Tip

BPHJCT 110719


One of the best ways to minimize your risk is to enable two-factor authentication for your Registrar, Cloudflare, Web hosting/cPanel and all administrative Email accounts.


Thank you @Withheld, added. And thank you @publicarray for suggesting the tip topic and review as long the way.

Tip topic ideas and improvements are always appreciated, thank you!