How to Tell If Your DNS Is Being Hijacked or Redirected
There are few things more unsettling online than trying to visit a website and ending up somewhere else entirely. If you suspect something fishy is going on, you might be right. This guide will help you calmly investigate whether your computer or router has been compromised.
Don't immediately assume you are the victim of a sophisticated attack. There are many reasons why a website might not load, or load incorrectly.
What is DNS and DNS Hijacking?
The 'Domain Name System' (or DNS) is like the internet's phone book. When you type a website address like 'google.com' into your browser, DNS translates that into a special numerical address (an 'IP address') that computers use to find each other.
'DNS hijacking' is when a criminal changes those phone book entries so that 'google.com' (or any other website) actually sends you to their fake website instead. They might do this to show you unwanted ads, or to trick you into giving them your usernames and passwords.
Signs Your DNS Might Be Compromised
The clearest sign of DNS hijacking is when you try to visit a specific website, and either end up on a completely different site, or a strange version of the one you wanted. But be careful: sometimes websites change their addresses, or parts of a website might be broken.
- You type in a familiar website address, but land on an unknown page, a search engine you don't recognise, or a website full of unexpected ads.
- Websites you visit often suddenly look different, or parts of them don't work the way they should.
- You can't get to websites you *know* are online, even though other people can.
- You're seeing a lot more pop-up ads than usual, even on sites that don't normally have them.
Check Your Computer's DNS Settings
Your computer automatically gets its DNS settings, usually from your internet router. But malicious software might change these settings directly on your computer to hijack your browsing.
It's a good idea to check these settings to ensure they haven't been tampered with. If anything looks unusual, like an IP address you don't recognise, write it down and then change it to Google's public DNS servers (8.8.8.8 and 8.8.4.4) — these are safe and reliable.
- On Windows: Go to 'Start > Settings > Network & Internet > Ethernet' (or Wi-Fi, depending on how you connect). Click on 'Change adapter options', then right-click your active connection, choose 'Properties', and select 'Internet Protocol Version 4 (TCP/IPv4)'. Click 'Properties' again and check the DNS server entries.
- On Mac: Go to 'System Settings > Network'. Select your active connection (Wi-Fi or Ethernet), click 'Details', then 'DNS'.
- Look for any unfamiliar or suspicious-looking numerical addresses in the DNS server fields.
Check Your Router's DNS Settings
Your internet router is usually the first place your devices look for DNS information. If a criminal has accessed your router, they could change its DNS settings so that *all* devices connected to it are redirected. This is a common and effective way for attackers to hijack DNS.
Accessing your router's settings usually involves typing a special address into your web browser, often found on a sticker on the router itself. Once logged in, look for a 'DNS' or 'Network' section.
- Find your router's IP address (often 192.168.1.1 or 192.168.0.1) and log in using the administrator username and password (change this if you haven't already!).
- Navigate to the 'DNS' or 'Network' settings within your router's administration panel.
- Look for any DNS server addresses that seem out of place. If in doubt, change them to Google's public DNS servers (8.8.8.8 and 8.8.4.4).
- While you're there, change your router's administration password to a strong, unique one if you haven't already. This is a crucial step to prevent future compromises.
Use an Online DNS Leak Test
Another way to check if your DNS is behaving correctly is to use an online DNS leak test. These tools can show you which DNS servers your computer is currently using to access the internet. If you see unexpected servers, it could be a sign of a problem.
- Visit a reputable DNS leak test website (you can search for 'DNS leak test' in your preferred search engine).
- Run the test and compare the DNS servers listed with the ones you expect to be using (e.g., your internet provider's, or Google's if you set them up manually).
- If the test shows DNS servers from an unknown or suspicious location, it's a strong indicator that your DNS might be hijacked.
Key takeaway
If you've found unexpected DNS settings on your computer or router, or an online test shows something odd, it’s a good idea to reset them to a trusted source like Google's public DNS. Then, change your router password and run a thorough scan for malware on your computer to ensure everything is clean and secure.