## Introduction

DNS hijacking redirects users to malicious servers by corrupting DNS responses. This can lead to credential theft, malware distribution, and data exfiltration.

## Symptoms

- Domain resolves to unexpected IP address
- Browser SSL certificate warnings for known sites
- nslookup returns different IPs from different resolvers
- DNS response time unusually slow
- Unexpected redirects to phishing sites

## Common Causes

- Router DNS settings changed by attacker
- DNS cache poisoning
- Compromised DNS server
- Hosts file modified
- DNS resolver hijacked (ISP-level)

## Step-by-Step Fix

1. **Verify DNS resolution from multiple sources**:

   ```bash
   nslookup example.com 8.8.8.8
   nslookup example.com 1.1.1.1
   nslookup example.com <local-dns>
   # Compare results
   ```

2. **Check local DNS configuration**:

   ```bash
   cat /etc/resolv.conf
   cat /etc/hosts
   # Check router DNS settings
   ```

3. **Enable DNS-over-HTTPS**:

   ```yaml
   # In application or OS settings
   # Use Cloudflare DoH: https://1.1.1.1/dns-query
   # Use Google DoH: https://dns.google/resolve
   ```
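As an added example (not code from the original page), the following Python check automates steps 1 and 2 offline: it parses `nslookup` output from several resolvers, flags any resolver whose answer differs from the majority, and reports `/etc/hosts` entries that pin the domain and so bypass DNS altogether. The resolver transcripts, the local resolver address `192.168.1.1`, the hosts-file content and all IP addresses are constructed samples.

```python
"""Offline check for steps 1 and 2: compare resolver answers and inspect /etc/hosts.

Added example; the transcripts below are constructed, not captured from real hosts.
In practice, feed it the text of `nslookup example.com <resolver>` for each resolver.
"""
import re
from collections import Counter

# Constructed nslookup transcripts: the two public resolvers agree, while the
# local router resolver (192.168.1.1, an assumed address) returns something else.
SAMPLE_OUTPUT = {
    "8.8.8.8": "Server:\t\t8.8.8.8\nAddress:\t8.8.8.8#53\n\n"
               "Non-authoritative answer:\nName:\texample.com\nAddress: 198.51.100.10\n",
    "1.1.1.1": "Server:\t\t1.1.1.1\nAddress:\t1.1.1.1#53\n\n"
               "Non-authoritative answer:\nName:\texample.com\nAddress: 198.51.100.10\n",
    "192.168.1.1": "Server:\t\t192.168.1.1\nAddress:\t192.168.1.1#53\n\n"
                   "Non-authoritative answer:\nName:\texample.com\nAddress: 203.0.113.66\n",
}
# Constructed /etc/hosts content with a pinned entry for the domain.
SAMPLE_HOSTS = "127.0.0.1 localhost\n203.0.113.66 example.com  # constructed\n"

# Matches answer lines only; the header 'Address: 8.8.8.8#53' fails because of '#'.
ANSWER_RE = re.compile(r"^Address:\s*([0-9A-Fa-f.:]+)$")

def parse_nslookup(output: str) -> set:
    """Return the answer-section addresses from one nslookup transcript."""
    return {m.group(1) for line in output.splitlines()
            if (m := ANSWER_RE.match(line.strip()))}

def disagreeing_resolvers(results: dict) -> dict:
    """Resolvers whose answer set differs from the majority (consensus) answer set."""
    if not results:
        return {}
    consensus = Counter(frozenset(a) for a in results.values()).most_common(1)[0][0]
    return {r: a for r, a in results.items() if frozenset(a) != consensus}

def hosts_overrides(hosts_text: str, domain: str) -> set:
    """Addresses that /etc/hosts pins the domain to, bypassing DNS entirely."""
    pinned = set()
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()      # drop trailing comments
        if len(fields) >= 2 and domain in fields[1:]:
            pinned.add(fields[0])
    return pinned

def audit(transcripts: dict, hosts_text: str, domain: str) -> dict:
    """Run both checks; any non-empty value is a finding to investigate."""
    results = {r: parse_nslookup(out) for r, out in transcripts.items()}
    return {"disagreeing": disagreeing_resolvers(results),
            "hosts_pinned": hosts_overrides(hosts_text, domain)}
```

A resolver in `disagreeing` or an address in `hosts_pinned` for a domain you did not pin yourself matches the "different IPs from different resolvers" and "hosts file modified" cases above.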

## Prevention

- Use DNSSEC to validate DNS responses
- Configure DNS-over-HTTPS or DNS-over-TLS
- Monitor DNS resolution for unexpected changes
- Use trusted DNS resolvers (8.8.8.8, 1.1.1.1)
- Regularly audit DNS settings on all infrastructure