Guide

DNS hijacking detection

Suggest Edits

DNS hijacking is an attack method where a threat actor manipulates the domain resolution process to redirect traffic, block access, and more. To achieve this, an attacker often tampers with a public name server or sets up a malicious recursive name server to return an incorrect value for a domain.

DNS hijacking detection scans for the following:

  • Domains that resolve to answers different from the ones defined in the authoritative zone record.
  • Domains that resolve to a nonexistent domain (NXDOMAIN).

You can enable DNS hijacking detection for up to five zones.

Enable DNS hijacking detection

Complete this procedure to enable DNS hijacking detection.

To enable DNS hijacking detection:

  1. In Control Center, go to > DNS SOLUTIONS > Edge DNS. The Zone list appears.
  2. Click Security analytics at the top of the page.
  3. Go to the zone where you want to enable DNS hijacking detection. If you need to filter the list of zones, see Filter list of zones.
  4. In the Actions menu, select Settings.
  5. In the zone settings window, go to the DNS Hijacking tab.
  6. Select a domain to monitor for DNS hijacking. You can select domains that are an A record type only.
  7. Enable the DNS Hijacking toggle.

    📘

    This toggle is disabled if the zone does not contain an A record or if the account has reached the limit of zones for this feature. Currently, AKAMAITLC and AKAMAICDN zones are not supported with this feature.

  8. Click Confirm.

View and download list of hijacked domains

You can view a list of hijacked domains and download a CSV that contains these domains.

Before you begin:

Make sure you enable DNS hijacking. See Enable DNS hijacking detection.

To view and download a list of hijacked domains:

  1. In Control Center, go to > DNS SOLUTIONS > Edge DNS.
  2. Click Security analytics. A list of zones appears in a table.
  3. If you need to filter the list of zones, see Filter list of zones. You can also sort the DNS Hijacking Detection column of the table to show zones where DNS hijacking detection is enabled.
  4. If hijacked domains were detected, click View in the DNS Hijacking detection column of the table. This View button is not available if no hijacked domains were detected in the zone.
    A window appears with hijacked domains.
  5. Click the download icon to download a CSV that contains hijacked domains with their corresponding name server IP addresses and origin.

Updated 11 days ago