June 4, 2026

PBX Science

VoIP & PBX, Networking, DIY, Computers.

The Internet’s Hidden Fault Lines: Domain Hijacking & DNS Poisoning

DNS Hijacking & DNS Poisoning: Attack Chains and Defense
Cybersecurity Report May 21, 2026

From APT28’s global router campaign to the CoW Swap crypto heist, attackers have weaponized the Domain Name System at unprecedented scale. This report dissects the technical attack chains, corrects circulating inaccuracies, and provides a verified defense guide.

Editorial Note & Corrections

Several details in early circulating versions of this topic required correction. The joint APT28 disclosure on April 7–8, 2026, was issued by the U.S. DOJ, FBI, UK NCSC, Microsoft, and Lumen Technologies — not solely Microsoft. The CoW Swap domain hijack occurred on April 14, 2026, involved social engineering of Finland’s Traficom registry directly, and caused approximately $1.2M in losses. The Hazy Hawk group was first detected in February 2025, not June 2025. The BIND9 cache-poisoning vulnerabilities were disclosed by ISC in October 2025 (not at a Usenix conference in 2026). The “Apifox” incident was a supply-chain attack on a CDN-hosted JavaScript file, not a DNS poisoning event. All claims below reflect verified sources.

I. How DNS Works — and Where It Breaks

The Domain Name System is the internet’s address book, translating human-readable domain names into the IP addresses that computers use to route traffic. Every time a browser navigates to a website, a layered query process unfolds: the device first checks its local cache, then a recursive resolver (usually provided by the ISP), which in turn queries root name servers, top-level domain servers, and finally the authoritative name server for the domain.

The original DNS protocol, designed in the 1980s, was built for reliability — not security. Three structural weaknesses persist to this day, and attackers have never stopped exploiting them.

The Three Fundamental Flaws

Plaintext transmission: Traditional DNS queries and responses are sent over UDP without encryption, making them trivially interceptable by anyone with a position on the network path — a coffee-shop router, a compromised ISP node, or a nation-state wiretap.

No source authentication: A recursive resolver has no built-in way to confirm that a DNS response genuinely came from the authoritative server it queried. A faster, forged reply from an attacker can win the race.

Caching amplifies damage: Because resolvers cache records and serve them to all users for a configured time-to-live (TTL), a single successful poisoning event can silently redirect thousands of users before the record expires.

“Their technique modified DNS settings on compromised routers to hijack local network traffic to capture and exfiltrate authentication credentials. When targeted domains were requested by a user, the actor redirected traffic to an attacker-in-the-middle node, where those credentials were harvested and exfiltrated.”

— Lumen Technologies Black Lotus Labs, April 2026

II. Domain Hijacking: Seizing the Name Itself

Domain hijacking refers to attackers gaining enough control over a domain name’s administrative record to modify its DNS settings directly — no need to compromise routers or forge packets. The attack surface is wherever domain ownership can be changed.

Type 1 — Registrar & Registry Social Engineering

The most impactful hijacks in 2025–2026 exploited the human element of domain registrars and country-code TLD registries. Rather than cracking passwords, attackers forge identity documents and impersonate domain owners to convince registrars or registry operators to transfer control.

Verified Case — April 14, 2026
CoW Swap / CoWDAO — cow.fi Domain Hijack ($1.2M Stolen)

At 14:54 UTC on April 14, 2026, the CoW Swap decentralized exchange detected anomalies in resolution of the cow.fi domain. Attackers had impersonated a senior CoW DAO contributor, submitting falsified identification documents to Traficom — Finland’s Communications Regulatory Authority, which operates the .fi TLD registry. Traficom raised a dispute against registrar Gandi; when Gandi did not respond, the attacker obtained control of the domain. For approximately 4.5 hours, the official frontend served a pixel-perfect phishing clone that induced users to sign fraudulent wallet-drain transactions. On-chain data indicates at least $1.2 million in user assets were stolen, including 219 ETH from a single wallet. CoW Protocol’s smart contracts were never breached. In May 2026, CoW DAO passed governance proposal CIP-86, approving a voluntary discretionary grants program to reimburse affected users.

Type 2 — Authoritative DNS Server Compromise

When an attacker directly compromises the authoritative DNS server for a domain — through default credentials, unpatched software, or server exploitation — they can silently rewrite the zone file containing all DNS records. This is particularly dangerous because the malicious records carry the full authority of the legitimate server, and resolvers worldwide will cache and serve them without suspicion.

Type 3 — Dangling CNAME (Subdomain Takeover)

One of the subtlest and fastest-growing attack categories exploits what security researchers call “dangling DNS records.” When an organization decommissions a cloud service — an AWS S3 bucket, an Azure web app, a Cloudflare endpoint — its engineers often forget to delete the corresponding DNS CNAME record. The old record still points to a now-unclaimed cloud resource. An attacker simply re-registers that resource and instantly inherits all DNS traffic to the subdomain, no account breach required.

Verified Case — Active since Dec 2023, disclosed Feb–May 2025
Hazy Hawk — Systematic Subdomain Takeover Campaign

Security firm Infoblox first detected the threat actor they named “Hazy Hawk” in February 2025, after the group hijacked subdomains of the U.S. Centers for Disease Control and Prevention (CDC). Investigators subsequently traced the group’s activity back to at least December 2023. Hazy Hawk exploits dangling DNS CNAME records pointing to abandoned cloud infrastructure on Amazon S3, Microsoft Azure, Akamai, Bunny CDN, GitHub, and Netlify. Victims identified include the CDC, Deloitte, PricewaterhouseCoopers, Ernst & Young, government agencies across multiple continents, and dozens of universities including MIT, Harvard, and Stanford. Once a subdomain is claimed, Hazy Hawk uses traffic distribution systems to route visitors through fake landing pages serving scams, malware, and push-notification abuse schemes — exploiting the inherent trust and search-engine authority of the hijacked domains.
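The dangling-CNAME condition described above is mechanical to check: for every CNAME in a zone, ask whether the target still resolves and whether it lives in a provider namespace where an unclaimed name can be registered by anyone. The script below is an added example, not code from the article or from Infoblox; the zone export, the provider-suffix list, and the stub lookup results are constructed so it runs offline. In production, `lookup` would be a real resolver query against each target and the suffix list would be maintained from your own cloud inventory.

```python
"""Dangling-CNAME audit over a constructed zone export.

Added example: not code from the original article or from Infoblox. The
record set, the provider-suffix list and the stub lookup results are all
constructed here so the script runs offline.
"""
from typing import Callable, Dict, List, Optional, Tuple

# Namespaces of cloud services where an unclaimed hostname can be claimed
# by any customer (providers named in the Hazy Hawk reporting; the exact
# suffixes are assumptions for this example, not an authoritative list).
TAKEOVER_PRONE_SUFFIXES = (
    ".s3.amazonaws.com",   # Amazon S3 bucket endpoints
    ".azurewebsites.net",  # Azure App Service
    ".github.io",          # GitHub Pages
    ".netlify.app",        # Netlify
    ".b-cdn.net",          # Bunny CDN
)

# Constructed zone export: (owner name, CNAME target).
ZONE_CNAMES: List[Tuple[str, str]] = [
    ("www.example.org.", "example-prod.azurewebsites.net."),
    ("old-docs.example.org.", "retired-docs.azurewebsites.net."),
    ("assets.example.org.", "assets-bucket.s3.amazonaws.com."),
    ("blog.example.org.", "example.github.io."),
    ("mail.example.org.", "mail.corp.example.org."),
    ("legacy.example.org.", "legacy.corp.example.org."),
]

# Constructed resolver results: None models NXDOMAIN / no address answer.
# A real deployment would query the CNAME target for A/AAAA records.
STUB_LOOKUP: Dict[str, Optional[str]] = {
    "example-prod.azurewebsites.net.": "203.0.113.10",
    "retired-docs.azurewebsites.net.": None,   # app decommissioned
    "assets-bucket.s3.amazonaws.com.": None,   # bucket deleted
    "example.github.io.": "203.0.113.20",
    "mail.corp.example.org.": "198.51.100.5",
    "legacy.corp.example.org.": None,          # internal host removed
}


def is_takeover_prone(target: str) -> bool:
    """True if the CNAME target is under a provider namespace where a
    third party can register an unclaimed name."""
    host = target.rstrip(".").lower()
    return any(host.endswith(suffix) for suffix in TAKEOVER_PRONE_SUFFIXES)


def find_dangling(
    cnames: List[Tuple[str, str]],
    lookup: Callable[[str], Optional[str]],
) -> List[Dict[str, str]]:
    """Return CNAMEs whose target does not resolve, tagged by severity.

    'critical': unresolvable AND on a takeover-prone provider, so an
                attacker could claim the target and inherit the traffic.
    'review':   unresolvable but in a namespace that is not self-service
                registrable; still a hygiene problem to clean up.
    """
    findings: List[Dict[str, str]] = []
    for owner, target in cnames:
        if lookup(target) is not None:
            continue  # target still resolves: not dangling
        severity = "critical" if is_takeover_prone(target) else "review"
        findings.append({"owner": owner, "target": target, "severity": severity})
    return findings


if __name__ == "__main__":
    for f in find_dangling(ZONE_CNAMES, STUB_LOOKUP.get):
        print(f"[{f['severity']}] {f['owner']} -> {f['target']}")
```

The two `critical` findings are exactly the Hazy Hawk pattern: the owner name is still published, the cloud resource behind it is gone, and the provider will hand the name to whoever claims it next. Run this from the offboarding checklist, not only from an annual audit.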

Type 4 — Router DNS Hijacking (AitM at the Network Edge)

Rather than attacking a domain’s registration records, router DNS hijacking compromises the device that all traffic on a local network passes through. By altering a router’s DHCP and DNS settings to point to attacker-controlled servers, every DNS query from every device on that network is silently intercepted and answered with fraudulent responses. The attack is exceptionally stealthy: browsers show no warnings, HTTPS padlocks appear intact, and users have no reason to suspect their router.

Verified Case — Active May 2025–April 2026, disrupted April 7, 2026
APT28 “FrostArmada” — Global SOHO Router DNS Hijacking

On April 7–8, 2026, the U.S. Department of Justice, FBI, UK National Cyber Security Centre (NCSC), Microsoft Threat Intelligence, Lumen Technologies, and international law-enforcement partners jointly disclosed and announced the disruption of a large-scale DNS hijacking operation attributed to APT28 (Forest Blizzard / Fancy Bear), GRU Military Unit 26165. Codenamed FrostArmada by Lumen’s Black Lotus Labs, the campaign exploited credential vulnerabilities in TP-Link and MikroTik SOHO routers. At its peak in December 2025, more than 18,000 unique IP addresses from at least 120 countries were communicating with APT28 infrastructure. Targets were deliberate: ministries of foreign affairs, law enforcement agencies, and third-party email and cloud providers serving governments across North Africa, Central America, Southeast Asia, and Europe. Compromised routers redirected user traffic through adversary-in-the-middle nodes, harvesting passwords, authentication tokens, and web-browsing data — including Microsoft 365 credentials. The DOJ’s court-authorized “Operation Masquerade” neutralized the U.S. portion of the botnet. The NCSC confirmed APT28 had been configuring malicious VPS-based DNS servers since at least 2024.

III. DNS Cache Poisoning: Forging the Answer

Where domain hijacking seizes control of the domain itself, DNS cache poisoning achieves a similar outcome through deception — feeding false records to recursive resolvers so they cache and serve malicious IP addresses to all downstream users. No ownership of the domain is required.

Classic Cache Poisoning

Traditional cache poisoning, formalized by Dan Kaminsky’s landmark 2008 research, works by racing the legitimate authoritative server. An attacker floods a recursive resolver with forged response packets, each guessing a different combination of UDP source port and DNS transaction ID (TXID). If a forged packet arrives before the legitimate reply and guesses both values correctly, the resolver accepts it and caches the false record.

New High-Severity BIND9 Vulnerabilities (October 2025)

In October 2025, the Internet Systems Consortium (ISC) disclosed three high-severity vulnerabilities in BIND 9, the most widely deployed DNS server software on the internet. Two of them directly enable cache poisoning at scale.

CVE-2025-40780 (CVSS 8.6) exploits a weakness in BIND’s pseudo-random number generator (PRNG): under specific conditions, an off-path attacker can predict both the UDP source port and the DNS query ID that BIND will use, eliminating the need to brute-force those values. Researchers from Hebrew University of Jerusalem identified this flaw.

CVE-2025-40778 (CVSS 8.6) stems from BIND’s overly permissive acceptance of unsolicited resource records in DNS responses. BIND’s “bailiwick checking” — the logic that should reject records not belonging to the queried zone — contained a logic error that allowed attackers to inject forged records into the cache during a legitimate query. Researchers from Tsinghua University and Nankai University identified this flaw. A proof-of-concept exploit was published on GitHub on October 28, 2025, with Censys scanning identifying over 706,000 exposed BIND resolvers. ISC released patched versions (BIND 9.18.41, 9.20.15, 9.21.14) and urged immediate upgrades.
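The bailiwick rule that CVE-2025-40778 concerns is simple to state: when a resolver asks the servers for zone Z, only records whose owner name is Z or a name below Z may enter the cache; anything else in the Answer, Authority or Additional sections is discarded. The code below is an added example of that check, written by the editor and not BIND’s implementation; the response records are constructed and include two out-of-bailiwick A records of the kind a poisoning attempt would smuggle into the Additional section.

```python
"""In-bailiwick filtering of DNS response records.

Added example, not BIND's code. It models the check a recursive resolver
must apply to every record in a response before caching it: keep only
records whose owner name is at or below the zone the queried server is
authoritative for. The response below is constructed.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class RR:
    name: str     # owner name, absolute (trailing dot)
    rtype: str    # 'A', 'NS', 'CNAME', ...
    rdata: str
    section: str  # 'answer', 'authority' or 'additional'


def _labels(name: str) -> List[str]:
    """Split an absolute DNS name into lower-cased labels, root omitted."""
    return [lbl.lower() for lbl in name.rstrip(".").split(".") if lbl]


def in_bailiwick(owner: str, zone: str) -> bool:
    """True if `owner` is `zone` itself or a subdomain of it.

    The comparison is label-wise, so 'notexample.com.' is NOT under
    'example.com.' even though it ends with the same characters.
    """
    o, z = _labels(owner), _labels(zone)
    return len(o) >= len(z) and o[len(o) - len(z):] == z


def filter_response(records: List[RR], zone: str) -> Tuple[List[RR], List[RR]]:
    """Split a response into records safe to cache and records to drop."""
    kept: List[RR] = []
    dropped: List[RR] = []
    for rr in records:
        (kept if in_bailiwick(rr.name, zone) else dropped).append(rr)
    return kept, dropped


# Constructed response to a query for www.example.com. sent to the
# example.com. authoritative servers. The last two additional records are
# the kind of injection the bailiwick check exists to stop.
RESPONSE = [
    RR("www.example.com.", "A", "203.0.113.7", "answer"),
    RR("example.com.", "NS", "ns1.example.com.", "authority"),
    RR("ns1.example.com.", "A", "203.0.113.53", "additional"),
    RR("login.bank.example.", "A", "198.51.100.66", "additional"),  # foreign zone
    RR("notexample.com.", "A", "198.51.100.67", "additional"),      # suffix trick
]


if __name__ == "__main__":
    kept, dropped = filter_response(RESPONSE, "example.com.")
    for rr in kept:
        print("cache  ", rr.name, rr.rtype, rr.rdata)
    for rr in dropped:
        print("DROP   ", rr.name, rr.rtype, rr.rdata)
```

Note the label-wise comparison: a naive `endswith` check would accept `notexample.com.` as being inside `example.com.`. Real resolvers also apply credibility ranking so that even in-bailiwick glue from the Additional section cannot overwrite an authoritative answer already cached, but the zone-membership test above is the gate that the page’s description of CVE-2025-40778 concerns.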

Man-in-the-Middle DNS Poisoning

In network environments where an attacker can insert themselves between a client and its resolver — through ARP spoofing on a local network, a compromised Wi-Fi access point, or BGP route hijacking at an ISP level — DNS query interception becomes trivially simple. The attacker reads each outbound DNS query and returns a forged response before the legitimate reply can arrive. Public Wi-Fi environments remain a common venue for this technique.

Supply Chain: A Related but Distinct Threat

In March 2026, the SlowMist security team detected a supply-chain attack on the Apifox desktop client — a popular API development tool. Attackers compromised an official CDN-hosted JavaScript file (apifox-app-event-tracking.min.js), injecting malicious code disguised as analytics functionality. While widely reported alongside DNS incidents, this was a CDN-level supply-chain compromise, not a DNS poisoning attack. It is included here because it illustrates how attackers increasingly target the delivery infrastructure that sits above DNS, and the effects — silently malicious code reaching users through trusted channels — are similar in consequence.

IV. The Complete Attack Chain

Regardless of which entry point attackers exploit, the overall campaign arc follows a consistent pattern. Understanding the full chain helps defenders identify where intervention is most effective.

Reconnaissance

Attackers gather domain registration data (WHOIS), identify DNS service providers, map subdomain structure, look for dangling CNAMEs, and probe router firmware versions. Passive DNS databases allow this without touching the target.

Initial Compromise

The chosen method is executed: social engineering the registry, exploiting a router vulnerability, poisoning a recursive resolver cache, or compromising an authoritative DNS server. This is the only stage with a narrow detection window.

Malicious Infrastructure Setup

Attackers deploy a server (often a VPS) pre-configured to serve the fraudulent DNS responses or host the phishing interface. In router-based campaigns, APT28 configured VPS instances as malicious DNS resolvers before compromising devices.

Phishing & Credential Harvest

Users visiting the hijacked domain encounter a pixel-perfect clone of the legitimate site. Credentials, OAuth tokens, cryptocurrency wallet approvals, and session cookies are captured. HTTPS certificates are often valid (issued to the attacker or via the existing cert on a hijacked subdomain).

Exploitation & Lateral Movement

Harvested credentials enable account takeover, financial theft, data exfiltration, or further network compromise. In APT28’s operation, stolen tokens bypassed multi-factor authentication, granting access to email and cloud data from government targets.

V. Harms Across the Threat Landscape

DNS-layer attacks are unusual in that their consequences scale with the prominence of the target. Individual users of a hijacked DeFi protocol lose savings. Customers of a hijacked corporate domain lose credentials. When a nation-state compromises the DNS infrastructure of government agencies, the harm extends to intelligence assets, critical infrastructure, and geopolitical stability.

For individual users: account theft, financial loss, malware infection, and exposure of personal data — often with no visible warning during the attack.

For businesses: brand damage, customer loss, regulatory exposure (GDPR, HIPAA violations if user data is intercepted), and the reputational cost of having a “trusted” domain weaponized against customers.

For decentralized protocols: the CoW Swap incident highlighted that smart contract security is insufficient when the web infrastructure connecting users to the protocol is centralized and vulnerable. $1.2 million was stolen without touching a single line of audited on-chain code.

For governments and critical infrastructure: the APT28 campaign demonstrated that router-level DNS hijacking enables passive, persistent intelligence collection against diplomatic, law enforcement, and energy sector targets — at scale, across 120 countries simultaneously.

VI. Defense: A Practical Mitigation Guide

For Organizations & Domain Owners

  • Enable DNSSEC — Cryptographically sign your DNS zones so resolvers can verify the authenticity of your records. DNSSEC does not encrypt queries but does prevent forged responses from being accepted.
  • Enable domain lock (Registry Lock / EPP Lock) — Request that your registrar apply a server-side lock that prevents any DNS or registrar changes without out-of-band verification. This defeats social-engineering attacks on registrars.
  • Audit and remove dangling CNAME records — Maintain a documented DNS inventory. Whenever a cloud service is decommissioned, deleting the corresponding DNS record must be part of the offboarding process. Tools such as dnsReaper can automate detection.
  • Use registrars and registries with strong identity verification — After CoW Swap, the .fi registry Traficom reviewed its dispute-transfer procedures. Choose registrars that require multi-factor authentication and out-of-band confirmation for any record change.
  • Monitor DNS records continuously — Services like DNS monitoring APIs or in-house tooling should alert on any unexpected record change within minutes. The CoW Swap attack was detected within the same hour; faster detection means less damage.
  • Deploy DNS over HTTPS (DoH) or DNS over TLS (DoT) — Encrypts DNS queries between clients and resolvers, eliminating plaintext interception on untrusted networks.
  • Patch DNS software immediately — CVE-2025-40780 and CVE-2025-40778 in BIND 9 were disclosed with working PoC code. Recursive resolvers running unpatched BIND 9 remain at significant risk. Upgrade to BIND 9.18.41, 9.20.15, or 9.21.14 or later.
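The “monitor DNS records continuously” item above is easiest to operationalise as a baseline diff: record the exact set of records you intend to publish, re-query on a schedule, and alert on any difference, with nameserver or address changes on high-value names ranked highest, since a swapped NS set is the signature of a registrar- or registry-level hijack like the cow.fi case. The script below is an added example by the editor, not the article’s or any vendor’s tooling; both snapshots are constructed literals so it runs offline, and in production the “current” snapshot would be assembled from queries to several independent resolvers plus the authoritative servers.

```python
"""Baseline-diff monitor for a domain's published DNS records.

Added example, not code from the original article or from any monitoring
vendor. Both snapshots are constructed; in production `CURRENT` would be
built from live queries.
"""
from typing import Dict, FrozenSet, List, Set, Tuple

Key = Tuple[str, str]                 # (owner name, record type)
Snapshot = Dict[Key, FrozenSet[str]]  # each key -> set of rdata strings

# Record types whose change can redirect users or mail outright.
HIGH_IMPACT_TYPES = {"NS", "A", "AAAA", "CNAME", "MX"}


def snapshot(records: List[Tuple[str, str, str]]) -> Snapshot:
    """Group (name, type, rdata) triples into a comparable snapshot,
    normalising case and trailing dots so cosmetic differences don't alert."""
    grouped: Dict[Key, Set[str]] = {}
    for name, rtype, rdata in records:
        key = (name.lower().rstrip(".") + ".", rtype.upper())
        grouped.setdefault(key, set()).add(rdata.lower().rstrip(".") + "." if rtype.upper() in ("NS", "CNAME") else rdata.lower())
    return {k: frozenset(v) for k, v in grouped.items()}


def diff_snapshots(baseline: Snapshot, current: Snapshot, watch_hosts: Set[str]) -> List[Dict[str, str]]:
    """Return one alert per (name, type) whose record set differs.

    Severity is 'high' for high-impact types on watched hosts (apex,
    www, mail), 'medium' for everything else (e.g. a new TXT record).
    """
    alerts: List[Dict[str, str]] = []
    for key in sorted(set(baseline) | set(current)):
        before = baseline.get(key, frozenset())
        after = current.get(key, frozenset())
        if before == after:
            continue
        name, rtype = key
        kind = "added" if not before else "removed" if not after else "changed"
        severity = "high" if rtype in HIGH_IMPACT_TYPES and name in watch_hosts else "medium"
        alerts.append({
            "name": name, "type": rtype, "kind": kind, "severity": severity,
            "before": ",".join(sorted(before)) or "-",
            "after": ",".join(sorted(after)) or "-",
        })
    return alerts


# Constructed baseline: what the organisation intends to publish.
BASELINE = snapshot([
    ("example.org.", "NS", "ns1.example.net."),
    ("example.org.", "NS", "ns2.example.net."),
    ("example.org.", "A", "203.0.113.10"),
    ("www.example.org.", "A", "203.0.113.10"),
    ("mail.example.org.", "MX", "10 mx1.example.net."),
])

# Constructed 'current' snapshot modelling a registry-level hijack: the NS
# set now points at attacker-controlled servers (placeholder names under
# the reserved .example TLD) and www resolves to a different address.
CURRENT = snapshot([
    ("example.org.", "NS", "ns1.attacker.example."),
    ("example.org.", "NS", "ns2.attacker.example."),
    ("example.org.", "A", "203.0.113.10"),
    ("WWW.example.org", "A", "198.51.100.44"),
    ("mail.example.org.", "MX", "10 mx1.example.net."),
    ("example.org.", "TXT", "v=spf1 include:spf.example.net -all"),
])

WATCH_HOSTS = {"example.org.", "www.example.org.", "mail.example.org."}


if __name__ == "__main__":
    for a in diff_snapshots(BASELINE, CURRENT, WATCH_HOSTS):
        print(f"[{a['severity']}] {a['kind']:7} {a['name']} {a['type']}: {a['before']} -> {a['after']}")
```

Two `high` alerts (the NS swap and the `www` address change) are what a registrar-lock bypass or a zone rewrite looks like from the outside, and the `medium` TXT alert shows that even benign-looking additions are surfaced for review rather than silently accepted.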

For Network & Router Administrators

  • Perform hardware factory resets on any potentially affected SOHO routers — The FBI’s advisory for Operation Masquerade explicitly notes that a reboot alone does not remove APT28’s implants. A factory reset followed by firmware upgrade is required.
  • Change all default usernames and passwords — APT28’s FrostArmada primarily exploited credential reuse and default credentials on TP-Link and MikroTik devices.
  • Restrict WAN-side remote management access via firewall rules — No router’s management interface should be reachable from the internet unless strictly necessary.
  • Verify DNS server settings across all network segments — Especially on VPN-connected endpoints, confirm that the DNS servers configured by DHCP are the ones you intended to use.
  • Establish firmware update monitoring — SOHO routers rarely auto-update. Create a process for tracking and applying firmware releases.

For Individual Users

  • Check your router’s DNS settings — Log into your router’s administration panel and confirm the DNS servers listed are your ISP’s or a trusted public resolver (e.g., 1.1.1.1, 8.8.8.8), not an unknown IP.
  • Use a browser with built-in DoH — Modern browsers support DNS over HTTPS, bypassing router-level DNS redirection for browser traffic.
  • Verify SSL certificate details on sensitive sites — On banking, exchange, or DeFi sites, click the padlock and confirm the certificate is issued to the organization you expect. A hijacked domain may have a valid cert for the wrong entity.
  • For DeFi users: bookmark the official URL and verify the domain on every visit — The CoW Swap attack served a pixel-perfect clone. Always confirm the full domain (not just the page appearance) before connecting a wallet or signing transactions.

Conclusion

The events of the past year have demonstrated that DNS is not a solved problem — it is an active battlefield. Nation-state actors like APT28 are weaponizing millions of home routers at a time. Financially motivated attackers are defrauding DeFi users by exploiting the gap between blockchain security and web-layer vulnerability. Opportunistic actors like Hazy Hawk are systematically harvesting organizations’ forgotten cloud resources, quietly redirecting trusted domains to malware for years before detection.

The defenses exist: DNSSEC, domain locks, DoH/DoT, CNAME auditing, patched resolvers, and hardened routers. What has historically been lacking is urgency. The APT28 campaign, CoW Swap’s $1.2M loss, and 706,000 exposed BIND resolvers make the urgency undeniable. DNS security is not an IT backlog item — it is the front door of the internet, and it is under sustained, sophisticated attack.
