Home Network Security
Imagine typing your bank's web address into the browser, seeing the padlock icon, and landing on what looks like your bank's login page, but it's actually a fake site designed to steal your credentials. You did everything right. You typed the correct address. You checked for HTTPS. And you still ended up somewhere dangerous.
That is what DNS hijacking looks like when it works well. It's one of the more unsettling attacks on home networks because it operates completely silently, it doesn't require you to click anything suspicious, and it can affect every device on your network simultaneously.
Before understanding how DNS hijacking works, it helps to understand what DNS is. DNS stands for Domain Name System and it functions essentially as the phone book of the internet.
When you type google.com into your browser, your computer doesn't actually know what that means at the network level. Networks communicate using IP addresses, numbers like 142.250.80.46. DNS translates the human-readable name into the IP address your computer needs to make the connection.
This translation happens automatically and invisibly every time you visit any website. Your router handles most of these DNS lookups, forwarding them to your ISP's DNS servers or to a service like Google's 8.8.8.8.
DNS hijacking means someone has tampered with this translation process so that certain domain names resolve to the wrong IP addresses, IP addresses controlled by an attacker.
There are several ways this can happen on a home network:
The reason DNS hijacking is particularly effective is that everything looks normal from the user's perspective. The URL in your browser shows the correct address. The page loads quickly. If the attacker is sophisticated, the fake site looks identical to the real one.
Even HTTPS doesn't fully protect you. While a proper HTTPS implementation will show a certificate warning if the fake site's certificate does not match the domain, attackers who control DNS can also use fraudulently obtained certificates, or they may target sites where users ignore certificate warnings.
The most dangerous DNS hijacking attacks target your router rather than individual devices. A compromised router affects every device on your network: phones, laptops, tablets, smart TVs, everything.
Log into your router's admin interface (type your Default Gateway address into a browser). Find the DNS settings, usually under WAN settings, Internet settings, or Advanced network settings.
Your DNS servers should be one of these well-known legitimate services:
8.8.8.8 and 8.8.4.4
1.1.1.1 and 1.0.0.1
208.67.222.222 and 208.67.220.220
If you see any other IP addresses as your DNS servers, especially ones in unusual ranges, that warrants immediate investigation.
Open Command Prompt and run:
nslookup google.com
The response will show which DNS server answered the query and what IP address it returned for google.com. You can verify the returned IP is legitimate by comparing it with a trusted source like Shodan or by running the same lookup from your phone on a mobile data connection (not WiFi) and comparing the results.
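The two checks above (is the answering server one of the listed resolvers, and does the answer match a lookup made over mobile data) can be scripted against saved nslookup output. This is an added example, not part of the original article; it assumes the Windows nslookup output layout, and the function names, finding labels and sample outputs are constructed for illustration.

```python
import ipaddress

# Resolver addresses the article lists as well-known legitimate services.
KNOWN_RESOLVERS = {"8.8.8.8", "8.8.4.4", "1.1.1.1", "1.0.0.1",
                   "208.67.222.222", "208.67.220.220"}
LAN_RANGES = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def ips_in(block):
    """Collect the IP addresses printed in one section of nslookup output."""
    ips = []
    for line in block.splitlines():
        # Drop the "Address:"/"Addresses:" label; continuation lines have none.
        value = line.split(":", 1)[1] if line.startswith("Address") else line
        try:
            ips.append(str(ipaddress.ip_address(value.strip())))
        except ValueError:
            pass  # "Server:", "Name:" and similar lines carry no address
    return ips

def parse_nslookup(text):
    """Return (answering resolver IP or None, set of answer IPs)."""
    header, _, answer = text.replace("\r\n", "\n").strip().partition("\n\n")
    return next(iter(ips_in(header)), None), set(ips_in(answer))

def assess(home_output, reference_output):
    """Compare a lookup made on the home network with one made over mobile data."""
    server, home_ips = parse_nslookup(home_output)
    findings = []
    if server is None:
        findings.append("no-resolver-address")
    elif server not in KNOWN_RESOLVERS:
        on_lan = any(ipaddress.ip_address(server) in net for net in LAN_RANGES)
        # A LAN resolver is normally the router forwarding queries, so its own
        # DNS setting still has to be read in the admin interface.
        findings.append("resolver-is-router" if on_lan else "unknown-resolver")
    if not home_ips & parse_nslookup(reference_output)[1]:
        # Large sites return different addresses per resolver: a lead, not proof.
        findings.append("answers-differ")
    return findings

# Constructed sample outputs; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
HOME_WIFI = ("Server:  UnKnown\nAddress:  203.0.113.53\n\n"
             "Name:    google.com\nAddresses:  2001:db8::7\n\t  198.51.100.7\n")
MOBILE_DATA = ("Server:  dns.google\nAddress:  8.8.8.8\n\n"
               "Name:    google.com\nAddress:  142.250.80.46\n")

if __name__ == "__main__":
    print(assess(HOME_WIFI, MOBILE_DATA))
```

An "answers-differ" finding on its own is weak evidence, because large sites legitimately return different addresses to different resolvers; it carries more weight when it appears together with "unknown-resolver".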
DNS over HTTPS in Windows 11: Go to Settings → Network and Internet → your WiFi or Ethernet connection → DNS server assignment → Edit → Manual → enable "Preferred DNS encryption: Encrypted only."
Manually checking your DNS settings requires knowing what to look for and doing it regularly. SentinelHome101 automates this as part of its network security scan. It checks your DNS server configuration, verifies that known domain lookups return expected results, tests for DNS over HTTPS status, and flags any anomalies for your review.
It also checks for rogue DHCP servers, one of the other methods attackers use to push malicious DNS settings to devices on your network.
SentinelHome101 detects DNS hijacking, rogue DHCP servers, and 99 other security issues. Free for Windows.
DNS hijacking is one of those attacks that sounds technical but is ultimately fairly straightforward to check for and defend against. The combination of a strong router password, current firmware, and DNS over HTTPS covers the vast majority of attack vectors available to someone targeting a typical home network.