Hijack DNS traffic on routers


What is DNS Hijacking?

In simple terms, DNS hijacking is the practice of redirecting DNS queries. You request a URL – What is the IP of google.com? – but a third party steers the lookup the wrong way. As a result, you get a false IP address, and the wrong page loads on your screen.

Over the last three months, a hacker group has been hijacking home routers, mostly D-Link routers, and changing their DNS settings. After changing the DNS settings, the hackers hijack the traffic, meaning an end user who requests a URL is redirected to a malicious clone of the site.

The first DNS hijacking attacks targeted multiple models of D-Link DSL modems.

  • D-Link DSL-2740R
  • D-Link DSL-2780B
  • D-Link DSL-2640B
  • D-Link DSL-526B

Routers from other vendors are also included in this attack.

  • ARG-W4 ADSL routers
  • DSLink 260E routers
  • Secutech routers
  • TOTOLINK routers

Troy Mursch, founder and security researcher at internet monitoring firm Bad Packets, said he detected three distinct waves during which hackers launched attacks to poison routers’ DNS settings – late December 2018, early February 2019, and late March 2019.

The attack is still running; Troy Mursch has published a detailed report about the DNS hijacking attack.

Have you been pwned?

If you see the following four IP addresses in your router’s DNS settings, then you have already been compromised by this campaign. Users also need to update their router firmware as soon as possible.
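
One way to run this check from a computer behind the router, as an added example that is not part of the original post or of the Bad Packets report: it parses resolv.conf-style text and classifies each configured resolver. The addresses in ROGUE_DNS, EXPECTED_DNS and SAMPLE are constructed placeholders from documentation ranges, and the function names are hypothetical; substitute the published indicators and your own expected resolvers.

```python
import ipaddress

# Constructed placeholders from RFC 5737 documentation ranges; replace with
# the rogue resolver addresses published for the campaign.
ROGUE_DNS = ["192.0.2.53", "198.51.100.0/28"]
# Assumption: the resolvers you expect your router to use (ISP or chosen provider).
EXPECTED_DNS = ["203.0.113.1", "203.0.113.2"]
# Constructed sample of what a client might receive from the router via DHCP.
SAMPLE = """nameserver 192.0.2.53
nameserver 198.51.100.7
nameserver 203.0.113.1
nameserver 192.168.1.1   # router acting as forwarder
nameserver 1.1.1.1
"""

def parse_nameservers(text):
    """Return the IP addresses on 'nameserver' lines of resolv.conf-style text."""
    servers = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                # Drop an IPv6 zone id such as fe80::1%eth0 before parsing.
                servers.append(ipaddress.ip_address(parts[1].split("%", 1)[0]))
            except ValueError:
                continue  # malformed entry, nothing to classify
    return servers

def _matches(ip, entries):
    nets = (ipaddress.ip_network(e, strict=False) for e in entries)
    return any(ip.version == n.version and ip in n for n in nets)

def classify(text, rogue=ROGUE_DNS, expected=EXPECTED_DNS):
    """Map each configured resolver to compromised / ok / local / unexpected."""
    verdicts = {}
    for ip in parse_nameservers(text):
        if _matches(ip, rogue):
            verdicts[str(ip)] = "compromised"
        elif _matches(ip, expected):
            verdicts[str(ip)] = "ok"
        elif ip.is_private:
            # Router forwards DNS itself; check upstream servers in its admin page.
            verdicts[str(ip)] = "local"
        else:
            verdicts[str(ip)] = "unexpected"
    return verdicts

if __name__ == "__main__":
    print(classify(SAMPLE))
```

A "local" verdict does not clear the router: the upstream DNS servers it forwards to are only visible in the router's own settings page, which is where the comparison has to be repeated.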



