# What Is DNS Hijacking? [+ Examples & Protection Tips]

9 min. read

Table of contents

* [How does a DNS hijacking attack work?](#how-does-a-dns-hijacking-attack-work)
* [What are the different types of DNS hijacking attacks?](#what-are-the-different-types-of-dns-hijacking-attacks)
* [How to protect against DNS hijacking](#how-to-protect-against-dns-hijacking)
* [What are the differences between DNS hijacking, DNS spoofing, and DNS cache poisoning?](#what-are-the-differences-between-dns-hijacking-dns-spoofing-and-dns-cache-poisoning)
* [DNS hijacking FAQs](#dns-hijacking-faqs)

DNS hijacking is a type of attack where attackers manipulate DNS responses to redirect users to unauthorized or malicious destinations. This can involve compromising DNS servers, altering domain records, or intercepting DNS traffic. The technique enables credential theft, malware distribution, and impersonation of legitimate services.

## How does a DNS hijacking attack work?

DNS hijacking attacks manipulate how domain names resolve to IP addresses.
Basically, the attacker interferes with [DNS](https://www.paloaltonetworks.com/cyberpedia/what-is-dns) responses to reroute users to a site under their control, and the user often doesn't notice the redirection.

![Normal DNS resolution compared with DNS hijacking: in the hijacked flow, the client's query (steps 1 and 2) goes to a hijacked DNS server, which routes it (steps 3 and 4) to a malicious server instead of the legitimate DNS server](https://www.paloaltonetworks.com/content/dam/pan/en_US/images/cyberpedia/what-is-dns-hijacking/DNS%20Hijacking%202025_1.png)

Here's how a typical DNS hijacking attack works, step by step:

1. **The attacker identifies a target.** This could be a public website, internal domain, or DNS provider account. The attacker looks for weak points in the DNS infrastructure or admin access.
2. **The attacker gains access.** They might steal credentials, exploit vulnerabilities, or use [social engineering](https://www.paloaltonetworks.com/cyberpedia/what-is-social-engineering) to compromise DNS servers, registrar accounts, or local routers.
3. **The attacker modifies DNS settings.** They change DNS records or inject forged responses to redirect traffic from the legitimate IP address to a malicious one.
4. **The user submits a DNS query.** The user tries to visit a domain as usual, typing the address in a browser or using an app that initiates a connection.
5. **The query resolves to the attacker's IP.** Instead of reaching the real server, the DNS response points to a server controlled by the attacker.
6. **The user reaches a fake or malicious destination.** That could be a [phishing](https://www.paloaltonetworks.com/cyberpedia/what-is-phishing) site, [malware](https://www.paloaltonetworks.com/cyberpedia/what-is-malware) host, or an impersonation of the original service. Everything appears normal unless the user checks the certificate or inspects the site closely.

In other cases, the attacker doesn't change official DNS records. Instead, they intercept queries in transit and respond with spoofed data. If the DNS traffic isn't [encrypted](https://www.paloaltonetworks.com/cyberpedia/data-encryption) or verified, the forged response is accepted. The user gets redirected silently, even though nothing changed in the DNS configuration itself.

## What are the different types of DNS hijacking attacks?
![Types of DNS hijacking attacks: 1. Local DNS hijack, 2. Router DNS hijack, 3. Meddler-in-the-middle attack, 4. Rogue DNS server](https://www.paloaltonetworks.com/content/dam/pan/en_US/images/cyberpedia/what-is-dns-hijacking/DNS%20Hijacking%202025_2.png)

There are several distinct techniques attackers use to carry out DNS hijacking. Each one targets a different part of the DNS resolution process, from individual devices to network infrastructure. Understanding how these attack types differ helps clarify the scale, risk, and response required for each. Let's take a closer look:

### Local DNS hijack

In a local DNS hijack, the attacker compromises a specific device. This often involves installing malware that modifies DNS settings on the host system. Once the local resolver is changed, all DNS queries from that device can be redirected.
![Diagram titled 'Local DNS hijack' shows a sequence where a device queries a recursive DNS resolver. The resolver checks the local device's configuration and returns control to the device. However, the device has a corrupted local host file, which overrides normal DNS resolution. As a result, instead of forwarding the request to a legitimate DNS server, the device redirects the query to a fake website. The intended path to the legitimate DNS server is shown as inactive with a dotted line ending in an 'X,' indicating it is bypassed due to the local corruption.](https://www.paloaltonetworks.com/content/dam/pan/en_US/images/cyberpedia/what-is-dns-hijacking/DNS%20Hijacking%202025_9.png)

Here's why that's important: Even if the organization's upstream DNS infrastructure remains secure, the infected device will still receive malicious responses. The attacker's DNS server can now return forged IP addresses for any domain the user attempts to reach. The user ends up on a spoofed site without realizing anything has changed.

**Example: MyEtherWallet attack (2018)**

In 2018, attackers used malware to alter local DNS settings on users' machines and redirect traffic from MyEtherWallet to a fake website.

![Architecture diagram titled 'BGP & DNS hijacks targeting myetherwallet.com' shows how users are redirected to a fake website through a BGP hijack and DNS manipulation. On the left, a group of users issues a DNS query asking, 'What is myetherwallet.com?' The query is sent to a recursive DNS server, which typically would contact the root and .com servers and then forward the query to the legitimate authoritative DNS server shown on the far right in green. However, a red dotted line labeled 'BGP hijack' redirects traffic to an imposter authoritative DNS server in red instead. This server falsely resolves 'myetherwallet.com' to an IP in eastern Ukraine. The recursive DNS server caches this incorrect information and returns it to the users, who are then directed to an imposter website shown at the bottom left. All malicious elements in the diagram, including the recursive DNS server, imposter authoritative DNS server, and imposter website, are shaded in red. The legitimate authoritative DNS server is the only component in green. Arrows indicate the flow of the DNS query and resolution path.](https://www.paloaltonetworks.com/content/dam/pan/en_US/images/cyberpedia/what-is-dns-hijacking/DNS%20Hijacking%202025_3.png)

The spoofed site prompted users to enter private wallet keys, which the attackers then used to steal their cryptocurrency. This local DNS hijack resulted in over $150,000 in reported losses.

### Router DNS hijack

Router DNS hijacks target the network gateway instead of individual devices. Attackers scan for routers with default credentials or known firmware vulnerabilities. Once they gain access, they update the router's DNS configuration.

![Architecture diagram titled 'Local DNS hijack' shows a sequence where a device queries a recursive DNS resolver. The resolver checks the local device's configuration and returns control to the device. However, the device has a corrupted local host file, which overrides normal DNS resolution. As a result, instead of forwarding the request to a legitimate DNS server, the device redirects the query to a fake website. The intended path to the legitimate DNS server is shown as inactive with a dotted line ending in an 'X,' indicating it is bypassed due to the local corruption.](https://www.paloaltonetworks.com/content/dam/pan/en_US/images/cyberpedia/what-is-dns-hijacking/DNS%20Hijacking%202025_10.png)

The impact is broader. Every device on the network that uses the router's DNS settings will be redirected. That makes it especially dangerous in home or small office environments where users rarely check router settings. In other words: one compromised router can hijack DNS for an entire network.

**Example: Unpatched D-Link Routers Targeted (2019)**

In 2019, attackers exploited vulnerabilities in unpatched D-Link routers, altering their DNS settings to redirect users to malicious websites.

![Image showing the web interface of a D-Link DSL-2640B router displaying device information under the 'Status' tab. The screen includes sections for device info, internet setup, wireless LAN, and LAN configuration. In the 'INTERNET SETUP' section, the 'Primary DNS Server' and 'Secondary DNS Server' fields are highlighted in red and display unauthorized IP addresses: 69.65.41.3 and 195.22.26.248. These DNS values appear beneath the authentication details and above the connection status. To the right of the router interface, a caption reads: 'Screenshot from a compromised D-Link DSL-2640B router showing unauthorized DNS settings.' The router interface uses a black, grey, and orange color scheme, with navigation tabs labeled Setup, Advanced, Maintenance, Status, and Help.](https://www.paloaltonetworks.com/content/dam/pan/en_US/images/cyberpedia/what-is-dns-hijacking/DNS%20Hijacking%202025_4.png)

The compromised routers pointed DNS requests to rogue servers hosted by OVH Canada and later to servers in Russia, affecting numerous users.

### Meddler-in-the-middle attacks

These attacks exploit the space between a user's query and the DNS server's response. The attacker sits in the communication path and injects a forged DNS reply before the legitimate server can respond.

![Architecture diagram illustrating a meddler-in-the-middle (MITM) attack during DNS resolution. A client or user attempts to access example.com by sending a DNS query to a server. The server then queries a DNS server for the IP address linked to example.com. Instead of receiving the legitimate response, the attacker intercepts the request and sends a forged DNS response pointing to IP address 203.0.113.77. This redirects the client to a spoofed site labeled 'Man-in-the-middle,' which mimics www.example.com using the attacker's IP address. Meanwhile, the legitimate DNS server's response, which points to the real site https://example.com at IP address 198.51.100.42, is never received by the client. The flow shows two possible paths, one ending with the attacker and the other with the legitimate website, highlighting how the false DNS response overrides the real one.](https://www.paloaltonetworks.com/content/dam/pan/en_US/images/cyberpedia/what-is-dns-hijacking/DNS%20Hijacking%202025_5.png)

That forged response is accepted if the client doesn't validate it. As a result, the user is redirected to a site controlled by the attacker. This attack is more likely to succeed on networks that lack DNS [encryption](https://www.paloaltonetworks.com/cyberpedia/data-encryption) or DNSSEC validation. It can also happen without the attacker needing access to any endpoint or server.

**Example: TrickBot's shaDll Module (2023)**

In 2023, [cybersecurity](https://www.paloaltonetworks.com/cyberpedia/what-is-cyber-security) researchers identified a TrickBot module named "shaDll" that facilitated MitM attacks.

| Module name | SHA256 hash |
|-------------|-------------|
| shadDll32 | 3f9c1b749e6d1e88aa45e8a274c1b5c1a213e0d46e672a5c029c5e79974db7f3 |
| shadDll64 | e8743c1fc51d2e49f79a1a3a4c7d99e713b217de08b5d2cd2f1d3f6c6436a8c4 |

This module installed illegitimate SSL certificates on infected computers, allowing attackers to intercept and manipulate web traffic. By redirecting web activity and injecting malicious code, the attackers could capture sensitive information from unsuspecting users.

### Rogue DNS server

A rogue DNS server is a legitimate-appearing server that has been compromised or intentionally deployed by the attacker.
When a user query reaches that server, it returns forged IP addresses for legitimate domains.

![Architecture diagram titled 'Rogue DNS server' illustrates a DNS resolution flow involving a user, a recursive DNS resolver, and a compromised authoritative DNS server. The user sends a query to the recursive DNS resolver, which then queries the authoritative DNS server. The authoritative server has been compromised, as indicated by an icon labeled 'Altered DNS record' above it. The server responds with a forged DNS record, sending an altered response that resolves to a malicious IP. The recursive resolver relays this malicious response back to the user. A dotted line between the resolver and the user is labeled 'Altered response to malicious IP.'](https://www.paloaltonetworks.com/content/dam/pan/en_US/images/cyberpedia/what-is-dns-hijacking/DNS%20Hijacking%202025_11.png)

This technique works well when attackers can trick users or systems into using the rogue server. That could happen via malware, misconfiguration, or even upstream compromise of a public resolver. Once the rogue server is in place, the attacker controls the resolution process and can redirect as needed.
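An altered record on a compromised or rogue authoritative server is visible from outside as a change in what a name resolves to, which is what the Detection section's passive DNS guidance turns into rules: a long-established domain suddenly resolving into a different hosting provider, an NS delegation that moves, a TTL that drops on a previously stable record, and extra weight for domains tagged as high-risk. The following added example (not code from this page or from Palo Alto Networks) scores such changes over constructed pDNS observations and serves both this section and the Detection items on record analysis, automated rules and scoring. The prefix-to-hosting table is a hypothetical stand-in for the ASN or WHOIS enrichment a real pipeline would use, and every domain, address and date is a constructed sample.

```python
"""Score DNS record changes found in passive DNS history.

Added example, not code from the page. Each observation says which rdata a
name resolved to over a time window; a change between consecutive
observations is scored with the rules the Detection section describes
(hosting shift, delegation change, established name, TTL drop, high-risk tag).
The HOSTING table and all observations are constructed sample data.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class PdnsRecord:
    rrname: str
    rrtype: str      # "A" or "NS"
    rdata: str
    first_seen: date
    last_seen: date
    ttl: int


# Hypothetical prefix -> hosting label table standing in for ASN/WHOIS enrichment.
HOSTING = {
    "198.51.100.0/24": "corp-colo",
    "203.0.113.0/24": "budget-vps",
    "192.0.2.0/24": "cdn-provider",
}


def hosting_of(ip: str) -> str:
    """Map an address to a hosting label, or 'unknown' if no prefix matches."""
    addr = ipaddress.ip_address(ip)
    for prefix, label in HOSTING.items():
        if addr in ipaddress.ip_network(prefix):
            return label
    return "unknown"


def score_changes(records, high_risk, established_days=365, ttl_drop_factor=4):
    """Return one alert dict per scored record change, highest score first.

    Routine changes (same hosting, young name, stable TTL, untagged domain)
    score 0 and are dropped as noise.
    """
    groups = defaultdict(list)
    for r in records:
        groups[(r.rrname, r.rrtype)].append(r)

    alerts = []
    for (name, rrtype), obs in groups.items():
        obs.sort(key=lambda r: r.first_seen)
        domain_first = obs[0].first_seen  # how long this name has been observed
        for prev, cur in zip(obs, obs[1:]):
            if cur.rdata == prev.rdata:
                continue
            score, reasons = 0, []
            if rrtype == "A" and hosting_of(cur.rdata) != hosting_of(prev.rdata):
                score += 3
                reasons.append(f"hosting shift {hosting_of(prev.rdata)} -> {hosting_of(cur.rdata)}")
            if rrtype == "NS":
                score += 3
                reasons.append(f"delegation changed {prev.rdata} -> {cur.rdata}")
            if (cur.first_seen - domain_first).days >= established_days:
                score += 2
                reasons.append("long-established name changed")
            if cur.ttl * ttl_drop_factor <= prev.ttl:
                score += 2
                reasons.append(f"TTL dropped {prev.ttl} -> {cur.ttl}")
            if name in high_risk:
                score += 3
                reasons.append("tagged high-risk domain")
            if score:
                alerts.append({"rrname": name, "rrtype": rrtype, "old": prev.rdata,
                               "new": cur.rdata, "seen": cur.first_seen.isoformat(),
                               "score": score, "reasons": reasons})
    return sorted(alerts, key=lambda a: a["score"], reverse=True)


# Constructed sample pDNS observations.
SAMPLE_PDNS = [
    # Long-lived portal that moves from corporate colo to a budget VPS with a short TTL
    PdnsRecord("portal.example-bank.com", "A", "198.51.100.42", date(2021, 3, 1), date(2024, 10, 14), 3600),
    PdnsRecord("portal.example-bank.com", "A", "203.0.113.77", date(2024, 10, 15), date(2024, 10, 20), 300),
    # Young blog that changes IP inside the same CDN range: routine, scores 0
    PdnsRecord("blog.example.org", "A", "192.0.2.10", date(2024, 9, 1), date(2024, 9, 20), 300),
    PdnsRecord("blog.example.org", "A", "192.0.2.11", date(2024, 9, 21), date(2024, 10, 1), 300),
    # Old shop domain whose delegation moves to an unfamiliar nameserver
    PdnsRecord("shop.example-bank.com", "NS", "ns1.registrar-a.example", date(2019, 1, 1), date(2024, 10, 16), 86400),
    PdnsRecord("shop.example-bank.com", "NS", "ns1.unknown-host.example", date(2024, 10, 17), date(2024, 10, 20), 86400),
]
HIGH_RISK = frozenset({"portal.example-bank.com"})

if __name__ == "__main__":
    for alert in score_changes(SAMPLE_PDNS, HIGH_RISK):
        print(alert["score"], alert["rrname"], alert["rrtype"], alert["old"], "->", alert["new"], alert["reasons"])
```

The weights are deliberately simple so the ranking is explainable to the analyst who receives the alert; the point is that each of the page's rules contributes independently, so a banking portal that changes hosting, drops its TTL and is tagged high-risk rises to the top while a young domain moving inside its CDN never surfaces.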
**Example: DNS Predators Hijack Domains (2024)**

In 2024, researchers uncovered that approximately 70,000 domains had been hijacked through compromised DNS servers.

![A timeline diagram shows the sequence of events for two domains hijacked in 2024 during a DNS record manipulation campaign. The top half is labeled 'TDS: aphecalenterprises[.]com' and lists four events. On March 7, 2019, La Container Inc. registers the domain with TierraNet. On December 6, 2021, La Container changes the domain registrant organization name to Aphecal Enterprises. On June 26, 2022, TierraNet transfers the domain to GoDaddy, though nameservers remain with TierraNet. On October 15, 2024, an entity named Horrid Hawk hijacks the domain and changes A records to malicious M247 IP addresses 38[.]180[.]226[.]70. The bottom half is labeled 'Landing: agbizwichita[.]prg' and also lists four events. On July 28, 2008, the Agri-Business Council of Wichita purchases the domain. On July 15, 2015, an unknown user creates a domain. On October 1, 2021, another unknown user registers the domain with GoDaddy and uses Linode DNS services. On October 17, 2024, Horrid Hawk hijacks the domain and changes A records to malicious DigitalOcean IP addresses 167[.]71[.]65[.]159. A caption at the bottom reads: 'Timeline of two domains hijacked in 2024 as part of a large-scale DNS record manipulation campaign.'](https://www.paloaltonetworks.com/content/dam/pan/en_US/images/cyberpedia/what-is-dns-hijacking/DNS%20Hijacking%202025_6.png)

Attackers altered DNS records to redirect legitimate traffic to malicious sites, exploiting vulnerabilities in domain management practices. This large-scale hijacking highlighted the critical need for robust DNS security measures.

## How to protect against DNS hijacking

![The diagram titled 'How to protect against DNS hijacking' is divided into three color-coded sections: mitigation in red, detection in light blue, and prevention in dark teal. Under the red 'Mitigation' section, four bullet points branch out listing: identify and restore affected DNS settings, flush DNS caches across all layers, investigate the cause of compromise, and communicate with stakeholders. The light blue 'Detection' section lists five items: monitor for unusual DNS behavior, analyze DNS records at scale, use automated detection systems, apply machine learning for scoring, and look for endpoint-level indicators. The dark teal 'Prevention' section includes: secure DNS management systems, enable DNS-level protections, harden DNS infrastructure and endpoints, and audit for misconfigurations. Each category is displayed with its associated tasks branching out horizontally from the central vertical flow of the diagram. The Palo Alto Networks logo appears in the upper left corner.](https://www.paloaltonetworks.com/content/dam/pan/en_US/images/cyberpedia/what-is-dns-hijacking/DNS%20Hijacking%202025_12.png)

DNS hijacking isn't always easy to spot, and it's even harder to recover from once in motion. That means the best defense is a layered approach that spans detection, mitigation, and prevention. Each plays a different role:

* **Detection** focuses on spotting signs of tampering.
* **Mitigation** addresses what to do if a hijack is already underway.
* **Prevention** aims to block attacks before they start.

Let's break each one down.

### Detection

Detecting DNS hijacking requires a mix of behavioral monitoring, network analysis, and system-level audits. Here's how to break it down:

1. **Monitor for unusual DNS behavior**
   Look for signs that DNS resolution isn't functioning as expected, such as:
   * Redirects to unfamiliar domains
   * SSL certificate mismatches on trusted sites
   * [Browser security](https://www.paloaltonetworks.com/cyberpedia/what-is-an-enterprise-browser) warnings despite no recent changes

   ***Tip:*** *Cross-reference browser warning events with DNS logs. If multiple endpoints show cert mismatches for the same domain, it may signal tampering upstream, not isolated client issues.*

2. **Analyze DNS records at scale**
   At the network level, inspect DNS records for inconsistencies.
   * Watch for new A or NS records pointing to unusual IP addresses
   * Check for geographic or hosting shifts that don't align with past patterns
   * Use passive DNS (pDNS) to see how domains have resolved over time

   ***Tip:*** *Tag and track high-risk domains (e.g., those tied to financial apps or sensitive internal portals) for more aggressive change monitoring and alerting.*

3. **Use automated detection systems**
   Well-tuned systems can catch anomalies before they escalate.
   * Filter out known-good domains to reduce noise
   * Flag records with unexpected changes, like long-established domains suddenly pointing to obscure IPs
   * Correlate findings with WHOIS data and registrar updates

   ***Tip:*** *Add change detection rules that monitor TTL values. A sudden drop in TTL on a previously stable record may suggest an attacker trying to force faster propagation of forged entries.*

4. **Apply machine learning for scoring**
   For large DNS datasets, models can help prioritize alerts.
   * Analyze patterns across dozens of features, such as hosting churn or domain age
   * Assign a risk score to each suspicious record
   * Reduce false positives and surface high-likelihood threats for human review

   ***Tip:*** *Weight scoring models to favor anomalies in critical domains over low-risk ones. It helps prevent alert fatigue and ensures high-value assets get more scrutiny.*

5. **Look for endpoint-level indicators**
   In smaller environments, detection often happens closer to the user.
   * Notice slow-loading pages, pop-ups, or unfamiliar redirects
   * Inspect local DNS settings for unauthorized changes
   * Review resolver logs and DNS query paths regularly

   ***Tip:*** *Automate periodic collection of DNS configuration from endpoints and compare it against known-good baselines. This helps flag silent local changes made by malware.*

### Mitigation

Mitigating DNS hijacking means taking quick, focused action to stop the redirection and limit the damage. Here's how to approach it step by step:

1. **Identify and restore affected DNS settings**
   Start by pinpointing where the redirection occurred:
   * Check registrar accounts, DNS provider consoles, and router configuration
   * Restore the correct DNS records for all impacted domains
   * Temporarily redirect traffic away from attacker-controlled infrastructure if needed

2. **Flush DNS caches across all layers**
   Remember: Correcting DNS settings isn't enough on its own. Hijacked entries may remain in local and upstream caches. Clear caches on browsers, local resolvers, recursive resolvers, and CDNs. Otherwise, users may still be routed to malicious destinations.

   ***Tip:*** *Don't forget application-level caches. Some browsers or apps cache DNS separately from the OS or resolver. Validate behavior in critical apps after the flush.*

3. **Investigate the cause of compromise**
   Understanding how the attack happened is critical for closing gaps.
   * Review registrar access logs and audit recent DNS changes
   * Check endpoints and routers for signs of malware or credential theft
   * If an account was compromised, reset credentials and enforce [MFA](https://www.paloaltonetworks.com/cyberpedia/what-is-mfa-implementation) and IP allowlisting

   ***Tip:*** *Correlate login times from registrar activity logs with [threat intel](https://www.paloaltonetworks.com/cyberpedia/what-is-cyberthreat-intelligence-cti) feeds. If access came from IPs tied to known attacker infrastructure, it strengthens your attribution and remediation path.*

4. **Communicate with stakeholders**
   If users interact with a spoofed site, fast communication helps reduce further impact.
   * Notify users, partners, or customers who may have been exposed
   * Coordinate with internal security and legal teams
   * In some cases, report the incident to DNS authorities or law enforcement

### Prevention

Preventing DNS hijacking means reducing exposure across the systems and services that manage DNS. Here's how to build a strong defense:

1. **Secure DNS management systems**
   Start by locking down the accounts and infrastructure that control DNS:
   * Use strong, regularly rotated passwords
   * Enable multi-factor authentication on registrar, provider, and router accounts
   * Limit access to only trusted personnel and systems

   ***Tip:*** *Use a dedicated account with no email access or web browsing capability for managing DNS records. This reduces phishing exposure on critical admin credentials.*

2. **Enable DNS-level protections**
   Add safeguards that validate DNS activity:
   * Turn on DNSSEC to authenticate DNS responses and reduce spoofing
   * Use client lock features at your registrar to prevent unauthorized changes

3. **Harden DNS infrastructure and endpoints**
   Stop attackers from gaining a foothold:
   * Separate authoritative name servers from resolvers
   * Patch known vulnerabilities in DNS software and router firmware
   * Restrict zone transfers to trusted hosts
   * Scan endpoints regularly for malware

4. **Audit for misconfigurations**
   Mismanaged records create easy openings.
   * Remove stale, incorrect, or expired DNS entries
   * Review DNS zones periodically to ensure everything is current
   * Clean up unused records to reduce attack surface

   ***Tip:*** *Mark unused DNS records as "quarantined" before deletion. If nothing breaks after a predefined period (e.g., 30 days), you can safely remove them.*

## What are the differences between DNS hijacking, DNS spoofing, and DNS cache poisoning?
| Attack type | Goal | Common methods | Target | Detection difficulty | Mitigation approach | Prevention approach |
|---|---|---|---|---|---|---|
| **DNS hijacking** | Redirect users to a malicious site by taking over or modifying DNS settings | Router compromise, DNS registrar account takeover, malware | DNS settings at the user, router, or domain registrar level | Moderate to high | Restore DNS settings, flush caches, secure access points | Use MFA, strong passwords, DNSSEC, regular audits |
| **DNS spoofing** | Alter DNS responses to mislead users without changing DNS settings | Man-in-the-middle attacks, forged DNS responses, redirection | DNS responses in transit or systems interpreting them | Moderate | Stop redirection, block malicious IPs or domains | Use encrypted DNS, monitor for spoofed responses |
| **DNS cache poisoning** | Insert forged DNS records into a resolver's cache to mislead multiple users | Flooding resolvers with fake responses, query ID prediction | Caching resolvers that serve DNS responses to many users | High, especially without DNSSEC | Flush cache, use DNSSEC, patch vulnerabilities | Deploy DNSSEC, use randomized query parameters, patch resolvers |

These terms are often used interchangeably, but they don't mean the same thing. Each one describes a different technique for redirecting users to the wrong destination by manipulating the DNS resolution process. Knowing the differences can help teams understand the scope of an attack and respond appropriately.

**DNS hijacking is the broadest category.
It refers to any situation where DNS settings or behavior are maliciously altered to reroute traffic.** That could mean changing router settings, compromising a DNS registrar account, or redirecting queries at the resolver level. The goal is to send users to an attacker-controlled destination while everything else appears normal.

**DNS spoofing is a specific tactic used within hijacking. In spoofing attacks, the attacker forges a DNS response to trick a client or server into accepting a fake IP address for a domain.** It's often used in meddler-in-the-middle scenarios or captive networks to intercept traffic. Spoofing doesn't necessarily require persistent access; it just needs the fake response to arrive before the real one.

![Architecture diagram titled 'DNS spoofing' shows a user attempting to access a website through a DNS server. Step 1 indicates the attacker injecting a fake DNS entry into the DNS server. Step 2 shows the user issuing a request to the real website, which is intercepted by the DNS server. Step 3 shows the request resolving to a fake website, represented by a red icon with a warning symbol. The legitimate path to the real website is shown but not followed, as the DNS server redirects the user based on the attacker's injected entry.](https://www.paloaltonetworks.com/content/dam/pan/en_US/images/cyberpedia/what-is-dns-hijacking/DNS%20Hijacking%202025_7-1.png)

**DNS cache poisoning targets recursive resolvers by injecting false DNS records into their cache.** Once poisoned, the resolver returns the attacker's response to every client until the entry expires or is cleared. This approach can impact many users at once and is especially dangerous when DNSSEC is not in use. Cache poisoning is one way to achieve DNS spoofing, but it's not the only method.

![Architecture diagram titled 'DNS cache poisoning' illustrates a four-step sequence. In step 1, a user sends a DNS request for a domain such as example.com to their local DNS resolver. In step 2, because the server lacks a cached record, it forwards the request to a root authoritative DNS server. In step 3, before the legitimate response arrives, an attacker inserts a forged DNS entry into the local server. In step 4, the local DNS server stores the forged record and resolves the user's request to the attacker-controlled IP address, which leads to a fake website. The real website remains unused.](https://www.paloaltonetworks.com/content/dam/pan/en_US/images/cyberpedia/what-is-dns-hijacking/DNS%20Hijacking%202025_8.png)

In other words: DNS hijacking describes the overall compromise. DNS spoofing is how fake answers get delivered.
And cache poisoning is one way those fake answers get stored and spread.

## DNS hijacking FAQs

#### What is the difference between DNS hijacking and DNS tunneling?

DNS hijacking redirects users to malicious destinations by altering DNS resolution. [DNS tunneling](https://www.paloaltonetworks.com/cyberpedia/what-is-dns-tunneling) uses DNS requests to exfiltrate data or maintain command-and-control channels by embedding payloads in DNS queries. Hijacking targets resolution. DNS tunneling abuses DNS as a covert communication method.

#### What is a DNS attack?

A [DNS attack](https://www.paloaltonetworks.com/cyberpedia/what-is-a-dns-attack) exploits weaknesses in the Domain Name System to disrupt resolution, redirect traffic, exfiltrate data, or impersonate domains. Techniques include DNS hijacking, spoofing, cache poisoning, and tunneling.

#### What is an example of domain hijacking?

In 2024, attackers compromised DNS servers managing ~70,000 domains, altering DNS records to redirect traffic to malicious sites. This large-scale hijacking exploited poor domain management and outdated DNS protections.

#### What is a real-life example of a DNS attack?

In 2018, attackers used malware to alter local DNS settings and redirect MyEtherWallet users to a fake site. They harvested private keys and stole over $150,000 in cryptocurrency.

#### How do I know if my DNS has been hijacked?

Look for unexpected redirects, browser warnings, mismatched SSL certificates, or DNS settings pointing to unknown servers. Sudden slowness, pop-ups, or login prompts on trusted sites can also signal hijacking.

#### How do you detect DNS tunnels?
Detecting DNS tunnels means inspecting DNS traffic for anomalies: unusually long query names, subdomains that look like encoded data (high entropy, nearly every one distinct), unusual record types such as TXT or NULL, and a large volume of queries from one client to a single domain. Machine learning and behavioral baselines help separate covert channels from legitimate high-volume DNS users such as CDNs.

#### What are the types of DNS abuse?

Common types include DNS hijacking, spoofing, cache poisoning, tunneling, typosquatting, and domain takeovers. Each abuses DNS to redirect traffic, steal data, or disrupt services through manipulation or misconfiguration.

## Related content

* [White paper: Stop Attackers from Using DNS Against You. See how to regain control of your DNS traffic.](https://www.paloaltonetworks.com/resources/whitepapers/stop-attackers-from-using-dns-against-you?ts=markdown)
* [Blog: Strengthening Your DNS Protection with Advanced DNS Security. Find out how to squash the threat of DNS hijacking with real-time AI-powered analysis of the DNS response.](https://www.paloaltonetworks.com/blog/network-security/precision-ai-advanced-dns/)
* [Blog: Getting to Know DNS Hijacking. Learn more about how adversaries abuse DNS.](https://www.paloaltonetworks.com/blog/network-security/dns-hijacking-threat-actors/)
* [Threat research: Automatically Detecting DNS Hijacking in Passive DNS. Discover the PANW process for detecting DNS hijacking, plus a few notable examples.](https://unit42.paloaltonetworks.com/detect-dns-hijacking-passive-dns/)
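The acceptance rule that cache poisoning has to defeat, as an added example that is not part of the original page: a small Python model of a recursive resolver's response validation following RFC 5452 (source address, destination port, transaction ID and question must all match an outstanding query), with an attacker racing the genuine answer. The `Resolver` and `Response` classes, the addresses (taken from the RFC 5737 documentation ranges) and the attacker's strategy of enumerating every transaction ID at one guessed port are assumptions made for the demonstration; nothing touches the network.

```python
"""Model of how a recursive resolver decides whether to trust a DNS response,
and why a forged one can end up in its cache.  Added illustration, not code
from the page: class names, addresses (RFC 5737 documentation ranges) and the
attacker's strategy are assumptions for the demo.  The acceptance rule follows
RFC 5452: source address, destination port, transaction ID and question must
all match an outstanding query.  No network traffic is sent."""
import random
from dataclasses import dataclass, field

UPSTREAM = "192.0.2.53"        # the authoritative server the resolver queries
GENUINE_IP = "198.51.100.10"   # the real address of the name being resolved
ATTACKER_IP = "203.0.113.66"   # where the forged record points


@dataclass(frozen=True)
class Response:
    src_ip: str      # source address the packet claims
    dst_port: int    # UDP port the packet is addressed to
    txid: int        # 16-bit transaction ID copied from the query
    qname: str
    answer: str
    ttl: int


@dataclass
class Resolver:
    randomize_port: bool = True
    now: int = 0                                  # simulated clock, seconds
    pending: dict = field(default_factory=dict)   # qname -> (txid, source port)
    cache: dict = field(default_factory=dict)     # qname -> (answer, expiry)

    def lookup(self, qname):
        """Return a cached answer, or record an outstanding upstream query."""
        hit = self.cache.get(qname)
        if hit and hit[1] > self.now:
            return hit[0]
        txid = random.randrange(1 << 16)
        # Legacy behaviour: every query leaves from port 53, so an attacker
        # only has to guess the 16-bit txid.  Randomizing the port adds ~16 bits.
        port = random.randrange(1024, 1 << 16) if self.randomize_port else 53
        self.pending[qname] = (txid, port)
        return None

    def receive(self, r):
        """Accept a response only if it matches an outstanding query (RFC 5452)."""
        expected = self.pending.get(r.qname)
        if expected is None:
            return False                          # unsolicited or late: drop
        txid, port = expected
        if r.src_ip != UPSTREAM or r.dst_port != port or r.txid != txid:
            return False                          # forged or misrouted: drop
        del self.pending[r.qname]                 # first valid answer wins
        self.cache[r.qname] = (r.answer, self.now + r.ttl)
        return True


def flood(resolver, qname):
    """Attacker races the genuine answer: spoofs the upstream's address, assumes
    port 53, and tries every transaction ID.  Returns True once one is accepted."""
    for txid in range(1 << 16):
        forged = Response(UPSTREAM, 53, txid, qname, ATTACKER_IP, ttl=86400)
        if resolver.receive(forged):
            return True
    return False


def poisoning_scenario(randomize_port):
    """Run one poisoning attempt; return (answer served to the next client,
    whether the cache was poisoned, whether the genuine reply was accepted)."""
    r = Resolver(randomize_port=randomize_port)
    r.lookup("example.com")                       # cache miss, query goes out
    poisoned = flood(r, "example.com")
    outstanding = r.pending.get("example.com", (0, 53))
    genuine = Response(UPSTREAM, outstanding[1], outstanding[0],
                       "example.com", GENUINE_IP, ttl=300)
    accepted = r.receive(genuine)                 # arrives after the flood
    r.now += 60                                   # a later client asks
    return r.lookup("example.com"), poisoned, accepted


if __name__ == "__main__":
    for mode in (False, True):
        print(f"port randomization={mode}: {poisoning_scenario(mode)}")
```

With a fixed source port the flood always lands, the genuine reply is dropped because nothing is outstanding any more, and the next client is handed the attacker's address for the forged record's full TTL. With port randomization the same flood is rejected outright because the attacker's port guess is wrong; a real attacker must guess both values, and a validating DNSSEC resolver would additionally reject the forged record for lacking a valid signature.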
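The detection heuristics from the DNS tunnel FAQ above, as an added example rather than code from the page: a Python analyzer that runs over a constructed query log and flags (client, domain) pairs with many queries, nearly all-distinct subdomains and long or high-entropy names. The log format, the `tun.example` domain, the hex-chunk encoding used to build the tunnel-like lines, the thresholds and the two-label rule for the registered domain are all assumptions.

```python
"""Heuristic DNS-tunnel detector run over a constructed query log.  Added
example, not code from the page: the log format, domain names and thresholds
are assumptions.  In production, take the registered domain from the Public
Suffix List instead of the two-label rule used here, and tune thresholds
against a baseline of the network's own traffic."""
import math
from collections import defaultdict

# Constructed sample of ordinary traffic: "<timestamp> <client> <qname> <qtype>".
NORMAL_LOG = """\
2025-03-01T10:00:01Z 10.0.0.5 www.example.com A
2025-03-01T10:00:02Z 10.0.0.5 mail.example.com MX
2025-03-01T10:00:03Z 10.0.0.5 api.example.com AAAA
2025-03-01T10:00:04Z 10.0.0.7 cdn.example.net A
2025-03-01T10:00:05Z 10.0.0.7 www.example.net A
2025-03-01T10:00:06Z 10.0.0.7 static.example.net A
"""


def tunnel_log(client="10.0.0.9", domain="tun.example",
               payload=b"confidential: q3 revenue figures\n" * 20):
    """Construct lines the way a simple tunnel client emits them: the payload is
    hex-encoded, cut into chunks, and each chunk rides in the leftmost labels of
    a TXT query together with a sequence number (assumed encoding)."""
    hexed = payload.hex()
    lines = []
    for seq, i in enumerate(range(0, len(hexed), 60)):
        chunk = hexed[i:i + 60]
        labels = ".".join(chunk[j:j + 30] for j in range(0, len(chunk), 30))
        lines.append(f"2025-03-01T10:01:{seq % 60:02d}Z {client} "
                     f"{labels}.{seq}.{domain} TXT")
    return "\n".join(lines) + "\n"


def entropy(s):
    """Shannon entropy in bits per character; encoded data scores high."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def analyze(log, min_queries=15, min_unique_ratio=0.9, min_len=40,
            min_entropy=3.0, suspicious_types=("TXT", "NULL")):
    """Aggregate per (client, registered domain) and flag pairs that look like
    a tunnel: many queries, almost every subdomain distinct, and either long
    names or high-entropy labels.  Returns {(client, domain): stats}."""
    stats = defaultdict(lambda: {"n": 0, "subs": set(), "len": 0,
                                 "ent": 0.0, "odd_types": 0})
    for line in log.splitlines():
        if not line.strip():
            continue
        _ts, client, qname, qtype = line.split()
        labels = qname.lower().rstrip(".").split(".")
        domain = ".".join(labels[-2:])            # assumption: two-label registered domain
        sub = ".".join(labels[:-2])
        s = stats[(client, domain)]
        s["n"] += 1
        s["subs"].add(sub)
        s["len"] += len(qname)
        s["ent"] += entropy(sub.replace(".", ""))
        s["odd_types"] += qtype.upper() in suspicious_types
    flagged = {}
    for key, s in stats.items():
        n = s["n"]
        unique_ratio = len(s["subs"]) / n
        avg_len = s["len"] / n
        avg_entropy = s["ent"] / n
        if (n >= min_queries and unique_ratio >= min_unique_ratio
                and (avg_len >= min_len or avg_entropy >= min_entropy)):
            flagged[key] = {"queries": n, "unique_ratio": round(unique_ratio, 2),
                            "avg_len": round(avg_len, 1),
                            "avg_entropy": round(avg_entropy, 2),
                            "suspicious_type_share": round(s["odd_types"] / n, 2)}
    return flagged


if __name__ == "__main__":
    for key, stats in analyze(NORMAL_LOG + tunnel_log()).items():
        print(key, stats)
```

The ordinary clients never reach the query-count threshold and their subdomains are short dictionary words, so they stay unflagged; the tunnel client trips every heuristic at once. The thresholds are deliberately conservative starting points, and the share of TXT or NULL queries is reported rather than used as a hard rule because plenty of legitimate software (mail authentication, service discovery) queries TXT records.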
Copyright © 2025 Palo Alto Networks. All Rights Reserved.