Client lock
Check if your authoritative DNS provider and your registrar support client lock (also known as change
lock), which prevents changes to your DNS records without approval from a specific named individual.
Mitigation for end users
End users can protect themselves against DNS hijacking by changing router passwords, installing
antivirus, and using an encrypted VPN channel. If the user’s ISP is hijacking their DNS, they can use a
free, alternative DNS service such as Google Public DNS, Google DNS over HTTPS, and Cisco
OpenDNS.
External Monitoring of DNS resolution
Even if end users are protected and your authoritative DNS is secure, a local ISP can be compromised,
affecting millions of end users. Run continuous DNS resolution tests from as many locations as feasible,
and alert your security team on suspicious changes.
Whilst DNS hijacking has become a serious problem for many enterprises and end users, implementing
the correct mitigation method goes a long way towards solving the problem.
About the Author
Yair Green is the CTO of GlobalDots, and a Cloud, Security and Web
Performance Evangelist.http://www.globaldots.com