Defaults.Exposed › Reports
Domain and DNS Hijacking: How Domains Get Stolen and How to Lock Yours Down (2026)
Published 2026-07-01
Figures as of 2026-06-29 · methodology v7. Aggregate census data across 261 million graded domains. Hijacking means taking control of your domain’s DNS or registration to redirect its traffic and mail. See how we grade.
Domain hijacking doesn’t touch your website — it takes over the DNS or registrar account that points to it, so your own visitors and email are quietly rerouted to an attacker. The two DNS controls that most reduce the risk are among the least deployed on the web: only 1.99% of domains have valid DNSSEC and just 1.56% publish a CAA record. Here’s how domains get stolen and how to lock yours down.
How domains actually get hijacked
- Registrar account takeover — a phished or reused password on your registrar login lets an attacker change nameservers or transfer the domain outright. The highest-impact vector, and the most preventable.
- DNS record tampering / cache poisoning — forged DNS answers point users and mail elsewhere. This is exactly what DNSSEC is designed to stop — and 1.99% of domains have it (with a further 3.02% signed but broken).
- Dangling records — a DNS entry left pointing at a cloud resource you no longer own lets someone else claim it (subdomain takeover).
- Expired-domain re-registration — let a domain lapse and anyone can re-register it, inheriting its residual traffic and trust. Across the census, 6.2% of domains no longer resolve — a large pool of lapsed names. See the internet’s dead domains.
- Rogue certificate issuance — without a CAA record restricting which authorities may issue for your domain, a mis-issued certificate is easier to obtain. Only 1.56% of domains set one.
Concentration adds a systemic angle
Most domains rely on a handful of DNS providers, so a single provider incident has outsized reach: the largest nameserver operator alone serves 15.4% of domains that use a recognised provider, and the top five together 42.1%. Concentration isn’t a flaw you can fix alone, but it’s a reason to get the controls you do own right. See nameserver concentration.
How to lock your domain down
- Secure the registrar account — unique password, strong MFA, and turn on registrar lock (transfer prohibited) so the domain can’t be moved without an explicit unlock.
- Enable DNSSEC where your host automates it — it stops forged DNS answers at the resolver.
- Publish a CAA record naming only the certificate authorities you use, so a rogue certificate can’t be issued.
- Audit DNS for dangling records — remove entries pointing at resources you no longer control.
- Never let key domains lapse — auto-renew registration and keep contact details current so a renewal notice never slips through.
Frequently asked questions
What is domain hijacking? Taking control of your domain’s registration or DNS to redirect its web and email traffic — without ever breaching your actual servers.
How is DNS hijacking different? DNS hijacking specifically tampers with the records that resolve your domain (via account takeover, cache poisoning, or a compromised DNS host). DNSSEC defends against forged answers; only 1.99% of domains have it.
What’s the single best protection? Locking down the registrar account — unique password, MFA, and registrar transfer-lock. Most hijackings start with account access, not clever attacks.
Does DNSSEC stop hijacking? It stops one important class — forged/poisoned DNS answers — but not registrar account takeover. Use it alongside account security and CAA.
Is any of this expensive? No. Registrar lock, DNSSEC, and CAA are free settings; the cost is the discipline to apply them.
Check your domain’s DNS defences free
See whether DNSSEC and CAA are in place and correctly configured — privately, and owner-only.
Check your domain → · Fix DNSSEC → · Fix CAA → · How we grade → · Aggregate data only. Data stored and processed in the EU.