When we talk about software supply chain attacks, most people think about compromised packages, malicious commits, or tampered build pipelines. Rarely does the conversation turn to DNS -- the foundational protocol that makes the internet work. But DNS hijacking is one of the most dangerous and least discussed vectors for supply chain compromise.
What Is DNS Hijacking?
DNS hijacking occurs when an attacker manipulates DNS resolution so that domain names resolve to IP addresses controlled by the attacker instead of the legitimate server. There are several ways this happens:
- Compromised DNS servers: Attackers gain access to authoritative DNS servers and modify records directly.
- Man-in-the-middle attacks: DNS responses are intercepted and modified in transit.
- Router-level hijacking: Home or enterprise routers are compromised to serve malicious DNS responses.
- Registrar-level attacks: Attackers gain access to domain registrar accounts and change nameserver records.
- Cache poisoning: Recursive DNS resolvers are tricked into caching incorrect records.
Each of these methods can be leveraged to redirect traffic intended for legitimate software infrastructure to attacker-controlled servers.
Why DNS Matters to the Software Supply Chain
Think about every step in a typical software delivery pipeline that relies on DNS:
- Package registries:
npm installresolvesregistry.npmjs.org. If that resolution is hijacked, packages come from an attacker's server. - Build dependencies: Build systems download dependencies from remote servers, all resolved via DNS.
- Software updates: Applications check for updates by connecting to update servers via domain names.
- API endpoints: Microservices communicate via DNS-resolved endpoints. Hijack one, and you control inter-service communication.
- Container registries: Docker pulls resolve
registry-1.docker.ioand similar domains.
A single DNS hijack can redirect any of these to a malicious endpoint without modifying a single line of code in the target software.
Real-World DNS Hijacking Incidents
The Sea Turtle Campaign (2019)
One of the most sophisticated DNS hijacking campaigns ever documented, Sea Turtle targeted organizations across the Middle East and North Africa. Attackers compromised DNS registrars and registry operators to redirect traffic. They obtained legitimate TLS certificates for hijacked domains, making detection extremely difficult.
The campaign demonstrated that even organizations with strong endpoint security could be compromised through DNS infrastructure they didn't directly control.
MyEtherWallet BGP/DNS Attack (2018)
Attackers used BGP hijacking to redirect DNS traffic for Amazon's Route 53 service, which then allowed them to serve malicious DNS responses for MyEtherWallet.com. Users who visited the site were sent to a phishing page. The attackers stole approximately $17 million in cryptocurrency.
DNSpionage (2018-2019)
This campaign targeted government and telecommunications organizations by compromising DNS records. Attackers redirected email traffic to capture credentials, then used those credentials to access other systems. The attack chain showed how DNS compromise can cascade into full organizational compromise.
The Unique Danger to Supply Chains
DNS hijacking is particularly dangerous for software supply chains for several reasons:
Transparency Is Limited
Most build systems don't log or verify the IP addresses they connect to. When pip install requests runs, the system trusts DNS to return the correct address. There's no verification step that checks whether the resolved IP matches what PyPI should resolve to.
TLS Doesn't Always Help
Many people assume TLS solves this problem. It doesn't, fully. If an attacker can hijack DNS, they may also be able to:
- Obtain certificates from CAs that validate via DNS (DNS-01 challenge in ACME/Let's Encrypt).
- Use compromised certificates from a CA breach.
- Exploit systems that don't properly validate certificates.
Automation Amplifies the Blast Radius
Modern CI/CD pipelines run automated builds thousands of times per day. A brief DNS hijack during a build window can inject malicious code into hundreds of builds before anyone notices.
Caching Extends the Attack Window
DNS caching means that even a short hijack can have lasting effects. Once a malicious record is cached by a recursive resolver, it continues to redirect traffic for the duration of the TTL -- potentially hours.
Detection Challenges
DNS hijacking targeting supply chains is difficult to detect because:
- No file changes: Unlike a compromised package, there are no code diffs to review.
- Brief duration: Attacks can last minutes but affect builds running during that window.
- Legitimate certificates: Attackers may have valid TLS certificates for hijacked domains.
- Log gaps: Most systems don't log DNS resolution details.
Mitigation Strategies
Deploy DNSSEC
DNSSEC provides cryptographic verification of DNS responses. When properly configured, it prevents attackers from forging DNS records. However, adoption remains low -- less than 30% of top-level domains are signed.
For your software supply chain, ensure that:
- Your domains are DNSSEC-signed.
- Your resolvers validate DNSSEC signatures.
- Critical infrastructure domains use registrars that support DNSSEC.
Implement Certificate Transparency Monitoring
Monitor Certificate Transparency (CT) logs for certificates issued for your domains. If an attacker obtains a certificate for your domain via DNS hijacking, CT monitoring will flag it.
Use DNS-over-HTTPS (DoH) or DNS-over-TLS (DoT)
These protocols encrypt DNS queries, preventing interception and modification in transit. Configure build systems and CI/CD infrastructure to use encrypted DNS.
Pin DNS Resolutions for Critical Infrastructure
For critical supply chain infrastructure, consider pinning expected IP addresses or IP ranges. If registry.npmjs.org suddenly resolves to an IP in an unexpected ASN, that's a red flag.
Verify Package Integrity Beyond TLS
Don't rely solely on TLS for package integrity. Use:
- Hash verification for downloaded packages.
- Signature verification where available (e.g., GPG-signed packages).
- Reproducible builds to verify build outputs.
Monitor DNS Records Actively
Set up continuous monitoring for DNS records of critical domains. Any unexpected change should trigger an alert.
Isolate Build Networks
Use dedicated DNS resolvers for build infrastructure. These resolvers should be hardened, monitored, and isolated from general-purpose network infrastructure.
Building a DNS-Resilient Supply Chain
The key insight is that DNS is a dependency in your software supply chain, even though it doesn't appear in any dependency manifest. Treating it as such means:
- Inventory DNS dependencies: Map every domain your build process connects to.
- Monitor resolution: Log and alert on DNS resolution changes for those domains.
- Verify independently: Don't trust DNS alone -- verify package integrity through signatures and hashes.
- Plan for compromise: Have incident response plans for DNS hijacking scenarios.
- Audit registrar security: Ensure domain registrar accounts have strong authentication, ideally with hardware tokens.
How Safeguard.sh Helps
Safeguard.sh strengthens your supply chain against DNS-based attacks by providing comprehensive SBOM analysis that tracks every dependency and its expected sources. When packages are downloaded during builds, Safeguard.sh can verify their integrity against known-good hashes and signatures, catching substitutions that might result from DNS hijacking. The platform's continuous monitoring capabilities alert you to unexpected changes in your dependency graph, while policy gates can enforce integrity checks before any artifact enters your pipeline. By maintaining a verifiable record of what your software should contain, Safeguard.sh gives you the independent verification layer that DNS alone cannot provide.