Domain hijacking — how it works and how to prevent it
What domain hijacking looks like in practice, the five warning signals, and a hardening checklist to protect your domain from takeover.
A domain hijack can redirect your website, intercept your email, and destroy your sender reputation — overnight, with no warning. Attackers who control your domain control everything underneath it: your DNS records, your SSL certificates, your MX routing. Your customers see your brand name in the URL bar while talking to someone else.
The damage is fast and the recovery is slow. Reclaiming a hijacked domain can take days of registrar escalation while your business email is either dead or compromised.
This article explains how domain hijacking actually happens, what signals to watch for, and what to do to make your domain genuinely difficult to steal.
What domain hijacking looks like in practice
Domain hijacking is not one attack — it is any method that results in an attacker gaining control of your domain registration or DNS configuration. The most common vectors:
Registrar account compromise. The attacker gains access to your registrar account (via phishing, credential stuffing, or a leaked password) and transfers the domain to a registrar they control, or simply changes the nameservers to ones they operate. Account access is all they need — most registrars process nameserver changes immediately.
DNS provider compromise. Your domain registration may stay untouched while the attacker compromises your DNS provider account instead. They change A records, MX records, or nameservers directly. The registrar never sees a transfer request; the attack happens entirely at the DNS layer.
Social engineering the registrar. Some registrars have been successfully manipulated into transferring domains by attackers who impersonate the domain owner via support tickets or phone calls. High-profile domains are targeted specifically because support staff may make exceptions for "urgent" requests.
Expired domain seizure. If you let a domain expire, it enters a grace period, then a redemption period, then becomes available for anyone to register. An attacker who registers your lapsed domain instantly inherits your brand identity in that TLD.
BGP hijacking and cache poisoning. Sophisticated attackers can redirect DNS queries at the network level without touching your registrar or DNS provider. These attacks are rarer and require more resources but can affect large IP ranges.
The 5 signals that something's wrong
Most hijacks produce detectable changes in DNS or registry data. Watch for these:
- NS records changed. Your nameservers are the root of all DNS control for your domain. If they change and you did not make that change, an attacker may have redirected all your DNS to nameservers they control. Every other record — A, MX, TXT — can then be changed at will.
- MX records changed. Changed MX records redirect incoming email to servers the attacker controls. They can read your email, intercept password resets, and impersonate your staff. This often follows a nameserver change.
- DMARC, SPF, or DKIM records altered. An attacker may delete SPF to re-enable spoofing, remove DMARC to stop you getting reports, or replace DKIM keys to enable signing with their own key. Any unexpected change to email deliverability records is a serious signal.
- WHOIS contact email changed. Registrars send transfer authorisation emails to the contact address on file. An attacker who changes the contact email to one they control can then approve outbound transfers without your knowledge.
- Domain status drops clientTransferProhibited. Registry status codes like clientTransferProhibited and clientUpdateProhibited are locks that prevent unauthorised transfers and changes. If those status codes disappear from your WHOIS record, the locks have been removed — either by you, or by someone who shouldn't have.
Hardening checklist
Lock your domain at the registrar
Enable every registrar-level lock available on your domain:
- clientTransferProhibited — prevents outbound transfers to another registrar. This is the most important lock. Without it, a compromised registrar account can transfer your domain in minutes.
- clientUpdateProhibited — prevents nameserver changes and contact updates.
- clientDeleteProhibited — prevents domain deletion.
Log in to your registrar and look for a "Domain Lock" or "Registrar Lock" toggle. It should be on. Some registrars enable it by default; many do not.
For high-value domains, ask your registrar about Registry Lock (also called "Server Lock" or "Elite Lock"). This is a stronger lock applied at the registry level (e.g. Verisign for .com), not just the registrar level. It requires a phone call or out-of-band verification to unlock, making social engineering attacks much harder.
Enable 2FA on your registrar account
Your registrar account is the master key to your domain. If an attacker logs in, they can unlock the domain and transfer it regardless of what DNS locks you have.
Enable two-factor authentication (2FA) on your registrar account immediately. Prefer an authenticator app (TOTP) over SMS — SMS 2FA is vulnerable to SIM-swapping attacks.
Use a strong, unique password for your registrar account. Do not reuse it anywhere else. Consider a hardware security key (FIDO2/WebAuthn) if your registrar supports it — this is the strongest option and defeats most phishing attacks.
Rotate your transfer authorisation code periodically
Registrars issue an "auth code" (also called an EPP code or transfer authorisation code) required to transfer a domain outbound. Some registrars issue the same code indefinitely; others rotate it on request.
Request a rotation from your registrar annually or after any team member with access leaves your organisation. Store the current code in your password manager, not in email.
Audit DNS provider account access
Your DNS provider account is a separate attack surface from your registrar. A compromised DNS provider account can change A, MX, TXT, and NS records directly without touching the registrar.
- Remove any team members who no longer need access.
- Use the minimum permission level required. Most DNS providers support read-only and record-specific permission levels.
- Rotate API tokens that have write access to your DNS zone, especially if you have had any team turnover.
- Enable 2FA on your DNS provider account with the same rigor as your registrar account.
Monitor DNS records continuously
The five warning signals above are all detectable if you are watching. Set up continuous monitoring so that any change to your NS, MX, A, or TXT records triggers an alert immediately — not when a customer reports that your website is down or email stopped working.
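As an added example (not DomainCare's code or any tool the page describes), the following Python compares a stored snapshot of a domain's DNS and registry data against a fresh one and raises the five warning signals listed above, which is the comparison a continuous monitor performs on every run. The domain names, addresses, key value and both snapshots are constructed for the example.

```python
# Added example, not DomainCare's code: diff a known-good snapshot of a domain's
# DNS and registry data against a fresh one and name the five hijack signals.
# Snapshots are constructed inline so this runs offline; a real monitor would
# fill them from DNS queries and RDAP/WHOIS lookups.
from typing import Dict, List
# Registrar-level lock status codes that a hardened domain should carry.
REQUIRED_LOCKS = {"clientTransferProhibited", "clientUpdateProhibited", "clientDeleteProhibited"}

def _txt_with_prefix(records, prefix):  # TXT records starting with a tag such as 'v=spf1'
    return {r for r in records if r.startswith(prefix)}

def detect_hijack_signals(baseline: Dict, current: Dict) -> List[str]:
    """Return the names of the warning signals raised between the two snapshots."""
    signals: List[str] = []
    # 1. Nameservers changed: every record beneath them is now under new control.
    if set(baseline["ns"]) != set(current["ns"]):
        signals.append("ns_records_changed")
    # 2. MX changed: inbound mail, including password resets, is rerouted.
    if set(baseline["mx"]) != set(current["mx"]):
        signals.append("mx_records_changed")
    # 3. SPF, DMARC or DKIM removed or replaced (TXT gathered from apex, _dmarc, DKIM selectors).
    for label, tag in (("spf", "v=spf1"), ("dmarc", "v=DMARC1"), ("dkim", "v=DKIM1")):
        if _txt_with_prefix(baseline["txt"], tag) != _txt_with_prefix(current["txt"], tag):
            signals.append(f"{label}_record_altered")
    # 4. WHOIS contact email changed: this is the address that approves transfers.
    if baseline["contact_email"].lower() != current["contact_email"].lower():
        signals.append("whois_contact_changed")
    # 5. A lock status code that was present has disappeared from the record.
    dropped = (set(baseline["status"]) & REQUIRED_LOCKS) - set(current["status"])
    if dropped:
        signals.append("domain_locks_removed")
    return signals

# Constructed sample data for a hypothetical domain (example.test).
BASELINE = {
    "ns": ["ns1.dns-host.test", "ns2.dns-host.test"],
    "mx": ["10 mail.example.test"],
    "txt": ["v=spf1 include:_spf.mail.example.test -all", "v=DMARC1; p=reject",
            "v=DKIM1; k=rsa; p=CONSTRUCTEDKEY"],
    "contact_email": "hostmaster@example.test",
    "status": sorted(REQUIRED_LOCKS),
}
# Same domain after NS and MX were redirected, SPF deleted, the contact swapped and the transfer lock removed.
HIJACKED = {
    "ns": ["ns1.attacker-dns.test", "ns2.attacker-dns.test"],
    "mx": ["10 mx.attacker-mail.test"],
    "txt": ["v=DMARC1; p=reject", "v=DKIM1; k=rsa; p=CONSTRUCTEDKEY"],
    "contact_email": "recovery@attacker-mail.test",
    "status": ["clientUpdateProhibited", "clientDeleteProhibited"],
}
```

Running `detect_hijack_signals(BASELINE, HIJACKED)` yields all five signals in order, and a snapshot that only lost clientTransferProhibited yields just `domain_locks_removed`.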
DomainCare's DNS check runs every hour by default and fires an alert the moment NS, MX, A, or TXT records change from their last known values. The dns_records_changed and mx_records_changed alerts are your early warning system for hijack attempts.
Monitor domain expiry and WHOIS contact changes
Never let a domain expire. Set up auto-renew at your registrar and verify the payment method on file is current. Monitor expiry dates independently of the registrar so you catch failures in the auto-renew process.
DomainCare's registry check reads your domain's expiry date and registry status codes every 12 hours. The domain_expiry_warning alert fires at 30 days remaining. The domain_hold_detected alert fires if the registry places a hold on your domain — which happens when status locks are removed or a registrar billing issue arises.
Also monitor your WHOIS contact email. Any change to the contact address on file at the registrar should be investigated immediately — a changed contact email is the prerequisite for a social-engineering-based transfer attack.
How DomainCare helps
DomainCare gives you three layers of detection that together cover the most common hijack vectors:
Registry check (/docs/checks/registry) — monitors your domain's expiry date and registry status codes every 12 hours. Fires alerts when the domain approaches expiry or a registry hold appears, including the removal of transfer-prohibit locks.
DNS check (/docs/checks/dns) — monitors A, AAAA, MX, NS, TXT, CNAME, CAA, and SOA records every hour. Fires the moment any record changes from its last known snapshot, giving you a window to act before an attacker finishes redirecting traffic.
Email deliverability check (/docs/checks/email-deliverability) — monitors SPF, DKIM, and DMARC records every 6 hours. Detects deletions, structural changes, and policy downgrades that would re-enable spoofing or compromise your email deliverability posture.
Together, these three checks cover the full attack surface visible in DNS and registry data. They do not replace strong account security at your registrar and DNS provider, but they give you detection if those controls fail.
Catch a hijack within minutes, not days
DomainCare watches your DNS records, expiry date, WHOIS contact, and email auth records continuously. Start your 30-day trial.