Mass Home Router DNS Hijacking Detected by Tencent Cloud DNSPod

Tencent Cloud DNSPod uncovered a massive May‑2024 campaign that hijacked home routers by altering their DNS settings to malicious IPs—using default credentials and firmware flaws—to redirect users to phishing or illegal sites, urging owners to check router DNS, reset devices, and change passwords.

Java Tech Enthusiast

Tencent Cloud DNSPod reported a large‑scale intrusion of home routers, where attackers altered the routers' DNS settings to point to malicious servers, causing users to be redirected to phishing or illegal sites.

The attacks began in May 2024 and peaked on August 5, affecting many routers. Although the malicious DNS entries have been removed from the upstream servers, cached records may persist due to TTL.

Typical compromise methods include scanning for exposed routers, then exploiting default passwords, firmware vulnerabilities, or common passwords to gain admin access and replace the DNS server IPs.

DNSPod identified dozens of malicious DNS IP addresses, such as 122.9.187.125, 8.140.21.95, 101.37.71.80, and others.

Users can verify if their router is infected by checking the DNS server IP in the router’s management page; any match with the listed IPs indicates compromise, and the router should be reset and passwords changed.

Additional diagnostic commands include:

    dig @122.9.187.125 dnspod.cn
    dig @ test.ip.dnspod.net
    dig @ version.bind chaos txt

If the dig output shows a TTL of 86400, an SOA record with unexpected values, or the string “unbound 1.16.2”, the router is likely hijacked.
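The dig indicators described above can be checked mechanically. The Python below is an added example, not code from DNSPod or the original article: it parses dig's default text output and reports the listed-resolver, TTL 86400 and "unbound 1.16.2" indicators. The function names and sample outputs are constructed here as assumptions, and the SOA comparison is left out because the page does not give the expected values.

```python
import re

# The three resolver IPs quoted on the page; DNSPod's full list is longer.
LISTED_DNS_IPS = {"122.9.187.125", "8.140.21.95", "101.37.71.80"}
SUSPECT_TTL = 86400
SUSPECT_VERSION = "unbound 1.16.2"

SERVER_RE = re.compile(r"^;; SERVER: ([0-9A-Fa-f.:]+)#\d+")
RECORD_RE = re.compile(r"^(\S+)\s+(\d+)\s+(IN|CH|HS)\s+(\S+)\s+(.*)$")

def parse_dig(output):
    """Extract the answering server and resource records from dig text output."""
    server, records = None, []
    for line in (raw.strip() for raw in output.splitlines()):
        m = SERVER_RE.match(line)
        if m:
            server = m.group(1)
        elif line and not line.startswith(";"):  # skip comments and question lines
            m = RECORD_RE.match(line)
            if m:
                name, ttl, _cls, rtype, rdata = m.groups()
                records.append({"name": name, "ttl": int(ttl), "type": rtype, "rdata": rdata})
    return server, records

def hijack_indicators(output):
    """Return the page's indicators that appear in one dig response (hypothetical helper)."""
    server, records = parse_dig(output)
    hits = []
    if server in LISTED_DNS_IPS:
        hits.append("listed-resolver")
    if any(r["ttl"] == SUSPECT_TTL for r in records):
        hits.append("ttl-86400")
    if any(r["type"] == "TXT" and SUSPECT_VERSION in r["rdata"].lower() for r in records):
        hits.append("unbound-1.16.2")
    return hits

# Constructed sample outputs (not captured from a real router); 192.0.2.x is documentation space.
SAMPLE_LISTED = """;; ANSWER SECTION:
dnspod.cn.      86400   IN  A   192.0.2.10
;; SERVER: 122.9.187.125#53(122.9.187.125) (UDP)"""
SAMPLE_VERSION = """;; ANSWER SECTION:
version.bind.   0   CH  TXT "unbound 1.16.2"
;; SERVER: 192.168.1.1#53(192.168.1.1) (UDP)"""
SAMPLE_CLEAN = """;; ANSWER SECTION:
dnspod.cn.      337 IN  A   192.0.2.20
;; SERVER: 192.168.1.1#53(192.168.1.1) (UDP)"""

if __name__ == "__main__":
    for label, text in [("listed", SAMPLE_LISTED), ("version", SAMPLE_VERSION), ("clean", SAMPLE_CLEAN)]:
        print(label, hijack_indicators(text))
```

To use it on a live check, pipe the saved text of a dig run into `hijack_indicators` and compare any hit against the DNS server shown in the router's management page.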
