DNS Hijacking Detector — Side-by-Side Record Comparison
Compare DNS records between Domain A and Domain B — mismatches flag possible hijack or drift
How to Use This Tool
- Enter Domain A — typically your trusted reference hostname.
- Enter Domain B — the label you suspect may be hijacked or drifted.
- Both domains are validated; two valid domain names are required.
- dns-compare fetches six record types for each name in parallel.
- comparison array shows per-type values A, values B, and match boolean.
- Investigate any match false on NS, A, or MX immediately.
About This Tool
DNS hijacking changes what users resolve — swapped A records, rogue MX paths, or unexpected NS delegations — without touching your intended zone file. Detecting hijack often means comparing what you expect against what appears live. VSPIC DNS hijacking detector runs dns-compare with domainA and domainB fields: parallel fetches for A, AAAA, MX, TXT, NS, and CNAME on both names, then marks each type match or different with sorted value lists per side.
Enter a known-good reference hostname in one field and the suspect label in the other — for example baseline.example.com versus production apex after an incident, or primary versus failover domain during DR drills. Match false on NS or A is urgent; intentional staging differences should be documented so compare does not false-alarm.
Common use cases
- •View all DNS records of a domain after migration
- •Confirm DNS records after domain changes
- •Test for DNS leaks when using a VPN
- •Debug email delivery with MX and TXT records
Why use VSPIC for ?
- Six critical record types compared in one run.
- Sorted comparison ignores benign answer order differences.
- Surfaces NS delegation drift — strong hijack indicator.
- Side-by-side values for ticket evidence.
- Free instant compare — no account required.
- Same dns-compare backend as DNS compare tool.
DNS hijacking signals compare catches
Hijacks often manifest as unexpected A records pointing offshore, MX redirected to attacker mail, TXT stripped of SPF, or NS delegations moved to attacker-controlled hosts. Comparing a trusted reference domain against the production label highlights those drifts per record type.
NS mismatch is especially severe — it suggests delegation itself changed at registrar or parent zone, not merely a record edit inside your zone file.
How dns-compare works
Both domains must pass domain validation. The handler queries A, AAAA, MX, TXT, NS, and CNAME for each, sorts values, and sets match true when lists are identical. Empty versus populated is a mismatch.
Results return domainA, domainB, and comparison array entries — same JSON shape as DNS compare tool.
Choosing Domain A and Domain B
Common patterns: compare documented baseline subdomain against apex after incident; compare failover hostname against primary during drills; compare acquired domain against corporate template hostname before integration.
Both inputs are domain names in the backend — not IP addresses. Use hostnames you control or have rights to investigate.
NS and A priority triage
A mismatch routes web traffic elsewhere — users see phishing or ad pages. MX mismatch redirects mail — credentials and MFA tokens may leak. NS mismatch means entire zone control may have shifted — escalate to registrar security immediately.
TXT mismatches may be benign during marketing token rotations — correlate timing with change tickets before declaring hijack.
Limits versus multi-resolver polling
True hijack detection sometimes requires comparing answers from multiple recursive resolvers and geographic vantage points. This tool compares two domain names on one resolver path each — powerful for baseline drift, not a global resolver mesh.
After suspected hijack, snapshot DNS with dns-history and open registrar case with WHOIS.
Incident response workflow
On alert, compare production against last known good baseline hostname. Export comparison JSON. Lock registrar account with MFA. Rotate DNS provider credentials. Lower TTL only after authoritative control restored.
Pair with historical DNS lookup snapshots if you saved exports before the incident.
Relationship to DNS compare tool
Identical dns-compare action. DNS compare tool emphasizes staging versus production parity; hijacking detector emphasizes security incident framing. API parameters: domainA and domainB.
Use compare tool language for release management; use this page for abuse desk searches.
API automation
GET /ip-tools/api/extended?action=dns-compare&domainA=baseline.example.com&domainB=example.com. Fail monitoring when match false on NS or A for production pairs.
Document intentional mismatches in config management so alerts exclude approved drift.
Privacy and authorization
Compare only domains you own or are contracted to investigate. Public DNS data only — read-only queries.
Mismatch results are leads, not automatic proof of malicious intent — verify with registrar logs.
Important notes & limitations
- Requires two valid domain names — not raw resolver IP comparison.
- Compares two QNAMEs, not answers from two different resolvers for one name.
- Six types only — SRV, CAA, DNSSEC not included.
- Single resolver path per side at query time.
- Intentional staging differences appear as mismatches — context required.
Frequently Asked Questions
Yes. VSPIC offers this DNS hijacking detector at no cost with no account required. Results load in real time.
We do not permanently store your queries on our servers. Some tools run entirely in your browser; others fetch public data for the request only.
Yes. Open the page in any modern phone or tablet browser. Results work on Wi‑Fi and mobile data.
No. Both fields require valid domain names. The backend compares two QNAMEs, not resolver endpoints.
dns-compare with domainA and domainB parameters.
No. Staging differences, intentional failover, and recent legitimate changes also mismatch. Correlate with change tickets and registrar access logs.
A, AAAA, MX, TXT, NS, and CNAME — six types with sorted value comparison.
NS controls which nameservers serve the zone. Unexpected NS changes suggest delegation hijack at registrar or parent zone.
Same backend and JSON. This page targets hijack investigation searches; the sibling page targets staging or production parity workflows.
Next step for your check
Continue with dns compare tool on VSPIC.
Related Tools
Explore more free VSPIC tools for IP, DNS, security, and network diagnostics.
DNS Compare Tool
Compare A, AAAA, MX, TXT, NS, CNAME between two domains
Use Free →Historical DNS Lookup
Historical DNS Lookup — free online tool
Use Free →WHOIS Lookup
Retrieve domain and IP registration WHOIS records
Use Free →Domain DNS Audit
Domain DNS Audit — free online tool
Use Free →DNS Lookup Tool — DNS Checker
Free DNS lookup tool and DNS checker — query A, AAAA, MX, TXT, NS, CNAME, and SOA records for any domain.
Use Free →Reverse DNS Lookup
Resolve IP addresses to hostnames via PTR records
Use Free →
Trusted by Users Who Value Privacy
Always Free
No premium plan ever
100% Private
Files processed in browser
Instant Results
Convert in seconds
Works Everywhere
Any device, any OS