The invention relates to the technical field of network safety, in particular to a DNS hijacking detection method and device. The method comprises the following steps: randomly generating an inexistent false domain name as a test main domain name; generating a plurality of test sub-domain names based on the test main domain name so as to form a first test sub-domain name set; initiating a batch DNS resolution request to a first DNS server by using the first test sub-domain name set, wherein the first DNS server is a real DNS server; checking a DNS response result, and judging whether DNS hijacking exists or not according to whether each test sub-domain name in the first test sub-domain name set is analyzed or not; If the test sub-domain name is analyzed, determining that the DNS hijackingexists, and determining the keywords of the DNS hijacking. According to the method, batch detection is carried out by using a large number of false sub-domain names through active DNS request detection, so that whether DNS hijacking exists or not can be quickly and accurately detected, and matching keywords of DNS hijacking can be identified.