Yes, that sounds exactly like what it is. Let's see if I understand this:
* When a user clicks a link, the user's ISP checks a local DNS server to find the domain's IP address. There are thousands of DNS servers all over the world, and there's no telling which DNS server the ISP will use.
* A hacker breaks into a DNS server's cache and changes the records, changing the IP address for example.com from the real IP address to some rogue site's IP address.
* Most users don't see any problem, but users whose ISP gets its IP info from a hacked DNS server will get directed to rogue sites when they click links to legitimate sites.
Do I have that right? If so, it seems like there's nothing I can do, since the compromised DNS server(s) are unknown to me and out of my control.