Windows Updates are downloaded via HTTP but signed in the package themselves. This is why Delivery Optimization (peer to peer distribution) can be used. HTTP downloads for WU are also good because it allows upstream proxies to cache the content reducing overall network load.
Thus: Hijacking WU to download malicious content takes far, far more than just DNS hijacking. You'd also need to subvert the WU signing system. (This is more nation-state level stuff.)
Thus: Hijacking WU to download malicious content takes far, far more than just DNS hijacking. You'd also need to subvert the WU signing system. (This is more nation-state level stuff.)