What Is DNS Hijacking? How to detect and fix it?
DNS hijacking is a common cyberattack technique, also known as domain name server reconfiguration. The attacker’s goal is to redirect the user to a bogus website that the attacker has created.
Also referred to as DNS redirection, the technique is used by hackers to alter how Domain Name System (DNS) queries are resolved, using malware that modifies the authentic server so that it no longer complies with the set internet standards.
DNS-based attacks have been on the rise over the years. Cybercriminals know that DNS is a trusted protocol used by organizations, and that many of these organizations do not monitor their DNS traffic for unusual or malicious activity. Perpetrators exploit this gap and attack websites in order to steal information, carry out fraud or disrupt a website.
Nowadays, many organizations spend more money and resources than ever on DNS monitoring solutions and on hiring and developing the talent required for a solid first line of defense. This is because DNS has become commonplace in the business world.
What is a DNS?
The Domain Name System (DNS) is an integral part of the internet that everyone uses – knowingly or unknowingly. Just as contacts are saved on your phonebook to identify people when they call your phone, the internet has its own phonebook of computers, services, and other resources connected to it. This system of naming used by the internet is called DNS.
When trying to access information on the internet, humans enter domain names of websites like “google.com,” “supersport.com,” etc. After this is done, the web browsers used to initiate the search interact through the device’s Internet Protocol (IP) address. The DNS subsequently translates the domain names to IP Addresses, and the website loads the resources available on the internet.
DNS was an initiative that tech enthusiasts developed because, without it, humans would have to memorize or continuously write down different numbers for the different devices that they use to connect to the internet – laptops, mobile phones, tablets, etc.
In other words, DNS is the internet’s record of names, which it matches with numbers known as IP addresses. Computers use these numbers to communicate with each other over a network, and DNS eliminates the need for humans to memorize them.
How Does DNS Work?
Like every house with a street address, every device on the internet has an IP address linked to it. Without an IP address, the device cannot be found by other devices connected to the internet. So, when a user types a human-friendly URL like “www.yoursite.com” into their web browser (rather than a computer-friendly IP address that looks like 18.104.22.168 for IPv4 or 2606:1100:220:1:258:1893:25c8:1945 for IPv6), the name is matched to its IP address through a chain of lookup servers, including recursive resolvers, the root nameserver, the top-level domain (TLD) server, and the authoritative nameserver, before the webpage can be located on the internet.
It is important to note that, aside from the initial request sent from the computer, the DNS lookup process happens behind the scenes and does not require any further interaction from the computer.
What is DNS Hijacking?
DNS hijacking is an attack on a domain name system (DNS). In some cases, it is an attack that makes the DNS unavailable for use, while in others it is a stealthy way of redirecting the website’s users to an alternative website. Either way, DNS hijacking attacks use the DNS as a significant part of the attack process. Usually, during a DNS hijacking, attackers incorrectly resolve DNS queries sent by users and redirect them to bogus sites without the users noticing. Afterward, the website user inadvertently proceeds to the linked harmful website or continues using the internet through a server that cyber attackers have compromised.
All over the world, there are significant waves of DNS hijacking attacks happening daily since numerous companies have domain names that link to their websites, which are intended to provide more information about their products and services to website visitors.
Usually, the attackers install malware on users’ computers and subsequently redirect their queries to harmful websites, where the cybercriminals can steal data such as the user’s login credentials and other information. In some other cases, the Domain Name Server communication is hacked to achieve the same result.
From a business perspective, a DNS hijacking attack could make you lose users who cannot trust your website’s security and are frustrated because they cannot access your website’s content. It could give hackers access to your customers’ sensitive information and put them and your business at risk of fraudulent activities.
Why Is a DNS Hijacked?
Cybercriminals hijack a domain name system for different reasons. In some cases, the hacker uses it for pharming – displaying unwanted ads to generate revenue from users’ redirection. In other cases, it is used for phishing – displaying fake websites that are harmful and aimed at stealing users’ credentials and other data. However, in many other cases, a hacker’s main aim in initiating a domain name system attack is quite apparent: they want to siphon money from the website users’ bank accounts to other channels, perform card fraud, or sell users’ personal data obtained from such websites on the dark web.
It is also an open secret that quite a number of Internet Service Providers (ISPs) use this domain redirection method to control users’ DNS queries, collect their data, and tailor ads in line with such data. In some less common cases, the ISPs give their subscribers configurable settings to disable the hijacking themselves. If done correctly, the setting reverts DNS to its default status. More often, however, ISPs use a web browser cookie to store the user’s preference instead. In such a scenario, the user’s DNS queries continue to be redirected, while the ISP redirect page is replaced with a counterfeit DNS error page.
In a few other cases, government agencies use DNS hijacking to redirect users to a government website or for censorship purposes.
Types of DNS Hijacking Attacks
Cybercriminals can achieve DNS hijacking in four different ways:
- Local DNS Hijack: This DNS hijacking method is achieved when a cybercriminal installs Trojan malware on a website user’s computer. This malware is built to disguise itself as legitimate software. Once it is active, it gives hackers access to the network systems in use and allows them to steal data and alter DNS settings to redirect users to fake websites.
- Router DNS Hijack: This DNS hijacking method involves hackers using a vulnerable DNS router (a hardware device used by domain service providers to link their domain names to equivalent IP addresses) to launch a DNS attack by overriding and reconfiguring the router’s DNS settings. Once this is done, the attackers jam the website then redirect traffic to another malicious website, making the website inaccessible to users.
- Man-in-the-middle DNS Hijack: This is done by hackers operating within the communication between a network user and a DNS server to obstruct such communication and eventually redirect the user to an unknown destination IP address leading to harmful websites. It is also referred to as DNS spoofing.
- Rogue DNS Hijack: This involves an attacker hacking the DNS server, altering its saved records, and redirecting subsequent DNS queries to malicious websites usually owned by them.
Methods of Mitigating DNS Hijacking
Since DNS hijacking is a frequent attack on websites, both website owners and users should put precautionary measures in place to prevent it. There are many ways to prevent DNS hijacking from both the front end and the back end of a website.
DNS Hijacking Mitigation Measures for Name Servers and Resolvers
To increase your DNS security:
- Install Firewalls around DNS resolvers: DNS resolvers are a part of every DNS, and during a DNS hijacking attack, attackers install counterfeit resolvers in a DNS to counter the legitimate ones. Your IT team must therefore secure your legitimate resolvers behind a firewall that shuts out every unknown resolver. This will block any external access and secure your DNS.
- Improve Name Server Access Restrictions: Since an attacker can be within your organization, it is essential that your IT team puts in place a physical security system and multi-factor authentication to reduce the risk of DNS hijacking.
- Put measures in place against Cache Poisoning: Website cache poisoning can be prevented by randomizing user identity, making query IDs random, using random source ports for your server, and randomly including both uppercase and lowercase characters in your website domain name.
- Fix known domain bugs immediately: Perpetrators of DNS hijacking know that there are domain vulnerabilities from time to time, and they leverage these vulnerabilities to carry out DNS hijacking attacks. Therefore, it is crucial to have your IT personnel assess your DNS for bugs frequently and immediately fix such bugs.
- Separately run Resolvers and Authoritative Name Server: Running both on the same server will put your DNS at the risk of a DNS hijacking because when there is a DDoS attack on one, the other automatically gets affected as well.
- Prevent Zone Transfers: Records stored in a DNS contain sensitive data that interest cybercriminals. To access these records, hackers usually disguise themselves as slave (secondary) name servers, which normally request zone transfers. Once a zone transfer is initiated, the attacked server’s zone records are copied by the hackers. Hence, preventing these transfers will mitigate DNS hijacking.
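The query-ID and mixed-case measures from the cache-poisoning item above, as an added Python example (not code from the original article): each query gets an unpredictable 16-bit ID and random letter casing, and a reply is discarded unless it echoes both exactly. The function names and the sample name `www.example.com` are assumptions made for illustration.

```python
import secrets
import struct

def encode_0x20(name: str) -> str:
    """Randomly flip the case of every letter; DNS treats names case-insensitively."""
    return "".join(c.upper() if secrets.randbits(1) else c.lower() for c in name)

def build_query(name: str) -> tuple[int, str, bytes]:
    """Return (query ID, mixed-case name, wire-format A query)."""
    txid = secrets.randbits(16)                      # unpredictable query ID
    qname = encode_0x20(name)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD=1, one question
    labels = b"".join(bytes([len(p)]) + p.encode("ascii") for p in qname.split("."))
    return txid, qname, header + labels + b"\x00" + struct.pack("!HH", 1, 1)

def parse_question(msg: bytes) -> tuple[int, str]:
    """Extract the query ID and the question name with its casing preserved."""
    txid = struct.unpack("!H", msg[:2])[0]
    pos, labels = 12, []
    while msg[pos]:                                  # a zero length byte ends the name
        n = msg[pos]
        labels.append(msg[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return txid, ".".join(labels)

def accept_response(sent_txid: int, sent_qname: str, response: bytes) -> bool:
    """Accept a reply only if it is a response and echoes our ID and exact casing."""
    if len(response) < 12 or not response[2] & 0x80:  # QR bit must be set
        return False
    try:
        txid, qname = parse_question(response)
    except (IndexError, UnicodeDecodeError):          # truncated or malformed name
        return False
    return txid == sent_txid and qname == sent_qname  # case-sensitive comparison

if __name__ == "__main__":
    txid, qname, wire = build_query("www.example.com")   # constructed sample name
    reply = bytearray(wire)
    reply[2] |= 0x80                                     # constructed genuine reply
    print(qname, accept_response(txid, qname, bytes(reply)))
```

A forged reply now has to match the ID and the casing of every letter in the name, in addition to the source port, before the resolver will cache it.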
DNS Hijacking Mitigation Measures for End-Users
Aside from stuffing users’ devices with unsolicited product ads, during a DNS hijacking, the attacker also goes after users’ credentials and other personal data. So, as a website user, you can change your router password from time to time, install an antivirus on your computer and keep it up to date, only connect to reliable private and public networks, or use VPN channels to change your IP address to prevent DNS hijacking.
In a case where it is your ISP doing the DNS hijacking, you can opt for an alternative DNS service that obstructs any DNS hijacking attack.
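One way to check whether the resolver you are using redirects failed lookups, as the ISP behaviour described earlier does, shown as an added Python example (not code from the original article). It looks up random names that are practically certain not to exist and reports any address that comes back; the function names, the `com` suffix and the stub resolvers used for testing are assumptions.

```python
import secrets
import socket

def system_resolve(name: str) -> list[str]:
    """Resolve through the OS-configured resolver; an empty list means no such name."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None)})
    except socket.gaierror:
        return []

def detect_nxdomain_rewriting(resolve=system_resolve, probes: int = 3,
                              suffix: str = "com") -> dict:
    """Look up random unregistered names. An honest resolver answers none of them;
    a resolver that answers all of them is replacing the error with its own page."""
    answers = {}
    for _ in range(probes):
        name = f"{secrets.token_hex(16)}.{suffix}"   # 32 random hex characters
        ips = resolve(name)
        if ips:
            answers[name] = ips
    landing = set().union(*answers.values()) if answers else set()
    return {
        "rewritten": len(answers) == probes,         # every probe got an answer
        "partial": 0 < len(answers) < probes,        # inconsistent: investigate
        "landing_ips": sorted(landing),              # where failed lookups are sent
    }

if __name__ == "__main__":
    print(detect_nxdomain_rewriting())               # uses the live system resolver
```

Running the same check again after switching to an alternative DNS service shows whether the redirection came from the original resolver.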
DNS Hijacking Mitigation Measures for Website Owners
As a website owner, if you do not manage your DNS, nobody else will manage it for you unless you have a reliable third-party tech support services provider that your organization has hired to perform the task. Without either you or a third-party firm handling your website management and looking out for unusual activities, there is a significant probability that your website could have been hacked without your knowledge. When an attacker hijacks your DNS, they are able to intercept your entire web traffic and email communications.
In other words, the importance of putting measures in place to prevent DNS hijacking attacks cannot be overemphasized because of the potential monetary and customer loss involved when your website is attacked. When your website goes through DNS hijacking, customers are frustrated, you stand to lose their trust, and a lot of money is spent on getting your website back on track.
Therefore, to keep the chances of DNS hijacking at bay, your company’s IT personnel must do the following:
- Guarantee Secure Access: This can be done by restricting the number of your team members that have access to your company’s DNS. Website owners can also achieve this by utilizing a two-factor authentication process for access to be granted to the domain name server registrar.
In the same vein, you can have your IT team limit the number of IP addresses that have access to your organization’s DNS settings by creating a whitelist that includes these IP addresses. This method will prevent DNS hijacking attacks on your website by a mile.
- Deploy Client Lock: Using change lock or client lock is another way to prevent your website from DNS hijacking. If your DNS registrar is client lock enabled, locking it prevents alterations to your website’s DNS settings without approval from a particular IP address.
- Use a DNSSEC Domain Name Server: DNSSEC uses digital signatures and keys to verify that DNS answers are authentic. In other words, if your organization’s DNS registrar works with DNSSEC, it will act as another layer of protection for your DNS and make it more difficult for attackers to intercept traffic or spoof traffic from your website to their malicious websites, thereby preventing DNS hijacking.
Do Not Give Room to DNS Hijacking on Your Website
Ultimately, DNS hijacking is the reality of many websites all around the globe today. Numerous enterprise-level businesses have been faced with DNS hijacking attacks by cybercriminals for different reasons. And despite all the measures and efforts put in place by many business owners to avert DNS attacks and spoofing, hackers evolve by the day and develop new ways to infiltrate any vulnerable DNS of choice – stealing data and compromising networks.
Therefore, to protect your company’s website from DNS hijacking, you must have IT professionals on your team who stay on top of the game. These personnel will ensure your security level is high and kept up to date. They will also find bugs and errors and fix them before perpetrators can exploit them. In essence, following the measures highlighted here will help you and your business prevent DNS hijacking.