During the last two weeks, you probably started to hear more frequently about DNS hijacking.
In this article, we will define what DNS hijacking is and how to prevent it.
Let’s start by understanding what DNS is and its importance.
The essential function of a Domain Name System (DNS) is to convert human-friendly domain names into machine-friendly IP addresses and connect internet users to websites. The first step in this process is a DNS resolver or a recursive DNS server that deals with the initial request and ultimately translates the domain into an IP address.
By searching for DNS records on one or more DNS name servers, the DNS resolver finds the corresponding IP addresses that machines can read. DNS name server is an intrinsic part of the lookup process. That is because it answers the recursive DNS server about where specific websites can be found.
Now we can move to the part of the DNS hijacking process.
During DNS hijacking attacks or DNS redirection, DNS requests are resolved incorrectly to redirect users to malicious websites. This happens if a DNS server is under a hacker’s control and they divert the traffic to a fake DNS server. Then, the server translates a legitimate IP address into the IP address of a malicious website.
Hackers can achieve DNS hijacking in different ways. Here are the most popular:
Router DNS Hijack
This DNS hijacking method involves hackers using a vulnerable DNS router (a hardware device used by domain service providers to link their domain names to equivalent IP addresses) to launch a DNS attack by overriding and reconfiguring the router’s DNS settings. Once this is done, the attackers jam the website and then redirect traffic to another malicious website, making the website inaccessible to users.
Man-in-the-middle DNS Hijack
This is done by hackers operating within the communication between a network user and a DNS server to obstruct such communication and eventually redirect the user to an unknown destination IP address leading to harmful websites. It is also referred to as DNS spoofing.
Rogue DNS Hijack
This involves an attacker hacking the DNS server, altering its saved records, and redirecting subsequent DNS queries to malicious websites usually owned by them.
Local DNS Hijack
This DNS hijacking method is achieved when a cybercriminal installs Trojan malware on a website user’s computer. This malware is built to disguise as legitimate software. Once it is active, it gives hackers access to the network systems in use and allows them to steal data and alter DNS settings to redirect users to fake websites.
There are multiple options for securing your website from such a situation. The most common are:
Installing a firewall for the DNS resolver prevents the installation of a fake resolver and blocks unauthorized access. A firewall acts as an additional protective layer preventing DNS hijacking.
Restrict access to DNS name servers by using multifactor authentication, firewalls, and other physical and network security measures.
Separating the name server from the resolver
Run authoritative DNS name servers separately from the resolver to avoid cache poisoning. You need to separate the name server from the DNS resolver. Note that if they both run on the same server, they could be affected simultaneously.
Cache poisoning preventions
Prevent cache poisoning by randomizing user identity, using randomized query IDs, and using random source ports.
As a user, the only way to protect yourself from being a victim of such a hijack is by installing antivirus software and always keeping it updated. Moreover, there are some other specific software exists that helps you to detect DNS hijacks and avoid visiting malicious websites.
Enter your email address to subscribe to Hacken Reseach and receive notifications of new posts by email.