Domain Name System (DNS) hijacking, sometimes called DNS redirection, is a type of cyberattack in which a user is redirected to a malicious site without their knowledge. Attackers execute DNS attacks by installing malware on a user’s computer or by hacking DNS communications.
DNS redirection changes how a DNS transaction is handled by “hijacking” it, leading the user’s system to connect with a server that is not the intended destination on the internet. This malicious exploit takes the user’s traffic and then redirects it to a rogue DNS server. The server then conducts the DNS attack by changing the IP address that the user is attempting to access (Palo Alto Networks, n.d.).
What Is DNS?
Understanding what DNS traffic is and how it works is the essential first step in combating DNS hijacking. Learning these underlying concepts will give you a strong understanding of how DNS hijacking attacks work and the tools available for executing them.
The DNS is an internet protocol that makes it possible for users to reach websites. DNS enables connection among web-connected devices and facilitates communication with websites (Cloudflare, n.d.). When a user sends a connection request, the normal behavior of a DNS server is to return the requested website’s IP address. This DNS traffic may, however, be vulnerable to DNS hijacking attacks.
How Does DNS Traffic Work? When you type a website address into your browser’s URL bar, your device sends a query to the DNS server for that website’s IP address. The DNS server then returns that IP address, and your device notes the DNS server’s IP address, allowing it to connect to the website.
What Is DNS Hijacking?
DNS hijacking involves making changes to a user’s DNS queries that result in redirection to a destination of the attacker’s choice. Cybercriminals use DNS attacks and hijacking tools to steal money from targets’ bank accounts, commit credit card fraud, sell personally identifiable information on the dark web, and take other malicious actions.
Hackers can use DNS hijacking to complement other cyberattack techniques, such as pharming (the display of unwanted ads to generate revenue) and phishing (enticing users to click on links to malicious websites to steal their data and credentials). These types of cyberattacks can be significantly disruptive and can impact DNS traffic (Cloudflare, n.d.).
Types of DNS Hijacking Attacks
Local DNS HijackingBy installing Trojan malware on a user’s system, the attacker can change the regional DNS settings and redirect the user to a malicious site. These uses of DNS hijacking can lead to identity theft.
Router DNS Hijacking
A router DNS attack occurs when attackers take over a router with a default password, overwrite its DNS settings, and redirect users connected to the device (EC-Council, 2020).
OnPath DNS Hijacking
DNS hijacking is an OnPath attack in which attackers obstruct communication between a DNS server and user and provide multiple IP addresses pointing to malicious sites.
Rogue Server DNS Hijacking
In rogue server DNS attacks, the attacker change how a DNS server works by hacking the server, changing DNS records, and redirecting requests to malicious sites.
In DNS spoofing attacks, a request is redirected from a legitimate website to a malicious website. An attacker can compromise a DNS server to redirect users to a malicious website that superficially imitates a legitimate site.
DNS spoofing is also known as cache poisoning. Servers, systems, and routers store DNS records in a cache. In this type of cyberattack, hackers insert a forged DNS entry to poison the cache, leaving an alternate IP destination for a given domain (Borges, 2018).
How to Stop DNS Hijacking and Stay Safe
To prevent DNS hijacking, it’s essential to expand your cybersecurity knowledge so that you can take proactive action.
- Shut down DNS resolvers before placing legitimate resolvers behind a firewall with no link to external communication.
- Restrict access to DNS name servers by using multifactor authentication, firewalls, and other physical and network security measures.
- Combat cache poisoning by using randomized query IDs, random source ports, and random alphabetic cases.
- Don’t run authoritative DNS name servers from the resolver; run them separately to avoid cache poisoning.
- Patch vulnerabilities immediately to prevent DNS hijacking, as hackers often look for vulnerable DNS servers.
- Restrict zone transfer records, as they contain valuable information for attackers using DNS hijacking tools (Wallarm, n.d.).
The Simplest and Best Way to Protect Yourself
The best way to protect your organization from DNS hijacking attacks is to improve employees’ awareness of DNS attacks and ensure that you have the right professionals on hand to prevent and respond to cyberattacks.
EC-Council’s Certified Network Defender (C|ND) certification program teaches cybersecurity professionals the latest network security skills. The C|ND certification prepares learners to protect systems and networks, detect threats and vulnerabilities, and respond appropriately. Upskill your team and seek C|ND-certified professionals to keep your organization safe. Get in touch with EC-Council today!
Borges, E. (2018, November 22). The most popular types of DNS attacks. Security Trails. https://securitytrails.com/blog/most-popular-types-dns-attacks
Cloudflare. (n.d.). What is DNS? | How DNS works. https://www.cloudflare.com/learning/dns/what-is-dns/
EC-Council. (2020, August 24). What is DNS hijacking and how to combat it. Response Marketing Association. https://responsema.org/email-marketing/what-is-dns-hijacking-and-how-to-combat-it/
Palo Alto Networks. (n.d.). What is DNS hijacking? https://www.paloaltonetworks.com/cyberpedia/what-is-dns-hijacking
Wallarm. (n.d.). What is DNS hijacking? Basic methods of protection. https://www.wallarm.com/what/what-is-dns-hijacking-basic-methods-of-protection