
What Is DNS Hijacking?

DNS Hijacking—Definition and Examples

Domain Name System (DNS) hijacking is a type of DNS attack. An attacker purposefully manipulates how DNS queries are resolved, thereby redirecting users to malicious websites. To carry out the attack, hackers either install malware on user PCs, seize control of routers, or intercept or hack DNS connections.

DNS hijacking can also be used for phishing or pharming. After hijacking the real site’s DNS, attackers direct users to a fake site where they are invited to enter login credentials or sensitive financial information. Some governments also use DNS hijacking to reroute users to state-approved sites as part of a censorship strategy.

How Does a DNS Hijacking Attack Work?

When you register a website with a domain registrar, you select an available domain name, and your site's IP address will be registered with the domain name. For illustration purposes, let us say you choose the domain name BusinessSite.com.

A DNS record contains your site's unique IP address, and your domain name is linked to that address. In a DNS hijacking attack, hackers gain access to your DNS and replace your IP address in the record with one they control. As a result, when the DNS record is looked up, your domain name BusinessSite.com points to the attacker's servers.

In other words, when someone types "BusinessSite.com" into Chrome, Firefox, or another browser, they are not taken to your site. Instead, they are routed to a site the attacker controls. If the visitor thinks the site they are seeing is legitimate, they may mistakenly enter sensitive information or download malware.

How To Detect DNS Hijacking?

Common signs of DNS hijacking include web pages that load slowly, frequent pop-up advertisements on websites where there should not be any, and pop-ups informing the user that their machine is infected with malware. Fortunately, in addition to these telltale signs, there are several internet tools you can use to check if your DNS has been hijacked, including:

  1. Pinging a domain: You can spot DNS hijacking by using a ping program to ping a questionable domain, that is, one that should not resolve at all. If the result shows that no IP address exists for the name, your DNS has not been hijacked. If, on the other hand, pinging the suspicious domain returns an IP address, there is a good chance that your DNS has been hijacked.
  2. Checking your router: Attackers can use malware to gain access to your router's administration page. Once inside, they can change the DNS settings so the router uses a server the attacker manages. To check for this kind of attack, go to your router's admin page and review its DNS settings.
  3. Checking WhoIsMyDNS: Another useful online tool is WhoIsMyDNS, which shows you the real server responding to DNS requests on your behalf. If the DNS server displayed is unfamiliar to you, you may have fallen victim to DNS hijacking.
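The three checks above can be scripted so they run on a schedule instead of by hand. The following is an added example, not code from the Fortinet page: it parses the configured resolvers (the equivalent of reading the router's DNS settings), resolves a random name that should not exist, and compares the local answer for your domain with reference addresses you obtained out of band (for instance from your registrar's records). EXPECTED_RESOLVERS and the sample addresses are constructed RFC 5737 documentation values, not real recommendations.

```python
import random
import socket
import string

# Constructed allowlist of resolver addresses the administrator expects to see
# (RFC 5737 documentation addresses standing in for your real resolvers).
EXPECTED_RESOLVERS = {"192.0.2.53", "198.51.100.53"}


def parse_nameservers(resolv_conf: str) -> list:
    """Extract the 'nameserver' entries from /etc/resolv.conf-style text."""
    servers = []
    for line in resolv_conf.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def canary_name(zone: str = "example.com") -> str:
    """A random label under zone that no honest resolver should have an answer for."""
    label = "".join(random.choices(string.ascii_lowercase + string.digits, k=16))
    return f"{label}.{zone}"


def resolve(name: str) -> set:
    """Set of A records the system resolver returns for name; empty on NXDOMAIN or error."""
    try:
        return set(socket.gethostbyname_ex(name)[2])
    except socket.gaierror:
        return set()


def assess(nameservers: list, canary_ips: set, local_ips: set, reference_ips: set) -> list:
    """Turn raw observations into findings; an empty list means nothing looked suspicious."""
    findings = []
    for ns in nameservers:                       # check 2: unexpected resolver configured
        if ns not in EXPECTED_RESOLVERS:
            findings.append(f"unexpected resolver configured: {ns}")
    if canary_ips:                               # check 1: a nonexistent name resolved
        findings.append(f"nonexistent name resolved to {sorted(canary_ips)}")
    if local_ips and reference_ips and local_ips.isdisjoint(reference_ips):
        findings.append(f"local answer {sorted(local_ips)} disagrees with reference {sorted(reference_ips)}")
    return findings


if __name__ == "__main__":
    import sys
    domain = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    reference = set(sys.argv[2:])                # expected addresses, supplied out of band
    with open("/etc/resolv.conf") as fh:
        servers = parse_nameservers(fh.read())
    for line in assess(servers, resolve(canary_name(domain)), resolve(domain), reference) or ["no signs of hijacking"]:
        print(line)
```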


Types of DNS Hijacking Attacks

To prevent DNS hijacking, you first have to know the different kinds of attacks. DNS hijacking can take four different forms:

  1. Local DNS hijacking: An attacker installs Trojan software on a user's computer, then modifies the local DNS settings to reroute the user to harmful websites.
  2. DNS hijacking using a router: Many routers have weak firmware or still use the default passwords they were shipped with. Attackers can take advantage of this to hack a router and change its DNS settings, which affects everyone who uses that router.
  3. Man-in-the-middle (MITM) attacks: Attackers use man-in-the-middle attack techniques to intercept communications between users and a DNS server. They then direct the target to malicious websites.
  4. Rogue DNS server: Hackers can alter DNS records on a DNS server, enabling them to reroute DNS requests to malicious websites. If the site looks legitimate, the user may not even know they are in the wrong place.

Figure: the four types of DNS hijacking attacks.

DNS Hijacking vs. DNS Spoofing vs. DNS Cache Poisoning

Although spoofing and hijacking are similar, there are a few differences. 

DNS Spoofing

Unlike hijacking, spoofing does not intentionally take the victim's site offline to carry out the attack. Instead, the hacker alters information in the DNS so a user ends up at a fake site. 

DNS Hijacking

An attacker who hijacks a session uses a different technique. They need the legitimate user to establish a connection and provide authentication. At that point, the attacker takes over.

DNS Cache Poisoning

With cache poisoning, hackers target caching name servers to manipulate the DNS cache's stored responses. This attack can be carried out in a variety of ways, but it commonly involves flooding the server with forged DNS responses while altering the query ID of each response. 

Unless Domain Name System Security Extensions (DNSSEC) is implemented, cache poisoning can be difficult to identify and defend against. DNSSEC refers to a collection of extension specifications set up by the Internet Engineering Task Force (IETF) to safeguard data exchanged in the DNS and IP systems. Without DNSSEC, hackers are more likely to execute a successful attack and impact thousands of users who access a nameserver with compromised responses. 
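The query-ID flooding described above only works if the resolver accepts a reply without checking it against the query it actually sent. The following added example (not code from the Fortinet page) shows the defender's side: it builds minimal DNS A-record responses in wire format and accepts one only when its transaction ID, source port and question section all match the outstanding query, then counts how many of a batch of forged replies with guessed IDs would get through. The transaction ID, port and 203.0.113.x addresses are constructed sample values.

```python
import struct


def encode_qname(name: str) -> bytes:
    """Wire-format a domain name as length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def decode_qname(msg: bytes, off: int):
    """Read an uncompressed name at off and return (name, offset after it).
    Compression pointers are not handled: the question section we check is never compressed."""
    labels = []
    while msg[off] != 0:
        n = msg[off]
        labels.append(msg[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    return ".".join(labels), off + 1


def build_response(txid: int, name: str, ip: str) -> bytes:
    """Constructed A-record reply for name, as a legitimate server or a forger would send it."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR=1, RD/RA, 1 question, 1 answer
    question = encode_qname(name) + struct.pack("!HH", 1, 1)    # QTYPE A, QCLASS IN
    rdata = bytes(int(octet) for octet in ip.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + rdata  # name pointer to offset 12
    return header + question + answer


def accept_response(pending: dict, resp: bytes, src_port: int) -> bool:
    """Accept a reply only if it matches the outstanding query's ID, port and question."""
    txid, flags, qdcount = struct.unpack("!HHH", resp[:6])
    if not flags & 0x8000 or qdcount != 1:
        return False                      # not a response, or unexpected question count
    if txid != pending["txid"] or src_port != pending["port"]:
        return False                      # wrong transaction ID or wrong source port
    qname, off = decode_qname(resp, 12)
    qtype, qclass = struct.unpack("!HH", resp[off:off + 4])
    return (qname.lower(), qtype, qclass) == (pending["name"].lower(), 1, 1)


def flood(pending: dict, name: str, guesses: range, src_port: int) -> int:
    """Count how many forged replies carrying guessed IDs a careful resolver would accept."""
    return sum(accept_response(pending, build_response(g, name, "203.0.113.7"), src_port) for g in guesses)


if __name__ == "__main__":
    pending = {"txid": 0x1234, "port": 54321, "name": "BusinessSite.com"}
    print("accepted with right port:", flood(pending, "BusinessSite.com", range(0x1200, 0x1300), 54321))
    print("accepted with wrong port:", flood(pending, "BusinessSite.com", range(0x1200, 0x1300), 53))
```

With a random 16-bit ID and a random source port, an attacker has to guess both, which is why resolvers randomize them; DNSSEC removes the guessing game entirely by letting the resolver verify the signature on the data.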

How To Secure Your Network Against DNS Hijacking

Here are a few strategies to protect your web server from DNS hijacking.

1. Check Your Router's DNS Settings

Routers are susceptible to attacks, and hijackers use this weakness to prey on unsuspecting victims. Check your router's DNS settings to ensure they have not been changed. You can do this on the administration page. Additionally, routinely update your router’s password.

2. Use Registry Lock for Your Domain's Account

A registry lock service, offered by a domain name registry, can safeguard domains from unwanted modifications, transfers, and deletion. This can stop hackers from redirecting people to malicious sites after they type in a domain name.

3. Use Anti-malware

DNS hijackers can target users' login information using malware that reveals passwords. Installing antivirus software can help you catch any attacker trying to leverage this type of malware. But to reduce the likelihood of data being compromised, use secure virtual private networks (VPNs).

4. Implement Good Password Hygiene

Create complex passwords as part of a password hygiene strategy. Complicated passwords consisting of random strings of characters or nonsensical phrases are less likely to show up on a list of compromised passwords a hacker can find on the dark web. Additionally, even if your passwords are strong, update them frequently. In this way, if someone cracks the password you use to access your site's DNS settings, they will have trouble getting in because the password has since been changed.

How Fortinet Can Help

With the FortiDDoS protection solution, you get a thorough DNS traffic inspection. This protects your organization from DNS attacks, ensuring that visitors are sent to your domain instead of a fraudulent website. Further, FortiDDoS provides high throughput because it inspects DNS traffic at a rate of 12 million queries per second. It also protects your systems from distributed denial-of-service (DDoS) attacks.

FAQs

What is DNS Hijacking?

Domain Name System (DNS) hijacking is a type of DNS attack in which users are redirected to malicious sites instead of the actual website they are trying to reach. Hackers either install malware on user PCs, seize control of routers, or intercept or hack DNS connections to carry out the attack.

What are the types of DNS Hijacking?

The different types of DNS hijacking include:

  • Local DNS hijacking
  • DNS hijacking using a router
  • Man-in-the-middle (MITM) attacks
  • Rogue DNS server attacks

How to detect DNS Hijacking?

Common signs of DNS hijacking include web pages that load slowly, frequent pop-up advertisements on websites where there should not be any, and pop-ups informing you that your machine is infected with malware. You can also identify DNS hijacking by pinging a suspicious domain, checking your router's DNS settings, or checking WhoIsMyDNS.

How to prevent DNS Hijacking?

Strategies to prevent DNS hijacking include:

  • Checking your router's DNS settings and routinely updating its password
  • Using a registry lock for your domain's account
  • Using anti-malware software, together with a secure VPN
  • Implementing good password hygiene