DNS is a protocol that makes it possible for web-connected devices to connect to and communicate with websites. It runs on various servers, and a DNS server is responsible for returning a website’s IP address when your device sends connection requests it’s the way. when you enter a website’s name into your browser, your device needs its IP address to establish a connection, and it gets that info from DNS servers that contain databases of IP addresses and their associated domain names.

What is a DNS Hijacking attack?

Domain Name Server (DNS) hijacking, also named DNS redirection, is a type of DNS attack in which DNS queries are incorrectly resolved in order to unexpectedly redirect users to malicious sites. To perform the attack, perpetrators either install malware on user computers, take over routers, or intercept or hack DNS communication.

DNS hijacking can be used for pharming (in this context, attackers typically display unwanted ads to generate revenue) or for phishing (displaying fake versions of sites users access and stealing data or credentials).

Many Internet Service Providers (ISPs) also use a type of DNS hijacking, to take over a user’s DNS requests, collect statistics and return ads when users access an unknown domain. Some governments use DNS hijacking for censorship, redirecting users to government-authorized sites.

DNS Hijacking attack types

There are four basic types of DNS redirection:

  • Local DNS hijack— attackers install Trojan malware on a user’s computer, and change the local DNS settings to redirect the user to malicious sites.
  • Router DNS hijack— many routers have default passwords or firmware vulnerabilities. Attackers can take over a router and overwrite DNS settings, affecting all users connected to that router.
  • Man in the middle DNS attacks— attackers intercept communication between a user and a DNS server and provide different destination IP addresses pointing to malicious sites.
  • Rogue DNS Server— attackers can hack a DNS server, and change DNS records to redirect DNS requests to malicious sites.

What is a DNS Hijacking work?

DNS hijacking redirects IP query results so that your device connects to the wrong website. But let’s take a look at how most cybercriminals manage to perform DNS hijacking:

1. Through Malware

Malware attacks can infect your router, and change its DNS settings so that it uses hacker-owned DNS servers instead of legit ones. That way, you’re automatically redirected to any website the server owner wants. One of the best examples of this was the DNSChanger malware. It changed router DNS settings to force online users to visit websites where cybercriminals displayed dozens of ads. Luckily, none of those ads were malicious since they were only used to drive advertising revenue.

Something much worse can happen if a hacker uses such malware to infect your router, though. You could be redirected to a malicious website that monitors your keystrokes, traffic or installs adware, spyware, or keyloggers on your device. Interacting with malicious ads, links and downloads can often result in your device and your router is infected.

2. By Compromising DNS Servers

Hacking DNS servers is pretty complicated, but a skilled cybercriminal can pull it off. When they break through the server’s security, they just alter some of the IP addresses in the database and wait for unsuspecting online users to be redirected to the wrong websites.

Sometimes, hackers might even be able to compromise ISP DNS servers. If that happens, all the ISP’s users will be at risk of having their personal and financial info stolen.

Mitigation of DNS Hijacking

  • End users can protect themselves against DNS hijacking by changing router passwords, installing antivirus, and using an encrypted VPN channel. If the user’s ISP is hijacking their DNS, they can use a free, alternative DNS service such as Google Public DNS, Google DNS over HTTPS, and Cisco OpenDNS.

Site owners who use a Domain Name Registrar can take steps to avoid DNS redirection of their DNS records:

  • Secure access – use two-factor authentication when accessing the DNS registrar, to avoid compromise. If possible, define a whitelist of IP addresses that are allowed to access DNS settings.
  • Client lock -check if your DNS registrar supports client lock (also known as change lock), which prevents changes to your DNS records without approval from a specifically named individual.
  • DNSSEC – use a DNS registrar that supports DNSSEC, and enable it. DNSSEC digitally signs DNS communication, making it more difficult (but not impossible) for hackers to intercept and spoof.
  • Use Imperva’s Name Server Protection – a service providing a network of secure DNS proxies, based on Imperva’s global CDN. Each DNS zone receives alternative name server hostnames so that all DNS queries are redirected to the Imperva network. The service will not only prevent DNS hijacking and poisoning but also protect from distributed denial of service attacks (DDoS attacks) against your DNS infrastructure.

 For any Cyber Security information contact help@theweborion.com