What is DNS Hijacking?

Thanks to the Domain Name System (DNS), Internet users can enter a web address into a browser and are redi­rect­ed to a website without having to specify the IP address. The DNS inquiry is passed directly to the DNS server which auto-responds with the correct IP address. It’s a simple method referred to as name res­o­lu­tion, similar to an automated directory inquiry that matches a name to a number.

The fact that this is such an essential foun­da­tion for surfing the World Wide Web, makes it all the scarier how easily DNS can be abused for malicious purposes. Cyber criminals are able to intercept browser requests and return an incorrect response. Con­se­quent­ly, the user is redi­rect­ed to a wrong or harmful website that could introduce viruses or malware and collect sensitive personal data. Because of this, DNS Hijacking can cause sig­nif­i­cant damage.

But how does it work? And how can you protect yourself against data breaches? Let’s find out.

The com­mu­ni­ca­tion with the server is the risky part because the exchange of query and response often occurs without en­cryp­tion and is based on our trust in the system. This allows attackers to intercept queries and redirect users.

Routers are the first point of attack for many cyber criminals, abusing the fact that few users change their routers’ login cre­den­tials. In many house­holds the router is con­fig­ured to use the username and password the hardware was orig­i­nal­ly delivered with. Many man­u­fac­tur­ers can’t be bothered to in­di­vid­u­al­ize the login details for each in­di­vid­ual device, which means attackers can gain access to a device using standard login details.

Once logged in, they’re able to modify DNS settings and specify a preferred DNS server. Attackers will usually point to their own server. Name res­o­lu­tion – i.e. the con­ver­sion of a web address to an IP address – is then con­trolled by the offender. From here website requests can be forwarded to a malicious site.

This variation affects the user’s computer. The attacker uses a Trojan to access the DNS settings of a device. For example, Windows allows users to enter their preferred DNS server. Criminals can harness this feature and change settings to point to their own DNS server. The computer sends a request directly to the harmful server. Every single website request can be diverted this way. In theory, device owners can check whether their settings have been tampered with, but most people don’t regularly monitor their DNS settings.

Rouge Hijacking is more com­pli­cat­ed. It doesn’t affect a user’s hardware and so can’t be con­trolled at the device level. Instead, a criminal will hijack an Internet provider’s existing name server. Devices are then tech­ni­cal­ly accessing the correct DNS server, but this is (partially) no longer under the control of the actual provider. Attackers tend to change select entries using Rouge Hijacking.

This type of attack is much harder to execute because most name server providers have adopted very high security standards. However, if a hacker does gain access, an enormous number of users could be affected. Any customer who would execute a name res­o­lu­tion via this server could become a victim of DNS Hijacking.

During a Man-in-the-Middle attack, a fraudster in­ter­cepts the com­mu­ni­ca­tion between a client and the server. Due to the lack of en­cryp­tion of many DNS requests, the criminal is able to read the com­mu­ni­ca­tion. A user’s website request is ma­nip­u­lat­ed and mapped to a malicious IP address. The original DNS server never actually receives the request.

With DNS Hijacking, users are redi­rect­ed to undesired websites, but what exactly are the harms involved? In theory, users may be redi­rect­ed to websites where their system is infected with malicious software. However, this type of attack rarely happens in practice. Far more common are two tech­niques known as phishing and pharming.

Phishing is a form of fraud that tricks a person into accessing a website mas­querad­ing as a serious web page in order to steal sensitive user in­for­ma­tion.

Financial in­sti­tu­tions are a top target for phishing attacks. For example, a user may think they’re accessing their bank’s homepage when in reality they’ve landed on a page imitating their bank. When they enter their username and password for online banking, a phisher can save the in­for­ma­tion and use it to take over the account.

DNS Hijacking is not required in phishing attacks because the latter relies on users accessing ma­nip­u­lat­ed links. However, when the Domain Name System is corrupted, a phishing attack can be even more malicious. Re­gard­less of whether a person entered the correct URL or even clicked through to a website from a bookmark, they will still be redi­rect­ed to a fake website. Because DNS enjoys huge trust, most users don’t check if they’re actually accessing the desired website or browsing a fraud­u­lent page.

Pharming, on the other hand, is less harmful to the end-user, but can be very lucrative for an attacker. The scam mis­di­rects users to a fake website filled with adverts. These web pages fulfill no real function, but the operator generates revenue each time they are visited – even if a user closes a page promptly after it opens. Money generated this way often flows back to fund other criminal ac­tiv­i­ties.

However, cyber criminals aren’t the only ones using DNS Hijacking. A growing number of gov­ern­ments are now employing the protocol to censor the Internet and suppress political op­po­si­tion or prohibit online adult content. Users accessing a censored website are informed that the page is in­ac­ces­si­ble and are redi­rect­ed to a different site.

Some Internet service providers oc­ca­sion­al­ly use DNS Hijacking to display error messages where domains do not exist. For example, if a user tries to open a web address that’s not DNS-reg­is­tered or misspells a URL, an error message referred to as NXDOMAIN is displayed. Before the NXDOMAIN response is displayed, the request passes through all levels of the Domain Name Systems. If no entry exists, the error message is returned.

At that moment, the Internet service provider can use DNS Hijacking to intercept the error message and redirect the query to a different website. Some service providers may redirect users to web pages with lots of ad­ver­tise­ments to increase their revenue or their own web shop. While this does not cause any real harm, users may find these ads annoying.

DNS Hijacking patterns are diverse, but so are the security options.

As a starting point you can change the login cre­den­tials of your router. It makes sense to choose a secure password, but the most important thing is that you change the default password. Few fraud­sters will go through the trouble of trying to crack a password.

In addition, you should keep your router’s firmware up to date. Man­u­fac­tur­ers regularly release updates to patch up security flaws.

You can protect your PC from Trojans by using anti-virus software and treating online files with caution. Never download or open files from unknown or sus­pi­cious sources.

For added security, you can also install a VPN. A virtual private network (VPN) secures the transport of sensitive data by passing a direct con­nec­tion between a user and a website through a separate, encrypted server of the VPN service provider. The en­cryp­tion ensures secure com­mu­ni­ca­tion of data and renders man-in-the-middle attacks in­fea­si­ble.

It’s worth treating online content with skep­ti­cism and caution. You can also double-check the au­then­tic­i­ty of websites that handle sensitive user data such as banks or web shops. SSL cer­tifi­cates offer some clues as to how secure a web page is.

At the same time, name res­o­lu­tion is becoming more secure. DNS over HTTPS and DNS over TLS are enhanced com­mu­ni­ca­tion protocols that provide ad­di­tion­al security through en­cryp­tion to prevent man-in-the-middle attacks and improve user privacy. But these protocols have yet to be adopted as standards for all systems.