Domain Name System (DNS) hijacking is a serious threat to your system and can have very costly consequences. As the attack enables a malicious third party to take over the DNS settings and reroute users to fraudulent websites, this can affect a variety of different users. In order to fully understand DNS hijacking, it’s important to have a general idea of what the DNS is and what it does.
In short, the DNS is used to track, catalog and regulate websites all over the world. It allows users to access information by translating a domain name (like kaspersky.com) into the IP address needed by the user’s browser to load internet resources (like webpages or blog articles). If you want a more in-depth look at how the DNS works, check out our article on DNS spoofing and cache poisoning. Now that you have a better idea of what the DNS is and its purpose, let’s investigate DNS hijacking further.
Domain Name System hijacking, also known as a DNS redirection attack, is where the DNS queries sent from a victim’s browser are incorrectly resolved, redirecting the user to a malicious website.
Whereas some DNS spoofing attacks, like DNS cache poisoning (where your system logs the fraudulent IP address in your local memory cache), are focused on modifying the DNS records, DNS hijacking involves changing the DNS settings themselves, often by installing malware on the victim’s computers. This allows the hacker to take over your routers, intercept DNS signals or simply hack DNS communications. DNS hijacking is usually one of the more disruptive kinds of attacks on the wider Domain Name System.
It is a large problem for both personal users and enterprises alike. In the case of a single user, it allows hijackers to enact a phishing scam (where victims are displayed fake versions of legitimate websites, which steal user data, like passwords, login credentials and credit card information). However, in the case of a consumer-facing webpage (belonging to a business, for example), it allows cybercriminals to forward your company's website visitors to fraudulent pages that they’ve created. Once your users are there, these hacker-built webpages can be used again to steal login credentials and confidential personal data. This could include employee information pertinent to the inner workings of your business or even sensitive financial data. As a result of this attack, they can even harvest information from official inbound emails. Overall, DNS hijacking can be a costly attack on data and privacy.
Interestingly, many recognized ISPs (Internet Service Providers) and governments use a type of DNS hijacking to take over their users’ DNS requests. ISPs will do this to collect statistics and provide ads when users are visiting unknown domain spaces. They do this by redirecting you to their website, where their ads are, instead of giving you an error message. Governments will use DNS hijacking for censorship and for safely redirecting their users to government-authorized web domains or pages.
When you type a website address into your browser, it will gather information for the webpage from your local browser cache (if you visited the site recently), or it will send a DNS query to the name server (usually provided by a reputable Internet Service Provider). The point of communication between your browser sending the DNS request and the name server’s response is the most vulnerable to attack because it is not encrypted. It’s at this point that hackers intercept the query and redirect the user to one of their malicious websites for extortion. There are four different types of DNS hijacking that cybercriminals use today: “local”, “router”, “rogue”, and “man-in-the-middle”.
Local hijacking: This is where a hacker installs a piece of Trojan malware on your system to attack the local DNS settings. After the attack, they can change these local settings to point directly to their own DNS servers (instead of the default server, for example). From here, all requests made by the victim’s browser would be sent to the hacker’s servers and they could return whatever they wanted. They can also redirect you to other malicious web servers.
Router hijacking: Contrary to what some people might think, hijacking the router is usually the first point of attack for many cybercriminals. This is because many routers have default passwords or existing firmware vulnerabilities, which hackers can easily find (many companies do not take the time to individualize the login credentials of their routers). Once hackers are logged in, they modify the DNS settings and specify a preferred DNS server (usually owned by them), so that the conversion of a web address to an IP address is controlled solely by them. From here, users’ browser requests are forwarded to malicious sites. This is especially serious as it doesn’t just affect one user, but all the users connected to the infected router.
Rogue hijacking: This type of cybercrime is much more complicated than local hijacking because it can’t be controlled from the target device. Instead, hackers hijack the ISP’s existing name server to change selected entries. As a result, the unsuspecting victims are then seemingly accessing the correct DNS server, which has really been infiltrated by the hackers. The cybercriminals then change the DNS records in order to redirect the user’s DNS requests to a malicious website. Due to ISPs adopting higher cybersecurity standards, this attack is much rarer and harder to execute. When this attack does happen, it potentially affects a huge number of users because anyone that resolves their queries via this server could be a victim.
Man-in-the-middle attacks: This type of attack focuses on the interception of communications between you and the DNS. Using specialist tools, the hacker interrupts the communication between a client and the server because of the lack of encryption present in many DNS requests. The requesting users are then provided with a different destination IP address, which points to a malicious website. This can also be used as a type of DNS cache poisoning attack on both your local device and the DNS server itself. The result is much the same as the above.
Luckily, there are a number of different and simple ways to verify if your DNS has been hacked. First of all, it’s important to know that if some of the websites that you regularly use are consistently loading more slowly than usual, or you are receiving more random pop-up ads (usually telling you that your computer is “infected”), your DNS may well have been hacked. However, with these symptoms alone, it’s impossible to say for certain. So, here are a number of practical tests you can do with your machine:
Do a “ping command” test
The ping command is used to check whether a host, given by an IP address or a domain name, actually exists and is reachable. If you ping a domain name that does not exist and it still resolves to an IP address, there’s a high chance that your DNS has been hijacked. This can be done on Mac and Windows. For Mac, simply:
Open the Terminal and enter the following command:
If it says “cannot resolve”, your DNS is fine.
If you’re using a Windows computer, then all you have to do is:
Open the Command Prompt and enter the following:
If it says “cannot resolve”, your DNS is fine.
Check your router or use a “router checker”
This next test is provided by many online sites. Digital router checker services work by checking your system with a reliable DNS resolver and seeing if you are using an authorized DNS server. Alternatively, you can go to your router’s admin page online and check the DNS settings there.
This online service shows you the DNS servers that you’re using and the company that owns them. In general, your browser will use the IP address of the DNS servers provided by your ISP. If the company name doesn’t seem familiar, your DNS may have been hijacked.
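The two checks above (resolving a name that cannot exist, and confirming which DNS servers are in use) can be scripted so they are repeatable. The following is an added example, not code from the article or from Kaspersky. It assumes a Linux or macOS machine with /etc/resolv.conf (on other systems it falls back to a constructed sample file), that the expected resolvers are Google Public DNS or a typical home-router address (sample values, adjust to your own), and it uses the reserved .invalid top-level domain, which no honest resolver may ever answer with an address.

```python
"""Scripted DNS hijack indicators (added example, not the article's code):
1. resolve a random name under the reserved .invalid TLD and expect failure;
2. list the configured nameservers and flag any not on the expected list."""
import random
import socket
import string

# Sample expected resolvers (Google Public DNS and a common router address);
# replace with the servers you actually expect to be using.
EXPECTED_NAMESERVERS = {"8.8.8.8", "8.8.4.4", "192.168.1.1"}

# Constructed sample of /etc/resolv.conf, used when the real file is absent.
# 198.51.100.53 (RFC 5737 documentation range) plays the "unfamiliar server".
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager
search home.lan
nameserver 8.8.8.8
nameserver 198.51.100.53   # not one of ours
"""


def random_nonexistent_name():
    """A random label under .invalid (RFC 2606): can never legitimately resolve."""
    label = "".join(random.choices(string.ascii_lowercase, k=16))
    return f"{label}.invalid"


def check_bogus_name(name, resolve=socket.gethostbyname):
    """Scripted form of the 'ping a name that does not exist' test.
    `resolve` is injectable so the logic can be exercised without a network."""
    try:
        address = resolve(name)
    except socket.gaierror:
        # "cannot resolve" / NXDOMAIN is the healthy outcome
        return {"name": name, "status": "nxdomain", "address": None}
    # An address for a name that cannot exist means something on the path is
    # rewriting answers: a hijacked resolver, or an ISP NXDOMAIN-redirect page.
    return {"name": name, "status": "resolved", "address": address}


def parse_resolv_conf(text):
    """Return nameserver addresses from resolv.conf-style text, ignoring
    comments and other directives."""
    servers = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def unexpected_servers(configured, expected=EXPECTED_NAMESERVERS):
    """Servers in use that are not on the expected list."""
    return [s for s in configured if s not in expected]


def assess(bogus_result, configured, expected=EXPECTED_NAMESERVERS):
    """Combine both checks into a list of findings; an empty list means clean."""
    findings = []
    if bogus_result["status"] == "resolved":
        findings.append(
            f"{bogus_result['name']} resolved to {bogus_result['address']} "
            "but can never legitimately exist"
        )
    for server in unexpected_servers(configured, expected):
        findings.append(f"unexpected nameserver in use: {server}")
    return findings


def main():
    try:
        with open("/etc/resolv.conf") as fh:
            text = fh.read()
    except OSError:  # e.g. Windows, or a container without the file
        text = SAMPLE_RESOLV_CONF
    result = check_bogus_name(random_nonexistent_name())
    for line in assess(result, parse_resolv_conf(text)) or ["no hijack indicators found"]:
        print(line)


if __name__ == "__main__":
    main()
```

Run it as a script to test the machine it is on. A finding from the first check on its own can also be an ISP NXDOMAIN-redirect page of the kind described earlier; a finding from the second check (a resolver you do not recognise) is the router or local-settings symptom the article describes and is worth following up in the router’s admin page.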
If you’re aware of your DNS servers being hacked, or it has happened before, then we recommend using an alternative public DNS service, like Google’s Public DNS servers.
Whether it’s a case of local, router or rogue DNS hijacking, it is always better to avoid getting hacked in the first place. Fortunately, there are a number of measures that you can take, which will strengthen your DNS security and your data security as a whole.
Never click on a suspicious or unfamiliar link: This includes links in emails, text messages, or via social media. Be aware that URL-shortening tools can further mask dangerous link destinations, so avoid using these as much as possible. Although it might be time-consuming, you should always opt to manually enter a URL into your browser (but only after confirming that it is legitimate).
Use reputable antivirus software: It is always best practice to regularly scan your computer for malware and update your software when prompted. Your system’s security software will help you to uncover and remove any resulting infections from a DNS hijack, especially if you’ve been infected by Trojan malware during a local hijack. Since malicious websites can deliver all types of malware and adware programs, you should be scanning for viruses, spyware and other hidden issues consistently.
Use a virtual private network (VPN): A VPN provides you with an encrypted digital tunnel for all your website queries and traffic. Most well-known VPNs use private DNS servers that exclusively use end-to-end encrypted requests to protect your local machine and their DNS servers. The result is that your requests can’t be intercepted on the way to those servers, radically reducing the likelihood of a man-in-the-middle DNS hijack.
Change your router’s password (and username): This seems relatively simple and obvious, but many users don’t take this precaution. As we mentioned previously, it’s very easy to crack the default login details of a router because they are so rarely altered. When creating a new password, we always recommend using a “strong” password (around 10-12 characters long, containing a mix of special characters, numbers, uppercase and lowercase letters).
Be aware: If you find yourself on a website that you are unfamiliar with and it serves you different pop-ups, landing pages and tabs that you’ve never seen before, you should leave the page immediately. Being aware of the digital warning signs is the first step to better cybersecurity.
However, if you’re a website owner, there are a few different ways to prevent your DNS from being hijacked.
Limit access to the DNS: Limiting access to your DNS settings to only a few members of your dedicated IT team reduces the opportunities for cybercriminals to take advantage of your team members. Also, make sure the chosen few are using two-factor authentication whenever they access the DNS registrar.
Enable client lock: There are some DNS registrars that support “client locking”, which prevents any changes to the DNS records without approval. We recommend enabling it when you can.
Use a registrar that supports DNSSEC: The Domain Name System Security Extensions are a kind of “verified real” label, which helps keep a DNS lookup authentic. As a result, it makes it more difficult for hackers to intercept the requests your DNS makes.
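A practical way to see whether DNSSEC is doing anything for you is to ask your resolver whether it validated an answer: a validating resolver sets the AD (Authenticated Data) flag in its reply. The example below is added here and is not code from the article or from Kaspersky. It builds a minimal DNS query over UDP with the standard library only; it assumes Google Public DNS (8.8.8.8, recommended above) as the resolver and uses example.com as a sample name to look up. The important caveat is in `verdict`: the AD bit is the resolver’s own claim, carried over the same unencrypted hop the article warns about, so it is only meaningful if the path to the resolver is itself trusted (for example over a VPN).

```python
"""Check whether the resolver validated an answer with DNSSEC (AD flag).
Added example, not the article's code. Standard library only."""
import socket
import struct

RESOLVER = ("8.8.8.8", 53)  # assumption: Google Public DNS
NAME = "example.com"        # sample signed zone to query

FLAG_QR = 0x8000  # response
FLAG_RD = 0x0100  # recursion desired
FLAG_RA = 0x0080  # recursion available
FLAG_AD = 0x0020  # authenticated data (DNSSEC validated)


def encode_name(name):
    """Wire-format a dotted name: length-prefixed labels ending in a zero byte."""
    labels = [l for l in name.strip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, qtype=1, txid=0x1234):
    """A-record query with RD and AD set, plus an EDNS0 OPT record with DO=1
    so that a validating resolver reports its result in the AD flag."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD | FLAG_AD, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    # OPT RR: root name, TYPE 41, UDP payload 4096, ext-RCODE 0, version 0,
    # flags with DO bit (0x8000), RDLENGTH 0
    opt = b"\x00" + struct.pack("!HHBBHH", 41, 4096, 0, 0, 0x8000, 0)
    return header + question + opt


def parse_header(response):
    """Decode the 12-byte DNS header into the fields this check needs."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", response[:12])
    return {
        "id": txid,
        "is_response": bool(flags & FLAG_QR),
        "recursion_available": bool(flags & FLAG_RA),
        "ad": bool(flags & FLAG_AD),
        "rcode": flags & 0x000F,
        "answers": an,
    }


def verdict(hdr, txid):
    """Interpret the header. Caveat: AD is the resolver's claim, delivered over
    plain UDP, so trust it only if the path to the resolver is trusted."""
    if not hdr["is_response"] or hdr["id"] != txid:
        return "invalid or mismatched response"
    if hdr["rcode"] != 0:
        return f"query failed (rcode {hdr['rcode']})"
    if hdr["ad"]:
        return "resolver validated the answer with DNSSEC (AD set)"
    return "resolver did not validate (AD clear): zone unsigned or resolver non-validating"


def query_ad(name=NAME, resolver=RESOLVER, txid=0x1234, timeout=3.0):
    """Send the query and return a one-line verdict."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, txid=txid), resolver)
        data, _ = sock.recvfrom(4096)
    return verdict(parse_header(data), txid)


if __name__ == "__main__":
    print(query_ad())
```

If your usual resolver returns AD clear for a zone you know is signed, it is not validating, and DNSSEC on your own domain protects your visitors only to the extent that their resolvers validate.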
Don’t leave yourself vulnerable to DNS hijacking and other forms of malware attacks. Kaspersky Security Solutions allow you to keep your online activity safe and private across multiple devices. Find out more today.
Domain Name System hijacking, also known as a DNS redirection attack, is where the DNS queries sent from a victim’s browser are intercepted and incorrectly resolved, redirecting the user to a malicious website. The DNS can be hijacked locally with malware, via the router, through interception or via the name server.
DNS hijacking works by attacking the point of communication between your browser sending a DNS request and the name server’s response because it is often not encrypted. At this intercept, a hacker can redirect you to one of their malicious websites for extortion.
There are a number of ways DNS hijacking can be stopped and prevented. For individual users, they should not click on suspicious links or visit domains with a lot of pop-ups. They should use good antivirus software, change the username and password of the router, and access the web using a VPN.