What is DNS hijacking and How It Works?

The internet is no longer a safe place. There is always a reason to get concerned when we go online to either browse a website, make transactions or shop online. But why, you may wonder? Because our sensitive information is at risk!

When we connect to the internet without precautions or protection, our personal information gets exposed to data-hungry hackers. And when the hackers see an open opportunity to steal your information, be it your online bank or social media account details, they use every means necessary to obtain it. DNS hijacking is one such method hackers use to carry out such clandestine acts.

A DNS-based attack isn’t something an average user would know about. Therefore, to learn more about what DNS hijacking is, you first need to understand what DNS is and what it does.

Let’s Take a Quick Overview of DNS

In layman’s terms, you may call DNS a phone book for domain names such as example.com. If we go for a precise definition, DNS is the keeper of all domain names that are registered on the internet. Its job is to translate those names into IP addresses and hence show the relevant website to the user.

Why was such a roundabout process necessary? Well, computers don’t work like humans, and therefore they don’t understand our language. Instead, they translate our language into codes and operate accordingly. Likewise, people don’t read codes, and as a result they can’t remember the actual numeric address of every website they visit, such as 123.34.31.1 (example.com).

And so, we have the DNS system today to remember the real IP addresses for us. Whenever we want to visit a website, it simply matches the name with the IP address and shows the result.

Now that we know about DNS and its role on the internet, let’s move on to “What is DNS hijacking?”

What is a DNS hijacking attack?

DNS hijacking is a cyberattack in which an attacker re-routes a victim’s web traffic to a malicious server by altering the DNS records. This allows the attacker to redirect the victim to a fake website or display false information and can also be used to intercept their data. DNS hijacking can be challenging to detect as it does not require any malware or hacking tools – all that is needed is access to the DNS records.

DNS hijacking is often used in phishing attacks, as it allows attackers to redirect victims to a fake website that looks identical to the real one. The victim then enters their login credentials, which the attacker then steals. DNS hijacking can also redirect victims to a malicious website containing malware, which can infect their computer.

DNS hijacking is a severe security threat, as it can be used to steal sensitive data, redirect traffic to malicious websites, or even take over entire networks. If you suspect your DNS records have been tampered with, you should contact your DNS provider immediately. You can also protect yourself by using a secure DNS service that encrypts your DNS traffic and prevents tampering.

How DNS hijacking Works

Your computer’s DNS settings are usually assigned by your ISP (Internet Service Provider). On the other hand, some users use a public DNS server such as the one provided by Google. When you try to access a website, your computer refers your request to those settings, which direct it to a DNS server. The server matches the name with the IP address and then sends you to the desired website.

If your computer settings are compromised, your request will be redirected to a rogue DNS server. Consequently, the rogue server will translate your request into a fake IP address that leads to a fake or malicious website.

DNS hijacking attack types:

Attackers can carry out DNS hijacking attacks in a few different ways. One popular method is using malware to change the DNS settings on a victim’s computer. This type of malware is often spread through email attachments or malicious websites. Once the malware is installed on the victim’s computer, it can change the DNS settings so that traffic intended for legitimate websites is instead redirected to malicious sites.

Another common DNS hijacking method is changing the DNS settings on a victim’s router. This can be done by physically accessing the router and changing the settings or remotely accessing the router and changing the settings through its web-based interface.

Redirection vs DNS spoofing attack:

Redirection and DNS spoofing are two types of attacks that can be used to redirect traffic from one site to another. In a redirection attack, the attacker changes the DNS settings on a server so that when users try to visit the original site, they are instead redirected to the attacker’s site. This can be used to steal sensitive information or infect visitors with malware. 

A DNS spoofing attack convinces users that they are visiting the legitimate site when they are in fact directed to a fake site that the attacker controls. This can be used for phishing attacks or other types of fraud. Redirection and DNS spoofing attacks can be prevented by using secure DNS servers and keeping your DNS settings up to date.

DNS poisoning attack examples:

DNS poisoning is a type of cyber attack where an attacker corrupts the DNS records of a targeted victim. This can be done by either changing the DNS records of a specific domain or poisoning the DNS cache of a DNS server.

Plus, DNS poisoning attacks can have several serious consequences for victims. For example, if an attacker changes the DNS record of a website, they can redirect visitors to a malicious site that looks identical to the original. This can allow the attacker to collect sensitive information such as login credentials.

Moreover, DNS poisoning can also be used to launch denial-of-service (DoS) attacks. By changing the DNS records of a target, an attacker can cause the target’s website to become unavailable. This can be highly disruptive to businesses that rely on their website for sales and customer service.

There are some ways to protect against DNS poisoning attacks. For example, organizations can implement security measures such as access control lists (ACLs) and DNS filtering. Individuals can also take steps to protect themselves by using secure DNS services and keeping their computer’s antivirus software up-to-date.

Signs of DNS hijacking attacks:

There are a few signs that may indicate that your DNS has been hijacked:

  • You suddenly can’t access certain websites: If you suddenly can’t access certain websites, it could be because your DNS settings have been changed to block those sites.
  • Websites look different than usual: If websites look different than usual, it could be because your DNS settings have been changed to redirect you to fake versions of those sites.
  • You see strange pop-ups or ads: If you see strange pop-ups or ads, it could be because your DNS settings have been changed to redirect you to ad-filled websites.

How is your DNS hijacked?

A malware attack is one of the most common ways hackers hijack your DNS. The hackers can use any DNS-changing Trojan to modify the DNS settings of your system. They can successfully carry out the attack by luring users into downloading something or clicking malicious links.

Likewise, a hacker can also carry out the hijacking attack by finding a security vulnerability in your router and compromising the settings. However, a security weakness in the router isn’t the only thing that makes you vulnerable to attack. Your router can also be compromised through a simple password hack.

Is DNS hijacking common?

DNS hijacking is not common, but it can happen. Contact your Internet Service Provider (ISP) or network administrator immediately if you think your DNS has been hijacked. They can help you fix the problem. You can also visit the website of your DNS provider and follow their instructions for changing your DNS settings.

If you are not sure whether your DNS has been hijacked, there are a few things you can look for:

  • Your home page has changed without your consent.
  • You are redirected to a different website than the one you intended to visit.
  • You see new toolbars or other software on your browser that you didn’t install.
  • Your browser’s history shows visits to websites that you don’t recognize.

If you notice these things, your DNS may have been hijacked. Again, the best thing to do is to contact your ISP or network administrator, and they can help you fix the problem.

There are many DNS hijacking cases

DNS hijacking attacks are carried out all around the world. Some are performed on a limited scale and go unreported, while others leave a mark in internet history or at least appear as a case study in some cybersecurity magazine. Take, for instance, the case of WikiLeaks.org.

Earlier this year (2017), WikiLeaks users were redirected to a fake website. Instead of seeing the vast collection of controversial documents, the users were shown a teasing message. The hackers, the notorious OurMine group, didn’t compromise the WikiLeaks server to redirect the users to their website, but simply hijacked the name server, as explained by WikiLeaks founder, Julian Assange.

Similarly, in 2008, the ICANN.com domain name was hijacked by a Turkish group of hackers, NetDevilz. The Internet Corporation for Assigned Names and Numbers (ICANN) is a renowned name on the internet. After all, it is responsible for maintaining the security of namespace databases.

How to prevent DNS hijacking attack:

If you think your DNS has been hijacked, you should first run a virus scan on your computer to ensure it’s not infected with malware. Once you have done that, you can change your DNS settings to the correct ones.

To change your DNS settings:

  1. Open the Control Panel.
  2. Click on Network and Internet.
  3. Click on Network and Sharing Center.
  4. Click on Change adapter settings.
  5. Right-click on your network connection and select Properties.
  6. Select the Internet Protocol Version 4 (TCP/IPv4) option and click Properties.
  7. Select Use the following DNS server addresses and enter the correct DNS server addresses for your ISP or use public DNS servers like Google Public DNS or OpenDNS.
  8. Click OK to save your changes.
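
After saving the settings, it is worth confirming that every adapter really points at the resolvers you chose. The following is an added example, not part of the original article: it parses the text printed by `ipconfig /all` and flags any DNS server that is not on your expected list. The sample output, the `EXPECTED` set and the function names are constructed for illustration.

```python
import ipaddress

# Resolvers you intend to use: Google Public DNS and OpenDNS, the public
# services named in the steps above. Replace with your ISP's if you use those.
EXPECTED = {"8.8.8.8", "8.8.4.4", "208.67.222.222", "208.67.220.220"}

# Constructed sample of `ipconfig /all` output (addresses are illustrative).
SAMPLE_IPCONFIG = """\
Ethernet adapter Ethernet:

   DNS Servers . . . . . . . . . . . : 8.8.8.8
                                       8.8.4.4
   NetBIOS over Tcpip. . . . . . . . : Enabled

Wireless LAN adapter Wi-Fi:

   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 198.51.100.53
                                       8.8.8.8
"""

def _as_ip(text):
    """Return a normalised IP string, or None if text is not an address."""
    try:
        return str(ipaddress.ip_address(text.strip().split("%")[0]))
    except ValueError:
        return None

def dns_servers_by_adapter(ipconfig_text):
    """Parse `ipconfig /all` text into {adapter: [DNS server addresses]}."""
    adapters, current, in_dns = {}, None, False
    for line in ipconfig_text.splitlines():
        if line[:1].strip() and line.rstrip().endswith(":"):  # adapter header
            current, in_dns = line.rstrip(" :"), False
            adapters[current] = []
        elif current is not None:
            label, sep, value = line.partition(" :")
            if sep:                       # a new "Label . . . : value" line
                in_dns = label.strip().startswith("DNS Servers")
            ip = _as_ip(value if sep else line) if in_dns else None
            if ip:                        # also catches continuation lines
                adapters[current].append(ip)
    return adapters

def unexpected_resolvers(ipconfig_text, expected=EXPECTED):
    """Return {adapter: [servers not in the expected set]}."""
    found = dns_servers_by_adapter(ipconfig_text)
    flagged = {a: [ip for ip in s if ip not in expected] for a, s in found.items()}
    return {a: bad for a, bad in flagged.items() if bad}
```

Many home networks legitimately list the router's own LAN address as the DNS server; in that case add it to the expected set and check the upstream DNS setting on the router itself, since that is the other place the article says the setting can be changed.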

DNS hijacking is more harmful than it sounds

A hijacked DNS can put you or your online information at risk in ways you can never imagine.

For instance, most attacks are conducted to steal sensitive details like accounts’ passwords, etc. You may also call it phishing. In such attacks, users are presented with a fake version of a website they want to visit. When users type their account details on such bogus sites, all those details are sent to hackers.

Your ISP or government can also use the same principle of DNS hijacking to modify the DNS settings of your computer to limit your access to the internet. When you try to access a restricted website, you are either redirected to a different website or presented with an ‘apology’ message.

A few suggestions on how to prevent DNS hijacking

‘Prevention is better than cure,’ there is no truer maxim than this.

  • DNS hijacking attack prevention starts with you. The first thing you need to do is change your habit of visiting every website that attracts your curiosity. Remember, while the internet is brimming with wonderful things, there is just as much bad on the internet. Therefore, don’t open every email that sounds tempting, or visit every website you come across.
  • Secondly, reset your router’s password and create a new one. Make the new password as hard as possible, and note it down on a piece of paper rather than on the same device. After all, if you have malware on your system, the hacker can always see the new password.
  • It is also important to use antimalware software to keep your system clean from any malware coming from the internet. With a security system in place, you won’t have to worry about precautions as the software or application would automatically detect and delete any malware.

DNS Hijacking FAQs:

The following are answers to some of the most frequently asked questions about DNS hijacking:

Can a DNS server be hacked?

If your ISP’s DNS server isn’t adequately protected, it can be exploited by hackers, which means you’ll end up on rogue sites where your sensitive information is at risk.

What is domain name hijacking?

Domain hijacking, or domain theft as it’s often called, is when a hacker gains access to a domain name without the authorization of its rightful owner.

How many types of DNS hijacking attacks are there?

There are four types of DNS hijacking attacks, which are:

  1. Local DNS Hijack
  2. Router DNS Hijack
  3. Man-in-the-middle DNS Hijack
  4. Rogue DNS Hijack

What is a DNS redirect?

DNS redirect is a method commonly used to perform man-in-the-middle attacks, where your Internet traffic is redirected to a rogue server that captures your personal information like credit card details, passwords, etc.

What is a DNS spoof?

DNS spoofing, also known as DNS poisoning, is the act of altering or spoofing a particular DNS server’s records maliciously in order to redirect your Internet traffic to the attacker.

How to detect DNS hijacking?

Well, one of the easiest ways to detect DNS hijacking is to use the ping utility. If you ping a domain that doesn’t exist, and it resolves, there’s a good chance that your DNS traffic is being hijacked.
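
The same check can be scripted instead of typed into ping. The following is an added example, not part of the original article: it asks the system resolver for several random names that should not exist and reports any that resolve. The function names and the choice of random 20-character labels under .com are assumptions made for illustration.

```python
import secrets
import socket

def probe_names(count=3, tld="com"):
    """Random 20-character labels that are overwhelmingly unlikely to be
    registered. The trailing dot makes each name fully qualified, so the OS
    does not append a local search domain and skew the result."""
    return [f"{secrets.token_hex(10)}.{tld}." for _ in range(count)]

def system_resolve(name):
    """Ask the OS-configured resolver; return [] when the lookup fails."""
    try:
        infos = socket.getaddrinfo(name, None)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})

def check_nxdomain_rewriting(resolve=system_resolve, count=3):
    """Return {name: [addresses]} for every nonexistent probe that resolved."""
    answers = {name: resolve(name) for name in probe_names(count)}
    return {name: addrs for name, addrs in answers.items() if addrs}

def classify(hits, count):
    """Summarise probe results as 'clean', 'rewritten' or 'inconclusive'."""
    if not hits:
        return "clean"        # every probe failed to resolve, as it should
    if len(hits) == count:
        return "rewritten"    # a resolver is answering for names that do not exist
    return "inconclusive"     # mixed result: repeat the test before concluding

if __name__ == "__main__":
    n = 3
    hits = check_nxdomain_rewriting(count=n)
    print(classify(hits, n))
    for name, addrs in hits.items():
        print(f"  {name} -> {', '.join(addrs)}")
```

A "clean" result is also what you get with no network connection at all, so confirm that a real domain resolves first; a "rewritten" result on public Wi-Fi may simply be a captive portal before login.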

Is there a DNS hijacking test?

There are a few sites, such as Who is My DNS?, that let you check for signs of DNS hijacking online.

What is ISP DNS hijacking?

As mentioned earlier, ISPs can also use DNS hijacking to alter the DNS settings of your device to limit your Internet access.

A word of advice

DNS hijacking attacks are common, but they can be as deadly as a weapon when it comes to your online privacy and security. Being proactive is the only way you can stay away from such cyber threats and roam the internet with complete peace of mind.

Mohsin Qadir (Contributor): An information security analyst in the making, a father of an adorable kid and a technology writer. He can be found lurking around top network security blogs, looking for scoops on information security and privacy trends.
