What is DNS Hijacking and Mitigation Methods

Francesco Altomare Southern Europe Regional Manager @ GlobalDots
5 Min read

DNS (Domain Name System) is crucial to all organizations that rely on the Internet for conducting business – it’s critical for the performance and reliability of your internet applications and cloud services. DNS failure or poor performance leads to applications, data and content becoming unavailable, causing user frustration, lost sales and business reputation damage.

Reduce your AWS costs by over 50%

Discover your Cloud Saving Potential – Answer just 5 simple questions. AppsFlyer, Playtika, Lufthansa, IBM, top leading companies are already using our FinOps services.

Reduce your AWS costs 
by over 50%

Recently, DNS hijacking attacks have become widespread. In this article we discuss DNS hijacking attacks and how you can mitigate them.

DNS overview

Domain Name System (DNS) servers are often called “the phonebooks of the Internet” and are used to resolve human-readable hostnames into machine-readable IP addresses. They also provide other useful info about domain names, such as mail services. As when you know someone’s name but don’t know their phone number, you use phonebooks  to find their number. DNS services use the same logic. When you request data for a web location you type its name and then the DNS servers find their IP address.

For example, if you request an address such as www.globaldots.com, DNS will translate it to something like 198.102.746.4. These internet phonebooks greatly influence the accessibility of Web locations which is exactly why DNS is crucial for any organization that relies on the Internet to connect to customers, partners, suppliers and employees.

The Internet maintains two principal namespaces, the domain name hierarchy and the Internet Protocol (IP) address spaces. The Domain Name System maintains the domain name hierarchy and provides translation services between it and the address spaces. Internet name servers and a communication protocol implement the Domain Name System. A DNS name server is a server that stores the DNS records for a domain name; a DNS name server responds with answers to queries against its database.

What is DNS Hijacking?

DNS Hijacking, also called Domain Hijacking is when bad actors redirect or “hijack” DNS addresses and reroute traffic to bogus DNS servers. Once a DNS address is successfully hijacked to a bogus DNS server, it translates the legitimate IP address or DNS name into the IP addresses of the hacker’s malicious website of choice.

DNS hijacking can be used for pharming (in this context, attackers typically display unwanted ads to generate revenue) or for phishing (displaying fake versions of sites users access and stealing data or credentials).

Many Internet Service Providers (ISPs) also use a type of DNS hijacking, to take over a user’s DNS requests, collect statistics and return ads when users access an unknown domain. Some governments use DNS hijacking for censorship, redirecting users to government-authorized sites.

DNS hijacking can occur with any size website, directing folks to malicious websites without their knowledge. Since the website owners depend upon legitimate DNS server that are issued by their Internet Service Providers (ISP), DNS hijackers use malware in the form of a Trojan to exchange the legitimate DNS server assignment by the ISP with a manual DNS server assignment from a bogus DNS server.

When users visit legitimate websites, they’re automatically hijacked to a malicious website disguised as the legitimate one. The switch from the legitimate DNS server to the bogus DNS server goes unnoticed by both the user and the legitimate website owner. At this point the malicious website gets to do pretty much anything it wants, for as long as the person using it believes it’s where they’re meant to be.

dns hijacking

As a cyber attack, DNS Hijacking has a host of uses, including injecting malware into your machine, promoting phishing scams and advertising on high-volume websites. Ultimately, it’s possible to suffer a data breach following a DNS Hijacking, as credentials can easily be mined while the victim is active on the attacker’s bogus site.

DNS hijacking attack types

There are four basic types of DNS redirection:

  • Local DNS hijack — attackers install Trojan malware on a user’s computer, and change the local DNS settings to redirect the user to malicious sites.
  • Router DNS hijack — many routers have default passwords or firmware vulnerabilities. Attackers can take over a router and overwrite DNS settings, affecting all users connected to that router.
  • Man in the middle DNS attacks — attackers intercept communication between a user and a DNS server, and provide different destination IP addresses pointing to malicious sites.
  • Rogue DNS Server — attackers can hack a DNS server, and change DNS records to redirect DNS requests to malicious sites.

Mitigation Methods

Let’s take  a look at methods you can use to prevent or mitigate DNS hijacking attacks.

Upgrade DNS in the Application Infrastructure

The lack of attention of DNS lags behind the innovation of the infrastructure in the cloud, creating cracks for possible exploitation. As organizations increasingly embrace a new generation of “cloud first” computing environments with multiple, connected clouds, data centers and CDNs, they also need to adapt and upgrade the underpinning infrastructure, including DNS and security technologies and policies.

Use DNSSEC

Application layers use security protocols (like HTTPS, DMARC, etc.), and DNS is no exception. The Domain Name System Security Extensions(DNSSEC) is one of them. DNSSEC reinforces the authenticity of DNS query responses by using digital signatures to authenticate communications, protecting applications (and the caching resolvers used by those applications) from using fake DNS data in cache poisoning and spoofing attacks.

Historically, organizations have held back from using DNSSEC, because implementing it would mean sacrificing the DNS traffic management capabilities they rely on to deliver high quality online services.

However, with recent technological developments, this is no longer a problem.

Secure access

Use two-factor authentication when accessing the DNS registrar, to avoid compromise. If possible, define a whitelist of IP addresses that are allowed to access DNS settings.

Client lock 

Check if your DNS registrar supports client lock (also known as change lock), which prevents changes to your DNS records without approval from a specific named individual.

Mitigation for end users

End users can protect themselves against DNS hijacking by changing router passwords, installing antivirus, and using an encrypted VPN channel. If the user’s ISP is hijacking their DNS, they can use a free, alternative DNS service such as Google Public DNS, Google DNS over HTTPS, and Cisco OpenDNS.

Conclusion

DNS hijacking has become a serious problem for many enterprises and end users. If you want to protect your business from DNS hijacking, you should implement the mitigation methods we’ve mentioned above.

If you’re still not sure you’ll be able to mitigate various DNS hijacking attacks, contact us today to help you out with your performance and security needs.

Latest Articles

Downtime is Pricy, Solution isn’t: How to Stay Out of DNS Outages

The recent global DNS outages, with the latest addition of Facebook-Instagram-WhatsApp, are a call to transform your approach to DNS solutions. In this webinar, we explore whether cloud-borne environments are really fail-proof and how businesses can use the most advanced cybersecurity methods and DNS solutions to minimize their risk of server failures, code misconfigurations, DDoS […]

Francesco Altomare Southern Europe Regional Manager @ GlobalDots
13th October, 2021
Webinar: Stay Out of Outages – The BCP Element Now One Talks About

The onslaught of recent outages at major infrastructure providers like Fastly, Cloudflare and Akamai, reminds us of the importance of a holistic business continuity strategy that leaves nothing to chance. Yes, that includes often-overlooked web protocols like DNS. Learn about the DNS strategies that can increase uptime on this webinar, featuring our friends at NS1. […]

Francesco Altomare Southern Europe Regional Manager @ GlobalDots
13th October, 2021
Facebook Will Happen Again: DNS Outages and Interconnected Systems

Last week’s massive outage on the Facebook-Instagram-WhatsApp ecosystem left many of us puzzled and concerned: How did our entire social communication (and news source for many) become so dependent in a single, non-regulated conglomerate? How come this conglomerate can fail over a seemingly-trivial reason such as DNS? And what are the dangers of our over-reliance […]

Francesco Altomare Southern Europe Regional Manager @ GlobalDots
11th October, 2021
Ebook: DNS Best Practices to Proactively Protect Against Malware

Proactively protecting your company against malware, ransomware, and phishing at the DNS control-point, as opposed to retroactive triage and remediation, simply makes sense. A cloud-based solution is ideal given ease of configuration and deployment, limiting exposure time and ensuring 100% compliance across all branches, employees, and devices on your network near instantaneously. However, layering an […]

Francesco Altomare Southern Europe Regional Manager @ GlobalDots
8th April, 2021

Unlock Your Cloud Potential

Schedule a call with our experts. Discover new technology and get recommendations to improve your performance.

Unlock Your Cloud Potential