- A DNS hijacking attack is a type of cyber attack in which attackers hijack users’ DNS requests so that the IP address of the website the user attempted to load is resolved incorrectly, redirecting them to phishing sites.
- To perform a DNS hijacking attack, attackers either install malware on users’ systems, take over routers by exploiting known vulnerabilities, or tamper with DNS communication.
Domain Name System (DNS) hijacking, also known as DNS redirection, is a type of cyber attack in which attackers hijack users’ DNS requests so that the IP address of the website the user attempted to load is resolved incorrectly, redirecting them to phishing sites.
The attack involves compromising the DNS (TCP/IP) settings of a user’s system so that queries are sent to a ‘rogue DNS’ server instead of the default one. To perform the attack, attackers either install malware on users’ systems, take over routers by exploiting known vulnerabilities, or tamper with DNS communication. As a result, users become victims of either pharming or phishing.
Types of DNS Hijacking attacks
- Local DNS hijacking attacks - In a local DNS hijack, attackers plant malware on a user’s system and modify the local DNS settings; as a result, the user’s system now uses a DNS server controlled by the attacker. The attacker-controlled DNS server translates website domain requests to the IP addresses of malicious sites, thereby redirecting the user to those sites.
- Router DNS hijacking attacks - In this type of attack, attackers exploit firmware vulnerabilities that exist in the router to overwrite its DNS settings, thereby impacting all users connected to that router. Attackers could also take over the router by using its default password.
- MiTM DNS attacks - In this type of DNS hijack, attackers perform a man-in-the-middle (MiTM) attack to intercept communication between a user and a DNS server and supply different destination IP addresses, thereby redirecting the user to malicious sites.
- Rogue DNS server - In this attack, attackers compromise a DNS server and change its DNS records in order to redirect DNS requests to malicious sites.
How does DNS Hijacking attack work?
Your DNS server is usually operated by your ISP (Internet Service Provider), and your system’s DNS settings are normally assigned by your ISP.
- When users attempt to access a website, the request is sent to the DNS server configured in their system’s DNS settings.
- The DNS server resolves the request and directs the user to the requested website.
- However, when users’ DNS settings are compromised by malware or a router compromise, the DNS requests made by users are redirected to a rogue DNS server controlled by attackers.
- This attacker-controlled rogue server translates users’ requests to the addresses of malicious websites.
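The local and router variants above both leave a visible trace on the victim’s machine: a resolver address or a hosts-file entry that the owner did not configure. The following script, added here as an illustration and not part of the original article, audits a resolv.conf-style configuration and a hosts file against an allow-list of expected resolvers. The sample configuration, the hosts entries, the LAN router address 192.168.1.1 and the allow-list are all constructed for the example; the public resolver addresses are those of the services the article names.

```python
import ipaddress

# Constructed sample input: a resolver configuration as it might look after a
# local DNS hijack (the second nameserver was not configured by the owner).
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager
search example.lan
nameserver 192.168.1.1
nameserver 203.0.113.53
"""

# Constructed sample hosts file: loopback entries plus an injected override
# that pins a banking hostname to an address the owner never set.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
::1         localhost ip6-localhost ip6-loopback
203.0.113.7 bank.example.com www.bank.example.com
"""

# Resolvers the owner expects to see. The LAN router address is an assumption
# for this example; the public addresses are Google Public DNS and the
# Cloudflare/APNIC resolver named in the article.
EXPECTED_RESOLVERS = {
    "192.168.1.1",           # assumed LAN router
    "8.8.8.8", "8.8.4.4",    # Google Public DNS
    "1.1.1.1", "1.0.0.1",    # Cloudflare / APNIC
}


def parse_resolvers(resolv_conf):
    """Return the nameserver addresses listed in resolv.conf-style text."""
    resolvers = []
    for line in resolv_conf.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            resolvers.append(parts[1])
    return resolvers


def parse_hosts(hosts_text):
    """Return (ip, hostname) pairs from hosts-file-style text."""
    entries = []
    for line in hosts_text.splitlines():
        line = line.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) < 2:
            continue
        ip, names = parts[0], parts[1:]
        entries.extend((ip, name.lower()) for name in names)
    return entries


def audit_resolvers(resolvers, expected=EXPECTED_RESOLVERS):
    """Flag nameservers that are malformed or not on the allow-list."""
    findings = []
    for ip in resolvers:
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            findings.append(f"unparseable nameserver entry: {ip!r}")
            continue
        if ip not in expected:
            findings.append(f"unexpected nameserver: {ip}")
    return findings


def audit_hosts(entries):
    """Flag hosts entries other than the standard loopback names.

    Heuristic used for this example: a loopback address mapped to a name
    containing 'localhost' or 'loopback' is normal; anything else pins a
    hostname to a fixed address and deserves a look.
    """
    findings = []
    for ip, name in entries:
        addr = ipaddress.ip_address(ip)
        if addr.is_loopback and ("localhost" in name or "loopback" in name):
            continue
        findings.append(f"hosts file pins {name} to {ip}")
    return findings


def run_audit(resolv_conf=SAMPLE_RESOLV_CONF, hosts=SAMPLE_HOSTS):
    """Run both checks and return the combined list of findings."""
    return audit_resolvers(parse_resolvers(resolv_conf)) + audit_hosts(parse_hosts(hosts))


if __name__ == "__main__":
    for finding in run_audit():
        print("WARNING:", finding)
```

On a real system the two parsers would be fed the contents of /etc/resolv.conf and /etc/hosts (or the Windows equivalents), and the allow-list and the loopback heuristic would be extended with the host’s own name and any internal resolvers the network legitimately uses.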
Example of DNS Hijacking attack
- Attackers used the DNSChanger trojan to hijack the DNS settings of over 4 million computers via a malvertising campaign and earned revenue of about 14 million USD.
- A recent DNS hijacking campaign in January 2019 successfully targeted organizations globally. The series of attacks affected commercial entities, government agencies, Internet infrastructure providers, and telecommunications providers across North America, North Africa, and the Middle East. In the attack, attackers modified DNS ‘A’ and ‘NS’ records and redirected victim organizations’ nameserver records to attacker-controlled domains.
How to prevent DNS Hijacking attack?
- To prevent DNS hijacking, it is always recommended to use good security software and antivirus programs and to ensure that the software is regularly updated.
- Security experts suggest using public DNS servers such as Google’s DNS servers or the Cloudflare and APNIC DNS servers.
- It is best to periodically review whether your DNS settings have been modified and to ensure your DNS server is secure.
- It is recommended to replace your router’s default password with a strong one.
- Use two-factor authentication on your DNS registrar account, and patch all known vulnerabilities in the router in order to avoid compromise.
- It is always best to stay away from untrusted websites and to be wary of free downloads.
- If you’re already infected, it is recommended to clear the HOSTS file and reset it to its default contents.
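The January 2019 campaign described above changed A and NS records at the registrar or authoritative server, which no client-side check can see; the periodic review the prevention list recommends therefore also has to cover the zone’s own records. The following script is an added example, not part of the original article, showing how a monitoring job can compare a known-good baseline of A and NS records against a fresh observation and rank the differences. The zone name example.com, the nameserver hostnames and all addresses are constructed for the illustration.

```python
# Constructed baseline: the records the owner expects for the zone, captured
# while the zone was known to be good. Names and addresses are assumed.
BASELINE = {
    ("example.com.", "NS"): {"ns1.example-dns.net.", "ns2.example-dns.net."},
    ("example.com.", "A"): {"198.51.100.10"},
    ("mail.example.com.", "A"): {"198.51.100.25"},
}

# Constructed observation, as a later monitoring run might capture it: the
# apex delegation and the mail host now point elsewhere, and a new name exists.
OBSERVED = {
    ("example.com.", "NS"): {"ns1.attacker-controlled.example.",
                             "ns2.attacker-controlled.example."},
    ("example.com.", "A"): {"198.51.100.10"},
    ("mail.example.com.", "A"): {"203.0.113.44"},
    ("vpn.example.com.", "A"): {"203.0.113.45"},
}


def diff_records(baseline, observed):
    """Return one finding per (name, type) whose value set differs.

    Both inputs map (owner name, record type) to a set of record values.
    """
    findings = []
    for key in sorted(set(baseline) | set(observed)):
        name, rtype = key
        before = baseline.get(key, set())
        after = observed.get(key, set())
        if before == after:
            continue
        if not before:
            change = {"change": "added", "added": sorted(after), "removed": []}
        elif not after:
            change = {"change": "removed", "added": [], "removed": sorted(before)}
        else:
            change = {"change": "changed",
                      "added": sorted(after - before),
                      "removed": sorted(before - after)}
        findings.append({"name": name, "type": rtype, **change})
    return findings


def severity(finding):
    """Rank a finding: a changed NS set re-delegates the whole zone."""
    if finding["type"] == "NS":
        return "critical"
    if finding["change"] == "changed":
        return "high"
    return "medium"


def report(baseline=BASELINE, observed=OBSERVED):
    """Return findings annotated with severity, highest first."""
    order = {"critical": 0, "high": 1, "medium": 2}
    annotated = [dict(f, severity=severity(f)) for f in diff_records(baseline, observed)]
    return sorted(annotated, key=lambda f: order[f["severity"]])


if __name__ == "__main__":
    for f in report():
        print(f"[{f['severity']}] {f['name']} {f['type']} {f['change']}: "
              f"-{f['removed']} +{f['added']}")
```

In practice OBSERVED would be populated on each run by querying the parent zone’s delegation and the authoritative servers directly (for example with a DNS library such as dnspython) rather than through the local resolver, so that a hijacked client cannot hide a hijacked zone; an NS finding should page someone, since it means every name under the zone is now answered by whoever controls the new servers.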