DNS Hijacking

The Rise of DNS Hijacking and How to Avoid It

Recent years have seen the re-emergence of a type of threat that many of us in the cyber-security industry had hoped was a thing of the past. DNS hijacking attacks work by redirecting users to fake or malicious web pages and operate in such a simple way that they can be very hard to detect and combat.

In order to understand what DNS hijacking is, it is necessary to know how your computer knows where to find websites and other services. Though websites are typically identified by the .com or .net address that we type into a browser, in reality, all web hosts are assigned a unique IP address, just like all other computers and devices. The domain name system (DNS) is the global service that translates fully qualified domain names (for example www.eccouncil.org) into the IP address.

Let’s break down that example. Working from left to right, www.eccouncil.org is the host www in the eccouncil domain which is a subdomain of .org. You can also read it from right to left, which presents us with a hierarchical structure like this:

Notice the use of ‘.’ in the diagram. Domains start with a period, hosts are just a name. You can also add additional subdomains. For example, you could have www.development.eccouncil.org. This is an example of an FQDN or fully qualified domain name. If this example existed, you would have the host www in the subdomain of development, which is a subdomain of eccouncil, which is a subdomain of .org. Each domain and subdomain must have a Domain Name Server. This server’s job is to provide mapping services that map hosts to IP addresses. The one you are most familiar with is the www host. But there are also reverse lookup entries, mail exchanger hosts, name server hosts, and many others.

Your host operating system is configured with various networking information so that it can be on a network and move traffic. One of those configuration settings is the IP address of your primary Domain Name Server. This is the first server your system will ask when it needs to resolve an FQDN to an IP address. In the vast majority of cases, this primary DNS is provided by your ISP, though it is possible to change this default setting.

Of course, your primary DNS does not know the location of every possible site and service you wish to visit, and so it also has the ability to look up addresses it doesn’t know. As such, every DNS server is configured to answer any queries it can, and if it cannot, then it too has a DNS entry upstream that it can ask. This means that there is a hierarchy of DNS servers, with each asking another further up the chain until the required address is resolved.

In a DNS hijacking attack, a DNS server is compromised by adding an incorrect location for a particular site. This means that when your local machine looks up a DNS entry, it can be directed to a site controlled by a malicious actor. Further, because of the way in which the DNS system works, with each server looking to one further ‘up the chain’ in order to resolve addresses, a well-planned DNS hijack attack can quickly spread over a large number of servers.

These attacks typically occur in two ways. The first is through a classic ‘man in the middle’ attack, where an attacker intercepts a user’s DNS requests and re-directs them to their own compromised DNS server. This compromised server will use a DNS switching Trojan to return incorrect IP addresses to a user’s machine, and therefore direct them to a spoof website. Attacks of this type are known as ‘Pharming’, and their aim is to collect personal and financial information from victims.

The second common method of attack uses malware. This is the most common threat vector, where an attacker infects a user’s machine or router with a malware agent. This agent will modify the DNS settings on the infected hardware and redirect users to a compromised DNS server.

Sometimes, DNS redirects can also happen accidentally. A well-publicized example from recent years is an incident where web traffic intended for large US-based sites, including Facebook and Twitter, were accidentally redirected to the Chinese versions of these sites. The same technique can be used, however, to redirect web traffic to malicious web pages. Like with an email phishing scam, visiting the dangerous sites can result in data loss or identity theft. [1] Recently, a piece of malware called Roaming Mantis was discovered and found to be performing DNS hijackings through both mobile and desktop devices. [2] As a result of just one user clicking on a suspicious link from an email, the entire network could be put at risk.

Protecting Yourself: Do The Basics First

Since the most common way in which DNS hijacking is implemented is through man in the middle or malware attacks, the techniques you can use to protect yourself are very similar to those used to guard against many other forms of attack.

Primarily, this means doing all the basic stuff that you are already doing (or should be) to protect yourself online. Use updated security software, and make sure that security patches and updates are installed on all your hardware as soon as they are available. Avoid clicking on suspicious links in emails or on social media, and be wary of sites that you are not familiar with or that look untrustworthy. Protecting your router is also an important factor in combating DNS hijacking attacks. Make sure that your change the default admin username and password for the router, as every hacker on the planet knows the default ones!

Other forms of DNS hijacking are more difficult to avoid. You cannot do anything about a website being compromised, for instance, but you should be able to spot unusual pop-ups or other elements in pages that you visit regularly. You should also avoid using public Wi-Fi networks to send or receive personal information, or to log into sites that require a password or username. You should also be very suspicious of public networks that allow you to log in without presenting you with a ‘terms of service’ page.

Shore Up Your DNS Security

There are also more specific ways of protecting against DNS hijacking. A good first step is to implement Domain Name System Security Extensions (DNSSEC) on all your machines. This is an industry-wide security standard that allows domain owners to monitor traffic on their own domains, and thereby check for suspicious activity. Domain owners are also able to register their Domains’ zones, enabling DNS resolvers to verify the authenticity of all DNS responses.

Another good way of protecting yourself against DNS redirects is to change your default DNS server. By default, computers and routers will connect to the global DNS service based on your local internet service provider (ISP). For example, if you subscribe to a Comcast internet package, then you have access to Comcast’s version of the DNS database, which will typically route your traffic in the most efficient manner.

However, there are third party options available that can take over responsibility for DNS routing. [5] Two of the most popular services are OpenDNS and Google DNS, both of which offer free solutions. By simply redirecting your router’s DNS settings to the third party addresses, you can bypass your ISP completely.

If you change your DNS server, though, be wary of any DNS solution that does not come from a reputable company or nonprofit organization. Giving control of your DNS addresses to a rogue group could actually increase your risk of DNS hijacking. The most secure solution is a paid offer from OpenDNS, which will automatically filter out suspicious traffic from fraudulent websites.

Encrypt Connections

Virtual private networks are most commonly associated with businesses or individuals who want to make remote access possible through secure channels. But the advantages of VPN services extend to other aspects of networking, including protection from DNS hijacking.

When you configure a VPN connection from a computer or mobile device on your local network, an encrypted tunnel is created between your ISP and the VPN host. Information between these endpoints cannot be hacked or stolen. This works in a similar fashion as third-party DNS tools, as a VPN will bypass your router settings and perform DNS lookups automatically.

Be warned, however, that not all VPNs are created equal. There are in fact (at least) four different types of VPN, ranging from client-level browser add-ons to more secure ‘tunneling’ systems like IPSec [6]. Just like with DNS alternatives, you need to be able to trust the developer of the VPN solution you choose. While there are hundreds of companies selling VPN services – as with the DNS tools mentioned above – the pool of choices that provide service worth paying for is smaller. MUCH smaller. You should be aware some VPN providers will filter your network traffic, block certain websites, and even log your browsing habits.

In general, OpenVPN is generally considered to be the best protocol for VPN traffic [7], many people prefer to use L2TP/IPSec because these protocols can improve performance over encrypted connections. However, if you are are using a VPN to protect against DNS hijacking, or in fact, any other threat, do not use L2TP/IPSec if you can help it. Put simply, it is not as secure as a fully featured VPN service, and a slightly slower connection is a small price to pay for greatly improved security.

Keep Vigilant

If a hacker manages to infiltrate your local network and launch a DNS hijacking attack, the impact could be felt in a number of ways. [8] First, you may notice that web pages are loading slowly or appearing differently then they did before. This is evidence of a spoof attack, where the hacker has redirected your browser to a dangerous look-alike of a popular website, such as Apple or Amazon’s homepage.

Cross-site scripting (XSS) attacks are often paired with DNS hijackings, as they will allow hackers to obtain private information through a web browsing session. For example, XSS can allow for rogue JavaScript code to be run and initiate a pop-up window or automatic redirect. From there, any entry of email addresses, passwords, or other personal information can be stolen and used with malicious intent.

The simple rule for protecting against XSS and similar attacks is to always be mindful of what URL your browser is pointing to. If the domain portion of the address, which contains the .com or .net, looks unfamiliar then you should immediately close the browser and check your DNS settings for potential vulnerabilities. It’s also important to verify that the website you’re viewing has a valid secure sockets layer (SSL) certificate, indicated by the lock icon in the top address bar. You should never enter credit card numbers or personal information into a web form that is not secured with SSL.

Final Thoughts

Obviously, no solution is foolproof but just in case you presume yourself to be residing in a magical bubble of invulnerability from hack attacks like DNS hijacking, let us be the ones to say you probably aren’t.

This kind of nefarious behavior hits real computer systems and hurts real people every day. You’re not immune. Please take the preceding cautions to heart and you just might jam up a few bad guys along the way.


  1. https://blog.eccouncil.org/the-risks-of-phishing-to-organizations/
  2. https://thehackernews.com/2018/05/routers-dns-hijacking.html
  3. https://blogs.quickheal.com/dns-hijacking-trend-carried-adware/
  4. https://blog.eccouncil.org/the-art-of-layered-security/
  5. https://www.addictivetips.com/web/stop-dns-hijacking/
  6. https://www.auvik.com/media/blog/types-vpns/
  7. https://thebestvpn.com/pptp-l2tp-openvpn-sstp-ikev2-protocols/
  8. https://hostingcanada.org/most-common-website-vulnerabilities/

About the Author:

Sam Bocetta is a freelance journalist specializing in U.S. diplomacy and national security, with an emphasis on technology trends in cyber warfare, cyber defense, and cryptography.

  • 11
  • 11
Write for Us