DNS hijacking manipulates the transaction and makes users unaware of the servers that they are using during an internet session. It is a malicious exploit where the users are redirected with the help of a rogue DNS server that changes the IPS address of the redirected internet user. DNS Hijacking, also named DNS redirection, is a type of attack where the users are unknowingly redirected to malicious sites. The attackers execute the DNS attack by either installing malware on the user computer or hack DNS communication.
|“DNS hijacking involves changes to a domain name server (DNS), which translates human-readable domain names into IP addresses. As the name implies, the “hijacking” means a user is directed to a different end server.” Techopedia|
What is DNS?
DNS is a protocol that runs on various servers, and a DNS server returns a website’s IP address on receipt of a connection request from your device. It enables connection among the web-connected devices to communicate with websites.
How DNS works?
Type a website address in the URL bar. For example, www.amazon.com.
The device will send a query to the DNS server for amazon.com’s IP address.
The DNS server informs the IP address.
Your device records the IP address given by the DNS server and connects to amazon’s website.
The most interesting part is that everything happens in the background without your knowledge.
Watch this video to understand how DNS Name Server works:
Uses of DNS hijacking
|Pharming||Hackers display unwanted ads to generate revenue.|
|Phishing||Hackers display fake versions of websites to steal data and credentials.|
The purpose of performing a DNS attack is quite apparent – to steal money from the victim’s bank account, perform credit card fraud, sell personally identifiable information on the dark web, and other malicious acts.
Types of DNS Hijacking attack –
|Local DNS Hijack||By installing Trojan malware on a user’s system, the attacker changes the regional DNS settings and redirects the user to a malicious site.|
|Router DNS Hijack||Attackers take over a router that has a default password and overwrite DNS settings and redirect users connected to that voucher.|
|Man-in-the-middle DNS attack||Attackers obstruct communication between a DNS server and user and provide multiple IP addresses pointing to malicious sites.|
|Rogue DNS Server||Attackers hack the DNS server, change records, and redirect requests to malicious sites.|
DNS Spoofing –
A type of attack where the request is redirected from a legitimate website to a malicious website. DNS Spoofing can be achieved by DNS redirection, when an attacker compromises a DNS server to spoof legitimate websites and redirect users to malicious sites.
Cache poisoning –
It is another type of DNS spoofing where, DNS servers, systems and routers cache DNS records. Attackers insert a forged DNS every to poison the DNS cache, having an alternate IP destination for the same domain.
Mitigating DNS attack–
- Shut down the DNS resolvers and place the legitimate resolvers behind a firewall with no link to external communication.
- Restrict access to a name server by using multi-factor authentication, firewall, physical security, and network security.
- Combat cache poisoning using a randomize query ID, random source port, and random alphabet cases.
- Don’t run an authoritative name server from the resolver, run them separately.
- Patch vulnerabilities immediately as hackers often look for vulnerable DNS servers.
- Restrict transfer of zone records as they contain information that is valuable to attackers.
After the reported DNS hijacking attacks by Iran on U.S. IT infrastructure, the Department of Homeland Security called an emergency directive to take required actions for U.S. government agencies as a countermeasure. The incident has brought higher awareness on DNS hijacking and organizations want to review their DNS server regularly for DNS attacks. They are looking for skilled penetration testers who are proficient in intruding and protecting DNS servers. EC-Council offers a penetration testing certification “Licensed Penetration Tester (L|PT) Master” that challenges the skills of a penetration tester. The certification differentiates experts from novice penetration testers.