7 January 2022 | 7 min read

DNS Hijacking: A Comprehensive Guide

Why do hackers attempt to hijack DNS servers? How does it work? How to prevent this malicious activity? Find answers to these questions in our article.

Hacker trying to hijack DNS server.

With nearly 72% of organizations experiencing Domain Name System (DNS) attacks in the past year, the security of the DNS infrastructure has never been more important. One of the most common attacks was DNS hijacking, which affected 47% of survey respondents, followed by DDoS attacks (46%) and DNS tunneling (35%). 

Unfortunately, attempts to hack the Domain Name System are frequent. That’s because it is a vital link between organizations and their customers or suppliers. If this link is disrupted, customers might get frustrated and businesses may lose their clients or sales.

In this article we introduce the DNS, define what DNS hijacking is and suggest a few preventive measures you should consider to make your Domain Name System more secure.

What is DNS?

The most important function of a Domain Name System is to convert human-friendly domain names into machine-friendly IP addresses and connect internet users to websites. The first step in this process is a DNS resolver, or a recursive DNS server, that deals with the initial request and ultimately translates the domain into an IP address. 

Basically, by searching for DNS records on one or more authoritative DNS name servers, the DNS resolver finds the corresponding IP addresses that machines can read. Undeniably, the authoritative DNS name server is an intrinsic part of the lookup process. That is because it gives answers to the recursive DNS server about where specific websites can be found.

Flow chart of how DNS lookup works.
How DNS lookup works

Of course, the user who wants to access a website does not see this operation. They only need to enter a domain name (e.g., google.com) into a web browser and it takes the user to the website.

Another important player in smooth DNS communication is a domain name registrar or DNS registrar. A domain name registrar is an organization accredited by the Internet Corporation for Assigned Names and Numbers (ICANN). It allows users to register and lease domain names. 

Without domain names, it would be difficult for the users to remember long strings of numbers – IP addresses – that identify these domains. In short, domain names simplify the browsing experience for everyone.

Sometimes, the DNS may not work due to simple internet connection problems or outdated web browsers. At other times, however, the issue might be more serious. DNS hijacking is one of the critical issues that we must take seriously.

What is DNS hijacking? 

During DNS hijacking attacks, or DNS redirection, DNS requests are resolved incorrectly to redirect users to malicious websites. This happens if a DNS server is under a hacker’s control and they divert the traffic to a fake DNS server. Then, the server translates a legitimate IP address into the IP address of a malicious website.

A chart explaining how DNS hijacking works by redirecting traffic to malicious website.
How DNS hijacking works

To hijack a user’s DNS, hackers also employ other techniques like cache poisoning. Website cache poisoning is a type of cache poisoning when the hacker exploits a website’s cache. 

Website cache poisoning is a sophisticated technique. It enables inserting malicious entries into a website’s cache that later returns a fraudulent response – an infected website – to the user. Similarly, in the case of DNS cache poisoning, the hacker inserts fake DNS entries into a DNS resolver’s memory. 

Basically, without adjusting DNS settings, perpetrators poison the DNS cache with an incorrect IP address that has the same domain name as a legitimate website. Then the DNS server resolves this IP address and sends the user to the malicious website.

For example, if a user enters login credentials into a fake online bank login form, the hacker could, potentially, hijack the user’s account and steal money. In fact, financial institutions can be a great target for DNS hijacking attacks. Because users usually trust their banking services, they might not be aware that they are visiting fraudulent websites.

Of course, in some cases, DNS hijacking is more frustrating than dangerous. For instance, when you type in a website’s URL that does not exist, instead of facing an error message, you end up on your internet service provider’s (ISP) website. Internet service providers do this to collect data about their users or display ads. Technically, this is not a DNS attack.

Why is DNS vulnerable?

DNS is a relatively old protocol. It was created in 1983 before all the modern cyber security threats emerged. Unsurprisingly, it did not have appropriate security measures (e.g., authentication) integrated. At that time, no one would have assumed that the DNS could be used for malicious activities.

In addition to the basic lack of security, organizations may not monitor DNS traffic carefully appropriately either.

As a result, today the DNS is attractive to hackers and susceptible to different types of attacks that can affect both regular internet users and businesses.

What is the purpose of DNS hijacking?

The purpose of DNS hijacking is to collect personal and financial information for malicious purposes or show unwanted ads to generate revenue from views and clicks. 

A computer with a lock on it and hacker's hands trying to unlock it.
A hacker trying to unlock personal and financial information

Unfortunately, the pop-up ads may sometimes lead to scams and malware if a user clicks on them. Consequently, the malware, in turn, can infect the website visitor’s computer, allowing the hacker to access their device.

Cybercriminals understand very well how important the domain name system is for the use of the internet. Therefore, it’s not at all surprising that they often exploit the DNS to perform various cyberattacks

Types of DNS hijacking

There are a few ways to perform DNS hijacking attacks, and these are four of the most common DNS hijacking techniques: 

  • Man-in-the-middle attack
  • Rogue DNS server
  • DNS manipulation by ISP
  • Malware on router

Man-in-the-middle attack

During a man-in-the-middle attack, an attacker intercepts the connection between the user and the website or application the user wants to access. The attacker then manipulates the user’s DNS requests by redirecting to a malicious DNS server. Finally, the attacker provides different target IP addresses to point the user to abusive websites. This type of DNS hijacking attack is also called DNS spoofing.

Spoofed websites are fake copies of trusted websites that can mislead users and trick them into disclosing their financial or other sensitive information. Eventually, the perpetrators might be able to collect large amounts of personal information, sell it or use it for other malicious purposes.

A graph explaining how man-in-the-middle attacks work by setting a new connection.
How a man-in-the-middle attack works

Rogue DNS server

Cybercriminals can hack DNS servers and change DNS records to reroute DNS queries to fraudulent websites owned by cybercriminals themselves. This happens when hackers tamper with the router’s DNS settings to control the user’s DNS system. Then, they can modify the DNS router – a device normally used by domain service providers – to use a rogue DNS server and redirect traffic anytime.

Unfortunately, this is a serious problem. Perpetrators can take over DNS queries to direct the entire web traffic to malicious websites. Consequently, these sites can further infect devices with malware and help steal sensitive information.

DNS manipulation by ISP

Interestingly, DNS hijacking facilitates not only fraudulent activities. ISPs may also manipulate DNS requests. Why? They can control users’ DNS queries to collect statistics about internet use or display ads.

Usually, when a user attempts to enter a domain name that does not exist, they see an NXDOMAIN response message. In this case, the DNS resolver or DNS lookup that translates a domain name into a particular IP address cannot resolve the request. When ISPs hijack this NXDOMAIN response, they can load a redirect page to show ads or collect data.

Moreover, government institutions may also employ DNS redirection techniques for censorship purposes; for example, to redirect users from illegal or pornographic content.

A hand on a laptop screen with the access denied warning message.
DNS redirection can be used for censorship

Malware on router

There is one more DNS hijacking technique that hackers use not only to reroute DNS queries but also to infect devices with malware and cause further damage (e.g., steal and sell data).

A local DNS hijack occurs when an attacker installs malware on a user’s computer or router (router DNS hijack). The malware enables access to the network, and hackers then can modify local DNS settings and strike all users on the same network. Unfortunately, routers are often susceptible to attacks due to firmware vulnerabilities and weak default passwords.

How can DNS hijacking be prevented?

DNS is an important system that must be protected against all types of DNS hijacking attacks. Both website owners and internet users should employ protective measures, including:

  • Installing a firewall
  • Separating name server from resolver
  • Employing DNSSEC
  • Using a client lock
  • Setting a strong router password
  • Installing anti-virus software

If you are a website owner, install a firewall for the DNS resolver to prevent the installation of a fake resolver and to block unauthorized access. A firewall acts as an additional protective layer preventing DNS hijacking.

Additionally, it is a good idea to separate the name server from the DNS resolver. Note that if they both run on the same server, they could be affected at the same time.

One more protective measure to employ is the Domain Name System Security Extensions (DNSSEC) feature. DNSSEC authenticates DNS results using digital signatures thereby protecting sensitive data, such as IP addresses, and preventing cache poisoning.

A graph explaining how the Domain Name System Security Extension works.
How the Domain Name System Security Extension works

Also, you can check if your DNS registrar offers a client lock (or change lock) function. It prevents changes to the DNS records if the request does not come from a specific IP address. To further ensure secure access to the DNS records, set up multi-factor authentication access to the domain name server registrar.

If you don’t own a website, you can still prevent DNS hijacking by changing router passwords and keeping anti-virus software up-to-date. When changing a password, don’t forget to make it long, add symbols and include both uppercase and lowercase letters.

Finally, if your ISP is hijacking your DNS, note that you can use a free alternative DNS service such as the Google Public DNS.

Conclusion

In today’s internet, any online business or organization can become a hacker’s target. DNS hijacking is one of the attacks that perpetrators can perform.

What is DNS hijacking? It is a kind of cyberattack that can help mislead an internet user, steal their data or even infect their computer with malware for large-scale malicious acts. Keeping that in mind, it is crucial to take DNS hijacking seriously and increase DNS security.

Luckily, there are many preventative measures that can help ensure the safety of DNS servers and protect against server hijacking, man-in-the-middle attacks, DNS spoofing and other types of DNS abuse.

Still need help?

Slack community

Get involved in the IPXO Slack community.

Ask the IPXO community

Contact support

If you have any questions, contact our support team!