What is DNS Hijacking and How to Detect It

What is DNS hijacking?

DNS hijacking, also referred to as DNS redirection, is a type of cyber attack in which attackers intercept a user's DNS queries and redirect them to malicious websites.

The role of a DNS (Domain Name System) server is to translate the domain name that the user enters into their browser into an IP address so they can reach the website. When a user attempts to connect to a website, the browser sends a DNS query: a request for the server to look up the entered name and map it to the correct IP address. In a DNS hijack, a cybercriminal intercepts these queries and returns a fake IP address that sends the user to an illegitimate site of the attacker's choosing, usually for financial gain.

Let’s take a closer look at how cybercriminals can hijack your DNS settings and how to identify if it’s happening to you.

Types of DNS hijacking

With the basic idea covered, you should know the four types, or levels, of DNS hijacking:

  • Local DNS hijacking: cybercriminals install malware into a user’s computer and change their local DNS settings to redirect them to malicious websites.
  • Router DNS hijacking: cybercriminals take advantage of vulnerabilities in the user’s router by hacking into it and changing its DNS settings, affecting all users who connect to the internet through that router.
  • Man-in-the-middle (MIM) DNS hijacking: cybercriminals intercept queries sent by the user to a DNS server – putting themselves in the “middle” of the two parties – and return fake IP addresses that redirect them to sites of their choosing.
  • Rogue DNS server hijacking: cybercriminals compromise a DNS server directly and alter the records it serves, redirecting traffic for a domain to their malicious sites.

Additionally, MIM and rogue DNS server hijacks are often referred to as DNS spoofing. This is a category of DNS hijack in which the attacker alters the DNS records returned to a user so that they point to illegitimate, or "spoofed", versions of websites, without compromising the user's device or router.

What is DNS hijacking used for?

When a hacker hijacks a user's DNS queries or settings, their main motive is financial gain. This could mean tricking users into giving up personal information so the attacker can commit fraud or identity theft. Alternatively, they'll show users unwanted, intrusive ads that generate revenue from impressions and clicks.

This is achieved through pharming, a type of phishing attack in which a user's DNS settings are changed to redirect them to a malicious site. As alluded to above, these sites are full of ads and pop-ups or may attempt to convince users to give up sensitive details. Pharming differs from phishing, and in some ways is more dangerous, in that it doesn't require users to click a link to be directed to a site.

Additionally, it's not uncommon for Internet Service Providers (ISPs) to hijack their users' DNS requests, redirecting them to ad-heavy websites when they type in a URL that does not exist. Similarly, governments can hijack their residents' DNS queries to censor particular domains.

How to detect DNS hijacking?

Strange browser behaviour: slow-loading pages, unexpected redirects, sites that cannot be reached, an unusual number of pop-ups, or other changes to your usual browsing experience may indicate a local DNS hijack, i.e., that your device has been infected with malware.

Examine your hosts file: your computer's hosts file is used by its operating system to map domain names to IP addresses before any DNS server is queried. If your hosts file has been modified to contain unfamiliar IP address/domain pairings, it could indicate a DNS hijack.

Check your router's DNS settings: check whether your router has been hijacked by looking at the DNS servers it is configured to use. Fortunately, there are several tools, such as router checkers and Wi-Fi scanners, that will help you do just that.

Ping a made-up domain: pinging a domain that does not exist should fail to resolve and the request should time out. If you ping a made-up domain name and get a response, there's a good chance that your ISP is hijacking your DNS queries.
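The hosts-file and made-up-domain checks above can be scripted. The following is an added example, not RiskXchange's own code: it reports hosts-file entries beyond the stock loopback names (the sample hosts content is constructed, and 192.0.2.77 is from a documentation-only range), and it asks the system resolver for a random name that cannot exist, treating any answer as a sign of NXDOMAIN hijacking.

```python
"""Added example: two DNS-hijack checks, hosts-file review and a bogus-name lookup."""
import secrets
import socket

# Constructed sample hosts file. The last line is the kind of entry a local
# DNS hijack leaves behind: a real-looking domain pinned to an address the
# user never configured (192.0.2.77 is a documentation-only address).
SAMPLE_HOSTS = """\
# Default entries
127.0.0.1   localhost
::1         localhost ip6-localhost ip6-loopback
192.0.2.77  onlinebanking.example.com
"""

# Names a stock hosts file maps to loopback. Anything else should be an entry
# you added yourself (LAN hosts, test setups), so unknown names get reported.
EXPECTED_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost",
                  "ip6-loopback", "ip6-allnodes", "ip6-allrouters"}

def unexpected_hosts_entries(hosts_text, expected=EXPECTED_NAMES):
    """Return (ip, hostname) pairs whose hostname is not in `expected`."""
    flagged = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        ip, *names = line.split()
        flagged += [(ip, n) for n in names if n.lower() not in expected]
    return flagged

def nxdomain_hijack_suspected(resolve=socket.gethostbyname):
    """Resolve a random, made-up name. A clean resolver fails (NXDOMAIN); an
    answer means something on the path substitutes records for names that do
    not exist, which is the ISP-style hijack described above. `resolve` is
    injectable so the logic can be exercised offline."""
    name = f"{secrets.token_hex(6)}.{secrets.token_hex(6)}.com"
    try:
        resolve(name)
    except (socket.gaierror, OSError):
        return False          # NXDOMAIN or no answer: expected, not hijacked
    return True               # an address came back for a bogus name

if __name__ == "__main__":
    # Windows keeps the file at C:\Windows\System32\drivers\etc\hosts instead.
    with open("/etc/hosts") as fh:
        print("unexpected hosts entries:", unexpected_hosts_entries(fh.read()))
    print("NXDOMAIN hijack suspected:", nxdomain_hijack_suspected())
```

Running it on a system whose resolver is behaving normally prints an empty list (or only entries you recognise) and `False`; a `True` from the second check is worth following up with a `dig`/`nslookup` of the same bogus name against a resolver such as those listed further down.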

How to protect yourself against DNS hijacking

Here are a few ways to be proactive about the security of your DNS settings and to prevent your queries from being hijacked:

  • Install the latest antivirus software: scan for malware frequently. Also, install updates regularly, as they help protect your device against new cyber threats.
  • Use a VPN: a virtual private network (VPN) provides an encrypted "tunnel" that all your web traffic goes through, making it far more difficult for attackers on the local network or at the ISP to intercept your DNS queries.
  • Reinforce your router's security: firstly, practise good password hygiene: change your router's default password and rotate it routinely thereafter. Secondly, keep your router's firmware up to date.
  • Switch to secure DNS servers: you don't have to use the DNS servers provided by your ISP (especially if you discover they've been redirecting your queries!). Instead, opt for a free alternative DNS service such as Google Public DNS, OpenDNS, or Cloudflare.

How RiskXchange can help

RiskXchange can help you identify the biggest threats to your organisation’s cybersecurity and where you’re in danger of suffering from a breach – like a DNS hijack. We’ll provide you with a free real-time risk assessment of your organisation’s attack surface, which includes a risk score that will tell you how your cybersecurity measures compare to industry benchmarks.

Get in touch with RiskXchange to find out more about DNS hijacking and what to do if you suspect your DNS settings have been tampered with.