DNS poisoning guide: What is DNS hijacking?

Enhance your DNS Security with ThreatDown DNS Filtering. It’s time to block unwanted websites on your business network.

What is DNS hijacking?

Like many Internet users, you probably trust your web browser to take you to the right website after entering the correct URL in the address bar. Here, you may not think twice before sharing your username, password, or credit card to verify your identity or complete a transaction.

But what if your browser was taking you to a spoofed website instead? With a DNS hijacker, a threat actor can send you to a malicious website to commit identity theft or financial crimes, or generate ad revenue.

DNS hijacking is just one of many Domain Name System (DNS) attack techniques threat actors use to redirect users to alternate websites.

Learning how to defend against DNS hijacking and DNS poisoning attacks can improve your online safety. Please read this in-depth guide for more information on:

What is a DNS: What is a domain name system?

DNS stands for Domain Name System. You can think of a DNS as a phonebook or a translator for the Internet. It helps you browse the Internet by matching the human-friendly letters and words you use to find websites with the machine-friendly numbers that computers use.

Every machine that exists on the Internet has an Internet Protocol (IP) address, including computers that host websites like Netflix or YouTube. Internet-connected machines find each other online through this address. In other words, your machine, such as your laptop or smartphone, needs a website’s IP address to go there.

A typical IP address looks like a series of numbers separated by decimals. Remembering this string would be challenging and inconvenient for most Internet users. That’s where DNS makes things easier. When you type the URL of a website in your browser, your device extracts the website’s corresponding IP address from a DNS server. 

Popular websites such as Instagram have many IP addresses. When you type www.instagram.com in your address bar, your machine sends a request, also known as a DNS query, to a DNS server. A DNS server will match the URL with one of the website’s IP addresses.

The entire process of translating IP addresses to domain names is called DNS resolution. It’s almost instantaneous. The process can be further sped up when you use the DNS cache, which is a temporary storage of previous DNS lookups on your machine.


What is a DNS attack?

A DNS attack is any type of attack leveraging the DNS infrastructure for malicious activity. Here are some types of DNS attacks:

  1. DNS flood: This is a type of distributed denial of service (DDoS) attack where threat actors flood a domain’s DNS servers to slow down or prevent DNS resolution.
  2. DNS amplification: Hackers use this DDoS attack to manipulate DNS server vulnerabilities, amplifying small queries to overwhelm and shut down a target.
  3. DNS tunneling: Threat actors abuse the DNS protocol to tunnel malware in this type of DNS attack. 
  4. DNS spoofing: A DNS attack where threat actors redirect victims to alternate websites by modifying DNS records.
  5. DNS spying: Intermediaries such as an ISP or coffee shop can spy on a user’s web browsing history because a DNS request has no encryption. However, companies like Firefox are trying to change this with a DNS-over-HTTPS rollout.

DNS hijacking definition: What is DNS hijacking?

DNS hijacking, also known as DNS redirection, is a kind of DNS attack where a DNS query is engineered to send a user to an alternate space. An example of DNS hijacking is when your machine sends a DNS request for your bank’s website, but a hacker manipulates the process to send you to a spoofed version of your bank’s page.

Not all DNS hijacking redirects users to malicious websites, though. For example, some countries may use a type of DNS hijacking to practice censorship. Instead of visiting a website critiquing the government, you may end up on a state-sponsored propaganda platform, for example.


DNS hijacking vs DNS cache poisoning

DNS hijacking and DNS cache poisoning are both different types of DNS attacks.

In DNS hijacking, threat actors subvert DNS resolution by physically taking over DNS settings. But in DNS cache poisoning, threat actors corrupt the DNS cache.

Now, you might be asking what is cache in DNS poisoning attacks. A DNS cache is a temporary copy of DNS lookups on your browser or operating system. The purpose of the DNS cache is to make DNS resolution more efficient by expediting the DNS lookup process.

During DNS poisoning attacks, threat actors poison your DNS cache by forging DNS entries. In other words, they replace the legitimate IP destination of a domain name in your cache with a malicious one.


How DNS hijacking works

DNS hijacking works by taking advantage of your trust in the DNS resolution process. When you enter the URL of a website in your browser, you trust that the DNS system will match you with the correct IP address.

Hackers can utilize several other methods for DNS hijacking:


Local DNS hijack attacks: What is local DNS hijacking?

During a local DNS hijacking attack, a hacker alters a machine’s local DNS settings for a DNS attack, typically with a DNS changer/hijacker. This Trojan horse malware quietly modifies DNS settings without the victim’s knowledge. Requests are sent to foreign DNS servers that redirect users to the wrong websites.

A common infection vector for DNS hijackers are rootkits, fake antivirus (FAKEAV) programs, and pirated software. If you suspect a DNS hijacking attack, immediately use a free anti-malware download to scan your system for Trojans. After removing Trojan, work with your ISP to reset your router settings. You will also need to reset your DNS settings.

For more safety, use a DNS filtering tool. Check our website to learn what DNS filtering is and how it shields businesses.


Router DNS hijack attacks: What is router DNS hijacking?

Hackers can exploit router software vulnerabilities to override DNS server settings and send users to malicious websites. Router DNS hijacking leaves all the devices in your home vulnerable, such as your desktop, laptop, smartphones, tablets, and video game consoles. Try the following tips to reduce the risk of a router-based DNS attack:

  • Update your router’s firmware to the latest version.
  • Consider buying a new router if your router is no longer supported.
  • Change your router’s default name and password.
  • Set a complex password for your router.

Man-in-the-middle-DNS attacks: What is man-in-the-middle hijacking?

In a Man-in-the-Middle (MitM) attack, a threat actor secretly positions themselves between two entities to manipulate communication. The concept is similar for MitM DNS attacks. Hackers intercept communication between website traffic and the DNS for their own gain.


Rogue DNS server attacks: What is rogue DNS hijacking?

A rogue DNS server is a server hacked to divert traffic to malicious websites to steal usernames, passwords, financial data, and other personal information. Domain names of popular websites such as search engines, news organizations, or banks are typical targets of DNS server attacks.


DNS vulnerability

A DNS vulnerability, also known as a DNS exploit, is a flaw in a DNS. Threat actors can leverage DNS vulnerabilities to commit different cybercrimes:

  • Ransomware attacks
  • DNS tunneling
  • DDoS attacks
  • Botnet attacks
  • Subdomain takeovers

DNS hijacking detection: How to detect DNS hijacking 

You might be the victim of DNS hijacking if your websites load slower than usual or you notice random popups. However, these symptoms can also be due to other types of malware, such as adware or browser hijackers.

You can try pinging a non-existent domain name to see if it resolves. A safe DNS will not resolve a non-existent domain name:


Windows

  1. Open the Command Prompt.
  2. Type “ping,” hit space, and then enter a random website name.
  3. Your DNS is secure if it “cannot resolve.”


Mac

  1. Open Terminal.
  2. Type “ping,” hit space, and then enter a random website name.
  3. Your DNS is secure if it “cannot resolve.”


Linux

  1. Open Terminal.
  2. Type “ping,” hit space, and then enter a random website name.
  3. Your DNS is secure if it “cannot resolve.”

Certain websites will also help you check if your computer uses rogue DNS. Check these websites recommended by the FBI.


Why do people hijack DNS?

We use the Internet to consume information, entertainment, and for commerce. Entities that can surreptitiously control the websites we visit can control the type of information we can consume. They can also generate revenue by exposing us to advertising or using our sensitive information for various financial crimes.


Ads for revenue generation

DNS hijacking for ad revenue generation isn’t necessarily a threat to your confidential information, but it can be unpleasant. Attackers will use this attack to display unwanted ads on your screen to make money. Either the fake website will feature many ads, or it will drop adware on your system. An adware remover will help clean adware and other potentially unwanted programs (PUPs), though.


Stealing personal information

Pharming is a common cybersecurity attack involving DNS hijacking. But what is pharming exactly? In a nutshell, it involves redirecting web traffic to fake websites to gain usernames, passwords, financial data, and other personal information.


Censorship

Countries with strict laws use modified DNS servers to block access to information and media. Users within their borders who try to access blocked websites end up on government pages instead.


Phishing

Imagine if you enter Amazon’s domain name in your browser but are sent to a fake version of the e-commerce giant’s website. When you enter your username and password to log into the phishing website, you share your credentials with a hacker instead of a platform you trust.

With your account information, a threat actor could spy on you, lock you out of your account, or shop for expensive items on your dime.


High-level attacks

Advanced hackers can also use DNS hijacking for some sophisticated attacks:

  1. Watering hole attack: In a watering hole attack, threat actors can target entire organizations on the websites they frequent. With DNS hijacking, they can send their targets to malicious pages to extract information. The DNS hijacking incidents involving Sea Turtle mentioned later may be examples of watering hole attacks.
  2. Whaling attack: A whaling attack is a highly targeted spear-phishing attack that focuses on CEOs, presidents, spokespersons, and other valuable targets. With DNS hijacking, a threat actor can drop malware like spyware on a specific target in a whaling attack.
  3. Supply-chain attack: A supply-chain attack targets an organization by leveraging the weakest entity in its supply chain. For example, a hacker may use DNS hijacking to infect a vendor’s system with a worm to eventually attack their client. 

DNS hijacking examples

Sea Turtle

A prolific team of mysterious hackers called Sea Turtles has hit numerous organizations across the globe with complex DNS hijacking attacks, compromising top-level country-code domains. Researchers at Cisco’s Talos security division believe that the ultimate targets of these attacks are intelligence, military, and energy organizations in North Africa or the Middle East.


Brazilian Bank

Researchers say hackers took over a Brazilian bank’s complete online footprint within five hours. The cybercriminals used DNS hijacking to reroute all of the bank’s online customers to phishing websites. Hackers modified the DNS registrations of all 36 of the bank’s digital properties, including desktop and mobile domains.

Many of the customers didn’t hesitate to share their sensitive information with the phishing websites because they were almost perfect reconstructions of the bank’s pages. 


WikiLeaks

On August 30, 2017, many users trying to visit wikileaks.org saw a message claiming that the website was hacked. But the website wasn’t hacked. Instead of hacking the website, a group was redirecting users to a fake page by hijacking a DNS server.


Twitter, Huffington Post and New York Times

The Syrian Electronic Army attacked the website of the Melbourne IT domain registrar in 2013. The online activist group modified the records of multiple Melbourne IT customers, including The New York Times. Attacks by The Syrian Electronic Army also impacted Twitter.co.uk and HuffingtonPost.co.uk.


DNS hijacking prevention: How to prevent DNS hijacking on your business

DNS hijacking can be problematic for your organization because it can threaten your reputation, operational integrity, and sensitive data. Follow these tips to prevent DNS hijacking and strengthen your DLP security:


Registry Locks

Prevent unauthorized changes by taking advantage of registry locks. To mitigate the risk of DNS hijacks further, activate multi-factor authentication (MFA). Consider moving to a hosting service that offers MFA if your current provider doesn’t offer this facility. Finally, try activating Domain Name System Security Extensions (DNSSEC) to prevent some common DNS threats like DNS hijacking and DNS poisoning attacks.


Install an antivirus

As mentioned above, a cybersecurity tool can stop and remove malware like DNS hijacker Trojans. We recommend investing in next-generation antivirus (NGAV) software. This advanced software utilizes artificial intelligence and other complex technologies to stop threats.


DNS security solutions

The best DNS security solutions help control network vulnerabilities, nullify attack vectors such as malware, phishing, and web-based cyberattacks, and provide DNS protection in collaboration with other vendors. Let’s look at some advantages of using DNS security for small businesses:

  • Prevention and real-time protection
  • Saves organizational time
  • Compliance regulation
  • Added layer of protection
  • Increased productivity

DNS filtering

It’s no secret that DNS filtering can save small businesses from cyberattacks. For example, a top DNS content filtering tool will block phishing websites, prevent Man-in-the-Middle attacks, and detect DDoS attacks. DNS filtering also helps organizations with compliance.

So, What is DNS Filtering? Learn more.


Use a VPN

A technologically advanced VPN like the one from ThreatDown offers home cybersecurity and privacy by encrypting data and masking IP addresses. Using ThreatDown Privacy’s DNS servers also shields your endpoints from DNS attack risks.


Patch vulnerabilities quickly

Patching vulnerabilities before threat actors can leverage them for DNS attacks is crucial. Speeding up your patch management process means detecting missing software updates and applying patches to correct errors more efficiently. To finetune this critical process, your IT professionals and systems maintenance teams need to see the whole picture.

We recommend ThreatDown Vulnerability Assessment to help enhance your visibility into software vulnerabilities that threat actors can use for DNS attacks.


Separate your name server from your resolver

Your server’s name should be separate from your resolver, or a DDOS attack could paralyze both.


Verify

Ensure that your DNS infrastructure points to the right hostnames or IP addresses. Check all levels, from second-level domains and subdomains to resource records. Please also check requested certificates related to your domains. Rescind any improperly requested ones.


Look out for resolvers

Prevent access to DNS resolvers from outside your businesses with a firewall. A firewall will help stop threat actors from installing fake resolvers and will shield your organization from DNS hijacking. Please also close down unused DNS resolvers immediately.


Protect yourself from cache poisoning

Adopt the following steps to mitigate the risk of DNS cache poisoning attacks:

  • Random source ports
  • Random query IDs
  • Random upper and lower case in domain names.

The future of DNS hijacking

DNS hijacking is a popular attack method today as threat actors take advantage of vulnerabilities and sophisticated malware for data exfiltration and network disruption. Experts believe these attacks will grow more complex as hackers utilize advanced malware and new strategies to attack businesses.

To secure your company, you need highly trained IT professionals with the most proactive cybersecurity tools against DNS spoofing, server hijacking, and man-in-the-middle attacks. Please also consult with experts for an audit that helps mitigate the risk of DNS attacks.

The US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) warns of a complex international DNS Infrastructure Hijacking Campaign. So, please, harden your cybersecurity measures.

Featured resources

DNS Hijacking FAQs

Can you get hacked through DNS?

Yes. Many organizations have unknown DNS vulnerabilities which are susceptible to hackers, malware, and ransomware. Taking a layered approach to security with solutions, such as Endpoint Detection and Response (EDR)Endpoint Security (EP), and Next-gen Antivirus, will prevent, detect, and eradicate sophisticated threats that cause data breache

What are the most common DNS attacks?

DNS poisoning and DNS spoofing are interchangeable terms in which threat actors poison your DNS cache by faking DNS records. In other words, they substitute a malicious IP address for the real IP address of a domain name in your cache. DNS hijacking or DNS redirection, is a type of DNS attack where a DNS query is engineered to send a user to an alternate space. Amplifying your DNS security involves using cybersecurity solutions, like Malwarebytes DNS Filtering to block web-based attacks