Preventing DNS Hijacking

DNS Hijacking: What It Is And How To Prevent It

Last updated on June 9, 2021

What is DNS?

The Domain Name System (DNS) works like an enormous digital phone book that maps domain names (the website addresses people type) to IP addresses: the numeric identifiers computers use to reach each other. Every host reachable on a network has an IP address that other machines use to locate it, and browsers ultimately connect to IP addresses, not to names. DNS resolution translates the domain name you typed into the IP address your browser then connects to. Because that lookup decides which server you end up talking to, anyone who can tamper with it can send you to a server of their choosing.


How Can It Be Hijacked?

DNS hijacking works by interfering with this translation step: the attacker arranges for a lookup of a legitimate name to return an address they control, so the person trying to reach a particular website lands somewhere else instead.

They can do this at several points: by compromising a DNS server or the domain's registrar account and changing the records, by pointing a victim's device or router at a resolver they run, or by forging responses on the wire. Note that DNS hijackers aren't always criminals. Governments sometimes use DNS hijacking as a censorship tool, redirecting people away from domains they want to block or ban. DNS-based redirection can also be benign, or even accidental. For example, you may have tried to access your country's version of a particular website while abroad, only to be automatically sent to the local version.

In this article, though, we’ll focus on DNS hijacks designed to redirect people towards malicious sites. After all, more than 80% of all hack attempts are driven by cybercrime.

Types of DNS Hijack

There are four basic types of DNS Hijack:

Rogue DNS Attack

Users typically rely on whatever DNS resolvers their ISP assigns automatically. In a rogue DNS attack, the hijacker arranges for the victim to use a resolver they control instead, for example by changing the resolver addresses a router hands out over DHCP, or by compromising the resolver itself. That resolver answers honestly for most names but returns an attacker-chosen address for the sites the hijacker wants to intercept, which typically means malicious content.

Router DNS Hijack

Many consumer routers ship with default administrative passwords and unpatched firmware vulnerabilities. That makes it relatively easy for a hijacker, sometimes via a cross-site request from a web page the victim merely visits, to log in to the router and change the DNS servers it hands out, affecting every device connected to that router at once.

Local DNS Hijack

In a local hijack, malware (often a Trojan) installed on the victim's computer changes that machine's own DNS settings to point at an attacker-controlled resolver, or edits the hosts file so that chosen names resolve to attacker addresses before any DNS query is even sent. The victim is then redirected to malicious websites no matter which network they connect from.
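The rogue-resolver and local hijacks above both leave traces in plain configuration files: a hosts entry that pins a well-known name to some routable address, or a resolver address that nobody on the network should be using. The following script, an added example that is not part of the original article, checks both. The hosts file and resolv.conf contents are constructed for the example, and the trusted-resolver list is an assumption you would replace with the addresses your own network hands out.

```python
import ipaddress
import re

# Constructed sample inputs for this example, not captured from a real machine.
# A hosts file as a DNS-changing Trojan might leave it:
SAMPLE_HOSTS = """\
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example.net        # sinkhole entry, harmless
# added by "system update"
203.0.113.45    www.paypal.com paypal.com
203.0.113.45    mail.google.com
"""

# A resolv.conf whose first resolver is not one the network should be using:
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager
nameserver 203.0.113.53
nameserver 9.9.9.9
"""

# Resolvers this network is expected to use (assumed for the example).
TRUSTED_RESOLVERS = {"9.9.9.9", "149.112.112.112", "192.0.2.10"}


def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text, skipping comments."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            yield ip, name.lower()


def suspicious_hosts_entries(text):
    """Return hosts entries that pin a name to a routable address.

    Loopback/unspecified targets are left alone: that is how ad blockers and
    developers use the hosts file. Anything else overrides DNS for that name
    on this machine, which is exactly what a local hijack does.
    """
    findings = []
    for ip, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((name, ip))  # unparsable address: worth a look
            continue
        if addr.is_loopback or addr.is_unspecified:
            continue
        findings.append((name, ip))
    return findings


def untrusted_resolvers(text, trusted=TRUSTED_RESOLVERS):
    """Resolvers named in resolv.conf text that are not on the trusted list."""
    nameservers = re.findall(r"^\s*nameserver\s+(\S+)", text, re.MULTILINE)
    return [ns for ns in nameservers if ns not in trusted]


if __name__ == "__main__":
    for name, ip in suspicious_hosts_entries(SAMPLE_HOSTS):
        print(f"hosts file overrides {name} -> {ip}")
    for ns in untrusted_resolvers(SAMPLE_RESOLV_CONF):
        print(f"untrusted resolver configured: {ns}")
```

On Windows the hosts file lives at `C:\Windows\System32\drivers\etc\hosts` and the resolver list comes from the adapter settings rather than resolv.conf, but the logic is the same: any entry you did not put there, and any resolver you do not recognise, deserves investigation.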

Man-in-the-Middle DNS Attack

An attacker positioned between the user and their resolver (on an open Wi-Fi network, for instance) can intercept queries and answer them with a different destination IP address, because plain DNS over UDP port 53 is neither encrypted nor authenticated. An attacker who is not on the path can attempt the same thing by racing the real answer with forged replies, which is why resolvers randomize their transaction IDs and source ports. Once again, the aim is typically to redirect the user to spoofed or malicious sites.
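To make the man-in-the-middle case concrete, here is a minimal model of the exchange, written for this article as an added example (it is not code from the original page). It builds a real DNS query and a forged reply with the standard library only, then applies the checks a stub resolver performs before trusting a reply: matching destination port, matching transaction ID, the QR bit, and a byte-for-byte match of the question section. The names and addresses are constructed; 203.0.113.9 stands in for the attacker's server.

```python
import os
import struct

def name_to_wire(name):
    """Encode "example.com." as DNS labels: 7example3com0."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_query(name, txid, qtype=1):
    """Minimal DNS query: 12-byte header plus one question (QCLASS IN)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set
    return header + name_to_wire(name) + struct.pack("!HH", qtype, 1)

def build_answer(query, answer_ip, ttl=60):
    """A reply to `query` that says the name lives at answer_ip.

    Nothing in the packet proves who sent it: an attacker who guesses the
    transaction ID (and the UDP source port) can hand the client this."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR, RD, RA
    rr = struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4)  # name ptr, A, IN, TTL, rdlen
    rr += bytes(int(octet) for octet in answer_ip.split("."))
    return header + question + rr

def response_matches(query, query_port, response, response_port):
    """The checks a stub resolver makes before trusting a reply (RFC 5452)."""
    if response_port != query_port:           # must arrive on the port we used
        return False
    if response[:2] != query[:2]:             # transaction ID must match
        return False
    if not response[2] & 0x80:                # QR bit: this is a response
        return False
    qlen = len(query) - 12
    if response[12:12 + qlen] != query[12:]:  # question must match, byte for byte
        return False
    return True

def answer_ip(query, response):
    """Extract the A record address from a reply built by build_answer."""
    offset = len(query) + 12                  # past header, question, RR header
    return ".".join(str(b) for b in response[offset:offset + 4])

def random_query(name):
    """What a hardened stub does: random 16-bit ID and random source port."""
    txid = int.from_bytes(os.urandom(2), "big")
    port = 1024 + int.from_bytes(os.urandom(2), "big") % (65535 - 1024)
    return build_query(name, txid), port

if __name__ == "__main__":
    legit_query, port = random_query("example.com.")
    # An off-path attacker never sees the query; here they guess ID 0x1234, port 53.
    forged = build_answer(build_query("example.com.", 0x1234), "203.0.113.9")
    print("forged reply accepted:", response_matches(legit_query, port, forged, 53))
```

The point the model makes: an on-path attacker sees the ID and port and passes every check, which is why only encryption or DNSSEC validation helps against them, while an off-path attacker has to guess roughly 32 bits (ID plus port) per query. Mixing the case of the query name ("eXaMpLe.CoM") adds further bits an attacker must match, since the question comparison is exact.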

What Are the Dangers of DNS Hijacking?

As we’ve seen, hijackers may want to redirect you away from your chosen sites for many reasons. When it comes to criminal activity, though, the two main ones boil down to phishing and pharming.

Phishing with DNS Attacks

DNS hijacking is a useful tool for hackers running phishing attacks. When a domain’s name resolution is hijacked, users who type the correct address are redirected to a fake site that closely mimics the real one, and they enter credentials or card details that the hackers then collect. Unlike a phishing link in an e-mail, the address bar shows the genuine domain name, so the usual advice to check the URL does not help.

Pharming with DNS Attacks

In a similar way to phishing, DNS hijackers running a pharming scam can cause a person who is trying to visit a website to be redirected to a malicious site that is stuffed with ads and popups.

The aim is to rack up as much money as possible as quickly as possible from ad impressions. A Trojan called DNSChanger, for example, infected some 4 million computers and earned its operators an estimated $14 million in fraudulent advertising revenue before it was shut down.

While this isn’t as damaging to the user as phishing, it’s certainly very disruptive and annoying. Plus, it’s extremely bad news for the owner of the real domain.

Who Has Been Hijacked?

DNS hijacking is actually very common and even large, tech-savvy companies get targeted. In the past, rogue-resolver campaigns aimed at hijacked home routers have targeted GMail.com, PayPal.com, Netflix.com, Uber.com, caix.gov.br, itau.com.br, bb.com.br and bancobrasil.com. People whose routers had been altered were redirected to malicious sites whenever they tried to visit any of these websites.

Sometimes it’s unclear whether deliberate DNS hijacking has taken place, or why. In 2010, for example, traffic headed for Facebook, Twitter and several other big US-based sites was sent to their Chinese equivalents, and no one has established whether it was a mistake or a deliberate hijacking attempt. More recently, a large DNS hijacking espionage campaign was uncovered, most likely linked to Iran.

This means you need to be careful. Recognize that even the best-known sites are at risk of DNS hijacking, stay vigilant, and do everything you can to make sure you’re properly protected against attempted attacks and hijacks.

How Do You Prevent DNS Hijacking?

Implement Domain Name System Security Extensions (DNSSEC)

If you own any domains, you should sign their zones with DNSSEC. DNSSEC is an industry standard that lets the owner of a zone sign its records with a private key and publish the matching public key as a DNSKEY record; a hash of that key is published in the parent zone as a DS record, and the chain continues up to the root. A validating resolver follows that chain and rejects any answer whose signature does not verify, so forged or tampered records are discarded instead of being used. In practice you enable signing at your DNS hosting provider and submit the DS record through your registrar.

Bear in mind what DNSSEC does not do. It authenticates the data, not the path, and only when the resolver validates: an unvalidating resolver gains nothing. It cannot help if the attacker controls your registrar account, since they can simply replace the DS record along with everything else. And it is not a monitoring tool; watching for unexpected changes to your records is a separate job.

Alarmingly, despite the benefits, only 3% of Fortune 1000 companies have rolled out DNSSEC. That’s a lot of high-profile sites whose records can be forged without any resolver noticing.
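The link in that chain that a domain owner touches directly is the DS record: it is a hash of your DNSKEY that the parent publishes, and a validating resolver refuses any DNSKEY that does not match it. The following example, added for this article and not taken from the original page or any DNSSEC implementation, computes that hash and key tag exactly as RFC 4034 specifies, then checks a served DNSKEY against a published DS. The key bytes are constructed for the example (a real key comes from your signer); full validation also verifies the RRSIG signatures, which this example does not cover.

```python
import base64
import hashlib
import struct

def name_to_wire(name):
    """Owner name in canonical wire form: lower-case labels, length-prefixed."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.lower().encode("ascii")
    return out + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, public_key_b64):
    """Wire-format RDATA of a DNSKEY record (RFC 4034 section 2.1)."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(public_key_b64)

def key_tag(rdata):
    """Key tag from RFC 4034 appendix B (all algorithms except RSA/MD5)."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_digest(owner, rdata, digest_type=2):
    """DS digest = hash(canonical owner name || DNSKEY RDATA), upper-case hex."""
    algo = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}[digest_type]
    return algo(name_to_wire(owner) + rdata).hexdigest().upper()

def make_ds(owner, rdata, digest_type=2):
    """The DS record the child hands to its registrar: (tag, alg, dtype, digest)."""
    return (key_tag(rdata), rdata[3], digest_type, ds_digest(owner, rdata, digest_type))

def ds_matches(owner, rdata, ds):
    """Does the DNSKEY served by the child match the DS published by the parent?"""
    tag, algorithm, digest_type, digest = ds
    return (key_tag(rdata) == tag
            and rdata[3] == algorithm
            and ds_digest(owner, rdata, digest_type) == digest.upper())

# Constructed key material for the example: a fake 64-byte ECDSA P-256 public
# key (algorithm 13) with flags 257 (a key-signing key). Real keys come from
# your signer; these bytes are not a usable key.
SAMPLE_KEY_B64 = base64.b64encode(bytes(range(64))).decode()
TAMPERED_KEY_B64 = base64.b64encode(bytes(range(1, 65))).decode()

if __name__ == "__main__":
    zone = "example.com."
    ksk = dnskey_rdata(257, 3, 13, SAMPLE_KEY_B64)
    ds = make_ds(zone, ksk)
    print(f"{zone} IN DS {ds[0]} {ds[1]} {ds[2]} {ds[3]}")
    print("child key matches parent DS:", ds_matches(zone, ksk, ds))
    swapped = dnskey_rdata(257, 3, 13, TAMPERED_KEY_B64)
    print("attacker's key matches parent DS:", ds_matches(zone, swapped, ds))
```

The second check is the one that matters for hijacking: an attacker who takes over your authoritative servers and publishes their own DNSKEY fails the DS comparison at every validating resolver, unless they can also change the DS at the parent, which is why your registrar account deserves the strongest protection you have.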

Change Your Default DNS Server

By default your computer and router use the resolvers your ISP hands out, so every lookup you make goes through, and is visible to, that ISP’s resolver. If that resolver is compromised, or a rogue resolver address has been pushed to your router, you inherit the problem.

You can instead configure a public resolver you trust, which bypasses the ISP’s resolver altogether. Two good (and free) options are OpenDNS and Google Public DNS. Where the resolver and your operating system or browser support it, use an encrypted transport, DNS over TLS or DNS over HTTPS, so that nobody on the path can read or forge your queries; plain UDP DNS to a public resolver is still open to man-in-the-middle tampering.

Bear in mind that changing your resolver means handing your entire lookup history to whoever runs it, and you certainly don’t want to give that to just anyone. You need to be sure you’re entrusting these details to a company or non-profit you can rely on, or you could be increasing your risk of DNS hijacking rather than reducing it. The paid tier of OpenDNS adds filtering that blocks known phishing and malware domains.

Enable HTTPS

Again, if you own a domain, do yourself and your visitors a favor by enabling HTTPS for every web app and service you host on that domain name. TLS encrypts the connection and, more importantly here, authenticates the server: a hijacked lookup can send the browser to the attacker’s server, but that server cannot present a valid certificate for your name, so the browser shows a warning instead of the page.

That protection only applies if the browser insists on HTTPS in the first place, so to be truly effective against DNS hijacking you also need to combine it with HTTP Strict Transport Security (HSTS). HSTS is a response header, recognized by all up-to-date browsers, that tells the browser to reach the site only over a secure, encrypted connection for a stated period; because plain HTTP is never used, it also prevents cookie hijacking over cleartext. Once a user’s browser has seen the header (or the domain is on the browsers’ built-in preload list), a hijacker cannot simply direct people to a spoof site that doesn’t use HTTPS.

Two caveats. The very first visit is unprotected unless the domain is preloaded. And an attacker who controls your DNS can sometimes obtain a perfectly legitimate certificate for your domain, because certificate authorities validate ownership through DNS or HTTP challenges that a hijacker can answer. Publish CAA records restricting which authorities may issue for your domain, and watch Certificate Transparency logs for certificates you did not request.
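Because an HSTS policy is only as strong as its directives, it is worth checking what your site actually sends. The validator below is an added example written for this article, not code from the original page; the header values it examines are constructed, and the one-year minimum it enforces is the value the browser preload list requires. It parses a Strict-Transport-Security value and lists what would still let a hijacker downgrade a visitor.

```python
ONE_YEAR = 31536000  # seconds; the minimum max-age the browser preload list requires

def parse_hsts(value):
    """Split a Strict-Transport-Security value into a {directive: value} dict."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, has_value, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"') if has_value else True
    return directives

def hsts_problems(value, want_preload=False):
    """Return the weaknesses in an HSTS header value; an empty list means it is sound."""
    if value is None:
        return ["no Strict-Transport-Security header: every visit can be downgraded"]
    d = parse_hsts(value)
    problems = []
    raw = d.get("max-age")
    max_age = int(raw) if isinstance(raw, str) and raw.isdigit() else None
    if max_age is None:
        problems.append("max-age missing or malformed")
    elif max_age == 0:
        problems.append("max-age=0 tells browsers to forget the policy")
    elif max_age < ONE_YEAR:
        problems.append(f"max-age {max_age} is below one year")
    if "includesubdomains" not in d:
        problems.append("includeSubDomains missing: subdomains stay downgradable")
    if want_preload and "preload" not in d:
        problems.append("preload directive missing: cannot be submitted to the preload list")
    return problems

# Constructed examples of what a response might carry (not captured from any site).
SAMPLE_HEADERS = {
    "good": "max-age=63072000; includeSubDomains; preload",
    "weak": "max-age=300",
    "cleared": "max-age=0",
    "absent": None,
}

if __name__ == "__main__":
    for label, value in SAMPLE_HEADERS.items():
        print(label, "->", hsts_problems(value, want_preload=True) or ["ok"])
```

Send the header only over HTTPS responses (browsers ignore it on plain HTTP), and remember that it is cached per host: a short max-age while you test is fine, but the value you ship should be at least a year.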

Look Out for the Padlock

While we’re on the subject, keep an eye out for the TLS padlock in the address bar when you visit a site. It tells you that the connection is encrypted and that the certificate matches the domain shown, which is exactly what a DNS hijack to a look-alike server cannot fake. Don’t read more into it than that: a phishing site on its own domain can have a perfectly valid certificate and padlock, so check that the domain name itself is the one you expect. Conversely, a certificate warning on a site you normally reach without one is a classic sign that your lookups are being redirected; never click through it.

Install Top of the Range AntiVirus

Many local DNS hijacks are carried out by Trojans that alter the system’s resolver settings or hosts file, a type of malware that decent AV software detects, quarantines and removes.

What’s more, many internet security packages come with tools designed to block known malicious redirects or warn you when a site isn’t secure. Reliable AV is therefore a key tool in your arsenal against DNS hijacks that start on your own machine, though it cannot see a hijack that happens at your router, your ISP or the domain’s registrar.

Update Your Router Password

As we’ve seen, default or weak passwords make your router an easy target. Change the administrative password to a strong, unique one from the start, install firmware updates (or replace a router whose vendor no longer ships them), and disable remote administration from the internet side unless you genuinely need it.

Even if your router does come with a strong, hard-to-guess password as standard, it’s worth changing it periodically in case it has been broken, and worth periodically checking the DNS servers the router hands out against the ones you expect: a changed entry you did not make is the clearest sign of a router hijack.

Use an Encrypted Connection

One of the simplest ways to take your local network and ISP out of the picture is to use an encrypted connection, i.e. a Virtual Private Network (VPN).

A VPN masks your IP address from the sites you visit and routes your internet traffic through an encrypted tunnel to a server run by the provider. That server could be anywhere, and many providers let you choose where in the world you’d like to connect from.

There are many different reasons to use a VPN. Businesses use them to grant employees secure remote access to internal systems. Governments and corporations handling sensitive data use them to keep intellectual property, customer data and other secrets off untrusted networks.

Meanwhile, individuals use VPNs to keep their browsing private from local networks and ISPs. Encrypted connections let you bypass local censorship and hide which sites you visit from whoever runs the network you’re on. That may be because you’re worried about who’s tracking your online activity or research, or who might be listening in on VoIP calls. You may also want protection on unsecured public WiFi, or you may simply want to watch your favorite Netflix show while you’re out of the country.

Whatever your reasons, an additional benefit of a VPN is that it makes it much harder for DNS hijackers on your local network or at your ISP to target you. With a properly configured client, your DNS queries travel inside the encrypted tunnel between your device and the VPN server and are answered by the provider’s own resolvers, so a rogue WiFi hotspot, a hijacked home router or a tampering ISP never sees them.

Provided you choose a robust, reliable provider, nobody between you and the VPN server can read or alter your traffic, DNS included. What a VPN does not do is remove the need to trust someone: you have moved that trust from your ISP and local network to the VPN provider, whose resolvers now answer every query you make. Nor does it protect against a hijack of the target domain itself, at its registrar or authoritative servers, since the provider’s resolvers will faithfully return whatever the hijacked records say.

That said, this only helps if you install a reliable VPN and your DNS queries actually go through the tunnel.

We Recommend: ExpressVPN

Our top choice for a VPN that’s equipped to prevent DNS server hacking is ExpressVPN. This is an excellent provider that takes security extremely seriously, going well beyond the minimum standards common to the industry.

Of particular importance is its solid DNS leak protection. A DNS leak occurs when your DNS requests bypass the tunnel, either because they’re sent unencrypted to your ISP’s resolver or because they go to a server the VPN provider doesn’t run. You think you’re browsing privately, but in fact your ISP, or anyone on the local network, can see every lookup you make and, for hijacking purposes, tamper with it.

There are plenty of reasons a VPN user might worry about DNS leaks. After all, you’re keeping your browsing private for a reason, so finding out it wasn’t private after all is a nasty shock. When it comes to DNS hijacking, though, a leak exposes your DNS requests to the very networks you were trying to bypass and so undermines the protection you thought the tunnel gave you. By routing all DNS through its own resolvers, ExpressVPN goes a step further than many other VPNs to reduce the risk of hijacks.

ExpressVPN also commits to not logging your activity, noting that, because it is based in the British Virgin Islands, it is under no legal obligation to keep logs of what you get up to online. Logging and leaking are separate questions: a no-logs policy governs what the provider records, while leak protection governs where your queries go, and you want both.

It’s important to check details like this for whatever VPN service you end up using. If the company is based in a country where a government can demand to see usage logs, it can’t realistically promise you complete anonymity, and since its resolvers answer every DNS query you make, you are trusting it with exactly the data a hijacker would want.

Another great ExpressVPN feature is the “kill switch”, which blocks all internet traffic automatically if the VPN connection drops for any reason. Without one, a client that loses its server silently falls back to sending traffic, DNS queries included, straight over the local network until it reconnects, leaving you exposed in the meantime. ExpressVPN doesn’t let that happen.

Plus, you can install ExpressVPN on pretty much any device, so you’re not opening yourself up to DNS hijacking risks on your Mac, your phone, or anywhere else, and you can use it to guard your privacy at home or on a public WiFi connection.

Finally, ExpressVPN is a great option because it’s fast. Whatever you use it for, it runs at impressive speeds with minimal interruptions or delays, HD video included. As a result, you’re much more likely to leave it on instead of getting frustrated and switching it off, which would throw away the protection.

Conclusion

DNS hijacking is a very real and very common risk. Hijackers can strike at your machine, your router, your resolver or the domain’s own records, so it’s important to stay vigilant and treat telltale signs, such as an unexpected certificate warning or a page that doesn’t look quite right, as red flags rather than clicking through.

At the same time, many of the most effective steps you can take are really quite simple, from updating passwords to installing AV to running all your internet traffic through a trusted VPN.

If you own any domains, it’s important to take this stuff seriously, as a hack could seriously harm your website visitors. Even if you don’t run any sites of your own, you owe it to yourself to protect yourself against malicious hijacks.
