
How to Stop DNS Hijacking

December 5, 2014, by Ali Qamar

You have probably, more than once, typed a familiar domain name and landed on a page that was nothing like the one you expected. Chances are you never gave the anomaly a second thought: you retyped the name, or searched for the site on Google, and moved on. What you may not have realized is that you could have been the victim of Domain Name System (DNS) hijacking, also called DNS redirection.

DNS hijacking is a growing threat, and no organization is too large to be a target. Not long ago a group calling itself the Iranian Cyber Army redirected requests for Twitter.com to IP addresses under its own control. Similarly, on Thanksgiving Day the Syrian Electronic Army redirected traffic destined for major media sites, including the Independent, the Telegraph and the Canadian Broadcasting Corporation, to mention just a few. In both cases the attackers altered the targets' DNS records rather than breaking into the targets' own web servers, which is what makes this class of attack so effective: the victim's servers are untouched, yet its users never reach them.


So, What is DNS Hijacking?

Technically, DNS hijacking intercepts a user's legitimate DNS requests and answers them with IP addresses chosen by the attacker, typically those of servers the attacker controls. Hosts on the Internet are addressed by numbers, IP addresses, and a website is reachable only through the address of the server that hosts it. To spare you from memorizing IP addresses the way you memorize passwords, hosts are given human-readable domain names, and DNS is the directory that translates a name such as twitter.com into the address your computer actually connects to. You could reach a site by typing its IP address directly if you remembered it, but you rarely will; in practice every connection begins with a DNS lookup, which is exactly why subverting that lookup pays off for an attacker.

In a DNS hijacking attack, the attacker gets between the user and the resolver, much as in a man-in-the-middle attack, and steers the user's DNS requests to a resolver the attacker controls. A resolver's basic job is to answer a request for a name with the correct IP address. An attacker-controlled resolver, or a DNS-changing Trojan on the victim's machine that silently rewrites the configured resolver addresses (the DNSChanger malware family did exactly this), instead answers with the wrong address and sends the victim to a spoofed copy of the site. Used against banking or webmail sites, the technique is known as pharming, and scammers combine it with phishing to harvest credentials and other personal information.

Notably, DNS hijacking is not practised only by criminals. Legitimate ISPs engage in it too, to serve their own interests: placing advertisements or collecting browsing statistics for analytics. Ordinarily, querying a domain name that does not exist should produce a "server not found" error, because the resolver returns an NXDOMAIN ("no such domain") response. Many ISPs instead rewrite NXDOMAIN responses into an address of their own and land the user on an ad-laden "search assistance" page. Besides being irritating, this violates the DNS standard (RFC 1035 defines the NXDOMAIN response and RFC 2308 how it is cached), breaks software that relies on a truthful "name does not exist" answer, and can expose users to cross-site scripting: a request for a mistyped or nonexistent host under, say, example.com now returns the ISP's page inside example.com's origin, where it receives that site's cookies.

A fine example of an ISP "behaving badly" and manipulating its users' traffic without their consent (without consent, or it would not be manipulation, right?) is Verizon Wireless and its "perma-cookie": a unique tracking header (X-UIDH) injected into customers' unencrypted HTTP requests. The EFF has heavily criticized this abuse of personal information. Strictly speaking it is HTTP injection rather than DNS manipulation, but it is the same practice of an intermediary rewriting traffic it is supposed to carry faithfully, and it is just a drop in the ocean of non-consensual redirection and tracking occurring daily on the web.

Shore Up DNS Security

Whether it is cache poisoning by an attacker or NXDOMAIN rewriting by an ISP, no one wants to traverse the web at gunpoint. In a cache poisoning attack, the attacker injects forged records into a recursive resolver's cache, typically by racing the legitimate answer with spoofed responses that carry a guessed transaction ID and source port; once a poisoned record is cached, every client of that resolver is redirected from the legitimate site to hosts the attacker controls for as long as the record's TTL allows. The activity can go undetected for a long time, letting the attacker siphon off sensitive information, including usernames and passwords, from every user who trusts that resolver.
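To make the two failure modes described above concrete, here is an added example (not code from the original article) in Python that builds a raw DNS query, parses the reply and flags the two things a practitioner checks for: an NXDOMAIN that has been rewritten into an address (the ISP behaviour described earlier) and resolvers that disagree about where a name points (what a poisoned cache looks like from outside). The sample responses are constructed inside the script; the reference resolver addresses and the probe domain are assumptions, and `resolve()` needs network access and is only called from the `__main__` block.

```python
"""Raw DNS probe: detect rewritten NXDOMAIN answers and disagreeing resolvers.
Added example; not code from the original article."""
import random
import socket
import struct
import sys

NXDOMAIN = 3  # RCODE "name error" (RFC 1035)
# Assumed reference resolvers (Google Public DNS, named on the page); adjust to taste.
REFERENCE_RESOLVERS = ["8.8.8.8", "8.8.4.4"]
# Assumed probe zone: a random label under it should never resolve.
PROBE_ZONE = "example.com"


def build_query(name, qid=None):
    """Encode a recursive A/IN query for `name`; returns (transaction_id, packet)."""
    qid = random.randrange(0, 0x10000) if qid is None else qid
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # flags: RD=1; QDCOUNT=1
    qname = b"".join(bytes([len(label)]) + label.encode()
                     for label in name.rstrip(".").split(".")) + b"\x00"
    return qid, header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _skip_name(data, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if (length & 0xC0) == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def parse_response(data):
    """Return {id, rcode, a_records} from a raw DNS response (A records only)."""
    qid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(data, off) + 4  # skip QTYPE + QCLASS
    a_records = []
    for _ in range(ancount):
        off = _skip_name(data, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            a_records.append(socket.inet_ntoa(data[off:off + 4]))
        off += rdlen
    return {"id": qid, "rcode": flags & 0x0F, "a_records": a_records}


def nxdomain_hijacked(parsed):
    """A name that cannot exist must come back RCODE 3 with no addresses; a
    NOERROR reply carrying A records means the resolver (ISP or attacker) rewrote it."""
    return parsed["rcode"] != NXDOMAIN and bool(parsed["a_records"])


def answers_disagree(first, second):
    """True when two resolvers return non-overlapping address sets for one name.
    Partial overlap is tolerated because CDNs legitimately hand out different subsets."""
    a, b = set(first["a_records"]), set(second["a_records"])
    return bool(a) and bool(b) and not (a & b)


def resolve(name, server, timeout=3.0):
    """Query `server` over UDP from a random source port and reject any reply whose
    transaction ID differs from the query's (the minimum defence against blind spoofing).
    Needs network access; not exercised by the constructed samples below."""
    qid, packet = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (server, 53))
        data, _ = sock.recvfrom(4096)
    parsed = parse_response(data)
    if parsed["id"] != qid:
        raise ValueError("transaction ID mismatch: possible spoofed reply")
    return parsed


def sample_response(qid, rcode, addresses, name="probe." + PROBE_ZONE):
    """Constructed reply (for offline testing) that echoes the question and answers
    with `addresses`; answer names use a pointer (0xC00C) to the question name."""
    _, query = build_query(name, qid)
    header = struct.pack("!HHHHHH", qid, 0x8180 | rcode, 1, len(addresses), 0, 0)  # QR, RD, RA
    answers = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton(a)
                       for a in addresses)
    return header + query[12:] + answers


# Constructed samples: an honest NXDOMAIN and one rewritten to a TEST-NET-1 address.
HONEST = parse_response(sample_response(0x1234, NXDOMAIN, []))
HIJACKED = parse_response(sample_response(0x1234, 0, ["192.0.2.10"]))

if __name__ == "__main__":
    label = "".join(random.choice("abcdefghijklmnopqrstuvwxyz") for _ in range(12))
    probe = "%s.%s" % (label, PROBE_ZONE)
    for server in sys.argv[1:] or REFERENCE_RESOLVERS:  # pass your own resolver's IP
        try:
            reply = resolve(probe, server)
            print(server, "rcode", reply["rcode"],
                  "REWRITTEN" if nxdomain_hijacked(reply) else "clean", reply["a_records"])
        except (OSError, ValueError) as exc:
            print(server, "error:", exc)
```

Run it with your ISP's resolver address as an argument: a clean resolver answers the random probe with rcode 3 and no addresses, an NXDOMAIN-rewriting one answers rcode 0 with the address of its ad page. To look for a poisoned cache, resolve the same real name through the suspect resolver and through a reference one and pass both results to `answers_disagree()`; a random transaction ID and source port are what the script checks, and they are also what a resolver must use to make the guessing race in a poisoning attack expensive.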

The first step in fortifying DNS is to deploy Domain Name System Security Extensions (DNSSEC). DNSSEC does not monitor or encrypt traffic; it adds digital signatures to DNS records. The zone owner signs the zone, publishes the public key in it, and registers a hash of that key (a DS record) with the parent zone through the registrar, building a chain of trust from the root down. A validating resolver can then verify that every answer it receives was signed by the zone owner and has not been altered in transit or in a cache, so a forged record from a poisoning attack fails validation and is discarded. The registries for the major top-level domains, including .org, accept DS records, and registrars such as GoDaddy let domain owners publish them. Two caveats: DNSSEC protects only users whose resolver validates, and it cannot help when the attacker controls the registrar account, because the DS record itself can then be replaced along with the rest of the delegation.

Configure Your DNS Settings

In practice, the most immediate fix is on your own machine. If your ISP's resolver does not live up to expectations, replace it with a third-party resolver such as OpenDNS, NortonDNS, DNSResolvers or Google Public DNS. Here is how to change the DNS settings of your operating system so that your lookups no longer pass through the ISP's resolver:

For Windows Users:

  • Open the Control Panel.
  • Under "Network and Internet", click "View network status and tasks", then click the name of your active connection (for example "Wireless Network Connection") on the right of the window.
  • In the connection's Status dialog, click "Properties", select "Internet Protocol Version 4 (TCP/IPv4)" and click "Properties" again.
  • Near the bottom of the dialog, select "Use the following DNS server addresses" and enter your alternate resolver's addresses (e.g. 8.8.8.8 and 8.8.4.4 for Google Public DNS, or 205.210.42.205 for DNSResolvers). Click OK; the alternate resolvers are now used for that connection.
  • Windows stores these settings per adapter, so repeat the steps for every other network adapter you use (and for IPv6 if your connection has it).

For Ubuntu Users:


  • In the system menu, click the network icon and choose "Network Connections" (labelled "Edit Connections" in some releases).
  • A dialog with a tab for each connection type appears. To configure a wired connection, open the "Wired" tab and select your connection from the list; for wireless, open the "Wireless" tab and select your network. Then click "Edit".
  • Select the "IPv4 Settings" tab. If the method is "Automatic (DHCP)", change it to "Automatic (DHCP) addresses only" so that your IP address still comes from DHCP but the DNS servers do not.
  • In the "DNS servers" field, enter your resolver addresses separated by commas (e.g. 8.8.8.8, 8.8.4.4 for Google Public DNS) and click "Save". You may be asked for your password to apply the change.
  • Repeat the above steps for every network you wish to modify, then reconnect so the new settings take effect.

After amending your settings, verify that they took effect: on Ubuntu, check the connection details in the network editor (note that /etc/resolv.conf may list only a local forwarder, 127.0.1.1, whose upstream is what you entered); on Windows, "ipconfig /all" lists the DNS servers for each adapter. From then on your lookups bypass the ISP's resolver and its NXDOMAIN rewriting. Be clear, though, about what this does and does not do. A third-party resolver removes the ISP's manipulation and, if that resolver validates DNSSEC, discards forged records. It does not protect you from malware that rewrites the very settings you just changed, from a home router whose DNS settings have been altered, or from an on-path attacker, because queries to UDP port 53 are still sent in the clear and can be intercepted or answered by anyone on the path. Re-check your resolver settings periodically and treat any unexpected change as a sign of compromise.
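As an added check that is not part of the original article, the following Python script reads resolv.conf-style text and reports whether the host is actually using the resolvers you entered, a DHCP-supplied router address, or a local forwarder stub. The intended resolver set and the sample file contents are constructed assumptions; on Windows the equivalent input is the "DNS Servers" lines of "ipconfig /all".

```python
"""Check which resolvers the host really uses after changing the settings.
Added example; not code from the original article."""
import ipaddress

# Assumed: the resolvers you typed into the dialogs above.
INTENDED = {"8.8.8.8", "8.8.4.4"}
# Loopback forwarders Ubuntu writes into resolv.conf: NetworkManager's dnsmasq
# (127.0.1.1) and systemd-resolved (127.0.0.53). The real upstream lives elsewhere.
LOCAL_STUBS = {"127.0.1.1", "127.0.0.53"}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_resolv_conf(text):
    """Return the nameserver addresses in resolv.conf-style text, in lookup order."""
    servers = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].split(";", 1)[0].strip()  # strip comments
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                servers.append(str(ipaddress.ip_address(parts[1])))
            except ValueError:
                continue  # malformed address; skip it
    return servers


def audit_resolvers(servers, intended=INTENDED):
    """Classify the configured resolvers. Returns (status, detail) with status one of
    'ok', 'stub', 'unexpected' or 'none'."""
    if not servers:
        return "none", "no nameserver lines; lookups will fail or default to localhost"
    stubs = [s for s in servers if s in LOCAL_STUBS]
    if stubs:
        return "stub", (stubs[0] + " is a local forwarder; its upstream is what you set "
                        "in the connection editor (or 'resolvectl status' on newer releases)")
    unexpected = [s for s in servers if s not in intended]
    if unexpected:
        lan = [s for s in unexpected if any(ipaddress.ip_address(s) in n for n in RFC1918)]
        if lan:
            hint = "a LAN address, so DHCP is still supplying the router as resolver"
        else:
            hint = "not a resolver you configured; suspect malware or a changed router"
        return "unexpected", ", ".join(unexpected) + ": " + hint
    return "ok", "all configured resolvers are intended: " + ", ".join(servers)


def audit_file(path="/etc/resolv.conf"):
    """Audit the live file; returns the same (status, detail) tuple."""
    with open(path) as handle:
        return audit_resolvers(parse_resolv_conf(handle.read()))


# Constructed samples of what the file looks like after different outcomes.
SAMPLE_OK = "# Generated by NetworkManager\nnameserver 8.8.8.8\nnameserver 8.8.4.4\n"
SAMPLE_DHCP = "search home\nnameserver 192.168.1.1\n"
SAMPLE_STUB = "nameserver 127.0.1.1\nsearch lan\n"

if __name__ == "__main__":
    print(audit_file())
```

Run it after each change and again from a cron job: a result of "unexpected" pointing at a public address you never configured is exactly the symptom of a DNS-changing Trojan or a tampered router, and "unexpected" pointing at 192.168.x.x means the "addresses only" step above was skipped and DHCP is still handing out the router's resolver.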

Ali Qamar

Ali Qamar is an Internet security research enthusiast who enjoys "deep" research to dig out modern discoveries in the security industry. He is the founder and chief editor of SecurityGladiators.com, a source for worldwide security awareness whose mission is to make the internet safer, more secure, more aware and more reliable. Follow Ali on Twitter @AliQammar57