DNS hijacking manipulates the transaction and makes users unaware of the servers that they are using during an internet session. It is a malicious exploit where an user is redirected to a wrong server(s) with the help of a rogue DNS server. DNS Hijacking, also named DNS redirection, is a type of attack where the users are unknowingly redirected to malicious sites. The attackers execute the DNS attack by either installing malware on the user computer or hack DNS communication.
What is DNS?
DNS (Domain Name System) is the address book of the internet. It is what let you connect to websites using their domain names instead of IP (Internet Protocol) addresses. A DNS server returns website’s IP address on receipt of a connection request from end user’s device. It enables connection among the web-connected devices to communicate with websites.
How DNS works?
Type a website address (for example, www.4etsec.com) in the URL (Uniform Resource Locator) bar of a web browser of an internet-connected device. The device will send a query to a DNS server for the IP address of www.4etsec.com. The DNS server informs the device of the IP address. The device records the IP address given by the DNS server and uses it to connect to www.4etsec.com. The most interesting part is that everything happens in the background without your knowledge.
Uses of DNS hijacking –
Pharming: Hackers display unwanted ads to generate revenue. Phishing: Hackers display fake versions of websites to steal data and credentials.
The purpose of performing a DNS attack is quite apparent – to steal money from the victim’s bank account, perform credit card fraud, sell personally identifiable information on the dark web, and other malicious acts.
Types of DNS Hijacking attack –
Local DNS Hijack: By installing Trojan malware on a user’s system, the attacker changes the regional DNS settings and redirects the user to a malicious site.
Router DNS Hijack: Attackers take over a router that has a default password and overwrite DNS settings and redirect users connected to that voucher.
Man-in-the-middle DNS attack: Attackers obstruct communication between a DNS server and user and provide multiple IP addresses pointing to malicious sites.
Rogue DNS Server: Attackers hack the DNS server, change records, and redirect requests to malicious sites.
DNS Spoofing –
A type of attack where the request is redirected from a legitimate website to a malicious website. DNS Spoofing can be achieved by DNS redirection, when an attacker compromises a DNS server to spoof legitimate websites and redirect users to malicious sites.
Cache poisoning –
It is another type of DNS spoofing where, DNS servers, systems and routers cache DNS records. Attackers insert a forged DNS every to poison the DNS cache, having an alternate IP destination for the same domain.
Mitigating DNS attack–
Shut down the DNS resolvers and place the legitimate resolvers behind a firewall with no link to external communication.
Restrict access to a name server by using multi-factor authentication, firewall, physical security, and network security.
Combat cache poisoning using a randomize query ID, random source port, and random alphabet cases.
Don’t run an authoritative name server from the resolver, run them separately.
Patch vulnerabilities immediately as hackers often look for vulnerable DNS servers.
Restrict transfer of zone records as they contain information that is valuable to attackers.
Considering that DNS is a crucial part of web infrastructure and the threats pertinent to DNS attacks, organizations and businesses need to review their DNS servers regularly for DNS threats. They skilled penetration testers who are proficient in intruding and protecting DNS servers. 4ET Cybersecurity Inc., offers IT infrastructure security assessments and testing services that helps customers gauge exactly how their web infrastructures impact their security postures.
