DNS hijacking is a serious cyber threat to businesses. A DNS or Domain Name System is like a phonebook but for the whole internet. Domain names such as google.com and office1.com make it easier for humans to access webpages and the information hosted on them.
When we type a domain name into a web browser, it translates the word into an IP address to load its related internet resources. However, this element, critical to the legitimacy and performance of web-based applications and cloud services, is not completely secure. A vulnerability can quickly lead to hackers stealing credentials, compliance fines, downtime, and loss of customers.
Research suggests that about 800,000 domains remain vulnerable to DNS attacks, with about 70,000 already hijacked. This statistic underscores the critical need for enhanced security measures in domain management.
What is DNS Hijacking?
DNS hijacking (also known as DNS redirection or domain theft) is a cyberattack where a hacker takes control of a domain by exploiting a vulnerability in the domain registrar’s system or stealing the administrator’s login credentials. Once in control of the domain, the threat actor can intercept DNS requests from many different users and redirect them to a malicious IP address.
Whenever a website’s DNS has been compromised, users can unknowingly visit a fake webpage that mimics a legitimate one. This allows cybercriminals to steal sensitive data, including login credentials or credit card numbers. Threat actors can also use the domain to launch other cyberattacks, including DDoS attacks.
How Does DNS Hijacking Work?
DNS hijacking, which can take place in a matter of milliseconds, is a serious threat whenever threat actors compromise a domain. DNS translates human-readable domain names into machine-friendly Internet Protocol (IP) addresses; this is how the name a user types is matched to the right website.
For instance, when you type google.com into a web browser, your device must find the domain’s corresponding IP address to connect to the website. To do that, the computer or mobile device sends a DNS query to a DNS server. Once received, the DNS server looks up the domain name stored in its records and returns the corresponding IP address to your device. Once the IP address is known, your browser automatically connects to the server hosting the website and displays it for you.
DNS hijacking occurs when a threat actor successfully tampers with this process. Whenever this happens, they can redirect users from a legitimate website to a malicious one without their knowledge. Once users start interacting with a hacker’s website, they are at risk of exposure to harmful content, theft of sensitive data, or infection (trojans, malware, and ransomware).
Due to their frequent connection to various public Wi-Fi networks, mobile devices are particularly susceptible to DNS hijacking. For example, attackers can intercept DNS queries and redirect users to phishing pages to steal personal data whenever a smartphone or laptop connects to a compromised Wi-Fi network in public spaces like cafes or airports. This highlights the vulnerability of mobile devices and the need for vigilance.
Many mobile devices lack robust default security configurations, which makes compromising them with malware straightforward. For example, hackers can exploit weak security settings on the router, change the DNS settings on the device or network, and lead users unknowingly into traps set up for data theft or malware installation.
Why Are DNSs Hijacked?
DNS hijacking is prevalent in the criminal world for several reasons:
1. Financial Gain
Phishing Attacks
Hackers often hijack DNS for phishing attacks. They build fake websites mimicking legitimate ones to trick users into sharing their usernames, passwords, and credit card details. This information usually ends up in dark web marketplaces.
Fraudulent Transactions
Criminals also hijack DNS to redirect users to websites built to siphon money from bank accounts. They also do this to enable credit card fraud.
2. Advertising Revenue
Pharming
DNS hijacking is also widespread among “pharmers.” This cyberattack redirects users to unwanted ads, including popups or affiliate links, to generate revenue through clicks or impressions. As this hijacking tactic exploits the users’ trust, the reputational damage can be irreversible.
3. Data Collection
ISP Practices
Internet Service Providers (ISPs) sometimes use DNS hijacking to monitor and collect data on user behavior and serve targeted advertisements. Sometimes, ISPs also redirect users to their own error pages instead of legitimate sites.
4. Exploitation of Vulnerabilities
Hackers often take advantage of weak security configurations in DNS settings, such as outdated software or default passwords on routers. When they successfully compromise these systems, they can change DNS settings and redirect web traffic from every affected device.
5. Misconfigurations
Whenever companies poorly manage DNS records, they quickly become vulnerable to DNS hijacking. Threat actors are known to scan for these misconfigurations and take control of legitimate domains, leading to unauthorized access, data breaches, ransomware attacks, and compliance violations.
6. Censorship and Control
Government Interventions
Unfortunately, several governments around the world also use DNS hijacking as a tool for censorship. In this scenario, they will redirect users to state-approved websites or block access to specific domains altogether. This practice is rampant in countries ruled by dictators or governments with strict internet regulations.
ISP Practices
ISPs also use domain redirection to control users’ DNS queries and to collect user data. Some organizations also use domain hijacking for censorship or redirecting users to alternative websites.
Types of DNS Attacks
There are several types of DNS hijacking attacks:
Local DNS Hijacking
Local hijacking is a type of attack where malware is installed on a user’s computer through social engineering attacks or by visiting a malicious website. Once the malware infects the device, it alters local DNS settings and redirects web traffic.
Unlike other hijacking techniques focusing on controlling routers and servers, local hijacking directly impacts the user’s devices. This tactic isn’t easy to detect with robust security tools, and the user may not even notice that the device has been compromised.
Router DNS Hijacking
Threat actors often target and exploit router vulnerabilities, hijack them, and change DNS configurations for all connected devices.
Man-in-the-Middle Attacks
Man-in-the-middle attacks occur when threat actors intercept communications between the user and the DNS server. This tactic allows attackers to inject false responses, which can have significant consequences.
Rogue DNS Server Attacks
Threat actors sometimes manage to compromise a legitimate DNS server and manipulate DNS records directly. These rogue servers can then create significant security risks and disrupt network operations.
DNS Spoofing
In a DNS spoofing or DNS cache poisoning attack, cybercriminals inject forged DNS responses, carrying guessed query IDs, into a resolver’s cache. Once the false records are in the cache, users are redirected from legitimate websites to malicious ones. For example, when users visit their bank’s website, they may end up at a fake version of the site instead, where attackers harvest login information, passwords, and credit card numbers.
DNS Amplification
DNS amplification occurs when threat actors bounce tiny requests off DNS servers that send back huge responses, while making it look as though those responses should go to their target. It’s like ordering a thousand pizzas and sending them to someone else’s house, but it’s far worse for servers.
DNS Tunneling
DNS tunneling is a hacking technique that hides malware traffic inside normal-looking DNS traffic. Since firewalls usually let DNS traffic through, attackers can use this tactic to sneak in and steal data or control infected computers. It’s like smuggling contraband inside a perfectly normal-looking package.
DNS Reflection
DNS reflection is a lot like DNS amplification, but it works a bit differently. In this instance, the attacker pretends to be the target and requests several DNS servers to send their responses there. Whenever several servers respond simultaneously, it can overwhelm the target.
Domain Generation Algorithms (DGAs)
DGAs are different from other forms of DNS attacks. Hackers and botnets leverage infected devices to generate numerous random-looking new domain names to initiate malware attacks. They also use new domain names to sidestep malware detection tools that block specific static IP addresses associated with malicious activity.
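The two patterns above, data-carrying labels from DNS tunneling and random-looking names from a DGA, both leave traces in resolver query logs. The following is an added example, not code from the original post: it screens constructed log lines (the "client=IP qname=NAME" format and every entry are made up for this illustration) using label length and Shannon entropy, with thresholds that are starting points rather than tuned values.

```python
import math
from collections import Counter

# Added example (not part of the post): heuristic screening of resolver query
# logs for DGA-like domains and DNS-tunneling-like names. The log format
# ("client=IP qname=NAME" per line) and all entries are constructed; the
# thresholds are illustrative starting points, not tuned values.

LOG_LINES = """
client=192.0.2.5 qname=www.example.com
client=192.0.2.5 qname=xk3j9q2lv8pmzt.com
client=192.0.2.9 qname=mfrggzdfmztwq2lknnwg23tpobyxe43uoryhgzlqobqsa.t.example.net
client=192.0.2.7 qname=mail.office1.com
""".strip().splitlines()

def shannon_entropy(text: str) -> float:
    """Bits of entropy per character; random-looking labels score high."""
    counts, n = Counter(text), len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def classify_query(qname: str) -> list:
    """Return the heuristic reasons a query name looks suspicious (maybe none)."""
    labels = qname.rstrip(".").lower().split(".")
    reasons = []
    # Assumption: the registrable domain is the last two labels (this does
    # not handle multi-part public suffixes such as co.uk).
    if len(labels) >= 2:
        sld = labels[-2]
        if len(sld) >= 10 and shannon_entropy(sld) >= 3.5:
            reasons.append("dga-like")
    subdomain = labels[:-2]
    # Tunneling encodes data into the leftmost labels, so they grow very long.
    if any(len(l) >= 30 for l in subdomain) or sum(map(len, subdomain)) >= 50:
        reasons.append("tunneling-like")
    return reasons

def flag_suspicious(lines: list) -> list:
    """Parse log lines and return (client, qname, reasons) for flagged queries."""
    flagged = []
    for line in lines:
        fields = dict(kv.split("=", 1) for kv in line.split())
        reasons = classify_query(fields["qname"])
        if reasons:
            flagged.append((fields["client"], fields["qname"], reasons))
    return flagged

if __name__ == "__main__":
    for client, qname, reasons in flag_suspicious(LOG_LINES):
        print(f"{client}: {qname} -> {', '.join(reasons)}")
```

In production the per-query score would be aggregated per client (for instance, counting NXDOMAIN answers for DGA-like names) before raising an alert.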
Distributed Denial of Service (DDoS) Attack
In a DDoS attack, threat actors will flood the DNS server with an enormous number of requests, often from a botnet. This will overwhelm the server and make it unavailable to legitimate requests. A DDoS attack is usually the culprit whenever a top-level domain goes down.
Cryptojacking
As web3 proliferates, cryptojacking is also accelerating. Cryptojacking occurs when threat actors hijack your computer’s processing power to mine cryptocurrency, stealing computer resources and electricity. Although it’s not a DNS attack per se, it does involve DNS traffic. Cryptojacking malware often communicates with command-and-control servers via DNS queries.
DNS Rebinding
DNS rebinding attacks are sophisticated, as they change how browsers decide what resources they are allowed to access. In this scenario, the hacker gets users to their website and plays some tricks with the DNS to access their local network data. With more companies using automated browsers these days, this has become a critical concern for cloud security.
Examples of DNS Hijacking
DNS hijacking attacks can have serious consequences. Here are two recent examples:
Large Utility Company
In 2024, a significant DNS hijacking incident involved the defacement of a large American utility management company’s web presence. In this security event, the attackers were able to compromise and manipulate the company’s DNS nameservers.
The hijacked IP address hosted a defaced page attributed to a group called Garuda Security. Luckily, a passive monitoring security system detected it quickly, but the company still faced service disruptions and potential reputational damage. The fact that the company’s name was never made public suggests that it was able to manage the security event successfully.
Democratic Coalition (DK)
The Democratic Coalition (DK) is one of the largest opposition parties to the Hungarian government. Last year, their domain name was hijacked, redirecting users to a phishing site mimicking a Microsoft login page.
This incident highlights how threat actors can use DNS hijacking to disrupt political communications or spread misinformation and the potential security risks for users accessing the compromised site.
How To Prevent a DNS Hijacking
There are several steps both users and organizations can take to improve their DNS security and prevent DNS hijacking. We have three categories of the basic mitigation measures:
Mitigation Measures to Prevent Name Server Hijacking
As outlined earlier in this post, cyberattacks target DNS routers and DNS servers, so these must have strong security measures in place to prevent attackers from compromising them and launching attacks on website users.
Below are measures that the IT team can adopt to fortify the security of the website’s name servers:
Install Firewalls Around The DNS Resolver
Every DNS deployment has legitimate resolvers. DNS hijackers attempt to install rogue resolvers in order to compromise the service and intercept the traffic meant for the legitimate ones. To prevent this type of attack, the IT team should place the legitimate resolvers behind a firewall and shut down every resolver that is not required.
Increase Restrictions on Access to Name Servers
Threat actors can come from within your organization. To mitigate the risk of insider threats, security teams should combine physical access controls, multi-factor authentication (MFA), and a reliable firewall to limit access to the organization’s DNS.
Randomize Query IDs and Server Source Ports
To mitigate the risk of cache poisoning, IT teams must randomize the query (transaction) IDs and the source ports their servers use. They should also mix upper and lower case letters in the domain names they query.
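The three randomizations above only help if the resolver refuses any reply that does not reproduce them. Below is an added example, not code from the original post, of the acceptance check a stub resolver performs on a UDP reply: the destination port must equal the randomized source port, the transaction ID must match, and the echoed question must match the query byte for byte, including its randomized letter case. The packet builders and the 192.0.2.x / 198.51.100.x addresses are constructed for this illustration.

```python
import os
import struct

# Added illustration (not the post's code): a minimal stub resolver check that
# accepts a DNS reply only when port, transaction ID and the echoed question
# (including randomized letter case) all match the query that was sent.

def encode_name(name: str) -> bytes:
    """Encode a dotted hostname as DNS wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += struct.pack("B", len(label)) + label.encode("ascii")
    return out + b"\x00"

def decode_name(msg: bytes, offset: int):
    """Decode an uncompressed wire-format name starting at offset."""
    labels = []
    while msg[offset] != 0:
        length = msg[offset]
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels), offset + 1

def randomize_case(name: str) -> str:
    """0x20 encoding: randomize the case of each letter in the queried name."""
    return "".join(c.upper() if os.urandom(1)[0] & 1 else c.lower() for c in name)

def build_query(qname: str, txid: int) -> bytes:
    """Standard A query (recursion desired) with the given transaction ID."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", 1, 1)

def build_response(txid: int, qname: str, ip: str) -> bytes:
    """Minimal A answer for qname; used here only to construct sample replies."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)
    rdata = bytes(int(octet) for octet in ip.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + rdata
    return header + question + answer

def response_is_valid(reply: bytes, reply_dst_port: int,
                      query_src_port: int, txid: int, sent_qname: str) -> bool:
    """A resolver's acceptance test for a UDP reply to an outstanding query."""
    if reply_dst_port != query_src_port:      # must hit the randomized port
        return False
    rid, flags, qdcount = struct.unpack("!HHH", reply[:6])
    if rid != txid or not flags & 0x8000 or qdcount != 1:
        return False
    qname, _ = decode_name(reply, 12)
    # Case-sensitive compare: a sender that never saw the query cannot
    # reproduce the randomized case, so a lower-cased copy is rejected.
    return qname == sent_qname

if __name__ == "__main__":
    txid = int.from_bytes(os.urandom(2), "big")
    port = 49152 + int.from_bytes(os.urandom(2), "big") % 16384
    sent = randomize_case("example.com")
    legit = build_response(txid, sent, "192.0.2.10")            # constructed
    stale = build_response(txid, "example.com", "198.51.100.7")  # constructed
    print(response_is_valid(legit, port, port, txid, sent))   # True
    print(response_is_valid(stale, port, port, txid, sent))   # False
```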
Fix the Known Vulnerabilities Immediately
Threat actors always capitalize on obvious vulnerabilities to initiate DNS attacks. As such, IT teams should regularly examine the DNS for any vulnerabilities and immediately patch them up to prevent attacks.
Avoid Zone Transfers
DNS zone records, or zone files, contain data about the domain’s associated IP addresses and instructions on how to handle them. This data is a prime target for hackers, who often pose as secondary (slave) name servers requesting a zone transfer. Avoid zone transfers at all costs, as a transfer hands over a copy of the server’s zone records.
Implement Domain Name System Security Extensions (DNSSEC)
DNSSEC helps validate the integrity of DNS data. This approach helps ensure that responses are authentic and not tampered with. It also helps prevent both cache poisoning and DNS spoofing attacks.
Regular DNS Audits and Logging
Ensure all DNS activities are logged to monitor for suspicious patterns, especially unauthorized changes. Regular audits are critical to identifying vulnerabilities before they are exploited.
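An audit of that kind can be automated by comparing each DNS snapshot with a known-good baseline. The following is an added example, not tooling from the original post: it diffs two constructed zone snapshots (assumed "name TTL class type value" lines with ';' comments) and raises alerts for the changes that usually signal a hijack, namely delegation to an unknown name server or a host re-pointed at an unknown address.

```python
# Added example (not the post's own tooling): audit a DNS zone snapshot against
# a known-good baseline and raise alerts for the changes that typically signal
# hijacking. Both snapshots below are constructed; the parser assumes a simple
# "name TTL class type value" line format with ';' comments.

BASELINE = """
example.com.      3600 IN NS  ns1.example.com.
example.com.      3600 IN NS  ns2.example.com.
example.com.      300  IN A   192.0.2.10
www.example.com.  300  IN A   192.0.2.10
example.com.      3600 IN MX  10 mail.example.com.
"""

# Constructed "current" snapshot: one NS swapped out and www re-pointed.
CURRENT = """
example.com.      3600 IN NS  ns1.example.com.
example.com.      3600 IN NS  ns.unknown-host.invalid.   ; not ours
example.com.      300  IN A   192.0.2.10
www.example.com.  300  IN A   198.51.100.7
example.com.      3600 IN MX  10 mail.example.com.
"""

def parse_records(snapshot: str) -> set:
    """Parse zone lines into a set of normalized (name, type, value) tuples."""
    records = set()
    for raw in snapshot.splitlines():
        line = raw.split(";", 1)[0].strip()       # drop comments and blanks
        if not line:
            continue
        name, _ttl, _cls, rtype, value = line.split(None, 4)
        records.add((name.lower(), rtype.upper(), value.strip().lower()))
    return records

def audit_zone(baseline: str, current: str,
               trusted_ns: set, trusted_ips: set) -> dict:
    """Diff two snapshots and flag added records that point at unknown hosts."""
    before, after = parse_records(baseline), parse_records(current)
    added, removed = sorted(after - before), sorted(before - after)
    trusted_ns = {n.lower() for n in trusted_ns}
    alerts = []
    for name, rtype, value in added:
        if rtype == "NS" and value not in trusted_ns:
            alerts.append(f"{name} NS delegated to untrusted server {value}")
        elif rtype in ("A", "AAAA") and value not in trusted_ips:
            alerts.append(f"{name} {rtype} now resolves to unknown address {value}")
        elif rtype == "MX":
            alerts.append(f"{name} mail routing changed to {value}")
    return {"added": added, "removed": removed, "alerts": alerts}

if __name__ == "__main__":
    report = audit_zone(BASELINE, CURRENT,
                        {"ns1.example.com.", "ns2.example.com."}, {"192.0.2.10"})
    for alert in report["alerts"]:
        print("ALERT:", alert)
```

Run against the registrar's and the public resolvers' view of the zone on a schedule, a mismatch of this kind is the earliest signal a hijack usually gives.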
Use DNS Filtering
DNS filtering helps block malicious domains and prevents users from accessing harmful websites. This approach helps significantly reduce the risk of malware infections.
Redundancy and Backup
Always have redundant DNS servers ready and ensure regular backups of DNS data. This approach ensures service availability if one server is compromised or goes offline.
Limit Access to Specific Networks
Restrict DNS resolver usage to users on serviced networks to prevent cache poisoning by hackers targeting open resolvers.
Hide Primary DNS Server
Mask the identity of primary DNS servers and limit their visibility. Enterprises that do this help prevent targeted attacks. IT teams are better off using secondary (slave) servers that can only be updated by the primary server.
Response Rate Limiting
Limiting the response rate can help mitigate the risk of DDoS attacks. This is because it throttles the speed at which DNS servers respond to queries from a single IP address.
Automation and Scripting
Mitigating the risk of human error is always critical to reducing the organization’s cybersecurity risk exposure. Automation makes this possible. Automating as much as possible ensures consistent security configurations across all DNS servers.
Mitigation Measures for End-Users
Although DNS hijackers have historically advertised products to hijacked traffic, they are more likely to target user data and credentials today.
As such, website users can prevent hijacking by doing the following:
Always Access the Web Through A VPN
A Virtual Private Network (VPN) is a security solution that encrypts internet traffic and directs it through a secure tunnel, making it difficult for attackers to intercept the user’s DNS queries. Only use a VPN with a built-in kill switch, which automatically disconnects from the internet if the VPN connection drops. This prevents exposure to unencrypted traffic.
Regularly Clear DNS Cache
Clearing your DNS cache can help prevent attacks that use DNS cache poisoning.
Be Cautious of Unsolicited Emails and Links
Don’t click on links in emails or websites that you don’t trust, as they may lead to malicious sites. Verify the domain details before clicking on a link from an organization you trust. As threat actors mimic authoritative websites, always practicing caution is important.
For instance, check the website’s URL to ensure it is legitimate; if a letter is missing, it’s a fake site. Keep an eye out for the padlock icon in the address bar, which shows the site uses HTTPS encryption, before entering sensitive information.
Keep Antivirus Software Up to Date
Antivirus software can help detect and remove malware that may be used to carry out DNS hijacking attacks.
Frequently Change Account Passwords
Following cybersecurity best practices is a must. Frequently change your passwords, especially for sensitive accounts, to reduce the risk of a malicious attacker gaining access to your accounts. Never use the same password on another platform.
Change Router Passwords
Updating router passwords from default settings is critical to prevent unauthorized access. Plenty of resources are available online if you don’t know how to do this.
Mitigation Measures for Website Owners
IT professionals, especially security teams, play a pivotal role in ensuring robust cybersecurity and preventing DNS hijacking in any organization. Their expertise and vigilance are crucial.
If your company uses an established Domain Name Registrar, they can take the following steps:
Implement Network Segmentation
It’s important to divide the network into multiple segments to limit or prevent lateral movement. This approach helps stop the spread of an attack during an active data breach and reduces the overall impact of DNS hijacking.
Use Multi-Factor Authentication (MFA)
MFA is a highly effective tool that significantly reduces the risk of unauthorized access. It’s also far superior to two-factor authentication. Organizations can enhance their security posture by requiring MFA for all critical accounts, including those related to DNS management.
Ensure Secure Access
Only authorized individuals within the IT team should have DNS access. This can be just an individual or limited to a handful of team members. Whoever has access should always use MFA when accessing the domain name server registrar. This security measure will mitigate the risk of DNS hacking. If possible, only a few whitelisted IP addresses should be able to access the domain name registrar.
Client Lock
Work with a DNS registrar that offers client locks. A client lock disables changes to DNS records unless the request comes from a specific IP address.
Use HTTPS
HTTPS encrypts web traffic, making it considerably more difficult for attackers to intercept various DNS queries.
Use Private DNS Servers
Use private DNS servers that only allow requests from trusted sources whenever possible, reducing exposure to potential threats.
Use a Reputable DNS Service
When it comes to DNS services, reputation matters. Partner with a service provider with a proven security and reliability track record. As stated earlier in this article, use a DNS service with DNSSEC. If your DNS registrar offers DNSSEC, enable it to add a layer of protection that makes it challenging for attackers to intercept and redirect traffic from your website to a fake site.
Don’t Let Your DNS Be Compromised
DNS hijacking has been around as long as the internet. If your website is vulnerable, you can bet it will be compromised by a DNS attack sooner rather than later. Although organizations and security professionals make considerable efforts to avert DNS spoofing and redirecting of traffic, threat actors keep finding new ways to compromise websites, access an organization’s network and user devices, compromise data, and steal credentials.
Organizations that take a proactive approach to cybersecurity have an opportunity to stay ahead of threat actors. IT teams must be alert, always on the lookout for vulnerabilities that attackers may take advantage of, and patch them promptly.
If your organization doesn’t have an in-house IT team, you may want to consider outsourcing your IT services to a reliable managed security services provider. By conducting a cybersecurity assessment and following the measures outlined in this post, you will detect malicious activity on your website and implement the appropriate steps to stop or prevent DNS hijacking and improve the organization’s network security.