What Is DNS Hijacking And How To Stop It

What Is DNS Hijacking And How To Stop It

Updated: 08-31-2021

A Domain Name System (DNS) translates human-readable domains to numerical Internet Protocol (IP) addresses. For instance, when you type in a hostname such as www.example.com, the DNS converts this information into a machine-friendly address, an IP address used to locate the webpage.

For this reason, you don't need to memorize complicated numeric IPv4 or IPv6 addresses used by browsers to serve web content.

IPv4 is the fourth IP protocol version that consists of four segments, e.g.,

On the other hand, IPv6 is the latest IP protocol version split into eight segments and written in hexadecimal, e.g., a8:c0:00:00:00:00:01:01. As you can see, it's really difficult to cram all those characters, especially when it comes to IPv6 addresses.

Without the DNS system in place, you would need to memorize or write down the IP address to find a specific website. The DNS system simplifies this process and converts your specified domain name to computer-readable numerical addresses.

This system consists of the DNS recursor, root name server, top-level domain server, and authoritative name server that work together to automate directory inquiry and locate your specified domain.

DNS resolvers communicate with the top-level domain and root servers and send a response from the destination back to you. Everything happens in the background, and you can't know if you're connected to a legitimate or malicious site. As a result, it's really difficult to tell if you're a victim of DNS hijacking.

DNS hijacking or redirection is an attack where a cyber-criminal hijacks DNS traffic by subverting DNS queries and overwhelming server resources. This makes the server so busy that it can't handle legitimate requests and, as a result, redirects users to malicious sites.

Attackers achieve this by installing malware on user's computers, hacking DNS communication or routers.

Given that you don't manage your own DNS system, an attacker can hijack or poison the DNS server you're using without your knowledge. If an attacker successfully hijacks your DNS, they can intercept your web traffic and gain access to personal information.

In this article, you'll learn more about:

  • Definition of DNS hijacking.
  • How DNS hijacking works.
  • Why DNS hijacking occurs.
  • Types of DNS attacks.
  • How to stop DNS attacks.

And more!

What's DNS Hijacking/Redirection Attack?

A DNS hijacking attack targets a vulnerable DNS infrastructure and redirects website users to an alternative destination. The alternative destination is often the attacker's website disguised as the legitimate website the user intended to visit in the first place.

When a cybercriminal hijacks an internet user's DNS traffic, the compromised DNS server will return a fake IP address.

When users input their login or personal information into the illegitimate website, they receive a 'website failed to load' error. They will then redirected to the legitimate website.

The goal is to acquire sensitive information from the victim for malicious gains. For instance, if you try accessing www.example.com and there's a DNS redirection attack, you'll be sent to a malicious website disguised as the legitimate website.

Even though the request is sent from your device to the appropriate DNS resolver, attackers incorrectly resolve the DNS and convert the legitimate IP address into an illegitimate IP address.

How Is DNS Hijacked?

Computers use the DNS to map hostnames to IP addresses. Given that most users depend on the DNS servers assigned by their ISPs, they would have no clue if they're using a rogue DNS server.

When you open the browser and type in a domain name, a DNS query will be made from the browser to a DNS server used by your ISP.

Alternatively, if you've visited the website before, the DNS query will not be necessary because the DNS query is stored in the browser's cache.

The exchange of query and response between the browser and DNS server is often unencrypted. This is where attackers can exploit the system by intercepting the queries and redirecting users. 

For instance, suppose you've registered your site with a third-party entity or internet registrar that manages your DNS. In that case, an attacker can hijack and compromise the DNS then replace your IP address with their own IP address.

When attackers interfere with the authoritative nameserver and change the IP address, your web visitors will be redirected to the fake site and not yours. The fake site might be an exact clone of the legitimate server, but vital information, such as login credentials, will be sent to the attackers.

Your web visitors will have no clue the DNS server has been compromised, but the attack could damage your site's reputation later on. Attackers can hijack the DNS system in several ways.

Here are some common methods attackers use to hijack the DNS system.

Installing Malware Into a DNS Server

DNS attacks normally occur outside a controlled network environment, but they can also occur inside the user's network. This happens when an attacker installs malware on a local computer and changes the DNS server that the client uses.

For this reason, the client's machine domain names are resolved to the attacker's preferred IP address.

Attackers can also install malware into a DNS server and poison the device's DNS lookups such that they change the machine's hosts files.

Hosts files are responsible for web development and Virtual Machine (VM) software. Attackers modify the hosts file to specify custom IP addresses for any domain name using the DNS server. 

Trojan is the most common malware used for DNS hijacking.

On the other hand, DNSchanger malware changes the DNS system settings without the victim's knowledge. After successfully infecting a victim's device, it redirects web requests to a foreign DNS server set up by the attacker. 

Rootkits modify and intercept OS modules such that when attackers want to perform unauthorized functionality in the system, it gives them a backdoor and keeps their actions unnoticed. Rootkits can also modify and register system activity as desired by the attacker.

There are three types of rootkits:

  • Hypervisor – Runs on the firmware level and cannot be detected by a rootkit software running in other layers.
  • Kernelmode – Alters kernel mode functions and consists of the bootkit variant that can attack the bootloader.
  • Usermode – Changes the behavior of called functions and carried by infection vectors such as spam campaigns and exploit kits.

Using DNS Amplification Attacks

A DNS amplification attack is a form of Distributed Denial Of Service (DDoS) relying on publicly accessible open DNS servers to flood a user's system with web requests. The attacker first sends a DNS name lookup request that opens a DNS server with the source address being the target's address. As a result, the DNS server sends the DNS record response to the target.

To maximize amplification attacks, attackers will send multiple zone information requests simultaneously.

In a DNS environment, a zone is basically a space allocated for a specific server.

The attackers use spoofed queries to receive all the DNS zone information in a single request. The more the spoofed queries, the more the attacker floods the DNS server with DNS response traffic with little effort.

The DNS server responds to each request because it assumes that the requests are originating from valid servers. It's difficult to stop or prevent DNS amplification attacks unless the DNS servers use Response Rate Limiting to restrict the amount of traffic caused by the DDoS attack.

By Redirecting Web and Email Traffic

Attackers can replace the TCP/IP configuration and redirect web traffic to their own server. As a result, they can access all the information stored in the database and monitor all activities performed on the machine.

This can happen regardless of whether users entered the correct URL on the web browser; they would still be redirected to the attacker's malicious website.

For instance, if you type in Twiter.com while you intended to go to Twitter.com, two things may happen:

Instead of your browser indicating Site Can't Be Reached, you'll be redirected to another fake version of the site that may be full of ads.


You'll be redirected to a site that requests ransom to avoid releasing your hijacked data to the general public.

DNS Cache Poisoning and Spoof

If attackers fail to compromise the DNS registrar A-Records, they can use cache poisoning to hijack the DNS.

A-Records map a domain name to the IPv4 address of the computer that hosts the domain.

Given that the actual address of a legitimate site is in the DNS registrar A-records, attackers can introduce a rogue DNS server between the user's computer and the legitimate site to redirect traffic to their own servers.

The attackers can then use DNS caches or lookup servers to redirect the user from the actual address to a fake one.

ISPs and governments use this option when users try to access banned websites due to censorship or geographical restrictions. They redirect traffic to fake websites to collect data, serve ads or control the user's browsing activities.

Why Is DNS Hijacked?

An attacker can hijack a DNS to perform pharming or phishing.

Pharming involves manipulating internet traffic by changing the host file or exploiting DNS server vulnerabilities on a victim's computer to steal confidential information.

Marketers mostly use it to display unwanted ads on the victim's browser.

Pharming is performed at the server level and does not use any fake links to dupe victims into providing their personal information. It can misdirect users to a fake website filled with advertisements to help the web administrator generate revenue.

On the other hand, phishing is done by scammers who pose as a trustworthy entity to lure individuals into providing sensitive Personally Identifiable Information (PII) such as credit card numbers, usernames, passwords, etc.

For example, users may access a website pretending to be a banking site and then provide their online banking information, unaware that the website is fake.

As a result, the attacker will have access to the user's information, which will then be used to log in to the victim's account.

Internet Service Providers (ISPs) can also conduct DNS hijacking by overriding a computer's TCP/IP configuration and taking over users' DNS requests.

The ISPs then redirect users' internet traffic to websites that collect data, show ads, and other purposes. This usually occurs when users try to access non-existent websites.

Usually, when you type in a non-existent domain name on the web browser, you'll receive a NXDOMAIN response displaying an error. An NXDOMAIN response is a message received when you search for a domain, and the DNS can't match it to an IP address.

However, when an ISP hijacks a DNS, you'll be redirected to a fake IP address that belongs to the ISP.

Some governments conduct DNS hijacking by redirecting users' traffic to a government-run site. This happens in countries with internet censorship and those that prohibit certain sites, such as pornographic websites.

Attackers employ DNS hijacking mainly to redirect users to fake websites and eventually steal their login information and personal data.  

Different Types of DNS Hijacking Attacks

Here are some of the most common types of DNS hijacking attacks and how they occur.

Local DNS Hijacking

Local DNS hijacking is when an attacker uses a Trojan to change the DNS settings of the user's computer. For instance, if you're using Windows Operating System (OS), you can modify the DNS settings to a preferred DNS server. Cybercriminals exploit this and change the DNS settings such that every web request made points to their malicious server.

Man-in-the-Middle (MITM) Attacks

In this type of attack, an attacker places a controlled system in-between the user and DNS server to intercept, read, or manipulate the data traffic between them.

The attacker attempts to overturn SSL/TLS encryptions to redirect data flow between the client and the server. If successful, the hacker can view, record or manipulate the data traffic in its entirety.

However, many DNS requests lack SSL/TLS encryptions; as a result, attackers can easily manipulate web requests and map them to an IP address of their choice. As a result, the ISP's original DNS server never receives the client's web request.

Router Hijacking

A router is a hardware device that forwards data packets from a local network to the internet and allows multiple devices to connect to the same network.

Attackers take advantage of the fact that some users don't change their routers' login credentials.

In most cases, users stick to the original username and password configured by the hardware manufacturer. Not changing the original login credentials of a router creates a vulnerable entry point for malicious people to manipulate the router.

As a result, attackers hijack a router by using the standard login details from the manufacturer. When logged in, they breach the user's network router, modify DNS settings and change the lookup server addresses.

They then change the domain names of every user connected to the router and redirect the domain names to their preferred IP addresses.

This is done by controlling the DNS name resolution, which translates a web address to a numerical IP address. After that, all website requests of every user connected to the router will be transferred to a malicious site controlled by attackers.

Rogue Hijacking

Attackers can modify DNS resolvers to point to different IP addresses. A DNS resolver changes domain names into IP addresses when a client submits a request through the browser or any other application.

This type of attack is difficult to execute because it can't be controlled at the device level. For the attack to be successful, the attacker must hijack the ISP name server by changing select entries in the server.

If an attacker successfully gains access to the DNS using this method, all the users of the given DNS server will be affected. Users who submit any web request to the hijacked DNS server will be redirected to a fake website. 

Methods of Mitigation

There are three types of mitigation methods to improve DNS security and prevent DNS hijacking, as listed below.

Shut Down Unnecessary Resolvers

Legitimate DNS resolvers should be secured with a firewall. This prevents attackers from installing fake resolvers in the DNS server and compromising legitimate resolvers.

Secure the Name Server

This can be done by employing security measures, such as ensuring a physical security system, a reliable firewall, and multi-factor authentication.

Prevent Cache Poisoning

This involves randomizing the server source ports and query ID and changing the domain name structure from uppercase to lowercase and vice versa.

Server-Related Measures

Use different servers for the authoritative name server and the DNS resolver. If a DDoS attack occurs, only one component will be affected while the other component remains stable.

Examine the DNS server for any vulnerabilities and fix them regularly to prevent DNS hijacking.

Restrict zone transfers. By doing this, attackers can't use the slave servers to access the partial copy of DNS server records.

A slave server usually maintains a copy of the data for a specific zone, an activity delegated by a master server.

Recommended Mitigation Methods For End-Users

End users should regularly change their router passwords and avoid using the username and password configured on the hardware by the router manufacturer.

However, please note that these are credentials used to log in to the router and make changes to the DNS settings. They are not the same as the Wi-Fi access credentials.

Updating the router firmware equally helps resolve security vulnerabilities and improve security. Given that users are usually unaware when the DNS has been compromised, attackers can exploit vulnerabilities within the router's firmware and send their victim's DNS requests to a fake site.

Avoid public Wi-Fi networks when logging in to sites that require credentials.

Confirm the URL of the site after it loads. If it's the same site you intended to visit, chances are it is legitimate.

But if the URL is different or unfamiliar, close the browser immediately and check for DNS vulnerabilities or leaks.

Ensure the website has a valid Secure Sockets Layer (SSL) certificate represented by a lock icon on the browser's address bar. An SSL certificate is a digital certificate that indicates a website is secure and encrypted.

Do not input private data into a web form or a website with no SSL certificate. This is because most phishing sites do not have a valid SSL certificate.

It is also advisable to install antivirus software that can easily detect malware.

Avoid opening email attachments from unknown sources and clicking on suspicious links or pop-ups.

Use an alternative DNS service such as Cisco OpenDNS or Google Public DNS.

Use a VPN from a premium provider when browsing the internet. A VPN creates a secure tunnel for all your traffic, bypasses the router's settings, and uses its own DNS resolvers to perform DNS requests. VPNs also block traffic from going to DNS servers provided by ISPs or those under government surveillance.

Recommended Mitigation Methods for Website Administrators

If you own a website, consider the following mitigation methods:

Use multi-factor authentication to access the DNS registrar and whitelist IP addresses that can access DNS settings.

Change the client lock from the DNS registrar settings and prevent DNS records changes from unauthorized persons unless from a whitelisted IP address.

Implement Domain Name System Security Extensions (DNSSEC) on all devices. DNSSEC is a security standard used to secure information provided by the DNS. It provides cryptographic authentication that prevents the redirection of web requests to rogue websites. Afterward, you can monitor traffic on every website and check for vulnerabilities.

Register your domain zone such that DNS resolvers can verify the authenticity of DNS responses. Use a service with multiple secure DNS proxies to prevent DNS hijacking, DDoS attacks, and cache poisoning.

Change the default DNS server, which is the global DNS service provided by your local ISP. You can use third-party services such as OpenDNS and Google DNS to route your DNS traffic, completely bypassing your ISP. A good DNS server can automatically filter out suspicious web traffic sent from fraudulent websites.

However, you should only use credible services for DNS routing.

Only trusted members of the IT team should have multi-factor authentication and access to the DNS registrar.

Signs That Your DNS Has Been Hijacked

Common signs of a hijacked DNS include:

  • Web pages may load slower than usual because the attacker has redirected web traffic to his own server or cloned website.
  • When you notice an unfamiliar web URL different from the original URL of the site you intended to visit.

DNS hijacking can negatively impact a business that depends on the internet to make sales. At the individual level, it can also leak users' credentials to hackers, which can, in return, be used to execute various cybercrimes.

There's no foolproof solution when it comes to preventing DNS hijacking. For this reason, it is always advisable to keep your website safe from DNS hijacking by looking for vulnerabilities that attackers may take advantage of and patching them up immediately. Implement the mitigation methods discussed in this blog post to prevent or stop DNS hijacking.

Leave a Reply

Your email address will not be published. Required fields are marked *

32 comments on “What Is DNS Hijacking And How To Stop It”

  1. I loved even more than you will get done right here. The picture is nice, and your writing is stylish, but you seem to be rushing through it, and I think you should give it again soon. I'll probably do that again and again if you protect this walk.

  2. I had a great time with that, too. Despite the high quality of the visuals and the prose, you find yourself eagerly anticipating what happens next. If you decide to defend this walk, it will basically be the same every time.

  3. In addition, I had a wonderful time with that. In spite of the fact that both the narration and the images are of a very high level, you realise that you are anxiously expecting what will happen next. Regardless of whether you choose to defend this stroll or not, it will be essentially the same every time.

  4. of course like your website but you have to check the spelling on several of your posts A number of them are rife with spelling issues and I in finding it very troublesome to inform the reality on the other hand I will certainly come back again

  5. Instagram'da, takipçi, beğeni ve izlenme gibi hizmetleri sunan takiple.com.tr, kullanıcıların hesaplarını güçlendirmelerine ve platformdaki etkileşimlerini artırmalarına olanak tanır.

  6. I am not sure where youre getting your info but good topic I needs to spend some time learning much more or understanding more Thanks for magnificent info I was looking for this information for my mission

  7. you are in reality a good webmaster The website loading velocity is amazing It sort of feels that youre doing any distinctive trick Also The contents are masterwork you have done a fantastic job in this topic

  8. Its like you read my mind You appear to know a lot about this like you wrote the book in it or something I think that you could do with some pics to drive the message home a little bit but instead of that this is fantastic blog An excellent read I will certainly be back

  9. ラブドール 熟女 ご挨拶!私はこれがちょっとオフトピックであることを知っていますが、コメントフォーム用のキャプチャプラグインをどこで見つけることができるか知っているかどうか疑問に思っていましたか?どうもありがとう!