DNS Hijacking

DNS Hijacking is an attack where a computer is prevented from getting reliable DNS info by subverting its DNS queries.

There are many ways in which these queries can be subverted.

  • Malware directly affecting computer's network communications
  • Malware which changes computer's DNS settings
  • Changing a router's DNS settings
  • Changing an IP address in the cached DNS responses
  • Using a hacked or rogue DNS server

DNS Hijacking gives an attacker control over all IP addresses which the computer uses. They decide what sites the user gets when a URL is entered in the browser. They can redirect the request to a malicious website, serve pages with ads, or censor requests for certain content. If nothing else, they can collect data about the URLs which the user is requesting. In the worst cases, DNS Hijacking can subvert security measures based on the domain name (like Content Security Policies same-origin rules) or enable Man-in-the-Middle Attacks.


Corporate DNS Hijacking

DNS hijacking is not just performed by attackers. Unfortunately, it is regularly performed by major ISPs, including Comcast, Time Warner, Verizon, Cablevision, Cox, RCN, Rogers, Charter, and others. It is a terrible practice which is against Internet regulations, but is still done all the same. By default, all domain requests are sent to an ISP's DNS server. The ISP knows exactly which sites subscribers visit and collect statistics on this information. (If a subscriber goes shopping for a new ISP, they know about it.) Besides the privacy issues, there are technical and security issues as well. Requests for domains which should return an error, return ISP-provided pages instead. These pages are may show friendly error pages, but also frequently serve advertising. It has been reported that the lack of errors can trigger some software into believing it is currently in a secure environment when it is not. ISP DNS Hijacking can often be disabled in the router configuration or in other subscriber settings.


DNS Hijacking Preventions

The best defense against DNS Hijacking is DNSSEC. DNSSEC (short for "Domain Name System Security Extensions") adds digital signatures to all steps in the DNS lookup. Digital signatures can be used to validate that the data is the expected data. It is similar to verifying the CA-signed certificates used for HTTPS. DNSSEC is highly technical to understand, but not difficult to set up. A domain owner simply has to generate a public key and upload them to their domain registrar. The registrar will do the signing and publication necessary to set up the rest.

A user can also choose a custom DNS server. This can be a DNS server run by the organization, or a public DNS such as Cisco's OpenDNS or Google's Public DNS. This may require also disabling ISP DNS Hijacking if it is user-configurable.

Because most DNS Hijacking is the result of malware, the preventions against malware, such as anti-virus software, are important protections.

Fork me on GitHub