DNS Hijacking

DNS Hijacking, also known as DNS redirection, is a form of hacking that overrides a computer’s TCP/IP settings to point to a rogue DNS server, consequently invalidating the default DNS setting. What this means: if you registered your domain name to be www.mydomain.com, a malicious attacker could hijack the domain to point to another DNS server. If this happens, the

Bo Si ChuaBy: Bo Si Chua, Dec 15, 2017
TwitterFacebookLinkedIn

DNS Hijacking, also known as DNS redirection, is a form of hacking that overrides a computer’s TCP/IP settings to point to a rogue DNS server, consequently invalidating the default DNS setting. What this means: if you registered your domain name to be www.mydomain.com, a malicious attacker could hijack the domain to point to another DNS server. If this happens, the victim could be browsing a “fake” www.mydomain.com,allowing the attacker to obtain sensitive information via phishing.

In order to understand how DNS Hijacking works and how to protect yourself against it, you should first understand how DNS works on a deeper level. A server is identifiable via an IP address, and websites are usually accessible via port 80 and port 443 (http/https). It would not be practical if a user were to type in the full IP address such as https://xxx.xxx.xxx.xxx to browse a page that is publicly available. This is where DNS comes in. DNS is responsible for mapping these hard-to-remember IP addresses into user-friendly names. For example, instead of typing https://xxx.xxx.xxx.xxx, you could just type in https://www.easytoremember.com, if xxx.xxx.xxx.xxx is mapped to the easytoremember domain name.

 

DNS servers are typically owned either by your internet service provider (ISP) or private businesses. So how do you protect against DNS hijacking? There are two main ways to do so:

  1. Perform periodic malware checks on your computer to ensure that malware programs such as trojan horses are cleaned out. These trojan houses usually attach themselves onto freewares such as YouTube Downloaders, video and audio codecs and other free utility programs. One example of such malware would be DNSChanger. The DNSChanger trojan could override the system’s DNS configuration and point them to rogue name servers.
  2. Change your router’s default password to a secure one. By doing so, you can ensure that the attacker cannot modify your router settings to point to a rogue name server address.
  3. Perform regular patching and firmware upgrades of your router.

Lastly, if you suspect that you are already infected, you could perform the following:

  1. Delete the contents in your HOSTS file
  2. Flush your DNS Cache by the following command: “ipconfig /flushdns”
  3. Check your router’s DNS and check it against https://forms.fbi.gov/check-to-see-if-your-computer-is-using-rogue-DNS

References:

http://resources.infosecinstitute.com/stop-dns-hijacking/#gref

https://www.avg.com/en/signal/what-is-dns-hijacking

http://www.thewindowsclub.com/what-is-dns-hijacking-prevention

https://forms.fbi.gov/check-to-see-if-your-computer-is-using-rogue-DNS

https://www.gohacking.com/dns-hijacking/

Bo Si Chua
By: Bo Si Chua, Dec 15, 2017

Head of Vulnerability Assessment and Penetration Testing (VAPT)

TwitterFacebookLinkedIn