DNS hijacking is one of many ways that scammers and hackers direct unassuming users to malicious websites.
There has been a reported increase in this sort of attack globally since 2019, so understanding exactly how these attacks play out is more important than ever.
Don't know what DNS is?
If you are new to the concept of DNS or just want more information about how it is used, then head over to our "what is DNS" guide.
What is DNS Hijacking?
DNS hijacking occurs when a request made to a given DNS server leads to a user being redirected to a site that contains malware – in other words, the communication procedure has been hijacked.
These sites sometimes look like the site the user actually intended to visit, maintaining the illusion that the page is legitimate and that any information the user subsequently enters will be safe. In this case, the scammer is after the usernames, passwords, and credit card details that victims would have entered on the genuine site being mimicked.
Hackers and scammers may instead be looking to install malware on a user's device so they can extract personal information for financial gain that way. They might, for example, use ransomware in an attempt to intimidate a victim into paying out a cash sum to ensure their personal data isn't made public, deleted or used to commit other crimes.
Another reason some fraudsters engage in DNS hijacking is a revenue-making practice called pharming. Many digital publishers are paid per click by the advertising companies that run ads on their pages. This has turned DNS hijacking into a profitable revenue stream for scammers, who host ads on websites designed solely to rack up visits, which they achieve by rerouting users' traffic against their will.
*data taken from IDC survey of 900 organizations as part of their 2020 Global DNS Report.
Types of DNS Hijacking
Now that we've covered the motives, we can move on to the different methods scammers use to hijack DNS. They vary depending on which part of the process the attacker looks to exploit.
- Local DNS hijacking is initiated by infecting a device with malware and then altering the computer's DNS settings so that the user is automatically redirected to dodgy sites.
- Router hijacking involves taking over a router and reworking its DNS settings. Many router owners expose themselves by forgetting to change their passwords from the default ones provided, and flashing a router with new firmware can also open up potential exploit points.
- 'Man in the Middle' attacks involve exploiting the channel of communication between a device making requests and the DNS server it is sending them to, and responding with fake IP addresses from a fake DNS server. This is a commonly used hijacking technique for pharming.
- Rogue DNS servers come into existence when the DNS server itself is hacked and its internal address book is changed.
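Local hijacking, as described above, shows up as changes to the machine's own resolver settings: an extra nameserver the owner never configured, or a hosts-file line that pins a sensitive hostname to a foreign address. The following Python script is an added example written for this article, not code from the original page or any product it mentions; it audits resolv.conf-style and hosts-file text against an allow-list of expected resolvers and a watch-list of domains that should never be overridden locally. The sample configuration texts, the resolver address 192.0.2.53, and the example-bank.test domain are all constructed for the demonstration.

```python
import ipaddress

# Constructed sample of a resolver configuration (resolv.conf style) in which a
# second, unexpected nameserver has been added alongside the expected one.
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager
search home.lan
nameserver 192.0.2.53
nameserver 198.51.100.7
"""

# Constructed sample hosts file: legitimate localhost lines plus an entry that
# pins a bank's hostname to a foreign address, the classic local hijack.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
::1         localhost
203.0.113.9 online.example-bank.test www.example-bank.test
"""

# Resolvers the owner actually configured (constructed value for the example).
EXPECTED_RESOLVERS = {"192.0.2.53"}

# Hostnames that must never be overridden by a local hosts entry (constructed).
PROTECTED_DOMAINS = {"example-bank.test"}


def parse_nameservers(resolv_conf):
    """Return the nameserver addresses listed in resolv.conf-style text."""
    servers = []
    for line in resolv_conf.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                servers.append(str(ipaddress.ip_address(parts[1])))
            except ValueError:
                servers.append(parts[1])  # keep malformed values so they get reported
    return servers


def parse_hosts(hosts_text):
    """Return (address, hostname) pairs from hosts-file text, one pair per alias."""
    entries = []
    for line in hosts_text.splitlines():
        line = line.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2:
            for host in parts[1:]:
                entries.append((parts[0], host.lower()))
    return entries


def is_protected(hostname, protected=PROTECTED_DOMAINS):
    """True when hostname is a protected domain or a subdomain of one."""
    return any(hostname == d or hostname.endswith("." + d) for d in protected)


def audit_local_dns(resolv_conf, hosts_text, expected_resolvers=EXPECTED_RESOLVERS,
                    protected=PROTECTED_DOMAINS):
    """Return a list of findings; an empty list means nothing suspicious was seen."""
    findings = []
    for ns in parse_nameservers(resolv_conf):
        if ns not in expected_resolvers:
            findings.append(f"unexpected nameserver {ns}")
    for addr, host in parse_hosts(hosts_text):
        if is_protected(host, protected):
            findings.append(f"hosts entry overrides protected name {host} -> {addr}")
    return findings


if __name__ == "__main__":
    # Run against the constructed samples; on a real machine you would read
    # /etc/resolv.conf and /etc/hosts (or the Windows equivalents) instead.
    for finding in audit_local_dns(SAMPLE_RESOLV_CONF, SAMPLE_HOSTS):
        print("SUSPICIOUS:", finding)
```

The allow-list approach is deliberate: rather than trying to recognise every "bad" resolver, the check treats anything other than the resolvers you chose as worth a look, which is the same logic you would apply to the DNS settings page of your router.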
How to prevent DNS hijacking
There are several steps you can take to mitigate the possibility of your DNS getting hijacked. Basic ones include:
- Using up-to-date malware and antivirus services
- Thoroughly checking site URLs
- Changing the default password on your router
- Fixing known vulnerabilities as quickly as possible
- Keeping your router firmware up to date
- Installing a DNS firewall
- Taking extreme care when using public wifi networks
However, if you're really concerned about DNS hijacking, then there are some other steps you can take to decrease the likelihood of it happening.
The first thing you can do is upgrade your system security. Domain Name System Security Extensions (DNSSEC) help create a robust defense against hijacking in the lower levels of the DNS hierarchy. They verify the origins of information as it comes in to ensure it hasn't been tampered with on the way to the device that requested it.
Another would be to restrict (or avoid as much as possible) DNS zone transfers. Zone transfers are one of the ways that domain name databases can be shared, replicated, and instantiated in different DNS servers. Some hackers make requests for this valuable data as it helps them hijack the DNS.
As a last resort you could, if very worried, change your DNS server completely. It's unlikely that the DNS server or servers your ISP uses will have stringent security measures. It's possible to purchase access to a more secure DNS service, but the downside is that a bad decision could leave you stuck with a less secure one.
Can a VPN prevent DNS Hijacking?
One of the best ways to mitigate the possibility of a DNS hijacking is to get yourself a VPN, which stands for 'Virtual Private Network'.
VPNs reroute all of your traffic through an encrypted tunnel to a private server before it reaches the internet, meaning that anyone looking at your traffic will see the IP address of the server rather than your device or network.
When using a VPN, users bypass their own router and internet service provider and send DNS requests through one of the many servers a VPN provider will own or rent.
Top tier VPNs like ExpressVPN and NordVPN will also provide DNS leak protection along with access to their servers. DNS leaks arise from security flaws that sometimes occur after seemingly innocuous tasks such as resetting system preferences are actioned. This can sometimes cause your traffic to be redirected back through your ISP's default server and thus be susceptible to interception.
VPNs have a multitude of other security features to keep you safe as well as benefits such as bypassing geo-restrictions to give you access to content from all around the world, such as Netflix libraries from outside of your region.
Although a more in-depth analysis can be found on our best VPN article, here's a whistlestop tour of our favorites:
- ExpressVPN - A super-fast VPN service with strong encryption and the ability to unblock websites and streaming services.
- NordVPN - An excellent VPN for unblocking major streaming services from around the world.
- CyberGhost VPN - A great value for money VPN with great apps for Android and iOS.
- Surfshark - A cheap service with features to match services with higher prices.
- VyprVPN - A solid all-round VPN and the only VPN we know of that owns and maintains its entire server network.
All of these providers will give you a full refund if you aren't happy after 30 days of using their service, so if you're not completely sure, you can take one – or two – out for a test run.
Will I know immediately if my DNS has been hijacked?
It's not always abundantly clear (unless you've received some sort of aggressive malware). Every malicious actor operates slightly differently, but there are common clues. One major indication (but importantly, not proof) that your DNS may have been hijacked is the appearance of advertisements on pages that don't usually serve you ads. Other, dodgy-looking pop-ups masquerading as security warnings should send alarm bells ringing, as should a sudden drop in loading speed.
If you notice these 'symptoms', proof can be obtained by using a router checker to check for router hijacking, and there are plenty of websites that help identify the DNS the request you're making is going to, such as WhoismyDNS.com.
You can also find evidence of DNS hijacking by using ping commands. Pinging a domain that you know doesn't exist should get you nowhere, but if you're redirected to a site instead, it's almost certain that the DNS has been hijacked.
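The nonexistent-domain test above can be automated so it is repeatable and does not rely on reading ping output by eye. The script below is an added example written for this article, not code from the original page; it asks the resolver for random labels under the reserved .invalid top-level domain (which can never legitimately resolve) and reports "suspect" if any of them comes back with an address. The resolver is passed in as a function so the logic can be exercised offline with constructed honest and rewriting resolvers; the default uses the operating system's resolver via the standard socket module.

```python
import secrets
import socket


def random_probe_name(parent="invalid"):
    """Build a hostname that cannot legitimately exist.

    The .invalid TLD is reserved (RFC 2606) precisely so that it never resolves,
    and the random label defeats any cached answer from an earlier probe.
    """
    return f"probe-{secrets.token_hex(6)}.{parent}"


def system_resolver(name):
    """Resolve with the OS resolver.

    Returns a list of addresses, or None when the resolver gives a negative
    answer (the expected outcome for a name that does not exist).
    """
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(name, None)})
    except socket.gaierror:
        return None


def nxdomain_probe(resolver=system_resolver, attempts=3):
    """Probe the resolver with names that must not exist.

    Returns (verdict, details): verdict is "clean" when every bogus name is
    refused and "suspect" when any of them is answered; details maps each
    answered name to the addresses it was given, so you can see where the
    redirect points.
    """
    answered = {}
    for _ in range(attempts):
        name = random_probe_name()
        answer = resolver(name)
        if answer:  # any address for a .invalid name means the response was rewritten
            answered[name] = answer
    return ("suspect" if answered else "clean", answered)


# Constructed stand-ins for a well-behaved resolver and one that rewrites
# negative answers; they let the check run without network access.
def honest_resolver(name):
    return None


def rewriting_resolver(name):
    return ["203.0.113.50"]


if __name__ == "__main__":
    verdict, details = nxdomain_probe()  # uses the real system resolver
    print("verdict:", verdict)
    for name, addrs in details.items():
        print(f"  {name} -> {', '.join(addrs)}")
```

A "suspect" verdict tells you that something between your device and the authoritative servers is replacing negative answers with an address; the router checker and WhoismyDNS-style lookups mentioned above will help you work out which hop is doing it. Be aware that some ISPs deliberately answer nonexistent names with their own search page, which this probe will also flag, so treat the result as a prompt to investigate rather than a verdict on its own.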
DNS hijacking is just one of many methods of obtaining user information that hackers and scammers have developed since the birth of the internet. There is a plethora of these techniques that apply solely to DNS-related vulnerabilities.
The prevention suggestions discussed in this article are explained in the context of DNS hijacking attacks, but following these tips will greatly enhance your security when it comes to things like DDoS attacks, so they are worth taking seriously – as is getting yourself a VPN.