A Domain Name System (DNS) is essential to all companies that depend on the internet to generate sales—it is a crucial element to the performance and legitimacy of an organization's web-based applications and cloud services.
A loophole in your DNS could translate to the loss of users, access to user credentials by hackers, unavailable content, and user frustration, among other consequences. One of the most common types of DNS server breaches is DNS hijacking or User Redirection Attack, which targets the stability of a network's domain server system.
What is DNS Hijacking?
DNS hijacking, also known as DNS redirection, is a type of cyber attack in which a hacker intercepts DNS requests from a user's computer and redirects them to a different IP address. This can lead to a user unknowingly visiting a fake website that appears to be legitimate, allowing the hacker to steal sensitive information such as login credentials or credit card numbers.
How does DNS Hijacking Work?
Cybercriminals understand that your website's domain name system is a unique, trusted protocol and that many companies don't care to monitor their domains for malevolent activities. For this reason, they may initiate a range of attacks on the organization's Domain Name System, and get away with it.
DNS translates human-friendly URLs into machine-friendly Internet Protocol (IP) addresses. It, therefore, provides internet users with a way to match search queries to relevant websites. Any device that’s connected to the internet has an IP address made up of numbers. The NDS serves a fundamental role of syncing up domain names with the appropriate IP addresses enabling website owners and users to choose memorable domain names while the devices, on the other hand, can use machine-friendly IP addresses.
For example, suppose you run a query by typing www.office1.com into your search engine. In that case, a request will be sent from your computer to the appropriate DNS resolver, which is a computer that searches IP addresses associated with your search query. The DNS resolver is programmed to communicate with high-level domain servers, find a match and send it back to your device.
To execute an attack, the perpetrators incorrectly resolve the DNS to send your users to malicious websites. They achieve this by taking over routers, hacking the Domain Name Server communication, or installing malware on website users’ devices. Once a company’s DNS is successfully hijacked and the users redirected to a fake website, it translates the authorized IP into the illegitimate IP address of the hijacker’s malicious DNS.
Why Are DNSs Hijacked?
A DNS may be hacked for a range of reasons. The hijacker may use it for pharming, which is to display ads to users to generate revenue or phishing, which is directing users to a fake version of your website with the aim of stealing data or login information.
Internet Service Providers (ISP) are also known to use domain redirection to control users’ DNS queries to collect user data. Other organizations use domain hijacking for censorship or redirecting users to alternative websites.
Types of DNS Hijacking Attacks
There are a number of ways in which a DNS hijacking attack can be executed. The four most common types of DNS hijacking attacks are:
1. Router DNS Hijack
The DNS router is a hardware device that domain service providers use to match domain names to their corresponding IP addresses. Most routers come with preset passwords and a host of firmware vulnerabilities. Cybercriminals can take advantage of weak default passwords and the vulnerabilities to take over the router and reconfigure the DNS settings to their benefit. If they successfully overwrite the DNS router, they can easily divert the traffic to another website and jam your company’s website to make it inaccessible.
2. Man-In-The-Middle Attack
This is also called DNS spoofing. In this case, the attacker targets and intercepts the communication between the website’s traffic and the site's DNS alters the DNS settings hence directing the traffic to a malicious IP address.
3. Local DNS hijack
A local DNS attack installs malware on the website user's computer. The malware, usually a trojan malware disguised as legitimate software, gives the cyber thieves access to users' network systems, enabling them to steal data and change DNS settings to direct the users to malicious websites.
4. Rogue DNS Server
In this type of DNS hijacking, the cybercriminal intercepts the DNS server and alters the DNS settings to divert traffic to fake websites.
In a Distributed Denial of Service (DDoS) attack, the attacker floods the DNS server with a large number of requests, overwhelming it and causing it to respond with fake IP addresses.
6. DNS Cache Poisoning
In this type of attack, the attacker injects fake query IDs into the DNS cache, causing the DNS server to return a fake IP address.
7. DNS Spoofing
In DNS spoofing attacks, a request is redirected from a legitimate website to a malicious website. An attacker can compromise a DNS server to redirect users to a malicious website that superficially imitates a legitimate site.
Examples of DNS Hijacking
DNS hijacking attacks can have serious consequences for businesses and organizations. Here are two recent examples:
The SolarWinds Attack
In late 2020, a state-sponsored hacking group carried out a sophisticated attack on the software development process of SolarWinds Orion platform. The attackers were able to insert malicious code into the platform's software updates, which were then distributed to SolarWinds customers via the company's update system. As part of the attack, the hackers were able to gain access to SolarWinds' DNS records and redirect traffic to their own servers, enabling them to carry out their malicious activities undetected.
The SolarWinds attack is considered one of the most significant cyber espionage campaigns in recent history. It highlighted the need for improved DNS security measures, as well as greater awareness and preparedness for cyber threats of this scale and complexity. The attack is estimated to have cost SolarWinds at least $18 million in remediation costs alone, with the wider impact on affected organizations still being assessed.
The CD Projekt Red Attack
In February 2021, the video game company CD Projekt Red suffered a ransomware attack that compromised the company's IT infrastructure. The attackers were able to gain access to the company's internal network and steal sensitive information, including the source code for several of the company's games. As part of the attack, the attackers also hijacked the company's DNS settings, redirecting traffic from the company's websites to a ransom page.
The CD Projekt Red attack highlights the risks associated with DNS hijacking and the importance of implementing robust security measures to prevent such attacks. The attack is estimated to have cost the company millions of dollars in lost revenue and remediation costs, as well as damage to the company's reputation.
Preventing DNS Hijacking
There are numerous precautionary steps you can take to improve your DNS security to prevent DNS hijacking. We have three categories of the basic mitigation measures:
1. Mitigation Measures to Prevent Name Server Hijacking
As outlined earlier in this post, cyber thieves target DNS routers and reconfigure them to redirect traffic to malicious locations on the internet. The DNS name server is a crucial resource that should have strong security measures to prevent attackers from hacking and launching attacks on website users.
Below are elaborate measures that the IT team can take to improve your site's name server's security:
- Install Firewalls Around Your DNS Resolver: Every DNS has resolvers, legitimates resolvers. Attackers may install fake resolvers in the DNS to compromise it and to intercept the legitimate resolvers. To prevent this from happening, have the IT team place the legitimate resolvers behind a firewall, and shut down all non-required DNS resolvers.
- Increase Restrictions on Access to Name Servers: An attacker could be an enemy within your organization. As such, the IT team should ensure a physical security system, multi-factor authentication access, and a reliable firewall to limit access to the organization's DNS.
- Prevent Cache Poisoning: common measures to prevent website cache poisoning include; randomizing user identity, randomizing server source ports, and using both upper and lower cases in your organization’s domain name.
- Fix the Known vulnerabilities, immediately: cybercriminals capitalize on obvious vulnerabilities to initiate attacks on DNS. Have your IT team examine the DNS for any vulnerabilities and immediately patch them up to prevent attacks.
- Avoid Zone Transfers: DNS zone records are delicate files that contain data that is often targeted by attackers. The hackers may pose as slave name servers requesting for a zone transfer, which involves copying server zone records. To prevent this vulnerability, avoid zone transfers.
2. Mitigation Measures for End-Users
Besides advertising products to hijacked traffic, DNS hijackers also target user data and credentials. Website users can prevent hijacking by the following:
Use a VPN: A Virtual Private Network (VPN) encrypts your internet traffic and directs it through a secure tunnel, making it difficult for attackers to intercept your DNS queries.
Clear your DNS cache: Clearing your DNS cache can help prevent attacks that use DNS cache poisoning.
Be wary of unsolicited emails and links: Don't click on links in emails or websites that you don't trust, as they may lead to malicious sites.
Be cautious when entering sensitive data: Always check the website's URL to make sure it's a legitimate site. Look for the padlock icon in the address bar, which indicates that the site is using HTTPS encryption.
- Keep your antivirus software up-to-date: Antivirus software can help detect and remove malware that may be used to carry out DNS hijacking attacks.
Frequently change passwords: It is recommended to frequently change your passwords, especially for sensitive accounts, to reduce the risk of a malicious attacker gaining access to your accounts.
3. Mitigation Measures for Website Owners
If your organization uses a Domain Name Registrar, your IT team can take the following steps to prevent DNS hijacking:
- Ensure Secure Access—DNS access should be limited to only a few members of the IT team, who should have a multi-factor authentication whenever accessing the domain name server registrar. This measure will significantly avoid DNS hacking. If convenient for the IT team, only a few whitelisted Internet Protocol addresses should access the domain name registrar.
Client Lock—To enhance DNS security, some DNS registrars use client locks. The lock disables the option to change DNS records unless the request is made from a particular IP address.
- Use HTTPS: HTTPS encrypts your web traffic, making it more difficult for attackers to intercept your DNS queries.
Use a reputable DNS service: Choose a DNS service that has a good reputation for security and reliability. Public DNS services such as Google Public DNS and OpenDNS are good choices.
Use A Domain Name Service provider with DNSSEC—A DNSSEC uses digital signatures and public keys to verify the validity of DNS requests. If your DNS registrar offers DNSSEC, enable it to add a layer of protection that makes it challenging for attackers to intercept and redirect traffic from your website to a fake site.
Don’t Let Your DNS Be Compromised
DNS hijacking is a reality that happens to vulnerable websites around the world. Despite considerable efforts to avert DNS spoofing and redirecting of traffic, attackers are always finding new cunning ways to access organizations' networks and users' devices, compromising data, and stealing credentials.
To keep your organization’s website safe from DNS hijacking, the IT team must always be on the lookout for vulnerabilities that attackers may take advantage of and patch them up. If your organization doesn't have an in-house IT team, you may want to consider outsourcing your IT services to a reliable managed security services provider. Conducting a cybersecurity assessment and following the measures we have outlined in this post, you will detect malicious activity on your website, and implement the appropriate steps to stop or prevent a DNS hijacking and improving your network security.