What is DNS hijacking? How it reroutes to fake sites

Edward G. | July 24, 2020

DNS hijacking refers to attacks that force DNS queries to resolve incorrectly, with the aim of leading users to fake and malicious websites.

For instance, instead of the legitimate Facebook site, you might end up on a fake version of it.

Some fake sites merely display unwanted ads; others aim to steal credentials and take over accounts. Defending against DNS hijacking therefore means making sure you always reach the website you intended, not a fake version of it.

Recap on Domain Name System (DNS)

DNS (Domain Name System) is the mechanism that translates human-readable domain names into the numeric IP addresses that computers understand. DNS servers are, in effect, distributed directories that perform these lookups.

When you type an address into the browser, a legitimate resolver translates its domain name into the IP address associated with that site.

DNS resolvers work with multiple name servers, each managing a large database of records. A DNS request therefore passes from one DNS server to another until one returns the required IP address.

Because a DNS request passes through several servers rather than travelling in a straight line, DNS hijacking becomes possible: an attacker positioned between those servers can guide the request to the wrong destination in a man-in-the-middle DNS attack.

What is DNS hijacking? 

DNS hijacking reroutes DNS queries to the wrong place. While your ISP's (Internet Service Provider's) resolver is working through the chain of servers, an attacker intercepts the lookup and misdirects it.

Instead of the authentic DNS answer, crooks associate the request with a false IP address. As a result, users reach fake versions of the official websites they wanted to visit.

The consequences of DNS hijacking vary. Some attacks merely show unwanted ads to generate revenue.

Others reroute requests to outright malicious websites. These deceptive destinations pose as legitimate sites by copying their interface elements.

Once reproduced, the copycat site aims to steal users' credentials or deliver malware. Sadly, skilled attackers make these dummy sites convincing duplicates of the legitimate versions, so users might not be able to tell them apart.

Types of DNS hijacking attacks 

DNS hijacking can happen in several different ways:

  • Router DNS hijack means that attackers change the DNS settings at the router level. It usually happens due to router flaws and outdated firmware.
  • Local DNS hijack means that criminals alter the DNS settings of a particular device.
  • A rogue DNS server means that attackers control a DNS server, or have altered its records, so that it answers queries with false addresses.
  • A man-in-the-middle DNS attack means attackers intercept the exchange between the user and the DNS server and substitute their own answers.

Main dangers of DNS hijacking 

Tampering with DNS servers and requests can be highly dangerous. Such attacks usually aim to do the following:

  • Show fake websites and generate revenue from ads.
  • Serve ads that are themselves dangerous.
  • Present fake websites that ask users to log in, so that attackers can harvest the credentials.
  • Use stolen credentials to take over accounts.
  • Harvest other personal information, such as social security numbers.
  • In the case of rogue DNS servers, block access to certain websites or information providers.

Each step of DNS hijacking 

A DNS hijacking attack typically follows a clear sequence:

  • Crooks craft a fake version of a legitimate website.
  • To alter the records held by a DNS provider, the attacker needs login credentials for the provider's admin panel. Hence, before the hijacking itself, attackers first go after the website's operators with other cyberattacks to obtain them.
  • Once they have the login details, the attackers alter the DNS records for the targeted website so that requests are rerouted to the dummy site.
  • Attackers can add further convincing details, such as counterfeit TLS certificates, which may prevent browsers from flagging the site as potentially dangerous.
  • From then on, all traffic intended for the targeted website lands on the imposter site controlled by the crooks.
  • What happens next varies. The site may feature malicious links or ads, or visitors may try to log in, at which point the attackers harvest the credentials they provide.

Previous DNS hijacking incidents 

Experts have reported an alarming wave of DNS hijacking attacks. Based on ongoing investigations and past incidents, the attacks fall into four categories:

Against carefully selected websites 

A group known as Sea Turtle launched a global campaign of successive DNS hijacking attacks. Its target list drew media attention for its high-profile victims, ranging from foreign ministries to intelligence agencies.

However, not all DNS hijacking focuses on government entities. 

Attacks against regular users

Another stream of DNS hijacking attacks targets consumer-grade routers. By faking DNS responses for the official domains of Netflix, Gmail, PayPal, and Uber, attackers go after users' credentials.

Pranks on well-known websites

In 2017, hackers calling themselves OurMine poisoned DNS records and rerouted requests for Wikileaks. Instead of building a dummy Wikileaks, they sent users to a page carrying a message mocking the site's owners.

Malware that changes DNS configurations

Your device might be the victim of a malicious program that overwrites its DNS settings. As a result, you might unknowingly visit imposter sites and see malware-ridden ads.

Detect DNS hijacking 

Here are some ways to check whether your device is affected by DNS hijacking, along with common signs that the DNS in use is not behaving properly.

Using ping command

The ping command offers a quick way to test whether your DNS works correctly: ping a nonexistent domain and see whether your DNS resolves it to an address anyway.

On Windows, open the Command Prompt window; on macOS or Linux, open the Terminal window. Then:

  1. Type in the following command: ping [a made-up website].
  2. A “Cannot resolve” (unknown host) message means your DNS works properly. If the made-up name resolves to an IP address instead, the resolver is answering for names that should not exist.

Signs of DNS hijacking 

DNS hijacking can affect the operation of your device. For example, websites might load slower than usual. 

Furthermore, sites might show an unusual number of ads. Rogue DNS resolution could also bring dangerous pop-ups, such as those claiming your computer has severe problems.

Router checkup 

Some third-party services can check which DNS resolver your requests actually reach. Visit one to confirm that you are using the resolver and server you expect.

Most people use the DNS servers provided by their Internet Service Provider. If you connect through a Virtual Private Network, the situation may differ, as many VPNs run their own DNS servers.

How can you prevent DNS hijacking? 

DNS hijacking targets the backbone of the internet. While past attacks were mostly opportunistic, experts now see a spike in targeted campaigns. Here are the recommendations for countering this threat:

Install strong antivirus tools

DNS hijacking can occur because a malicious application resides on your device. Run regular scans to detect such threats.

Protect against cache poisoning 

Resolvers should send their queries from a random source port. That makes it difficult for attackers to guess which port a forged reply must be sent to, so spoofed packets are far less likely to be accepted.
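As an added example, not code from the original article, the Python below makes two of this page's checks concrete on constructed DNS packets: classify_nonexistent_lookup() applies the made-up-domain ping test from the detection section to a raw DNS response, and accept_response() shows the matching on transaction ID and random source port that a resolver performs before trusting a reply. The domain name, the port number and the address 198.51.100.7 (a documentation range) are invented for the sample.

```python
import struct
NXDOMAIN = 3  # RCODE 3: the queried name does not exist

def build_query(ident, name):
    """Header (ID, RD flag, QDCOUNT=1) followed by an A/IN question for name."""
    labels = b"".join(bytes([len(label)]) + label.encode() for label in name.split("."))
    return struct.pack("!6H", ident, 0x0100, 1, 0, 0, 0) + labels + b"\x00\x00\x01\x00\x01"

def skip_name(msg, off):
    """Advance past a name written as labels or as a 2-byte compression pointer."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length
        if length == 0:
            return off

def answer_addresses(msg):
    """Collect the IPv4 addresses carried in the answer section of a response."""
    qd, an = struct.unpack("!HH", msg[4:8])
    off, addrs = 12, []
    for _ in range(qd):
        off = skip_name(msg, off) + 4      # skip QTYPE + QCLASS
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:      # A record
            addrs.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return addrs

def classify_nonexistent_lookup(msg):
    """The article's ping test: a made-up name must return NXDOMAIN and no addresses."""
    rcode = struct.unpack("!H", msg[2:4])[0] & 0x000F
    return "clean" if rcode == NXDOMAIN and not answer_addresses(msg) else "suspect"

def accept_response(query, query_port, msg, arrival_port):
    """Resolver-side check: a reply only counts if it reaches the random source
    port the query left from, echoes the 16-bit ID and repeats the question."""
    q_end = skip_name(query, 12) + 4
    return (arrival_port == query_port and msg[:2] == query[:2]
            and msg[12:q_end] == query[12:q_end])
# Constructed sample traffic (not captured): a query from a random port, an honest NXDOMAIN reply, a redirecting reply.
QUERY_PORT = 41237
QUERY = build_query(0x1A2B, "made-up-test.invalid")
CLEAN_RESPONSE = struct.pack("!6H", 0x1A2B, 0x8183, 1, 0, 0, 0) + QUERY[12:]
HIJACKED_RESPONSE = (struct.pack("!6H", 0x1A2B, 0x8180, 1, 1, 0, 0) + QUERY[12:]
                     + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes([198, 51, 100, 7]))
```

Note that accept_response() still passes the redirecting reply when it arrives with the right ID on the right port: port randomization only defeats blind guessing from off the path, which is why the other measures on this page still matter against an attacker sitting in the path.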

Change router credentials 

Protect your router settings and network by changing the default password. Some manufacturers publish the default passwords for their routers, so an attacker could get into your router, and change its DNS settings, using those default credentials.

Avoid ads

Malvertising is no joke. Malicious actors tempt consumers with flashy discounts, one-time deals, or click-bait headlines. Clicking such an ad can allow attackers to track you, install malware, or extract personal data.

Be wary of suspicious websites

The golden rule is to avoid rogue websites. DNS hijacking, however, means you must stay vigilant even when visiting legitimate sites: if you notice irregularities on a page you use regularly, be careful.

Update everything 

Keep software and firmware on the latest versions. Updating operating systems and apps is usually easy.

Routers, however, are harder to look after properly. You may need to visit the manufacturer's website to see whether updates have been released.

Flush your DNS cache 

A poisoned DNS cache can keep affecting your system for a long time, so it is worth clearing it manually. On Windows and macOS, this means running a command to flush the DNS cache.

On smartphones, resetting the network settings can have the same effect, and the cache may also be cleared automatically when you toggle airplane mode.

Get a VPN tool

While changing your IP address is the main feature, VPNs also reroute DNS traffic. Even if hackers poison DNS servers, robust VPN protection will keep you immune and prevent them from monitoring your activities.

Edward G.

Cybersecurity Researcher and Publisher at Atlas VPN. My mission is to scan the ever-evolving cybercrime landscape to inform the public about the latest threats.