DNS Hijacking: In-Depth

The most important thing to understand here is the path of the cyber attack – its vector. Let's take a closer look at DNS Hijacking...

Check out my recent articles:

Below you will see not a typical article, but a systematization of knowledge - SoK, in which I will rely on authors that I myself trust in this matter, and at the end I will write my conclusions.

Many thanks to Authors, thank you for your amazing works! Special thanks to: Halborn, Hacken, Efani & Bitcoin.com!


  • For educational purposes only, the Author won't be responsible for any damage done!

I - What is DNS?

DNS is the “address book of the Internet.” It translates human-readable domain names to the IP addresses used by computers for routing network traffic (like 127.0.0.1).

A DNS server hierarchy organizes the DNS infrastructure. Each server in the hierarchy will answer to requests for the IP addresses associated with a specific domain name, allowing a user to find any domain on the Internet using only single top-level DNS server.

Attack Variations

DNS resolution attack on Bitcoin. The attacker poisons DNS cache and modifies the data. When a user queries the server to obtain IP addresses of peers who are accepting connections, he is routed to attacker's network. The attacker can game the user by feeding him fake blocks and transactions.
DNS resolution attack on Bitcoin. The attacker poisons DNS cache and modifies the data. When a user queries the server to obtain IP addresses of peers who are accepting connections, he is routed to attacker's network. The attacker can game the user by feeding him fake blocks and transactions.

According to Halborn, DNS hijacking occurs when the records stored on DNS servers are compromised by an attacker. If an attacker can replace a legitimate DNS record with one containing their IP address, any future DNS lookups will result in the visitor going to the wrong site.

While it's a possible vector, attacking websites with a HTTPS connection is much harder than simply changing the IP. The attacker would need to use self-signed certs which would trigger your browser, or other methods, possibly socially engineering some CA to register a new certificate for the website they are trying to impersonate. Keep this in mind!

With all said, hackers can achieve DNS hijacking in different ways. Judging from the Hacken's article, here are the most popular:

Router DNS Hijack

This DNS hijacking method involves hackers overriding and reconfiguring the DNS settings of a vulnerable DNS router (a hardware device used by domain service providers to link their domain names to equivalent IP addresses) to launch a DNS attack. Afterwards, the attackers would jam the website and redirect traffic to another malicious website, making the website inaccessible to users.

Man-in-the-middle DNS Hijack

This is accomplished by hackers interfering with the communication between a network user and a DNS server in order to obstruct such communication and eventually redirect the user to an unknown destination IP address leading to malicious websites. DNS spoofing is another term for it.

Rogue DNS Hijack

An attacker compromises the DNS server, alters its saved records, and redirects subsequent DNS requests to malicious websites owned by them.

Local DNS Hijack

This DNS hijacking technique is accomplished when a cybercriminal installs Trojan malware on the computer of a website user. This malware is designed to look like legitimate software.

Once activated, it grants hackers access to network systems, allowing attackers to steal data and alter DNS settings to redirect users to fake websites. Sometimes it involves reverse-proxy phishing even - to copy the original website.

Check out:


II - DNS Hijacking for the Mobile Environment

As stated by Efani, Mobile carriers manage their DNS platform to control the user experience, and it produces a lot of data for them:

Keep in mind as well:

DNS makes using the Internet a lot easier to use by not having to remember a website domain rather than IP addresses, and companies can change their IP address if under attack, but threats to DNS include the following;

  • Malware can manipulate the DNS cache on your device

  • Intercept DNS requests between you and the cellular network

  • The DNS platform can also get hacked

  • The hacker can hack the WIFI router you are using as well.

All these methods had used to achieve the same result, to send you to a rogue web asset.

More info:


III - How to defend?

Assume you want to go to Binance, and your DNS request is hijacked and directed to a fake page where you enter your login credentials. While trying to figure out why you can't log in, the hacker has already collected your login information.

Hackers use this to gather login credentials, collect information about your device, and serve malware to hack you in the future - these refer to as Phishing. Or they serve you ads to generate ad revenue; this is called Pharming.

More info on topic:

How can one know if they are being attacked?

  • Pages loading slowly;

  • Ads popping up even where they shouldn't be;

  • Pop-ups convincing the user that their PC is infected with malware (suggest using the one from malwarebytes).

It is also possible to recognize DNS Hijacking with a couple of simple steps:

  • Ping the domain you are trying to visit. If the results show that the IP address does not exist, everything is fine - your DNS has not been hijacked.

  • Check your router settings through the admin page. If the DNS settings have been changed, you can start sounding the alarm.

  • Use the WhoIsMyDNS tool, which will show you the server answering DNS queries for your site. If the DNS presented is unfamiliar to you, you may have already been attacked.

  • Use Registry-Lock status. It protects domains from unwanted changes, transfers and deletions, thereby making it very difficult for hackers.

  • Prevent cache poisoning by randomizing user identity, using randomized query IDs, and using random source ports.

  • Another high priority is to monitor your certificates and the certificates used by all your «hot» domains. A proper certificate monitoring solution (SIEM/DLP/Bandwidth Monitor) would have noticed that a certificate was changed for the webmail portal, alerting you to the unauthorized change. You can still do this manually.

How is DNS hijacking different from DNS spoofing and DNS cache poisoning?

Spoofing, unlike hijacking, does not forcibly disconnect the victim site from the network in order to start an attack. Instead, the hacker changes the DNS information to redirect the user to a malicious website.

Furthermore, by poisoning the DNS cache, the attacker exploits a vulnerability in the DNS configuration/settings. If a server does not check DNS responses (e.g., DNSSEC), it will cache erroneous answers locally and use them to respond to subsequent users who issued the same query.

Thoughts…

Sites such as Whoismydns.com enable web users to check whether they recognize the name and IP of the server they’re connecting to, which will often be your ISP. Beyond that, unfortunately, there is little that the average web user can do, for the onus is on web admins to monitor their site for evidence of BGP leaks…

According to Doug Madory, Despite proposed technical fixes to secure BGP and DNS, it would appear that we presently have no way to completely prevent this from happening again.

However, an idea worth considering comes from Job Snijders of NTT who proposes that major DNS authoritative services offer RPKI for origin validation of their routes. This would enable ASes and IXP route servers to drop invalid routes like the ones used to impersonate Amazon’s DNS a while ago

I am also not asking you to comply with all of the tips from this article, but you must remember the main rule in this particular case:

If we finally want to give people the opportunity to be their own bank, we must realize that in this case, people must be able to replace all those services and actions for which traditional banks get money.

Yes, it seems like it is a veritable minefield over there. Keep the faith. Learn the latest attack techniques, white hat cheat sheets, and defenses.

Only knowledge can defeat criminals’ knowledge. In this intellectual boxing match the most prepared wins, and we want that to be you!


IV - More Info & Resources

Resources:

News:

Research Papers:

BGP Hijacking:

Wi-Fi & Router Security:


Support is very important to me, with it I can do what I love — educating users!

If you want to support my work, you can send me a donation to the address:

Stay safe!

Subscribe to Officer's Blog
Receive the latest updates directly to your inbox.
Mint this entry as an NFT to add it to your collection.
Verification
This entry has been permanently stored onchain and signed by its creator.