What Is DNS Hijacking? How to Detect & Prevent It | Fortinet (2024)

Domain Name Server (DNS) hijacking is a type of DNS attack where an attacker purposefully manipulates how DNS queries are resolved so as to redirect users to malicious websites. Hackers either install malware on user PCs, seize control of routers, or intercept or hack DNS connections to carry out the attack.

DNS hijacking can also be used for phishing or pharming. After hijacking the real site’s DNS, attackers direct users to a fake site where they are invited to enter login credentials or sensitive financial information. Some governments also use DNS hijacking to reroute users to state-approved sites as part of a censorship strategy.

When you register a website with a domain registrar, you select an available domain name, and your site'sIP addresswill be registered with the domain name. For illustration purposes, let us say you choose the domain name BusinessSite.com.

A DNS record contains your site's unique IP address, and your domain name is linked to your site's IP address. In a DNS hijacking attack, hackers gain access to your DNS, then switch your unique IP address to another one. As a result, your domain name BusinessSite.com will point to the attacker's servers when retrieved via the DNS record.

In other words, when someone types "BusinessSite.com" into Chrome, Firefox, or another browser, they are not taken to your site. Instead, they are routed to a site the attacker controls. If the visitor thinks the site they are seeing is legitimate, they may mistakenly enter sensitive information or download malware.

Common signs of DNS hijacking include web pages that load slowly, frequent pop-up advertisem*nts on websites where there should not be any, and pop-ups informing the user that their machine is infected with malware. Fortunately, in addition to these telltale signs, there are several internet tools you can use to check if your DNS has been hijacked, including:

1. Pinging a network: You can identify DNS hijacking by using a ping program and pinging the questionable domain. You will know your DNS has not been hijacked if the results show that the IP address does not exist. On the other hand, if you ping the suspicious domain and an IP address comes up, there is a good chance that your DNS has been hijacked.
2. Checking your router: Attackers can use malware to gain access to your router's administration page. Once inside, they can change the DNS settings so the router uses a server the attacker manages. To check for this kind of attack, simply go to your router’s admin page and check its DNS settings.
3. Check WhoIsMyDNS: Another great online tool is WhoIsMyDNS, which allows you to find the real server responding to DNS requests on your behalf. If the DNS displayed is unfamiliar to you, you may have fallen victim to DNS hijacking.

Also learn about DNS Firewall here.

To prevent DNS hijacking, first, you have to know the different kinds of attacks. DNS hijacking can take four different forms:

1. Local DNS hijacking: An attacker installs Trojan software on a user's computer, then modifies the local DNS settings to reroute the user to harmful websites.
2. DNS hijacking using a router: Many routers have weak firmware or use the default passwords they were shipped with. Attackers can take advantage of this to hack a router and change its DNS settings, which will affect everyone that uses that router.
3. Man-in-the-middle (MITM) attacks: Attackers use man-in-the-middle attack techniques to intercept communications between users and a DNS server. They then direct the target to malicious websites.
4. Rogue DNS server: Hackers can alter DNS records on a DNS server, enabling them to reroute DNS requests to malicious websites. If the site looks legitimate, the user may not even know they are in the wrong place.

With cache poisoning, hackers target caching name servers to manipulate the DNS cache's stored responses. This attack can be carried out in a variety of ways, but it commonly involves flooding the server with forged DNS responses while altering the query ID of each response.

Unless Domain Name System Security Extensions (DNSSEC) isimplemented, cache poisoningcan be difficult to identify and defend against. DNSSEC refers to a collection of extension specifications set up by the Internet Engineering Task Force (IETF) to safeguard data exchanged in the DNS and IP systems. Without DNSSEC, hackers are more likely to execute a successful attack andimpact thousands of users who access a nameserver with compromised responses.