By Yair Green, CTO, GlobalDots
DNS (Domain Name System) is crucial to all organizations that rely on the Internet for conducting business – it’s critical for the performance and reliability of your internet applications and cloud services. DNS failure or poor performance leads to applications, data and content becoming unavailable, causing user frustration, lost sales and business reputation damage.
DNS hijacking attacks have become widespread so what can be done to mitigate them.
Domain Name System (DNS) servers are often called “the phone books of the Internet” and are used to resolve human-readable hostnames into machine-readable IP addresses. They also provide other useful info about domain names, such as mail services. For example, if you know someone’s name but don’t know their phone number, you can use a phone book to find their number. DNS services use the same logic. When you request data for a web location you type in its name and then the DNS servers find their IP address. Such internet phone books greatly influence the accessibility of Web locations which is exactly why DNS is crucial for any organization that relies on the Internet to connect to customers, partners, suppliers, and employees.
The Internet maintains two principal namespaces – the domain name hierarchy and the Internet Protocol (IP) address spaces. The Domain Name System maintains the domain name hierarchy and provides translation services between it and the address spaces. Internet name servers and a communication protocol implement the Domain Name System. A DNS name server is a server that stores the DNS records for a domain name; a DNS name server responds with answers to queries against its database.
What is DNS Hijacking?
DNS Hijacking, also called Domain Hijacking, is when bad actors redirect or “hijack” DNS addresses and reroute traffic to bogus DNS servers. Once a DNS address is successfully hijacked to a bogus DNS server, it translates the legitimate IP address or DNS name into the IP address of the hacker’s malicious website of choice.DNS hijacking can be used for pharming (in this context, attackers typically display unwanted ads to generate revenue) or for phishing (displaying fake versions of sites that users access whereby data or credentials are stolen from them).
Many Internet Service Providers (ISPs) also use a type of DNS hijacking to take over a user’s DNS requests, collect statistics and return ads when users access an unknown domain. Some governments use DNS hijacking for censorship, redirecting users to government-authorized sites. DNS hijacking can occur with any size website, directing folk to malicious websites without their knowledge. Since the website owners depend upon legitimate DNS servers that are issued by their Internet Service Providers (ISP), DNS hijackers use malware in the form of a Trojan to exchange the legitimate DNS server assignment by the ISP with a manual DNS server assignment from a bogus DNS server.
When users visit legitimate websites, they’re automatically hijacked to a malicious website disguised as the legitimate one. The switch from the legitimate DNS server to the bogus DNS server goes unnoticed by both the user and the legitimate website owner. At this point, the malicious website gets to do pretty much anything it wants, for as long as the person using it believes it’s where they’re meant to be.
As a cyber-attack, DNS Hijacking has a host of uses, including injecting malware into your machine, promoting phishing scams and advertising on high-volume websites. Ultimately, it’s possible to suffer a data breach following a DNS Hijack, as credentials can easily be mined while the victim is active on the attacker’s bogus site.
DNS hijacking attack types (6 main types)
- Local DNS hijack — attackers install Trojan malware on a user’s computer, and change the local DNS settings to redirect the user to malicious sites.
- Router DNS hijack — many routers have default passwords or firmware vulnerabilities. Attackers can take over a router and overwrite DNS settings, affecting all users connected to that router.
- Man in the middle DNS attacks — attackers intercept communication between a user and a DNS server and provide different destination IP addresses pointing to malicious sites.
- Rogue DNS Server — attackers can hack a DNS server, and change DNS records to redirect DNS requests to malicious sites.
- Recursive DNS hijacking — because DNS resolving is hierarchical with caching at the ISP level, hackers take over ISP recursive DNS resolvers and provide fake answers to end-users.
- Registrar record modification — the domain registrar provides the names of the authoritative name servers to the top-level DNS. An attacker hacks into the domain registration records and modifies them to point to a rogue server.
Upgrade DNS in the Application Infrastructure
The lack of attention of DNS lags behind the innovation of the infrastructure in the cloud, creating cracks for possible exploitation. As organizations increasingly embrace a new generation of “cloud-first” computing environments with multiple, connected clouds, data centers and CDNs, they also need to adapt and upgrade the underpinning infrastructure, including DNS and security technologies and policies.
Application layers use security protocols (like HTTPS, DMARC, etc.), and DNS is no exception. The Domain Name System Security Extensions (DNSSEC) is one of them. DNSSEC reinforces the authenticity of DNS query responses by using digital signatures to authenticate communications, protecting applications (and the caching resolvers used by those applications) from using fake DNS data in cache poisoning and spoofing attacks. Historically, organizations have held back from using DNSSEC, because implementing it would mean sacrificing the DNS traffic management capabilities they rely on to deliver high-quality online services. However, with recent technological developments, this is no longer a problem.
Use two-factor authentication when accessing the authoritative DNS provider and the registrar, to avoid compromise. If possible, define a whitelist of IP addresses that are allowed to access DNS settings.
Check if your authoritative DNS provider and your registrar support client lock (also known as change lock), which prevents changes to your DNS records without approval from a specific named individual.
Mitigation for end-users
End users can protect themselves against DNS hijacking by changing router passwords, installing antivirus, and using an encrypted VPN channel. If the user’s ISP is hijacking their DNS, they can use a free, alternative DNS service such as Google Public DNS, Google DNS over HTTPS, and Cisco OpenDNS.
External Monitoring of DNS resolution
Even if end users are protected and your authoritative DNS is secure, a local ISP can be compromised, affecting millions of end-users. Run continuous DNS resolution tests from as many locations as feasible, and alert your security team on suspicious changes.
Whilst DNS hijacking has become a serious problem for many enterprises and end-users, implementing the correct mitigation method goes a long way towards solving the problem.
About the Author
Yair Green is the CTO of GlobalDots, and a Cloud, Security, and Web Performance Evangelist.