DNS HIJACKING

DNS mean Domain Name System. It is also named as DNS redirection. It is a type of DNS attack in which DNS queries are incorrectly resolved in order to unexpectedly redirect users to malicious sites. To perform the attack, perpetrators install malware on user computers, take over routers, or intercept or hack DNS communication.

These modifications may be made for malicious purposes such as phishing, for self-serving purposes by Internet service providers (ISPs), by the Great Firewall of China and public/router-based online DNS server providers to direct users’ web traffic to the ISP’s own web servers where advertisements can be served, statistics collected, or other purposes of the ISP; and by DNS service providers to block access to selected domains as a form of censorship.

DNS Hijacking has four different types of attack:-

• Local DNS hijack— attackers install Trojan malware on a user’s computer, and change the local DNS settings to redirect the user to malicious sites.
• Rogue DNS Server— attackers can hack a DNS server, and change DNS records to redirect DNS requests to malicious sites.
• Router DNS hijack— many routers have default passwords or firmware vulnerabilities. Attackers can take over a router and overwrite DNS settings, affecting all users connected to that router.
• Man in the middle DNS attacks— attackers intercept communication between a user and a DNS server, and provide different destination IP addresses pointing to malicious sites.

Examples of functionality that breaks when an ISP hijacks DNS:

• Roaming laptops that are members of a Windows Server domainwill falsely be led to believe that they are back on a corporate network because resources such as domain controllers, email servers and other infrastructure will appear to be available. Applications will therefore attempt to initiate connections to these corporate servers, but fail, resulting in degraded performance, unnecessary traffic on the Internet connection and timeouts.
• Many small office and home networks do not have their own DNS server, relying instead on broadcastname resolution. Many versions of Microsoft Windows default to prioritizing DNS name resolution above NetBIOS name resolution broadcasts; therefore, when an ISP DNS server returns a (technically valid) IP address for the name of the desired computer on the LAN, the connecting computer uses this incorrect IP address and inevitably fails to connect to the desired computer on the LAN. Workarounds include using the correct IP address instead of the computer name, or changing the Node Type registry value to change name resolution service ordering.
• Browsers such as Firefoxno longer have their ‘Browse by Name’ functionality (where keywords typed in the address bar take users to the closest matching site).
• The local DNS client built into modern operating systems will cache results of DNS searches for performance reasons. If a client switches between a home network and a VPN, false entries may remain cached, thereby creating a service outage on the VPN connection.
• DNSBLanti-spam solutions rely on DNS; false DNS results therefore interfere with their operation.
• Confidential user data might be leakedby applications that are tricked by the ISP into believing that the servers they wish to connect to be available.
• User choice over which search engine to consult in the event of a URL being mistyped in a browser is removed as the ISP determines what search results are displayed to the user.

There are also application-level work-around, such as the No Redirect Firefox extension, that mitigate some of the behaviour. An approach like that only fixes one application (in this example, Firefox) and will not address any other issues caused. Website owners may be able to fool some hijackers by using certain DNS settings. For example, setting a TXT record of “unused” on their wildcard address (e.g. *.example.com). Alternatively, they can try setting the CNAME of the wildcard to “example.invalid”, making use of the fact that ‘.invalid’ is guaranteed not to exist per the RFC. The limitation of that approach is that it only prevents hijacking on those particular domains, but it may address some VPN security issues caused by DNS hijacking.

By Archit Sharma:-