DNS Hijacking: What is it and How it Works
DNS hijacking (sometimes referred to as DNS redirection) is a type of malicious attack that overrides a computer's TCP/IP settings to point it at a rogue DNS server, thereby invalidating the default DNS settings. In other words, when an attacker takes control of a computer and alters its DNS settings so that it now points to a rogue DNS server, the process is referred to as DNS hijacking.

As we all know, the Domain Name System (DNS) is mainly responsible for translating a user-friendly domain name such as "google.com" to its corresponding IP address, "74.125.235.46". Having a clear idea of DNS and how it works will help you better understand what DNS hijacking is all about.
How Does DNS Hijacking Work?
DNS is the service responsible for mapping user-friendly domain names to their corresponding IP addresses. The DNS server your computer queries is usually owned and maintained by your Internet service provider (ISP), though many other private organizations run DNS servers as well. By default, your computer is configured to use the DNS server supplied by your ISP. In some cases, your computer may instead be using the DNS service of another reputable organization such as Google. In either case you are considered safe, and everything works normally.
But imagine a situation where a hacker or a malware program gains unauthorized access to your computer and changes its DNS settings, so that your computer now uses a rogue DNS server owned and maintained by the hacker. When this happens, the rogue DNS server can translate the domain names of desirable websites (such as banks, search engines and social networking sites) to the IP addresses of malicious websites. As a result, when you type the URL of a website into the address bar, you may be taken to a fake website instead of the one you intended to visit. Sometimes, this can put you in deep trouble!
What are the Dangers of DNS Hijacking?
The dangers of DNS hijacking vary and depend on the intention behind the attack. Many ISPs, such as OpenDNS and Comcast, use DNS hijacking to introduce advertisements or collect statistics. Even though this causes no serious damage to users, it is considered a violation of the RFC standards for DNS responses.
Other dangers of DNS hijacking include the following attacks:

Pharming: This is a kind of attack where a website's traffic is redirected to a fake website. For example, when a user tries to visit a social networking website such as Facebook.com, he may be redirected to another website that is filled with pop-ups and advertisements. This is often done by hackers in order to generate advertising revenue.

Phishing: This is a kind of attack where users are redirected to a malicious website whose design (look and feel) exactly matches that of the original one. For example, when a user tries to log in to his bank account, he may be redirected to a malicious website that steals his login details.

How to Prevent DNS Hijacking?
In most cases, attackers make use of malware programs
such as a trojan horse to carry out DNS hijacking. These DNS hijacking trojans are often distributed as video and audio codecs, video downloaders, YouTube downloaders or other free utilities. So, in order to stay protected, it is recommended that you stay away from untrusted websites that offer free downloads. The DNSChanger trojan is an example of one such malware: it hijacked the DNS settings of over 4 million computers to drive a profit of about 14 million USD through fraudulent advertising revenue.
It is also necessary to change the default password of your router, so that an attacker cannot modify your router settings (including the DNS servers it hands out) using the password that came with the factory setting.

Installing a good antivirus program and keeping it up to date offers a great deal of protection for your computer against such attacks.
What if you are already a victim of DNS hijacking?
If you suspect that your computer is infected with a malware program such as DNSChanger, you need not panic. Recovering from the damage caused by such programs is fairly simple. All you have to do is verify your current DNS settings and make sure that you are not using any of the DNS server IPs that are known to be rogue (blacklisted). If you are, reconfigure your DNS settings according to your ISP's guidelines.
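The check described above, as an added example that is not part of the original article: a small Python audit that reads resolv.conf-style settings and flags any nameserver that is neither on an allowlist of resolvers you deliberately configured nor a local router address. The allowlist (Google Public DNS plus the RFC 5737 range 192.0.2.0/24 standing in for "my ISP's resolvers") and the sample resolv.conf are constructed for the example.

```python
import ipaddress
from typing import Dict, List

# Constructed allowlist: Google Public DNS (named in the article) plus 192.0.2.0/24,
# an RFC 5737 documentation range standing in for the resolvers your ISP told you to use.
TRUSTED_RESOLVERS = [ipaddress.ip_network(n) for n in
                     ("8.8.8.8/32", "8.8.4.4/32", "2001:4860:4860::8888/128", "192.0.2.0/24")]
# RFC 1918 / link-local ranges: a home router or local stub resolver; check its upstream too.
LOCAL_NETWORKS = [ipaddress.ip_network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7", "fe80::/10")]

def parse_nameservers(resolv_conf: str) -> List[str]:
    """Return nameserver entries in order; comments (# or ;) and other directives are ignored."""
    servers = []
    for raw in resolv_conf.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0].lower() == "nameserver":
            servers.append(parts[1])
    return servers

def classify_resolver(addr: str) -> str:
    """Label one resolver address as trusted, local, unexpected or invalid."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "invalid"
    if any(ip in net for net in TRUSTED_RESOLVERS):
        return "trusted"
    if ip.is_loopback or any(ip in net for net in LOCAL_NETWORKS):
        return "local"
    return "unexpected"  # not on the allowlist: the DNSChanger-style symptom to investigate

def audit_resolv_conf(resolv_conf: str) -> Dict[str, str]:
    """Map every configured nameserver to its verdict."""
    return {ns: classify_resolver(ns) for ns in parse_nameservers(resolv_conf)}

# Constructed sample: the second entry is one the owner never configured.
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager
search home.example
nameserver 192.0.2.53
nameserver 198.51.100.7   ; appeared after installing a "free codec"
nameserver 8.8.8.8
options timeout:2
"""

if __name__ == "__main__":
    for ns, verdict in audit_resolv_conf(SAMPLE_RESOLV_CONF).items():
        print(f"{ns:<24}{verdict}")
```

On Linux, pass the contents of /etc/resolv.conf to audit_resolv_conf; any "unexpected" verdict is the cue to reconfigure DNS per your ISP's guidelines and to inspect the router's own DNS setting.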