Domain Name System hijacking (DNS hijacking) is a tactic used to redirect you to websites different from the ones you intend to visit, usually to steal your personal data, display unwanted ads, or impose internet censorship. The terms DNS poisoning and DNS spoofing are often used interchangeably with it; strictly, they describe one way of achieving the redirect (feeding a resolver forged records) rather than the whole category.
Jump to…
What is DNS?
How DNS hijacking works
Why are DNSs hijacked?
Common types of DNS hijacking attacks
How to detect DNS hijacking
Ways to prevent DNS hijacking
Real-world examples of DNS hijacking
What is DNS?
The Domain Name System (DNS) turns domain names into IP addresses so that your browser can connect to the right server and load the correct pages. For example, when you type a URL, like expressvpn.com, into the address bar of your browser, the DNS resolver your device is configured to use translates that name into the IP address of the server hosting expressvpn.com. The domain name is like the street address you give to other people; the IP address is the set of GPS coordinates that actually gets the packets there.
By default, you use the DNS servers provided by your internet service provider (ISP). However, VPN providers also run their own DNS servers to protect your internet traffic. When you’re connected to ExpressVPN, you’ll use its secure DNS servers, keeping your internet traffic protected.
How DNS hijacking works
Classic DNS runs over plain UDP (port 53) with no authentication. When your computer sends a query, it accepts the first reply whose transaction ID and question match the outstanding query; it has no way to check that the reply actually came from the resolver it asked, or that the resolver obtained the record from the domain's real authoritative servers. An attacker who can see the query (on the same Wi-Fi network, or anywhere on the path) or who can guess those values can therefore answer first with whatever address they choose.
It is also possible for the resolver itself to serve poisoned records, either because an attacker injected forged answers into its cache or because whoever operates it edited the records on purpose. That means replacing the IP address of the site you want to visit with that of another site, or simply removing the IP address altogether. This is similar to altering a phone book: removing certain names or companies, or swapping a listing's address for that of another company.
Either way, DNS hijacking lets an attacker impersonate websites and gather whatever you type into them, such as usernames, passwords, and payment details. A hijacked name alone does not defeat HTTPS, though: the attacker's server still needs a certificate the browser trusts for the real domain, which is why sophisticated campaigns also go after certificates or rely on users clicking through warnings.
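To make that acceptance rule concrete, here is an added example in Python (not code from the original article). It builds a DNS query, builds both a genuine and a forged A-record answer for it, and applies the check a classic stub resolver makes. Everything is constructed in memory, so no packets are sent; the IP addresses are taken from documentation ranges and are placeholders for this demo.

```python
"""What a classic stub resolver checks before accepting a DNS answer.

Added example, not from the original article. All packets are built in
memory; nothing touches the network. Addresses come from documentation
ranges (RFC 5737) and are constructed for this demo.
"""
import random
import struct


def encode_name(name: str) -> bytes:
    """Wire-format a domain name as length-prefixed labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg: bytes, offset: int):
    """Decode a name (following compression pointers); return (name, next_offset)."""
    labels, end, jumped = [], offset, False
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # 2-byte compression pointer
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            offset, jumped = pointer, True
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            return ".".join(labels), end
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length


def build_query(txid: int, qname: str) -> bytes:
    """Standard recursive A query: header with RD=1, one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", 1, 1)  # type A, class IN


def build_a_response(txid: int, qname: str, ip: str, ttl: int = 300) -> bytes:
    """Response with QR/RD/RA set, the question echoed, and one A record."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)
    rdata = bytes(int(o) for o in ip.split("."))
    # 0xC00C is a compression pointer back to the name at offset 12 (the question).
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, ttl, 4) + rdata
    return header + question + answer


def parse_response(msg: bytes) -> dict:
    """Pull out txid, flags, the question name and any A records."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    qname, off = decode_name(msg, off)
    off += 4  # skip qtype and qclass
    answers = []
    for _ in range(ancount):
        name, off = decode_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == 1 and rdlen == 4:
            answers.append((name, ".".join(str(b) for b in rdata), ttl))
    return {"txid": txid, "flags": flags, "qname": qname, "answers": answers}


def stub_accepts(query: bytes, response: bytes) -> bool:
    """The classic rule: it is a response (QR=1), the transaction ID matches,
    and the question name matches. Nothing here proves who sent the packet."""
    q_txid = struct.unpack("!H", query[:2])[0]
    q_name, _ = decode_name(query, 12)
    r = parse_response(response)
    return bool(r["flags"] & 0x8000) and r["txid"] == q_txid and r["qname"].lower() == q_name.lower()


def demo():
    """Genuine answer, on-path forgery (attacker saw the txid), blind forgery."""
    txid = random.randrange(1 << 16)
    query = build_query(txid, "expressvpn.com")
    genuine = build_a_response(txid, "expressvpn.com", "198.51.100.10")
    on_path = build_a_response(txid, "expressvpn.com", "203.0.113.66")
    blind = build_a_response((txid + 1) & 0xFFFF, "expressvpn.com", "203.0.113.66")
    return (stub_accepts(query, genuine), stub_accepts(query, on_path), stub_accepts(query, blind))


if __name__ == "__main__":
    print(demo())  # (True, True, False): the on-path forgery is indistinguishable
```

The middle result is the whole problem: an attacker who saw the query, or who controls the router your device asked, produces a reply that passes every check the stub makes. The blind forgery fails only because it guessed the transaction ID wrong, which is why the cache-poisoning precautions later in this article are about making that guess as hard as possible.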
Why are DNSs hijacked?
As DNS is one of the most important aspects of the internet, it’s subsequently a target of various forms of attack for a range of reasons, like the below:
Display ads to generate revenue
Attackers can hijack your DNS to send you to pages full of ads that earn them revenue, or to inject ads into the sites you visit. In a less fraudulent sense, some internet service providers also manipulate DNS replies, for example by answering for names that don't exist with a search-and-ads page instead of an error.
Steal your personal information
DNS hijackers redirect you to fake websites that look like legitimate ones, aiming to steal your login credentials and other personal data. Reaching a fake site through a manipulated DNS answer is known as pharming; it is a close cousin of phishing, which uses deceptive links or messages to get you to the same place.
Government or organizational censorship
Governments can use DNS hijacking to suppress political opposition or prohibit certain online content. Users won't be able to access the censored website and will be redirected to a different one, typically a block page. Schools and organizations can also manipulate DNS requests to filter content they consider inappropriate for their users.
Common types of DNS hijacking attacks
Local DNS hijack
Attackers start by installing malware on the user's computer. The malware then changes the device's DNS settings, or adds entries to the hosts file, which the operating system consults before it asks DNS at all, so that chosen names resolve to attacker-controlled addresses, usually to steal personal data.
Router DNS hijack
An attacker can change your router's DNS settings by exploiting software vulnerabilities, or simply by logging in to the router's configuration page with the default username and password. Because every device on the network normally takes its DNS server from the router via DHCP, this redirects the whole household at once, letting the attacker send you to malicious websites to obtain your personal information or harm your devices. That's why it's important to change the default credentials and keep your router's firmware updated to repair vulnerabilities. (ExpressVPN for routers updates automatically to save you the hassle!)
Man-in-the-middle DNS attacks
A man-in-the-middle (MITM) attacker sits between you and your resolver, for example on public Wi-Fi or a compromised router, and answers your DNS queries before, or instead of, the real server. Instead of reaching the real website, you're presented with a malicious one. This is also called DNS spoofing.
Rogue DNS server attacks
This happens when an attacker compromises a DNS server and changes the records it serves, or poisons its cache with forged answers. Every client that relies on that server then receives the malicious addresses.
How to detect DNS hijacking
There are usually some telltale signs that your DNS has been hijacked: websites loading more slowly than usual, certificate warnings on sites that never showed them before, or random pop-ups, often claiming your computer is infected. These signs alone aren't conclusive, but there are simple checks you can run to find out.
Use the ping command
One quick check is to try to resolve a domain name that cannot exist. The ping command is convenient because it must resolve the name before it sends anything. If you ping a nonsense name (a random string of letters under a real-looking domain, or one ending in `.invalid`, which is reserved and can never be registered) and it resolves to an address, something between you and the root servers is rewriting "no such domain" answers, which is what ad-injecting ISPs and hijackers both do. If it fails to resolve, that particular form of tampering isn't present, though this does not prove that answers for real names are untouched.
On Mac
- Open Terminal.
- Enter the following command: ping [a random website name].
If the reply is “ping: cannot resolve …: Unknown host,” the name did not resolve, which is what you want to see.
On Windows
- Open the Command Prompt.
- Enter the following command: ping [a random website name].
If the reply is “Ping request could not find host …,” the name did not resolve, which is what you want to see.
On Linux
- Open Terminal.
- Enter the following command: ping [a random website name].
If the reply is “ping: …: Name or service not known” (or “Temporary failure in name resolution”), the name did not resolve, which is what you want to see.
Use a router checker
There are online router checkers that test whether your device's DNS queries are reaching a resolver you would expect. They work by triggering a lookup from your browser, recording which resolver actually contacted their servers, and comparing that resolver against known ISP, public and VPN resolvers. F-Secure's free, web-based Router Checker is a well-known example.
Use WhoIsMyDNS.com
WhoIsMyDNS shows you the DNS servers you're using and the organization that owns them. Unless you're connected to a VPN or have set a public DNS service yourself, you should see your internet service provider's name. If you don't recognize the organization, find out where that resolver setting came from before you trust it.
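The online checkers tell you which resolver your queries reach; the other half of detecting a local hijack is looking at the settings on the device itself. The following added Python example (not code from the original article) audits resolv.conf-style resolver settings and a hosts file for the two things local DNS malware typically changes: a resolver you did not configure, and hosts-file overrides for sensitive or security-vendor domains. The sample files are constructed, and the allowlist of expected resolvers is an assumption you replace with your own (your ISP's, your VPN's, or a public service you chose).

```python
"""Audit local resolver settings for traces of a local DNS hijack.

Added example, not from the original article. The sample files below are
constructed; KNOWN_RESOLVERS is an assumed allowlist you replace with the
resolvers you expect (your ISP's, your VPN's, or a public service you chose).
"""
import ipaddress

# Assumed allowlist. 8.8.8.8/8.8.4.4 are Google Public DNS, 1.1.1.1/1.0.0.1
# are Cloudflare; 10.0.0.1 stands in for "my own router", and 127.0.0.53 is
# the local stub that systemd-resolved puts in resolv.conf on many Linux systems.
KNOWN_RESOLVERS = {"8.8.8.8", "8.8.4.4", "1.1.1.1", "1.0.0.1", "10.0.0.1", "127.0.0.53"}

# Domains whose hosts-file override would be a strong sign of tampering.
WATCHED_DOMAINS = {"expressvpn.com", "google.com", "paypal.com", "microsoft.com"}
# Substrings typical of antivirus/update hosts that malware pins to 127.0.0.1.
VENDOR_HINTS = ("antivirus", "avast", "kaspersky", "sophos", "windowsupdate")
LOCAL_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost", "ip6-loopback", "broadcasthost"}


def parse_resolv_conf(text: str) -> list:
    """Return the nameserver addresses from resolv.conf-style text, in order."""
    servers = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) == 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def parse_hosts(text: str) -> list:
    """Return (hostname, ip) pairs from hosts-file text, comments stripped."""
    entries = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 2:
            entries.extend((name.lower(), parts[0]) for name in parts[1:])
    return entries


def audit(resolv_text: str, hosts_text: str) -> list:
    """Return human-readable findings; an empty list means nothing suspicious."""
    findings = []
    for server in parse_resolv_conf(resolv_text):
        try:
            ipaddress.ip_address(server)
        except ValueError:
            findings.append(f"unparseable nameserver entry: {server}")
            continue
        if server not in KNOWN_RESOLVERS:
            findings.append(f"unexpected nameserver: {server}")
    for name, ip in parse_hosts(hosts_text):
        if name in LOCAL_NAMES:
            continue
        try:
            loopback = ipaddress.ip_address(ip).is_loopback
        except ValueError:
            findings.append(f"unparseable hosts entry: {name} -> {ip}")
            continue
        if loopback and any(hint in name for hint in VENDOR_HINTS):
            # Classic malware trick: blackhole AV/update servers so it is never removed.
            findings.append(f"security/update host pinned to loopback: {name} -> {ip}")
        elif name in WATCHED_DOMAINS or any(name.endswith("." + d) for d in WATCHED_DOMAINS):
            findings.append(f"hosts-file override for watched domain: {name} -> {ip}")
    return findings


# Constructed samples: a resolver nobody configured, a payment-site override,
# and an antivirus update host blackholed to loopback.
SAMPLE_RESOLV_CONF = """# constructed for this example
nameserver 10.0.0.1
nameserver 198.51.100.53
"""
SAMPLE_HOSTS = """127.0.0.1 localhost
::1 localhost ip6-localhost
203.0.113.7 www.paypal.com paypal.com
127.0.0.1 update.avast.com
"""


def run_demo() -> list:
    return audit(SAMPLE_RESOLV_CONF, SAMPLE_HOSTS)


if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```

To run it against a real machine, feed `audit()` the contents of `/etc/resolv.conf` and `/etc/hosts` on Linux, or `C:\Windows\System32\drivers\etc\hosts` plus the output of `Get-DnsClientServerAddress` on Windows; on macOS, `scutil --dns` lists the resolvers actually in use, which can differ from resolv.conf.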
Ways to prevent DNS hijacking
Thankfully, there are ways to prevent DNS hijacking.
For general internet users
Here are a couple of things you can do to prevent DNS hijacking:
- Change your router’s default username and password. This prevents attackers from trying to access your router’s settings with the default login credentials commonly used for routers.
- Install antivirus software. Antivirus software can detect and eliminate malware that performs DNS hijacking. Some antivirus software performs constant scans, detecting attacks at the moment they occur.
- Use a VPN. ExpressVPN runs its own encrypted, secure DNS servers, so when you're connected to ExpressVPN, you automatically use those servers through the VPN tunnel. Your ISP or anyone on your local network can neither see nor alter your DNS queries, which also blocks resolver-level censorship by your ISP. (A VPN does not protect a domain whose records have been changed at its registrar or authoritative server; every resolver, including a VPN's, receives the altered records.)
- If your ISP's DNS servers aren't trustworthy, use an alternative DNS service such as Google Public DNS or Cloudflare's 1.1.1.1, preferably over DNS over HTTPS (DoH) or DNS over TLS (DoT) so the queries themselves are encrypted in transit.
If you do all of the above, you will have a multi-layered defense against DNS hijacking.
For name servers and resolvers
- Shut down unneeded DNS resolvers, and don't leave the ones you do need open to the whole internet. Recursive resolvers should answer only for your own networks and sit behind a firewall.
- Restrict access to name servers. Allow zone transfers and dynamic updates only from specific, authenticated hosts, and apply the usual network security controls.
- Take precautions against cache poisoning. Send each query from a random source port with a random 16-bit transaction ID, and randomize the upper and lower case of the letters in the query name (0x20 encoding) so that a forged answer has to match all three. Enable DNSSEC validation so forged records for signed zones are rejected outright.
- Patch known vulnerabilities. Attackers actively exploit vulnerabilities in DNS server software.
- Separate the authoritative name server from the recursive resolver. A DDoS attack or poisoning attempt against one then doesn't affect the other.
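The three cache-poisoning precautions above are easiest to appreciate as arithmetic. The following added Python example (not the article's code) models a resolver's outstanding query with and without each measure, implements the hardened matching rule, and computes how likely a blind, off-path attacker is to get one forged reply accepted during a single race. This is the attack class behind the 2008 Kaminsky disclosure that made source-port randomization standard. The usable port range and the attacker's budget of 65,536 forged replies per race are assumptions for the arithmetic.

```python
"""Why random ports, random transaction IDs and 0x20 case randomization
defeat blind (off-path) cache poisoning.

Added example, not from the original article. The port range and the
attacker's per-race packet budget are assumptions for the arithmetic.
"""
import math
import secrets
from dataclasses import dataclass


def randomize_case(name: str) -> str:
    """0x20 encoding: flip each letter's case at random. Authoritative
    servers echo the question byte-for-byte, so a forged reply must match."""
    return "".join(
        c.upper() if c.isalpha() and secrets.randbits(1) else c.lower() for c in name
    )


@dataclass
class PendingQuery:
    qname: str      # exact case as sent
    txid: int       # 16-bit transaction ID
    src_port: int   # UDP source port the reply must come back to

    def accepts(self, txid: int, dst_port: int, echoed_qname: str) -> bool:
        """Hardened rule: all three values must match exactly, case included."""
        return txid == self.txid and dst_port == self.src_port and echoed_qname == self.qname


def new_query(name: str, randomize_port: bool = True, use_0x20: bool = True) -> PendingQuery:
    """Create the resolver-side state for one outgoing query."""
    qname = randomize_case(name) if use_0x20 else name.lower()
    port = 1024 + secrets.randbelow(64512) if randomize_port else 53  # legacy: fixed port
    return PendingQuery(qname, secrets.randbits(16), port)


def guess_space_bits(name: str, randomize_port: bool, use_0x20: bool, port_range: int = 64512) -> float:
    """Bits an off-path attacker must guess correctly in a single forged packet."""
    bits = 16.0                                      # transaction ID
    if randomize_port:
        bits += math.log2(port_range)                # ~15.98 bits for ports 1024-65535
    if use_0x20:
        bits += sum(1 for c in name if c.isalpha())  # one bit per letter in the name
    return bits


def success_probability(bits: float, packets: int) -> float:
    """P(at least one of `packets` uniformly random guesses is accepted) in one race."""
    p = 2.0 ** -bits
    return 1.0 - (1.0 - p) ** packets


def compare(name: str = "expressvpn.com", packets: int = 65536) -> dict:
    """Attacker budget of `packets` forged replies per race (assumed)."""
    return {
        "txid_only": success_probability(guess_space_bits(name, False, False), packets),
        "txid_port": success_probability(guess_space_bits(name, True, False), packets),
        "txid_port_0x20": success_probability(guess_space_bits(name, True, True), packets),
    }


if __name__ == "__main__":
    print(new_query("expressvpn.com"))
    for label, prob in compare().items():
        print(f"{label:16s} {prob:.2e}")
```

With only a random transaction ID to guess, 65,536 forged replies give the attacker roughly a 63% chance per race, and the attacker can force as many races as they like by querying for fresh names in the target zone. Adding the random source port drops that to about one in 64,000, and case randomization on a 13-letter name drops it by a further factor of 8,192. In Unbound the last measure is the `use-caps-for-id` option; for signed zones DNSSEC validation makes the guessing game irrelevant, since a forged answer carries no valid signature.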
For website owners
Your domain's records live in two places outside your own servers: the registrar that holds the registration (and the pointer to your name servers) and the DNS host that serves your zone. Attackers target both, so take the following steps to avoid DNS redirection:
Limit DNS access
Limit access to the registrar and DNS hosting accounts to a few members of the IT team. Make sure they use two-factor authentication whenever accessing those accounts, and review the change history regularly so an unauthorized name server or record change is noticed quickly.
Enable client lock
Some registrars support a lock, often called client lock or registrar lock (implemented as EPP status codes such as clientUpdateProhibited and clientTransferProhibited), and some offer a stronger registry lock that requires manual, out-of-band verification before any change. Either prevents changes to your name servers or a transfer of the domain without explicit approval. If your registrar supports it, enable it.
Use a DNS registrar that supports DNSSEC
DNSSEC stands for Domain Name System Security Extensions. It adds digital signatures to your zone's records, so a validating resolver can detect records that were forged or altered in transit and discard them. It does not encrypt or hide queries, and it cannot help if an attacker changes the records through your registrar or DNS hosting account, since they can publish new keys along with the new records. If your DNS host signs your zone and your registrar lets you publish the DS record, enable both.
Real-world examples of DNS hijacking
There are many real-life examples of DNS hijacking. We’ve collated a few significant ones below:
The Sea Turtle campaign
Beginning in early 2017, and reported by Cisco Talos in 2019, a group the researchers named Sea Turtle targeted at least 40 organizations across 13 countries, primarily in the Middle East and North Africa. Rather than attacking the victims directly, they compromised third parties in the DNS chain, including registrars and DNS hosting providers, changed the victims' name server and address records, and obtained valid certificates for the hijacked names so they could intercept logins on convincing fake sites.
The Twitter, New York Times & Huffington Post DNS hijack
In 2013, a group called the Syrian Electronic Army hijacked the domains of Twitter, the New York Times, and the Huffington Post, among other media outlets, not by breaching those companies but by getting into a reseller account at their registrar, Melbourne IT, and changing the domains' DNS records.
The ICANN DNS hijack attack
In June 2008, the Internet Corporation for Assigned Names and Numbers (ICANN) had its own domains hijacked by a Turkish hacker group, NetDevilz, which altered the registration records so that visitors were redirected to a page that said “You think that you control the domains but you don’t! Everybody knows wrong.”
A DNS attack against WikiLeaks
In August 2017, a hacker group known as OurMine, which describes itself as Saudi Arabia-based, hijacked the DNS records for wikileaks.org rather than the site's servers, sending visitors to a defacement page.
FAQ: About DNS hijacking
Is DNS hijacking common?
DNS hijacking is among the most common DNS attacks. In one industry survey, 47% of respondents had been affected by DNS hijacking, followed by DDoS attacks (46%) and DNS tunneling (35%).
Does VPN prevent DNS hijacking?
Yes, for the most common kinds. Most VPN services run their own DNS servers and route your queries to them through the encrypted tunnel, so your ISP, a compromised router, or someone on the local network can't see or answer your queries. ExpressVPN runs its own encrypted DNS on every VPN server, keeping your internet traffic protected. A VPN can't fix records that were altered at the domain's registrar or authoritative server, though.
What can someone do with your DNS?
Attackers can harm you through DNS in several ways. Someone who controls your resolver setting can send you to malicious websites, usually to steal your personal data or deliver malware to your device. Someone who can inject forged records into the resolver you use (DNS spoofing) achieves the same result without touching your device at all.
What’s the difference between DNS poisoning and DNS hijacking?
DNS spoofing (also called cache poisoning) injects forged records into a resolver's cache, or into your device's local cache, so that an otherwise legitimate resolver hands out a malicious address. DNS hijacking, also known as DNS redirection, changes which resolver you talk to (via malware, router tampering, or an ISP policy) or changes the domain's real records at its registrar or name servers. Both end with you at the wrong server; they differ in where the lie is inserted.
How do I change my DNS servers?
You can change your DNS servers within the settings of your Mac, Windows, iOS, Android, and Linux, if you believe the DNS servers provided by your internet service provider aren’t secure. If you’re already connected to ExpressVPN, there’s no need to change your DNS servers, as you’ll be using ExpressVPN’s private, encrypted DNS servers.
What’s the problem with DNS spoofing to censor the Internet?
Many countries implement internet censorship by requiring internet service providers to drop or redirect certain domains on their DNS servers, though this is a relatively easily circumvented form of censorship, since users can simply switch to another resolver. But when the entire network is controlled by an authoritarian regime, it can block outside DNS servers entirely or employ deep packet inspection to selectively block or misdirect requests.