What is DNS Hijacking?
DNS hijacking, also known as DNS redirection, is a DNS attack in which queries are resolved incorrectly so that users are sent to attacker-controlled sites without their knowledge. Attackers carry it out by installing malware on user machines, taking over routers, or intercepting and tampering with DNS traffic; without DNSSEC or an encrypted transport, DNS is plaintext UDP that anyone on the path can read and forge.
DNS hijacking is used for pharming (redirecting users to fraudulent or ad-laden sites to generate revenue) and for phishing (serving look-alike copies of the sites users intended to visit in order to capture credentials or other data).
One of the most damaging forms attacks the foundation of every web link: name resolution itself. An attacker who gains control of a DNS server can replace the records for legitimate domains with malicious IP addresses. When you request a website, you receive the address of a fake site built to steal your credentials. Because the fake site is usually a close copy of the one you asked for, you log in and your credentials are captured.
Cache poisoning is a related attack. Resolvers keep a cache of name-to-address mappings so they do not have to repeat an upstream lookup for every query. An attacker who can inject forged records into that cache achieves the same effect as hijacking the server: every client of that resolver receives the attacker's address until the record expires.
Poisoning has two consequences. Every client that uses the compromised resolver is sent to the wrong site, and any downstream resolver that forwards through it caches the bogus record in turn, spreading the false mapping further.
DNS hijacking attack types
There are five basic types:
Rogue DNS server – Attackers compromise a DNS server and alter its records so that queries for legitimate names are answered with the addresses of malicious sites.
Local DNS hijacking – An attacker installs Trojan software on a user's device and modifies the local DNS settings (the configured resolvers or the hosts file) so that lookups are answered by, or point to, attacker-controlled systems.
Man-in-the-middle DNS attacks – An attacker positioned between the user and the DNS server intercepts queries and injects forged responses that substitute attacker-controlled IP addresses.
DNS spoofing – The answer for a real name such as www.google.com is forged so that it resolves to an attacker-controlled address, and the user lands on a malicious site (for example one hosted at google.attacker.com) that impersonates the real one. DNS redirection is one way to achieve this: an attacker who has compromised a DNS server can use it to spoof answers for arbitrary sites and direct users to malicious ones.
DNS hijacking via router – Many routers ship with default passwords or carry firmware flaws. An attacker who gains control of a router can change the DNS servers it hands out over DHCP, affecting every user connected to it.
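Local and router-based hijacking both end up changing what a machine trusts as its resolver or as a static name mapping, so the practical check is to audit those two settings against an allowlist. The following is an added example (not code from the original page or its sources): it parses resolv.conf-style and hosts-file content, flags resolvers outside an approved set, flags any hosts entry for a watched domain, and flags public names pinned to non-internal addresses. The approved resolvers, watched domains, internal prefixes and both sample files are constructed for illustration.

```python
import ipaddress

# Added example, not from the original page. Audits two things a local DNS hijack
# commonly changes: the resolver list (what the OS or the router's DHCP handed out)
# and the hosts file. The allowlist, watched domains and sample file contents
# below are constructed for illustration.

APPROVED_RESOLVERS = {"10.0.0.53", "1.1.1.1", "9.9.9.9"}  # assumption: org-approved resolvers
WATCHED_DOMAINS = {"www.example-bank.com", "login.example.com"}  # never legitimately in hosts
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10")]

SAMPLE_RESOLV_CONF = """\
# constructed sample
nameserver 1.1.1.1
nameserver 198.51.100.7   # not on the approved list
search corp.example
"""

SAMPLE_HOSTS = """\
127.0.0.1       localhost
10.1.2.3        intranet.corp.example       # private address: normal
203.0.113.5     www.example-bank.com        # watched name statically overridden
198.51.100.9    update.example.org          # public name pinned to an external address
"""


def _tokens(line: str) -> list:
    """Drop a trailing comment and split a config line into tokens."""
    return line.split("#", 1)[0].split()


def is_internal(addr) -> bool:
    """True if addr falls inside one of the networks we consider internal."""
    return any(addr in net for net in INTERNAL_NETS)


def audit_resolvers(text: str) -> list:
    """Report every nameserver line whose address is not on the approved list."""
    findings = []
    for line in text.splitlines():
        parts = _tokens(line)
        if len(parts) >= 2 and parts[0] == "nameserver" and parts[1] not in APPROVED_RESOLVERS:
            findings.append(("unapproved_resolver", parts[1]))
    return findings


def audit_hosts(text: str) -> list:
    """Report hosts entries that override watched names or pin public names externally."""
    findings = []
    for line in text.splitlines():
        parts = _tokens(line)
        if len(parts) < 2:
            continue
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed line; a stricter auditor would report it
        for name in parts[1:]:
            lname = name.lower().rstrip(".")
            if lname in WATCHED_DOMAINS:
                findings.append(("watched_name_overridden", f"{name} -> {addr}"))
            elif "." in lname and not is_internal(addr):
                findings.append(("public_name_pinned_externally", f"{name} -> {addr}"))
    return findings


def run_audit(resolv_conf: str = SAMPLE_RESOLV_CONF, hosts: str = SAMPLE_HOSTS) -> dict:
    return {"resolvers": audit_resolvers(resolv_conf), "hosts": audit_hosts(hosts)}


if __name__ == "__main__":
    for area, findings in run_audit().items():
        for kind, detail in findings:
            print(f"{area}: {kind}: {detail}")
```

On a real host you would feed it the contents of /etc/resolv.conf (or the resolvers reported by the OS) and /etc/hosts; the resolver check also catches a router that has started handing out a rogue DNS server over DHCP, because that address shows up in the same list.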
Mitigation techniques
Because a compromised DNS name server can be used to attack everyone who relies on it, and can also be abused to launch attacks on others, it is high-value infrastructure that requires strict protection measures:
Protect resolvers against cache poisoning – randomize the UDP source port and the 16-bit transaction ID of every outgoing query, and randomize the upper/lower case of letters in the query name (0x20 encoding) so that a blind attacker must guess all three before a forged answer is accepted; validate DNSSEC signatures where the zone supports them.
Watch for resolvers on your network – inventory the DNS resolvers on your network and turn off any that are not needed. Legitimate resolvers belong behind a firewall and must not answer recursive queries from the Internet; an open resolver can be poisoned and abused for amplification attacks.
Patch known vulnerabilities promptly – attackers actively scan for DNS servers running vulnerable software.
Strictly restrict access to name servers – physical security, multi-factor authentication for administrative access, a firewall, and a monitoring system can all be applied.
Separate the authoritative name server from the resolver – do not run both on the same host, so that a DDoS attack on one does not take down the other.
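The cache-poisoning description above and the first mitigation (randomized source port, transaction ID and 0x20 case) are easier to reason about with a concrete resolver. The following is an added example, not code from the original page or its sources: a toy stub resolver that builds DNS packets by hand, records what it sent, and accepts a response only when the transaction ID, the destination port, the exact casing of the question name and the answer name all match an outstanding query. The names and addresses (from the 192.0.2.0/24 and 203.0.113.0/24 documentation ranges) are constructed, and packets use no name compression.

```python
import os
import random
import struct

# Added example (not from the original page): a toy stub resolver showing which
# fields of a forged UDP response must match before it is accepted. Packets are
# built with struct; there is no network I/O. All names and addresses are constructed.


def encode_name(name: str) -> bytes:
    """Encode a dotted name in DNS wire format (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(data: bytes, offset: int):
    """Decode an uncompressed wire-format name; returns (name, offset after it)."""
    labels = []
    while True:
        length = data[offset]
        offset += 1
        if length == 0:
            return ".".join(labels), offset
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length


def randomize_case(name: str) -> str:
    """0x20 encoding: flip the case of each letter at random; servers echo it back."""
    return "".join(c.upper() if random.getrandbits(1) else c.lower() for c in name)


def build_response(txid: int, qname: str, ip: str) -> bytes:
    """Build a minimal A-record answer for qname carrying the given transaction ID."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR=1, RD=1, RA=1
    question = encode_name(qname) + struct.pack("!HH", 1, 1)  # type A, class IN
    rdata = bytes(int(o) for o in ip.split("."))
    answer = encode_name(qname) + struct.pack("!HHIH", 1, 1, 300, 4) + rdata
    return header + question + answer


class StubResolver:
    def __init__(self):
        # (txid, source port) -> query name exactly as sent, including its casing
        self.pending = {}

    def send(self, qname: str):
        """Issue a query with a random txid, random source port and 0x20 casing."""
        wire_name = randomize_case(qname)
        txid = struct.unpack("!H", os.urandom(2))[0]
        sport = random.randint(1024, 65535)
        self.pending[(txid, sport)] = wire_name
        return txid, sport

    def accept(self, dport: int, pkt: bytes) -> bool:
        """Return True only if pkt matches an outstanding query on every checked field."""
        txid = struct.unpack("!H", pkt[:2])[0]
        sent_name = self.pending.get((txid, dport))
        if sent_name is None:
            return False  # txid or port did not match: blind spoof or replay
        qname, off = decode_name(pkt, 12)  # question follows the 12-byte header
        if qname != sent_name:
            return False  # case-sensitive compare: the 0x20 check
        aname, _ = decode_name(pkt, off + 4)  # skip QTYPE/QCLASS
        if aname.lower() != sent_name.lower():
            return False  # answer is for a different name (out of bailiwick)
        del self.pending[(txid, dport)]  # one answer per query; later copies are replays
        return True


def guess_space(randomize_port: bool, letters: int) -> int:
    """Number of (txid, port, casing) combinations a blind attacker must cover."""
    space = 2 ** 16  # 16-bit transaction ID
    if randomize_port:
        space *= 65535 - 1024 + 1  # ephemeral source ports
    return space * 2 ** letters  # one bit per letter in the query name


def demo() -> dict:
    r = StubResolver()
    txid, sport = r.send("www.example.com")
    sent = r.pending[(txid, sport)]
    wrong_port = sport + 1 if sport < 65535 else sport - 1
    attacker, real = "203.0.113.5", "192.0.2.10"
    return {
        "blind_txid_guess": r.accept(sport, build_response(txid ^ 0x5A5A, sent, attacker)),
        "wrong_port": r.accept(wrong_port, build_response(txid, sent, attacker)),
        "wrong_case": r.accept(sport, build_response(txid, sent.swapcase(), attacker)),
        "legitimate": r.accept(sport, build_response(txid, sent, real)),
        "replay": r.accept(sport, build_response(txid, sent, real)),
    }


if __name__ == "__main__":
    print(demo())
```

With only the transaction ID randomized an attacker who can flood forged answers needs on the order of 65,536 guesses; adding source-port randomization multiplies that by the size of the ephemeral port range, and 0x20 encoding adds a further factor of two per letter in the name. None of these stop an on-path attacker who can see the query, which is what DNSSEC validation is for.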
Mitigation for domain owners
Domain owners can reduce the risk of their records being redirected by hardening their account at the domain name registrar:
Secure access – use two-factor authentication on the registrar account to make account takeover harder. Where the registrar supports it, restrict the IP addresses that are allowed to change DNS settings.
Client lock – check whether your registrar offers client lock (also called update lock), which blocks changes to your DNS records unless a designated user approves them.
DNSSEC – enable DNSSEC through a registrar that supports it. DNSSEC does not encrypt DNS traffic; it cryptographically signs DNS records so that validating resolvers can detect forged or tampered responses and reject them. It makes spoofing much harder, but it protects only clients whose resolvers validate signatures, and it does nothing to hide queries from an observer (that is the job of DNS over TLS or DNS over HTTPS).
References
https://www.imperva.com/learn/application-security/dns-hijacking-redirection/
https://blog.engineroomtech.com/website-security-protecting-your-networks