DNS Hijacking

DeHacker
Published in DeHacker Security
5 min read · Aug 11, 2022

DNS stands for Domain Name System. Its main function is to translate a domain name into the IP address that computers use, so that we can reach the corresponding server simply by entering the domain name. DNS therefore plays a central role in every network access. If an attacker tampers with the DNS resolution settings and points a domain name away from its legitimate IP to an illegal IP under the attacker's control, then visiting that domain name no longer opens the real website but an unreachable or fake one. This kind of attack is DNS hijacking.

According to Wikipedia's definition, DNS hijacking is the act of interfering with the resolution of Domain Name System (DNS) queries. This can be accomplished by malware that overrides a computer's TCP/IP configuration to point to a rogue DNS server under the attacker's control, or by modifying the behavior of a trusted DNS server so that it no longer complies with Internet standards. Such changes may be made for malicious purposes such as phishing; for self-serving purposes by Internet Service Providers (ISPs), the Chinese Great Firewall and public or router-based DNS server providers, who redirect users' web traffic to the ISP's own web servers in order to serve advertisements, gather statistics or pursue other purposes of the ISP; and by DNS service providers that block access to selected domains as a form of censorship.

The types of DNS attacks

Because the DNS system holds vast amounts of data and its built-in security protection is weak, it has gradually become a focus of network attacks. In recent years attacks against DNS have increased day by day, and the types of attack have become more diverse and complex. Below we briefly introduce several common types of DNS attack:

DNS hijacking

DNS hijacking is also known as domain name hijacking. In this type of attack the attacker generally obtains control of DNS resolution through malware, by modifying caches, or by taking over the domain name management system. Then, by modifying DNS resolution records or changing the resolving servers, users are directed to unreachable websites or to illegal websites controlled by the attacker, in order to obtain user data illegally and seek illegal gains.

Reflective DNS amplification attack

A DNS reflection amplification attack exploits the fact that a DNS reply packet is larger than the request packet. The attacker forges the source IP address of the request packets to be the victim's IP, so that the much larger reply traffic is directed at the victim's server.

Cache poisoning

The attacker feeds an illegal domain-name-to-address mapping to a DNS server; once the server accepts it, its cache is poisoned. There are many ways to achieve this. One is to exploit a vulnerability in the DNS cache server of the client's ISP, attacking or taking control of it so as to change the response that users of that ISP receive for the domain name. Another arises when a user's authoritative domain name server also acts as a cache server: an attacker can poison the cache and store wrong domain name records in it, so that every user of that cache server gets wrong DNS resolution results. Unlike phishing attacks that use illegal URLs, DNS cache poisoning uses legitimate URLs. Users often think they are logging in to a website they know, when in fact it is another website.

DDoS attack

By controlling many computers and forging a large number of source IP addresses, the attacker continuously sends massive numbers of DNS query requests to the target, forcing the DNS server to perform frequent global iterative queries. The result is exhaustion of network bandwidth and the inability to serve normal DNS queries. Attackers can also exploit vulnerabilities in the DNS protocol to craft an overloaded request that crashes the target DNS server.
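The two flood patterns just described, reflection amplification and query floods, leave distinct fingerprints in a server's query log: a spoofed "client" (really the victim) sending nothing but ANY queries that draw large answers, and a source walking through thousands of distinct names that all end in NXDOMAIN. The following Python is an added example of detection logic for both, not code from the article; the log format (timestamp, client, qname, qtype, request bytes, response bytes, rcode) is invented here, the log lines are constructed, and the thresholds in classify() are starting points to tune, not published values.

```python
"""Added example: flag reflection-amplification and random-subdomain flood sources
in a (constructed) DNS query log. The log format is made up for this example."""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Stats:
    queries: int = 0
    any_queries: int = 0
    req_bytes: int = 0
    resp_bytes: int = 0
    nxdomain: int = 0
    names: set = field(default_factory=set)


def parse_line(line: str):
    """Fields: epoch-time client qname qtype request-bytes response-bytes rcode."""
    ts, client, qname, qtype, req, resp, rcode = line.split()
    return float(ts), client, qname.lower(), qtype.upper(), int(req), int(resp), rcode


def aggregate(lines):
    """Per-client counters over the whole sample (treat it as one time window)."""
    stats = defaultdict(Stats)
    for line in lines:
        _, client, qname, qtype, req, resp, rcode = parse_line(line)
        s = stats[client]
        s.queries += 1
        s.any_queries += qtype == "ANY"
        s.req_bytes += req
        s.resp_bytes += resp
        s.nxdomain += rcode == "NXDOMAIN"
        s.names.add(qname)
    return stats


def classify(stats, min_queries=20, amp_ratio=10.0, any_ratio=0.5,
             unique_ratio=0.9, nx_ratio=0.8):
    """Return {client: [finding, ...]} for clients that exceed the thresholds."""
    findings = {}
    for client, s in stats.items():
        if s.queries < min_queries:
            continue
        hits = []
        amplification = s.resp_bytes / max(s.req_bytes, 1)
        # A source that only sends ANY queries and gets answers 10x larger than its
        # requests is either a spoofed victim of reflection or a scanner; rate-limit it.
        if amplification >= amp_ratio and s.any_queries / s.queries >= any_ratio:
            hits.append(f"reflection: {amplification:.0f}x amplification, "
                        f"{s.any_queries} ANY queries")
        # Almost every query a distinct name, almost every answer NXDOMAIN: the server
        # is being driven into repeated recursion for names that do not exist.
        if len(s.names) / s.queries >= unique_ratio and s.nxdomain / s.queries >= nx_ratio:
            hits.append(f"random-subdomain flood: {len(s.names)} distinct names, "
                        f"{s.nxdomain} NXDOMAIN")
        if hits:
            findings[client] = hits
    return findings


def sample_log():
    """Constructed sample: 40 spoofed ANY queries, 30 random-subdomain NXDOMAINs,
    and three normal lookups from a benign client (all addresses are documentation ranges)."""
    lines = [f"1660000000.{i:02d} 198.51.100.7 example.net ANY 61 3050 NOERROR"
             for i in range(40)]
    lines += [f"1660000000.{i:02d} 203.0.113.44 x{i:04x}.victim.example A 52 110 NXDOMAIN"
              for i in range(30)]
    lines += [f"1660000000.50 192.0.2.10 {name} {qtype} 50 120 NOERROR"
              for name, qtype in [("www.example.org", "A"), ("mail.example.org", "MX"),
                                  ("example.org", "AAAA")]]
    return lines


if __name__ == "__main__":
    for client, hits in classify(aggregate(sample_log())).items():
        print(client, "->", "; ".join(hits))
```

Run against real data, the same counters would be computed per sliding window rather than over the whole file, and a reflection finding is a reason to apply response rate limiting toward that address, not to block it outright, since the address belongs to the victim.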

How to prevent DNS hijacking?

DNS servers are highly sensitive infrastructure that requires strong security measures, because they can be hijacked by hackers and used to mount DDoS attacks on others:

Be careful with resolvers on the network: DNS resolvers that are not needed should be turned off, and legitimate resolvers should be placed behind firewalls so that they are not accessible from outside the organization;

Detach authoritative nameservers from resolvers: do not run them on the same server, so that a DDoS attack on either component will not take down the other;

Restrict zone transfers: slave nameservers can request zone transfers, which are partial copies of the DNS records and contain information valuable to an attacker, so only authorized secondaries should be allowed to request them;

Stay away from virus websites: since in many cases the attack is carried out through a Trojan horse or similar malware, it is highly recommended to stay away from virus websites in the first place. Such malware is usually delivered via video or audio codecs, cracked games or other similar free online tools;

Take action against cache poisoning: use random source ports, randomize query IDs, and randomize upper/lower case in domain names;
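The three measures in this item all work the same way: they add bits to the query that a spoofer must guess before a forged reply can be accepted, which is exactly what the cache poisoning section above relies on being easy. The following Python is an added example of a resolver applying those checks, written for this article and not taken from it or from any real resolver: it builds a query with a random transaction ID, a random source port and 0x20 case randomization, then accepts a reply only if the ID, the port, the source address and the echoed question all match. The Pending and Resolver names, the seed, and the addresses 192.0.2.53, 192.0.2.10 and 203.0.113.9 are constructed for the example.

```python
"""Added example: resolver-side checks that reject spoofed DNS replies.
A reply is accepted only if its transaction ID, the UDP port it arrives on, its
source address and the echoed question (including 0x20 letter case) all match a
query this resolver really sent."""
import random
import struct
from dataclasses import dataclass

QTYPE_A, QCLASS_IN = 1, 1


def encode_name(name: str) -> bytes:
    """Wire-format a domain name, preserving letter case exactly as given."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(x)]) + x.encode("ascii") for x in labels) + b"\x00"


def build_query(txid: int, qname: str, qtype: int = QTYPE_A) -> bytes:
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    return header + encode_name(qname) + struct.pack("!HH", qtype, QCLASS_IN)


def build_response(txid: int, qname: str, ipv4: bytes) -> bytes:
    """Reply with one A record; the answer name is a pointer to the question (0xC00C)."""
    question = encode_name(qname) + struct.pack("!HH", QTYPE_A, QCLASS_IN)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 300, 4) + ipv4
    return struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0) + question + answer


def parse_question(msg: bytes):
    """Return (txid, flags, qname exactly as on the wire, qtype)."""
    txid, flags, qdcount = struct.unpack("!HHH", msg[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    pos, labels = 12, []
    while msg[pos] != 0:
        ln = msg[pos]
        if ln & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(msg[pos + 1:pos + 1 + ln].decode("ascii"))
        pos += 1 + ln
    qtype, = struct.unpack("!H", msg[pos + 1:pos + 3])
    return txid, flags, ".".join(labels), qtype


def randomize_case(name: str, rng: random.Random) -> str:
    """0x20 encoding: pick each letter's case at random; servers echo it back."""
    return "".join(c.upper() if c.isalpha() and rng.random() < 0.5 else c.lower()
                   for c in name)


@dataclass(frozen=True)
class Pending:
    txid: int
    sport: int
    server: str
    qname: str  # the randomised-case name we actually sent
    qtype: int


class Resolver:
    def __init__(self, rng: random.Random):
        self.rng = rng
        self.pending = {}  # (source port, txid) -> Pending

    def send_query(self, qname: str, server: str):
        """Random txid, random source port, random case; remember all three."""
        txid = self.rng.randrange(1 << 16)
        sport = self.rng.randrange(1024, 1 << 16)
        p = Pending(txid, sport, server, randomize_case(qname, self.rng), QTYPE_A)
        self.pending[(sport, txid)] = p
        return p, build_query(txid, p.qname)

    def accept(self, dport: int, src_ip: str, msg: bytes):
        """Decide whether a datagram received on dport from src_ip may enter the cache."""
        try:
            txid, flags, qname, qtype = parse_question(msg)
        except (ValueError, IndexError, struct.error):
            return False, "malformed"
        if not flags & 0x8000:
            return False, "not a response"
        p = self.pending.get((dport, txid))
        if p is None:
            return False, "no query outstanding with this port/txid"
        if src_ip != p.server:
            return False, "wrong source address"
        if qname != p.qname or qtype != p.qtype:
            return False, "question mismatch (0x20 case or type)"
        del self.pending[(dport, txid)]
        return True, "ok"


def demo():
    """Constructed scenario: one real reply from 192.0.2.53 and three spoofed ones."""
    resolver = Resolver(random.Random(7))  # fixed seed so the run is reproducible
    p, _ = resolver.send_query("www.example.com", "192.0.2.53")
    genuine = build_response(p.txid, p.qname, bytes([192, 0, 2, 10]))
    bad_ip = bytes([203, 0, 113, 9])
    wrong_txid = build_response((p.txid + 1) & 0xFFFF, p.qname, bad_ip)
    wrong_case = build_response(p.txid, p.qname.swapcase(), bad_ip)  # txid guessed, case not
    return {
        "wrong_txid": resolver.accept(p.sport, "192.0.2.53", wrong_txid),
        "wrong_case": resolver.accept(p.sport, "192.0.2.53", wrong_case),
        "wrong_port": resolver.accept((p.sport + 1) & 0xFFFF, "192.0.2.53", genuine),
        "genuine": resolver.accept(p.sport, "192.0.2.53", genuine),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:>10}: {verdict}")
```

The point of the demo is the arithmetic: a 16-bit transaction ID alone gives a spoofer one chance in 65536 per forged packet, while a random port adds roughly 16 more bits and each letter of the name adds one, so a guess has to be right on all of them at once. Production resolvers implement the same idea (Unbound, for instance, exposes the case trick as the use-caps-for-id option); this example only makes the checks visible.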

Use a VPN service: using a VPN service is also one of the most common and effective ways to protect yourself from DNS hijacking. A VPN encrypts all internet traffic and sends it through a virtual tunnel; since this includes all DNS and web traffic, a hijacker has no way to decipher your traffic, which ultimately means you don't have to deal with any annoying or dangerous redirects;

Patch known vulnerabilities immediately: hackers actively search for vulnerable DNS servers;

Strictly restrict access to name servers: physical security, multi-factor access control, firewalls, and network security measures should all be used.
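Several of the items above (turning off unneeded resolvers, separating authoritative servers from resolvers, restricting zone transfers, random source ports) are settings rather than procedures. The fragments below are an added example of how they look in BIND 9's named.conf, written for this article and not taken from it: first a weak single-server configuration, then the hardened split into an authoritative host and an internal resolver host. The addresses and ACL names (secondaries, internal, 192.0.2.2, 10.0.0.53 and so on) are placeholders; the options themselves (recursion, allow-recursion, allow-transfer, query-source, rate-limit, dnssec-validation) are standard BIND 9 options, assumed to be available in the version you run.

```conf
// --- WEAK: one named.conf doing everything ---------------------------------
// Authoritative and open-recursive on the same box, zone transfers to anyone,
// and the UDP source port pinned, which throws away source-port randomisation.
options {
    recursion yes;
    allow-query { any; };
    allow-transfer { any; };
    query-source address * port 53;   // fixed port: spoofer only has to guess the txid
};

// --- HARDENED, host 1: authoritative-only named.conf -----------------------
acl secondaries { 192.0.2.2; 2001:db8::2; };     // placeholder secondary addresses
options {
    recursion no;                     // never answers recursive queries for anyone
    allow-query { any; };             // the public must be able to ask for our zones
    allow-transfer { secondaries; };  // only listed secondaries may pull the zone
    rate-limit {                      // response rate limiting blunts reflection abuse
        responses-per-second 10;
        slip 2;
    };
    version "not disclosed";
};

// --- HARDENED, host 2: internal recursive resolver named.conf ---------------
acl internal { 10.0.0.0/8; 127.0.0.1; };        // placeholder internal networks
options {
    listen-on { 10.0.0.53; };         // not reachable from outside the organisation
    recursion yes;
    allow-query { internal; };
    allow-recursion { internal; };
    allow-query-cache { internal; };
    allow-transfer { none; };         // a resolver has no zones to hand out
    dnssec-validation auto;           // forged answers for signed zones fail validation
    // query-source deliberately left unset so each query gets a random UDP port
};
```

Transfers to the secondaries are normally also authenticated with a TSIG key (a `key` statement referenced from the allow-transfer list) so that an address on the allow list cannot be spoofed; the firewall in front of host 2 should still drop port 53 from outside, since the ACL is a second line of defence, not the first.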

About DeHacker

DeHacker is a team of auditors and white hat hackers who perform security audits and assessments. With decades of experience in security and distributed systems, our experts focus on the ins and outs of system security. Our services follow clear and prudent industry standards. Whether it’s reviewing the smallest modifications or a new platform, we’ll provide an in-depth security survey at every stage of your company’s project. We provide comprehensive vulnerability reports and identify structural inefficiencies in smart contract code, combining high-end security research with a real-world attacker mindset to reduce risk and harden code.

Website | Twitter | Blog | Telegram
