2022's best place for Cybersecurity Insights and Advice for Everyone

#1 - Signup to our list and get regular insights and advice on how to be cyber safe.

By entering your email address you agree to receive emails from EveryDayCyber. We'll respect your privacy and you can unsubscribe at any time.

What is DNS Hijacking?

by Cyberguy | Last Updated | October 20, 2021
Cyber Dictionary|CyberSecurity - SMB

DNS hijacking is no laughing matter. It is a serious security threat that is encompassing the cyber world. 

The results of the 2021 Global DNS Threat Report done by security firm EfficientIP in collaboration with the International Data Corporation (IDC) are alarming. The report is now in its seventh year.

The figures depict the critical role of DNS for network security, both as a security safeguard and threat vector. Here are the highlights of the report:

Attackers targeted organizations relying on remote work as a result of the pandemic. They have also diversified their toolkits to enable them to carry out more sophisticated attacks.

About 87% of organizations surveyed suffered DNS attacks, experiencing an average of 7.6 attacks. The report estimated the cost of each attack to be around $950,000.

The most affected country was India with an average of 10 attacks. Malaysia, Spain and France also experienced significant increases in damages.

Aside from DNS hijacking, the EfficientIP report included other forms of attacks that increased, such as:

The report also showed a noticeable increase in data theft caused by DNS attacks. Among the organizations surveyed, 26% reported that sensitive customer data were stolen.

That is the sad state of the world’s DNS security systems in 2020. But not all is lost. The EfficientIP report suggests three recommendations to protect data, cloud services, apps and users that include the following:

What is a DNS?

To better understand DNS hijacking, let us look at some basic things about a DNS or domain name system. 

Every device connected to the Internet has its own Internet Protocol (IP) address to identify itself when communicating with other devices. When browsers want to connect to a website, they type the domain name of that website in the search bar instead of the IP address, which is a string of alphanumeric characters. 

For example, if I want to access the website of XYZ Company, I enter its domain name xyzcompany.com instead of its IP address of, say, 192.120.1.2. The DNS turns human readable domain names into unintelligible numeric IP addresses. This eliminates the need for browsers to memorize boring, lengthy numbers, while feeding machines with something they work best with — numbers.

How does DNS work?

When you type a URL into the search bar, this URL has to go through four servers that work together to find and deliver the correct IP address to you. They include:

DNS recursor

Also known as DNS resolver, the DNS recursor receives queries from DNS clients. Then it communicates the queries to the other three DNS servers.

Root nameserver

The root nameserver contains the root zone which is home to various specific locations. The job of the root nameserver is to answer requests sent to it by sending back a list of the authoritative nameservers that go with the top level domain (TLD).

TLD nameserver

The TLD, or top level domain, nameserver hosts the IP addresses of the second level domains contained in the TLD. It then releases the IP address of the specific website and sends the query to the domain’s nameserver. 

Authoritative nameserver

The authoritative nameserver is the last stop in the query. If it has access to the requested record, it will return the requested IP address back to the DNS recursor that made the initial request.

What is DNS Hijacking - DNS process

#2 So here we are at the middle of the post. We still think it's a good idea to signup.

By entering your email address you agree to receive emails from EveryDayCyber. We'll respect your privacy and you can unsubscribe at any time.

What is DNS hijacking and how does it work?

So now we know the role of DNS when we are surfing the net. It plays the crucial function of helping us go to websites and accounts we need in our businesses, jobs and daily lives. But we also know that domain name systems are vulnerable to attacks. 

Cyber criminals are aware that a domain name system is a trusted protocol and use it as a significant part of the attack process. Also called a redirection attack, DNS hijacking is an attack on a domain system. It could be a vicious move to redirect website users to malicious websites or an attack on the DNS to make it unavailable.

How DNS hijacking works

Why would attackers want to hijack a DNS? 

The most obvious reason for hijacking DNS is money. Profiteering hijackers steal money from users’ bank accounts, credit cards or sell stolen personal data on the dark web.

In other cases, crooks resort to DNS hijacking for phishing purposes. They hijack the DNS to redirect users to malicious websites that are aimed at stealing users’ credentials and other data. Some hackers also use DNS hijacking for pharming, a scheme similar to phishing in that users are redirected to fake sites. In pharming, these fake sites display unwanted ads which, when clicked, generate revenue for the hackers.

It is also common knowledge that some Internet Service Providers (ISPs) use DNS redirection to collect data from users to tailor ads in line with their preferences. A few government agencies also use DNS hijacking for censorship.

What are the types of DNS hijacking?

When attackers hijack your DNS, they are able to intercept your email communications and entire web traffic. They do it in various ways which brings us to the types of DNS hijacking.

DNS Cache Poisoning

DNS cache poisoning is how hackers achieve DNS spoofing, by replacing DNS data that redirects users to an unsafe, hacker controlled website.

What is DNS Hijacking - Dns Cache Poisoning

DNS Spoofing

DNS spoofing is the process where users are actually redirected to an unsafe or hacker controlled website because the cache poisoning process worked, making users vulnerable to cyber threats and data being stolen.

DNS Hijacking - Dns Spoofing

Local DNS hijacking

This type of hijacking happens when cyber criminals hack an internal computer to install Trojan malware disguised as legitimate software. Once inside the computer, the Trojan gives hackers access to the computer’s network systems to steal data and change the DNS settings to redirect requests to fake websites. 

Router DNS hijacking

DNS routers are often the first points of attack because criminals know that many users do not change their default admin login credentials from the time the devices were delivered. A DNS router is a piece of hardware used by domain name service providers to link domain names to their corresponding IP addresses. 

Hijackers target vulnerable DNS routers and once logged in, they override and reconfigure the DNS settings to redirect traffic to their own server to control the conversion of a domain name to an IP address. They then send users to malicious sites to enable them to do their craft.

Man-in-the-middle DNS hijacking

In a man-in-the-middle attack, fraudsters operate within the communication of a network server and a DNS server to intercept information. Many DNS requests lack encryption. This enables criminals to read, manipulate and map out the communications to a malicious IP address. The genuine DNS server is bypassed and never gets to receive the request.

What is DNS Hijacking - Man in the Middle

Rogue DNS hijacking

Rogue hijacking involves the Internet service provider’s domain name server. Hackers get partial control of the server so that even if users technically access the “correct” server, they can still be redirected to harmful websites.

Domain name server providers with sufficient resources at their disposal have boosted their security standards. However, hackers are similarly improving their techniques and if they do gain access, an enormous number of users can be compromised. 

How to prevent DNS hijacking

Have you ever experienced site unavailability, browser redirects, slow downs, frequent pop-ups and other unusual behavior of your device when browsing? Chances are you may be a victim of DNS hijacking attempts. Here are some ways of mitigating DNS hijacking.

Preventive measures for nameservers

A “nameserver” is a valuable part of the domain name because it connects a URL to its corresponding IP address hosted in the website’s server. As such, it must be protected with powerful security measures to prevent hackers from launching attacks, such as:

Preventive measures for website owners

Website owners using a Domain Name Registrar should take the following steps to avoid DND redirection:

Preventive measures for website users

Website users can help prevent DNS hijacking by: 

Impact of DNS hijacking to business

The impact of DNS hijacking to business varies depending on the threat. If the attack is on privacy or confidentiality, the impact may be minimal. 

What could end up with a huge impact is a DNS hijacking that involves data breach on personal information. The business owner could face legal action and hefty damages.

Financial institutions like banks, credit card companies and lenders are especially vulnerable and are the favorite targets of criminals. If personal information of their clients are leaked or stolen in a DNS attack, they could suffer massive financial losses and loss of trust and confidence.

DNS Hijacking - Use Case Example

Owners of legitimate sites that are spoofed could also experience irreparable brand damage, lawsuits and financial losses.

For online business owners, lengthy outage bouts caused by DNS attacks could lead to massive loss of sales, opportunity and reputation.

In the final analysis, DNS hijacking is a clear and present danger to all things online. It is one of the most sophisticated, often unnoticed, cyberattacks. The bad actors are stepping up their hijacking strategies on businesses, government agencies, healthcare systems, educational institutions and other important organizations.

While the threats are real, they can be prevented if you stay vigilant to security alerts and detect the symptoms early on. By employing DNS hardware and software best practices, patching vulnerabilities proactively and responding to security alerts quickly, your core network services should remain secure. 

From now on, be on the lookout for unusual activity on your website and take immediate action on the first suspicion of a threat.

#3 You really should sign up. "Scouts Promise" ... it really will help you stay cyber safe.

By entering your email address you agree to receive emails from EveryDayCyber. We'll respect your privacy and you can unsubscribe at any time.