Tuesday, January 19, 2016

What is DNS Hijacking ?

When we want to visit a website, we simply type the URL of the website in the address bar of the browser and the webpage loads. We do not need to memorize the IP address of the website. This process is called Domain Name Resolution. And, the servers responsible for this are called DNS Servers.







How Domain Name Resolution Works


When we type a URL of a website in the address bar of the browser, our computer contacts the Domain Name Servers or DNS Servers to resolve the IP address of the website. These DNS Servers are coordinated by ICANN or Internet Corporation for Assigned Names and Numbers. Normally, our computer uses a DNS Server which is used by our ISP or Internet Service Provider.


So, our computer makes a DNS query with the URL to the DNS Server and the corresponding DNS Server responds with proper IP address. And, using this IP address our browser opens the website in the browser.



What is DNS Hijacking


Our computer opens a website using the IP address that the DNS Server has returned. In case of DNS Hijacking, an attacker changes the DNS settings in a computer, so that, whenever the computer makes a DNS query to resolve some IP address, a rogue DNS Server controlled by the attacker is contacted instead of the actual DNS Server used by our ISP. This normally happens when the computer is infected by a malware like DNSChanger Trojan. The malware infects a computer and then changes the DNS settings, replacing the authentic DNS Server with a malicious one.

As a result, the victim computer obtains a malicious IP address of attacker's website, instead of the intended IP address and the browser ends up opening the malicious website.




Purpose of DNS Hijacking


An attacker may have many nefarious purposes behind DNS Hijacking. One such purppose may be Pharming, in which lots of innocent traffic is forwarded to a website to generate advertising revenue illegitimately. For example, you may type facebook.com and end up being a website full of pop-ups and advertisements and controlled by hackers to generate monetary revenues.

Another purpose may be Phishing. In that case, the attacker may create a website that looks like a legitimate website and asks for actual username and password. The attackers can use those credentials for hacking the account and doing other malicious activities.

And, the other purpose may be spreading malware. If a malicious website opens up, it can easily spread malware even on just visiting the website, using Drive-By Download.




Prevention Mechanisms



There are a couple of steps that we can take to prevent DNS Hijacking.


  • Keep your Operating Systems updated with recent patches. Most of the cases, malware infects a computer exploiting the security vulnerabilities of Operating Systems. Normally, the more updated an Operating System is, the less vulnerabilities it has.
  • Keep your browser or other commonly used software updated with recent patches, so that they have less security vulnerabilities.
  • Keep your computer updated with an anti-malware program from a trusted source.
  • Do not download any software from any untrusted sources. They are very likely to contain malware.
  • Use a good firewall. Though hardware based firewall is the best, but in case you do not have it, you can turn on router firewall.
  • In case you are a victim of DNS Hijacking, do not panic ! Recovering from DNS Hijacking is fairly simple. Look into your DNS Settings and check whether it contains any suspicious looking blacklisted DNS Servers. If yes, simply change the DNS Settings as per your ISP's guidelines and remove the malware with a good anti-malware program.



So, beware of the recent threats so that you can protect yourself better and stay safe, stay secured.

No comments:

Post a Comment