With the increasing shift towards a mobile workforce, businesses need to be informed that DNS monitoring is a paramount to protect their financial assets and reputation. There has been an alarming increase in the number of DNS hijacking attacks worldwide. A recent report highlighted that the DNS hijacking attack resulted an average cost of USD 950,000 across all sectors. These high costs can be avoided with effective DNS hijacking prevention.
DNS Hijacking: A Deep Dive
DNS hijacking is an attack-type wherein the DNS records are tampered with/ TCP/IP configurations replaced and DNS queries are incorrectly resolved to unexpectedly redirect users to malicious websites. It is also known as DNS redirection. To orchestrate this attack, attackers may intercept the DNS communications, install malware on users’ devices, take over routers, and so on.
How Does DNS Hijacking Work?
DNS or Domain Name System is the way in which a human-readable domain name (such as www.example.com) gets converted into machine-readable IP addresses to service requests for web and email content.
Typically, when a DNS query is initiated for a particular domain name, for instance, www.example.com, on the browser, a request is sent to the DNS Resolver. The DNS resolver tracks down the associated IP address by communicating with top-level domains and root servers. Finally, a response is sent to the device.
In the case of DNS hijacking, the strategies used for the attack may vary, but the flow is as follows.
- The attacker creates a malicious/ fraudulent website similar to their target website.
- The attacker leverages a targeted attack (usually phishing or spear-phishing) to obtain login credentials to the admin panel of the targeted website’s DNS provider.
- In the DNS admin panel, the attacker tampers with the DNS records for the targeted website so that the users will be redirected to the malicious request.
- When innocent users go to the URL of the compromised website, they are redirected to the malicious website. Since the browser still displays the original URL and the website contains SSL, the user believes that the website they are visiting is the legitimate one.
- The users end-up sharing their login credentials, credit card details, or other sensitive information on the fake website, to be harvested by the attacker later.
Types of DNS Redirection Attacks
- Local DNS hijacking attacks wherein attackers change the local DNS settings by installing malware on the user’s device to redirect them to the malicious website.
- Router DNS hijacking attacks wherein attackers take advantage of the routers that use default passwords or those containing firmware vulnerabilities to take over the router and tamper with the DNS settings, thereby, impacting all the connected users.
- Man-in-the-middle DNS attacks wherein attackers intercept the DNS communications to route users to the different destination IP addresses belonging to malicious websites.
- Rogue DNS Server wherein attackers change the DNS records by hacking the DNS server to redirect users to malicious websites.
Why is DNS Hijacking Dangerous?
DNS hijacking is used by attackers for:
- Pharming (displaying unwanted ads for revenue generation)
- Phishing attacks
- DNS-based malware attacks
- DDoS attacks
- DNS tunneling
- Zero-Day vulnerabilities
- DNS Spoofing, etc.
Causing More Than Just Monetary Losses
The average cost of DNS hijacking is USD 950,000 as mentioned earlier. While the financial damage forms a significant part of the cost of these attacks, it isn’t the only contributor. The common ramifications of these attacks are:
- Financial damage permeating from:
- Application and cloud service downtimes
- Loss of customer trust
- High customer attritions
- Impediments to time-sensitive transactions
- Massive reputational and brand damage
- Penalties and legal costs
- Stolen Information from the compromised website
How to Prevent DNS Hijacking?
DNS hijacking prevention needs to be implemented at all the levels, starting from the DNS provider to website owners and end-users.
DNS Hijacking Protection: What DNS Providers Must Do?
- Strengthen access controls and enforce multi-factor authentication to access DNS admin panels.
- Place legitimate DNS resolvers behind the next-gen firewalls and remove unnecessary resolvers.
- Severely restrict access to the DNS name servers, a highly sensitive infrastructure.
- Do not run authoritative name servers and resolvers on the same server.
- Restrict zone transfers (partial copy of DNS records), since zone records contain information useful to attackers.
- Instantly patch all the vulnerabilities, at least through virtual patching.
What Website Owners Can Do to Prevent DNS Hijacking?
- Enforce multi-factor authentication for DNS registrar access.
- Define a whitelist of the IP addresses allowed to access the DNS settings.
- Implement client lock if your DNS registrar allows it.
- Use a DNS registrar that supports DNSSEC to digitally-sign DNS communications.
- Use a global CDN-based DDoS protection service like AppTrana to ensure no DNS queries directly reach the origin server.
- Change the default passwords.
- Update the router’s firmware.
- Detect and instantly patch the vulnerabilities.
The Way Forward
DNS hijacking attacks are costly, so take proper precautions to stay as safe as possible. Organizations must harden their application security and prevent DNS hijacking.
