The novice’s guide to DNS hijacking
July 18, 2019
Featured article by Micke Ahola, Independent Technology Author
DNS hijacking is a serious cybersecurity threat. Compromised DNS can be used to serve you spam advertisements and to direct you to phishing websites, which are designed to steal things like passwords and bank credentials. While DNS hijacking poses a real danger to your online activity, it is unfortunately something that many people have never even heard of.
If you’re still wondering what DNS even means, don’t worry. In this article we will go through what DNS is, how it can be compromised, and how you can prevent your own DNS queries from being hijacked to keep your online browsing safe.
What is DNS?
Each computer that connects to the internet has a unique IP (Internet Protocol) address that can be used to identify it, and the same is true for web pages. When you visit a website such as Google, you enter a text-based URL into your search bar and are served the page with the IP address for that URL. How does your browser know which number corresponds with which web page? By asking the DNS.
DNS (Domain Name Servers) are essentially servers that keep a long list of web domains (website names) and the IP addresses that they correspond to. Your computer simply needs to know the address of a DNS – usually provided by your ISP (Internet Service Provider) – and the DNS will check its list before sending back the IP address of the website you wish to visit.
How DNS can be hijacked
While the DNS system works well in many ways, things are – as always – not quite so simple in the real world. Since there are an incredible number of websites on the internet and more are created all the time, no single DNS holds all the web domains and their addresses. As such, your DNS queries are likely to go through a whole series of servers before getting to their destinations.
Since the entire system relies on trust, the process can break down when just one server gets compromised and directs your query the wrong way. A compromised DNS can send you to a different website from the one you intended to visit. This is particularly dangerous when used for phishing, when the website you are sent to pretends to be the website you wanted to end up on.
Your DNS queries can also be hijacked before they even get to the first server. Malware programs can edit the internet settings on your computer and send all your queries to whichever DNS or web server the cybercriminal chooses. Routers are also common targets for DNS hijacking, as a compromised router can control where all the DNS queries from its network are sent.
Why does DNS hijacking happen?
The most profitable reason for cybercriminals to perform DNS hijacking is its ability to divert you to phishing websites. For example, you may have entered your bank’s website in the address bar of your browser, but a compromised router or DNS sends you to a cybercriminal’s web server – which serves you a fake version of your bank’s web page instead. Once you enter your details, the cybercriminal has access to your bank account.
Another frustrating, though less serious, form of DNS hijacking is that carried out by ISPs. If you try to access a website that doesn’t exist – often done by mistyping a website address – your ISP’s DNS may realise that the website doesn’t exist and route you to a website with advertising instead. This type of advertising can provide a major source of income to ISPs, but can be annoying to have to deal with.
Lastly, you can experience simple DNS leaks as well as hijacks. A DNS leak is something that can occur when you’re trying to conceal your IP address online using a VPN (Virtual Private Network) tool, whereby instead of hiding your IP and keeping your privacy protected, DNS requests can leak your IP address to third parties and leave you at risk.
How to check if your DNS is vulnerable
The easiest way to check if your DNS queries are leaking is to use a DNS leak test. Many of them, such as HMA!’s free DNS Leak Test, are available online for free and only take a moment to tell you if your DNS queries are vulnerable.
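Two local checks that complement an online leak test, as an added example that is not part of the original article: the first flags configured DNS servers you did not choose (the changed-settings case described above), the second looks up names that should not exist to spot the ISP-style redirection. It assumes a resolv.conf-style settings file; the sample file, the expected networks and all function names are constructed for illustration.

```python
import ipaddress
import secrets
import socket

# Constructed sample in resolv.conf format (addresses are documentation ranges).
SAMPLE_RESOLV_CONF = """\
nameserver 192.168.1.1
nameserver 203.0.113.53
; nameserver 10.0.0.1
nameserver fe80::1%eth0
"""

def configured_resolvers(text):
    """Return the nameserver addresses listed in resolv.conf-style text."""
    servers = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            try:  # drop an IPv6 zone id such as %eth0 before parsing
                servers.append(ipaddress.ip_address(fields[1].split("%")[0]))
            except ValueError:
                pass  # malformed entry
    return servers

def unexpected_resolvers(text, expected_networks):
    """Resolvers outside every network you expect your queries to go to."""
    nets = [ipaddress.ip_network(n) for n in expected_networks]
    return [s for s in configured_resolvers(text)
            if not any(s.version == n.version and s in n for n in nets)]

def system_lookup(name):
    """Resolve through the OS resolver; an empty list means no such name."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(name, None)})
    except socket.gaierror:
        return []

def rewritten_nxdomain_answers(lookup=system_lookup, probes=3):
    """Look up random names that should not exist; any answer is suspicious."""
    answers = {}
    for _ in range(probes):
        name = secrets.token_hex(16) + ".com"  # random label, almost certainly unregistered
        if addresses := lookup(name):
            answers[name] = addresses
    return answers

if __name__ == "__main__":
    print(unexpected_resolvers(SAMPLE_RESOLV_CONF, ["192.168.1.0/24", "fe80::/10"]))
    print(rewritten_nxdomain_answers())
```

A non-empty result from the second check means something between you and the real DNS is answering for names that do not exist; captive portals on public Wi-Fi produce the same effect.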
How to prevent DNS hijacking
DNS hijacking can come from many different angles. These are some of the steps you should take to ensure that your computer, router and the DNS you use are safe from being hijacked:
- Ensure you have an up-to-date antivirus. Since malware can divert your DNS queries from the start, using an effective antivirus program is essential for protecting your web traffic.
- Change your router password. Routers often come with default passwords which leave them highly vulnerable to attack if you don’t change them. Also make sure to install any available firmware updates to ensure your router is up-to-date and patched against vulnerabilities.
- Use a VPN. To ensure that your DNS queries won’t be diverted by a rogue server, use a VPN you can trust. VPNs divert your web traffic – including DNS queries – through their own servers, preventing it from being hijacked or snooped on along the way. Reliable VPNs cost a few pounds a month, but are one of the most effective solutions to online privacy. While VPNs can sometimes leak DNS requests, this is a dramatic improvement on DNS requests not being concealed at all.
In the end, the most important thing about cybersecurity is being aware of the threats. If you are ever being diverted to websites filled with ads or suspect you may be being served fake phishing sites, ensure that you’ve taken precautions and are not leaving yourself as easy prey for cybercriminals.
About the Author
Micke Ahola is a professional researcher and copywriter, specialising in technology news and cyber security advice.