When a group of hackers known as the Syrian Electronic Army took over the web domain of The New York Times in 2013, the website became unavailable. Even after service was restored, the hijackers disrupted the site a second time. In 2016, in a massive case of bank fraud that lasted over six hours, a Brazilian bank’s websites were taken over, and online customers were routed to the attackers’ phishing sites. In all cases, the attackers used DNS hijacking.
Cybercriminals know that DNS – or Domain Name System – is a trusted, ubiquitous protocol, and many organizations don’t monitor their DNS traffic for malicious activity. Because of this, DNS can serve as the medium for a variety of attacks against company networks. In fact, DNS-based attacks have been on the rise in the last decade.
DNS is the protocol that translates human-friendly URLs into machine-friendly IP addresses. Once you initiate a query by typing www.paloaltonetworks.com into your browser, for instance, a request is sent to a DNS resolver, a computer that tracks down the IP address – in this case, 188.8.131.52. The DNS resolver does this by communicating with top-level domain and root servers, and then sending a response back to your computer.
Here are two common ways in which DNS hijacking occurs:
DNS hijacking can be used for phishing, to serve users statistics or advertisements, or to collect user information.
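Because a hijacked name shows up as a changed answer in the DNS response, one way to monitor for it is to parse responses and compare the returned addresses with a known-good baseline. The sketch below is an added example, not code from the original article; the name `www.example.test`, the baseline network and the sample packet are constructed assumptions.

```python
import ipaddress
import struct

def read_name(msg, off):
    """Decode the DNS name at off; return (name, offset just past it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            end = off + 2 if end is None else end
            off = ((length & 0x3F) << 8) | msg[off + 1]
            if (hops := hops + 1) > 16:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            return ".".join(labels), (off if end is None else end)
        labels.append(msg[off:off + length].decode("ascii").lower())
        off += length

def a_records(msg):
    """Return (queried name, [IPv4 answers]) from a raw DNS response."""
    _id, flags, qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    if not flags & 0x8000:
        raise ValueError("not a DNS response")
    off, qname, addrs = 12, "", []
    for _ in range(qd):
        qname, off = read_name(msg, off)
        off += 4  # skip QTYPE and QCLASS
    for _ in range(an):
        _, off = read_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:  # IN A record
            addrs.append(str(ipaddress.IPv4Address(msg[off:off + 4])))
        off += rdlen
    return qname, addrs

def unexpected_answers(msg, baseline):
    """Answers outside the networks recorded for the queried name."""
    qname, addrs = a_records(msg)
    nets = [ipaddress.ip_network(n) for n in baseline.get(qname, [])]
    return [a for a in addrs if not any(ipaddress.ip_address(a) in n for n in nets)]

# Constructed response for www.example.test carrying two A records.
SAMPLE = (bytes.fromhex("123481800001000200000000")
          + b"\x03www\x07example\x04test\x00" + bytes.fromhex("00010001")
          + bytes.fromhex("c00c000100010000003c0004c000020a")
          + bytes.fromhex("c00c000100010000003c0004cb007107"))
BASELINE = {"www.example.test": ["192.0.2.0/24"]}  # assumed known-good range
print(unexpected_answers(SAMPLE, BASELINE))
```

A name with no baseline entry has every answer reported, so the baseline needs to cover each domain being watched.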
How do you stop attackers from using DNS against you? Read our white paper to learn the steps you can take to stop DNS attacks.