What Is DNS Hijacking?

DNS hijacking has been used to take over the web domain of The New York Times. What is it, and how does it work?


When a group of hackers known as the Syrian Electronic Army took over the web domain of The New York Times in 2013, the website became unavailable. Even after service was restored, the hijackers disrupted the site a second time. In 2016, in a massive case of bank fraud that lasted over six hours, a Brazilian bank’s websites were taken over, and online customers were routed to the attackers’ phishing sites. In all cases, the attackers used DNS hijacking.

 

Cybercriminals know that DNS – or Domain Name System – is a trusted, ubiquitous protocol, and many organizations don’t monitor their DNS traffic for malicious activity. Because of this, DNS can serve as the medium for a variety of attacks against company networks. In fact, DNS-based attacks have been on the rise in the last decade.

 

DNS is the protocol that translates human-friendly URLs into machine-friendly IP addresses. Once you initiate a query by typing www.paloaltonetworks.com into your browser, for instance, a request is sent to a DNS resolver, a computer that tracks down the IP address – in this case, 199.167.52.137. The DNS resolver does this by communicating with top-level domain and root servers, and then sending a response back to your computer.

Here are two common ways in which DNS hijacking occurs:

  1. “Man-in-the-middle” attacks: An attacker intercepts a user’s DNS requests and redirects them to the attacker’s own compromised DNS server.

  2. Attacks that use malware: An attacker infects a victim’s machine through email or other malicious activity. The malware changes the victim’s settings and redirects DNS requests to the attacker’s DNS server. As long as the user’s browser displays the original URL, the user will likely believe the website is genuine. Roaming Mantis, one such piece of malware, infected Android-based tablets and smartphones around the world in 2018.
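One way to check for the redirection described in the list above, as an added example that is not part of the original article: the Python below flags resolver settings and port-53 traffic that point outside a sanctioned resolver set. The resolver addresses, the resolv.conf text and the four-field flow-record format are constructed assumptions.

```python
import ipaddress

# Assumption: the organisation's sanctioned resolvers (constructed documentation addresses).
APPROVED_RESOLVERS = {ipaddress.ip_address("192.0.2.53"), ipaddress.ip_address("192.0.2.54")}

# Constructed sample: resolver settings after a second, unsanctioned server was added.
SAMPLE_RESOLV_CONF = """\
# constructed sample file
search corp.example
nameserver 192.0.2.53
nameserver 203.0.113.66
"""

# Constructed sample flow records, one per line: "client_ip dest_ip dest_port protocol".
SAMPLE_FLOWS = """\
10.0.0.21 192.0.2.53 53 udp
10.0.0.37 203.0.113.66 53 udp
10.0.0.37 203.0.113.66 53 udp
10.0.0.21 198.51.100.10 443 tcp
10.0.0.44 198.51.100.99 53 tcp
"""

def unapproved_nameservers(resolv_conf, approved=APPROVED_RESOLVERS):
    """Return nameserver entries in resolv.conf text that are not sanctioned."""
    rogue = []
    for line in resolv_conf.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "nameserver":
            continue  # comments, search/options lines, blanks
        try:
            addr = ipaddress.ip_address(fields[1])
        except ValueError:
            rogue.append(fields[1])  # an unparseable entry is itself worth review
            continue
        if addr not in approved:
            rogue.append(str(addr))
    return rogue

def clients_bypassing_resolvers(flows, approved=APPROVED_RESOLVERS):
    """Map each client to the unsanctioned servers it sent port-53 traffic to."""
    findings = {}
    for line in flows.splitlines():
        fields = line.split()
        if len(fields) != 4 or fields[2] != "53":
            continue  # malformed record or not DNS over port 53
        client, dest = fields[0], ipaddress.ip_address(fields[1])
        if dest not in approved:
            findings.setdefault(client, set()).add(str(dest))
    return findings
```

The flow check only sees classic DNS on port 53; DNS carried over HTTPS or TLS needs separate egress controls.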

 

DNS hijacking can be used for phishing, to serve users statistics or advertisements, or to collect user information.

How do you stop attackers from using DNS against you? Read our white paper to learn the steps you can take to stop DNS attacks.