Domain Name System hijacking (DNS hijacking) is a tactic used to redirect you to websites different from the ones you intend to visit, usually to steal your personal data, display unwanted ads, or impose internet censorship.
Jump to…
What is DNS?
How DNS hijacking works
Why are DNSs hijacked?
Common types of DNS hijacking attacks
How to detect DNS hijacking
Ways to prevent DNS hijacking
DNS hijacking vs DNS spoofing vs cache poisoning
Real-world examples of DNS hijacking
What is DNS?
The Domain Name System (DNS) is the part of the internet that translates human-friendly domains (such as www.expressvpn.com) to computer-friendly IP addresses (long strings of numbers), which in turn allow your computer to connect where it needs to and load the correct pages.
Every time you try to visit a web page by clicking on a link or typing in a URL, a DNS lookup occurs before you are brought to the correct web page. Your ISP and Wi-Fi admin can see what you’re looking at through DNS information. When you connect with ExpressVPN turned on, our servers handle all of your DNS requests—not your ISP. In fact, because ExpressVPN secures your traffic, your ISP can’t even tell if you make a DNS request. We never log DNS requests, and when we look up a name on your behalf, all any other DNS server can see is our server address—they can never see you.
Want to know more about what a DNS does? Watch the video below:
How DNS hijacking works
When a computer reaches out to a DNS server to find a website, it doesn’t check whether it’s connecting to the correct server. This enables attackers to imitate the DNS server and deliver incorrect responses.
It is also possible for a DNS server itself to poison its records. This means replacing the IP address of the site you want to visit with that of another site or simply removing the IP address altogether. This is similar to altering a phone book, removing certain names or companies or swapping a listing’s address to that of another company.
DNS hijacking makes it possible for a sophisticated attacker to impersonate websites, gathering personal information such as passwords and IP addresses.
Why are DNSs hijacked?
As DNS is one of the most important aspects of the internet, it’s subsequently a target of various forms of attack for a range of reasons, like the following:
Display ads to generate revenue
Attackers can hijack your DNS to display unwanted ads and generate revenue using a technique known as pharming. In a less fraudulent sense, your internet service provider can also manipulate your DNS requests to show ads to you.
Steal your personal information
DNS hijackers will redirect you to fake websites that look like legitimate ones, aiming to steal your login credentials and other of your personal data. This is a common technique known as phishing.
Government or organizational censorship
Governments can use DNS hijacking to suppress political opposition or prohibit certain online content. Users won’t be able to access the censored website and will be redirected to a different website. Schools and organizations can also manipulate DNS requests to prevent inappropriate content from showing to their users.
Common types of DNS hijacking attacks
Local DNS hijack
Attackers start by installing malware on a user’s computer. The attacker can then change your DNS settings and redirect you to malicious websites, usually to steal your personal data.
Router DNS hijack
An attacker can change your router’s DNS settings by exploiting software vulnerabilities. They can also break into your router’s configuration page with the default username and password. This allows them to redirect you to malicious websites to obtain your personal information or do harm to your device. That’s why it’s important to keep your router updated to repair vulnerabilities. (ExpressVPN for routers updates automatically to save you the hassle!)
Router vulnerabilities
This vulnerability also goes through the router. In this case, attackers take advantage of a vulnerability in your router, and they change your DNS configurations to hijack them. Ensure your router’s firmware is always up to date to mitigate this risk.
Man-in-the-middle DNS attacks
A man-in-the-middle (MITM) attack intercepts the communication between you and another party, which is usually a website or application you’re trying to access. Instead of seeing the real website, you’ll be presented with a malicious one.
Rogue DNS server attacks
This happens when an attacker hacks a DNS server and changes its DNS records. Your DNS requests will return with malicious sites.
How to detect DNS hijacking
There are usually some telltale signs your DNS has been hijacked. For starters, websites can load more slowly than usual, or you may see random pop-ups that say your computer is infected. Of course, these signs aren’t enough, and thankfully, there are tools you can use to verify if your DNS has been hijacked.
Use the ping command
You can detect DNS hijacking by running a ping command, which essentially tests whether an IP address exists. If you ping a non-existent domain name and it resolves, there’s a good chance your DNS is hijacked. If it doesn’t resolve, this means your DNS is safe.
Ensure you try to ping a web domain that doesn’t exist. Otherwise, you will get a response and get a false positive.
On Mac
- Open Terminal.
- Enter the following command: ping [a random website name].
If it says “cannot resolve,” your DNS is safe.
On Windows
- Open the Command Prompt.
- Enter the following command: ping [a random website name].
If it says “cannot resolve,” your DNS is safe.
On Linux
- Open Terminal.
- Enter the following command: ping [a random website name].
If it says “cannot resolve,” your DNS is safe because the random domain you tried to ping will not match any actual IP addresses.
Check DNS settings on your router
This process involves accessing your router’s admin panel through its IP address, typically found in your device’s network settings. Once logged in, navigate to the DNS settings to see which DNS servers your router is configured to use. Verify that these servers are legitimate and authorized, often provided by your Internet Service Provider (ISP) or a trusted third-party service like Google DNS or OpenDNS. Checking these settings manually gives you control and a clear understanding of your network’s security status.
Use WhoIsMyDNS.com
WhoIsMyDNS shows you the DNS servers you’re using and the company that owns them. Unless you’re connected to a VPN, you’ll be using the IP addresses of the DNS servers provided by your internet service provider. If you don’t recognize the company name, there’s probably something wrong with your DNS.
Check your URLs
URLs or uniform resource locators is the technical term for an internet address. It’s what you type on the address bar of your web browser to go to a website. It’s important that if you’re suspicious, you check the entire URL once your browser’s loaded the website you’re trying to visit. If it’s even slightly different (imagine expressvon.com instead of expressvpn.com), your DNSs could be compromised.
Ways to prevent DNS hijacking
Thankfully, there are ways to prevent DNS hijacking.
For general internet users
Here are a couple of things you can do to prevent DNS hijacking:
- Change your router’s default username and password. This prevents attackers from trying to access your router’s settings with the default login credentials commonly used for routers.
- Ensure your software is up to date. This includes operating systems and any applications you use, as they’re all potentially vectors for an attack. Additionally, check your router’s firmware is also up to date.
- Install antivirus software. Antivirus software can detect and eliminate malware that performs DNS hijacking. Some antivirus software performs constant scans, detecting attacks at the moment they occur.
- Use a VPN. ExpressVPN runs its own encrypted, secure DNS servers, so when you’re connected to ExpressVPN, you automatically use these servers. No one else can get hold of your information or hijack your connection. This also ensures you can’t be censored by a government or your internet service provider.
- If your ISP’s DNS servers aren’t safe, use an alternative DNS service like Google Public DNS, OpenDNS, or Cloudflare DNS.
If you do all of the above, you will have a multi-layered defense against DNS hijacking.
For name servers and resolvers
- Shut down unneeded DNS resolvers. Also, legitimate resolvers should be placed behind a firewall.
- Restrict access to a name server. Network security measures should be used.
- Take precautions against cache poisoning. For example, use a random source port and query ID. Also, randomize upper and lower cases in domain names.
- Patch known vulnerabilities. Hackers actively exploit vulnerabilities in DNS servers.
- Separate the authoritative nameserver from the DNS resolver. A DDoS attack happening on one won’t affect the other one.
For website owners
If you use a Domain Name Registrar, a business that registers a domain name on your behalf, take the following steps to avoid DNS redirection:
Limit DNS access
Limit DNS access to only a few members of the IT team. Make sure they use two-factor authentication whenever accessing the domain name server registrar.
Enable client lock
Some DNS registrars support client lock, which prevents changes to your DNS records without approval. If your DNS registrar supports it, you should enable this option.
Use a DNS registrar that supports DNSSEC
DNSSEC stands for Domain Name System Security Extensions. It makes it more difficult for hackers to intercept your DNS requests. If your DNS registrar supports DNSSEC, make sure to enable this option.
DNS hijacking vs DNS spoofing vs cache poisoning
DNS hijacking, DNS spoofing, and cache poisoning are all methods of cyber manipulation involving the Domain Name System (DNS), but they differ in their mechanisms and impact:
- DNS hijacking: This occurs when an attacker redirects queries to a DNS server to a malicious DNS server, often by altering DNS settings on a network device such as a router. This can lead the user to fraudulent websites without their knowledge, potentially resulting in the theft of sensitive information.
- DNS spoofing: Also known as DNS cache spoofing, this involves corrupting the DNS query process by inserting false information into the cache of a DNS resolver. This misleads users into visiting a spoofed site rather than the legitimate one they intended to visit, similar to hijacking but often occurs at the resolver level rather than at the user’s device.
- Cache poisoning: A specific form of DNS spoofing, cache poisoning involves sending corrupt DNS cache data to a DNS resolver. This incorrect information is then stored in the DNS cache, causing users who query the resolver to receive incorrect responses and directing them to unauthorized or malicious websites.
Real-world examples of DNS hijacking
There are many real-life examples of DNS hijacking. We’ve collated a few significant ones below:
The Sea Turtle campaign
In early 2017, a mysterious group called Sea Turtle targeted 40 organizations spreading across 13 countries, primarily in the Middle East and North Africa. They compromised third parties that handled the victims’ DNS queries, redirecting them to fake websites to steal their login credentials.
The Twitter, New York Times & Huffington Post DNS hijack
In 2013, a group of hackers called the Syrian Electronic Army hijacked the DNS servers of Twitter, the New York Times, and the Huffington Post among other media outlets.
The ICANN DNS hijack attack
The Internet Corporation for Assigned Names and Numbers (ICANN) was hijacked by a Turkish hacker group, NetDevilz, in 2018. Its site users were redirected to a page that says “You think that you control the domains but you don’t! Everybody knows wrong.”
A DNS attack against WikiLeaks
In 2017, a Saudi Arabian-based hacker group known as OurMine compromised the DNS servers of WikiLeaks, directing its users to a fake website.
FAQ: About DNS hijacking
Is DNS hijacking common?
DNS hijacking is common among all types of DNS attacks. In a survey, 47% of its respondents had been affected by DNS hijacking, followed by DDoS attacks (46%) and DNS tunneling (35%).
Does VPN prevent DNS hijacking?
Yes. A VPN helps prevent DNS hijacking. Most VPN services run their own DNS servers, preventing your DNS queries from being intercepted. ExpressVPN runs its own encrypted DNS on every VPN server, keeping your internet traffic protected.
What can someone do with your DNS?
Attackers can do harm to your DNS in various types of DNS attack. For example, someone can hijack your DNS to redirect you to malicious websites, usually to steal your personal data or spread malware to your device. In DNS spoofing, your DNS records can be altered to redirect you to fraudulent websites.
What’s the difference between DNS poisoning and DNS hijacking?
DNS spoofing (or called cache poisoning) overwrites your local DNS cache values with fake ones to redirect you to malicious websites. DNS hijacking, also known as DNS redirection, often involves installing malware onto your device to hijack your DNS.
How do I change my DNS servers?
You can change your DNS servers within the settings of your Mac, Windows, iOS, Android, and Linux, if you believe the DNS servers provided by your internet service provider aren’t secure. If you’re already connected to ExpressVPN, there’s no need to change your DNS servers, as you’ll be using ExpressVPN’s private, encrypted DNS servers.
What’s the problem with DNS spoofing to censor the Internet?
Many countries implement internet censorship by requiring internet service providers to drop certain domains from their DNS servers, though this is a relatively easily circumvented form of censorship. However, when an authoritarian regime controls the entire network, it can block non-complicit DNS servers entirely or employ Deep Packet Inspection to block or misdirect requests selectively.
