Domain name services are an essential part of any IP network: DNS servers take website names and map them to IP addresses. If you can change the information on a DNS server, you can send someone to an IP address that does not match where they think they are going. One way to do this is to change files on the client computers themselves. For example, changing the HOSTS file causes the computer to connect to the IP address listed in that file instead of sending a query to the DNS server.
That way, you can direct someone to whatever IP address is listed in the file on that person’s machine. From the attacker’s point of view, however, changing the contents of a single file on many devices is a difficult task, which is why attackers focus on changing what is on the DNS server. There is then no need to make changes on the client side: one change on the DNS server updates the answer every client receives to reflect what the attacker has changed. There are several ways to do this, but most involve taking control of the DNS server.
What is a DNS and DNS Server?
First, let’s recall what DNS is. It stands for “domain name system,” and to fully understand it, it helps to clarify some related terms.
- An IP address (Internet Protocol address) is a numeric identifier that is unique to each computer and server on the network. Computers use these identifiers to find and “communicate” with each other.
- A domain is a text name that people use to remember, identify, and connect to specific Web site servers. For example, a domain such as “www.google.com” is used as an easy way to understand the identifier of the target server, i.e., the IP address.
- The Domain Name System (DNS) translates a domain into the corresponding IP address.
- Domain Name System (DNS) servers are a collection of four types of servers that make up the DNS lookup process. These include resolving name servers, root name servers, top-level domain (TLD) name servers, and authoritative name servers. For simplicity, we detail only the resolver server.
- A resolver name server (or recursive resolver) is the translation component of the DNS lookup process that your operating system hands its queries to. Its job is to query a chain of other name servers for the target IP address of a domain name.
How does DNS work?
When you write the domain name of a website, the following process occurs:
- Your web browser and operating system (OS) first try to recall the IP address associated with the domain name. If you have visited the site before, the OS may find the IP address in the computer’s local cache.
- If neither component knows the destination IP address, the process continues: the OS asks a resolving name server for the IP address, and that request works through the chain of servers to find the appropriate IP address for the domain.
- The resolver then returns the IP address to the OS, which passes it back to the web browser.
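The lookup described above is carried by a small binary message format. The following added example (not code from the original article) builds an A-record query, constructs a sample response the way a resolver would return it, parses it, and applies the two checks a client must make before trusting an answer: the transaction ID and the question must echo what was sent. No network is used; the name www.example.com and the address 192.0.2.10 are placeholders, and the response bytes are assembled in the code.

```python
"""Added example: the DNS wire format behind a lookup, with a constructed
response and the ID/question check a stub resolver performs on every answer."""
import struct


def encode_name(name):
    """Encode 'www.example.com' as length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, txid=0x1234):
    """Header (ID, flags with RD=1, QDCOUNT=1) followed by one question for an A record."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    question = encode_name(name) + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN
    return header + question


def read_name(msg, offset):
    """Decode a name at `offset`, following RFC 1035 compression pointers.
    Returns (name, offset just past the name as it appears in the message)."""
    labels = []
    end = None
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # two-byte pointer to a name earlier in the message
            if end is None:
                end = offset + 2
            offset = struct.unpack(">H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if end is not None else offset)


def parse_response(msg):
    """Parse header, question section and A records of the answer section."""
    txid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    offset = 12
    questions, answers = [], []
    for _ in range(qd):
        name, offset = read_name(msg, offset)
        qtype, _qclass = struct.unpack(">HH", msg[offset:offset + 4])
        offset += 4
        questions.append((name, qtype))
    for _ in range(an):
        name, offset = read_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack(">HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:  # A record: four-byte IPv4 address
            answers.append((name, ttl, ".".join(str(b) for b in rdata)))
    return {"id": txid, "rcode": flags & 0xF, "questions": questions, "answers": answers}


def constructed_response(query, ip, ttl=300):
    """Constructed sample answer to `query` (QR=1, RD=1, RA=1) with one A record.
    The answer's name is a compression pointer (0xC00C) back to the question name."""
    txid = struct.unpack(">H", query[:2])[0]
    question = query[12:]
    header = struct.pack(">HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    rr = struct.pack(">HHHIH", 0xC00C, 1, 1, ttl, 4) + bytes(int(o) for o in ip.split("."))
    return header + question + rr


def validate_response(query, response):
    """Accept a response only if its ID and question echo the query's.
    A query parses like a response with no answers, so one parser serves both."""
    sent = parse_response(query)
    got = parse_response(response)
    return sent["id"] == got["id"] and sent["questions"] == got["questions"]


if __name__ == "__main__":
    q = build_query("www.example.com")
    r = constructed_response(q, "192.0.2.10")
    print(parse_response(r))
    print("accepted:", validate_response(q, r))
```

The ID and question comparison is the minimum a stub resolver does; it is also why unsolicited or mismatched answers are the first thing to look for when investigating suspected spoofing on a client.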
The DNS lookup process is a vital structure used throughout the Internet. Unfortunately, criminals can abuse vulnerabilities in DNS, so you need to be aware of possible redirects.
DNS hijacking is best understood as a general term that encompasses the other methods. It can be considered any attack that tricks an end user (more precisely, the user’s computer) into thinking it is interacting with a legitimate domain name when it is in fact interacting with a domain name or IP address set by an attacker. This is sometimes referred to as DNS redirection.
There are many ways to hijack DNS, and not all of them are illegal. The most common method we see is used by an authorization portal, such as a pay-per-use WiFi access point: before the user pays for access, the access point intercepts all DNS requests and, regardless of what was requested, returns the payment server’s page so that the user can purchase WiFi access.
Changing the client device’s settings to point at a different DNS server is another common attack method. An attacker changes the user’s DNS settings so that instead of 126.96.36.199, the device uses the IP address of a DNS server under the attacker’s control. When the user requests an online banking website, the rogue DNS server returns the address of a site dressed up to look like the target website; that site can act as a proxy and capture all the data sent to the real website. This is what the DNSChanger trojan did – fortunately, it is pretty rare these days.
Another way is to gain unauthorized access to the authoritative DNS data, for example by exploiting a vulnerability in the DNS provider’s login system or by some other trick. Some attacks are based on the fact that certain domains look identical in different fonts or encodings (a homograph attack). One of the first phishing attempts used the domain name paypaI.com: the attacker registered the name with the letter i in uppercase so that it looked like a lowercase L, and many people took it for the real PayPal.com. Now that DNS supports international characters, it is even harder to tell the difference between names that appear to have the same spelling.
DNS spoofing refers to any attack that changes the DNS records returned to the requester to a response chosen by the attacker, using techniques such as cache poisoning or a man-in-the-middle position. The terms “DNS hijacking” and “DNS spoofing” are sometimes used as synonyms. The same technique is widely used by paid Wi-Fi access points in airports and hotels, and in some cases network security teams use it as a quarantine tool to isolate an infected device.
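The paypaI.com trick and its Unicode successors can be caught before a user or a mail gateway trusts the name. The following added example (not code from the original article) applies two coarse checks: a label that mixes alphabets (Latin plus Cyrillic, say) is suspicious in itself, and a “skeleton” that collapses easily confused characters is compared against the skeletons of a protected brand list. The brand list, the confusable tables and the sample names are constructed for this example; the Cyrillic mapping is a small subset, not a complete confusables table.

```python
"""Added example: flagging look-alike (homograph) domain names against a
constructed list of protected brands. Deliberately coarse: it prefers a few
false positives over missing a look-alike."""
import unicodedata

# Cyrillic lower-case letters that render like Latin ones (a small constructed subset).
CYRILLIC_TO_LATIN = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u0455": "s",
}
# DNS is case-insensitive, so the uppercase I of paypaI.com reaches us as 'i';
# collapsing i/l/1/| into one class catches it, at the cost of some false positives.
SAME_CLASS = {"i": "l", "1": "l", "|": "l", "0": "o", "5": "s", "3": "e"}
MULTI = {"rn": "m", "vv": "w"}  # character pairs that read as a single letter

PROTECTED = ["paypal.com", "google.com", "microsoft.com"]  # constructed brand list


def to_unicode(domain):
    """Decode punycode (xn--) labels so the check sees what the user sees."""
    try:
        return domain.encode("ascii").decode("idna")
    except UnicodeError:
        return domain  # already Unicode, or not valid IDNA: check it as given


def scripts_in(label):
    """Unicode script names (LATIN, CYRILLIC, ...) used by the letters of a label."""
    return {unicodedata.name(ch, "UNKNOWN").split(" ")[0] for ch in label if ch.isalpha()}


def skeleton(label):
    """Collapse a label to a form in which confusable characters coincide."""
    label = unicodedata.normalize("NFKC", label.lower())
    for pair, single in MULTI.items():
        label = label.replace(pair, single)
    out = []
    for ch in label:
        ch = CYRILLIC_TO_LATIN.get(ch, ch)
        out.append(SAME_CLASS.get(ch, ch))
    return "".join(out)


def domain_skeleton(domain):
    return ".".join(skeleton(l) for l in domain.rstrip(".").split("."))


def check_domain(domain, protected):
    """Report mixed-script labels and the protected name this domain imitates, if any."""
    shown = to_unicode(domain.rstrip("."))
    mixed = [l for l in shown.split(".") if len(scripts_in(l)) > 1]
    skel = domain_skeleton(shown)
    lookalike = None
    for brand in protected:
        if shown.lower() != brand.lower() and skel == domain_skeleton(brand):
            lookalike = brand
            break
    return {"domain": domain, "shown_as": shown,
            "mixed_script_labels": mixed, "lookalike_of": lookalike}


if __name__ == "__main__":
    samples = ["paypaI.com", "paypal.com", "g00gle.com", "rnicrosoft.com",
               "p\u0430ypal.com", "example.com"]  # constructed
    for d in samples:
        print(check_domain(d, PROTECTED))
```

A name that fails either check is not proof of fraud, but it is the kind of signal that justifies holding a message or showing the user the decoded form of the domain rather than the punycode.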
DNS Spoofing vs. DNS Hijacking
Although DNS spoofing is often confused with DNS hijacking, because both can occur at the local system level, they are two different types of attacks. In most cases, DNS spoofing or cache poisoning simply involves overwriting the local DNS cache values with fake ones to redirect the victim to a malicious website. DNS hijacking (also known as DNS redirection), on the other hand, often involves a malware infection that takes over this critical system service: malware on the local computer changes the TCP/IP configuration to point to a malicious DNS server, which eventually redirects traffic to the phishing website.
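Both client-side tampering methods the article describes, a pinned name in the HOSTS file and a changed DNS server setting, leave traces in plain-text configuration that can be audited. The following added example (not code from the original article) checks hosts-file entries against a small allow-list of deliberate pins and checks resolv.conf-style nameserver lines against a list of approved resolvers. The approved resolvers, the approved pin and both sample files are constructed for this example and use TEST-NET addresses; on a real system the hosts file is read from /etc/hosts (Linux) or C:\Windows\System32\drivers\etc\hosts (Windows), and the resolver list from /etc/resolv.conf or the adapter settings.

```python
"""Added example: audit the hosts file and the configured resolvers for
entries that divert name resolution away from the expected DNS servers."""
import ipaddress

# Assumption for this example: the organisation's own resolvers.
APPROVED_RESOLVERS = {"192.0.2.53", "198.51.100.53"}
# Assumption: the only non-loopback hosts entry this organisation deploys on purpose.
APPROVED_PINS = {"intranet.example.internal": "192.0.2.20"}
LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost", "ip6-loopback"}


def parse_hosts(text):
    """Return (line number, ip, hostname) for every name pinned in hosts-file text."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            entries.append((lineno, None, parts[0]))  # malformed address: kept so the audit flags it
            continue
        for name in parts[1:]:
            entries.append((lineno, str(ip), name.lower().rstrip(".")))
    return entries


def audit_hosts(text, approved_pins=APPROVED_PINS):
    """Every pin that is neither a loopback alias nor an approved entry bypasses DNS for that name."""
    findings = []
    for lineno, ip, name in parse_hosts(text):
        if ip is None:
            findings.append({"line": lineno, "name": name, "ip": ip, "reason": "unparseable address"})
            continue
        addr = ipaddress.ip_address(ip)
        if name in LOOPBACK_NAMES and addr.is_loopback:
            continue
        if approved_pins.get(name) == ip:
            continue
        findings.append({"line": lineno, "name": name, "ip": ip,
                         "reason": "hosts entry overrides DNS for this name"})
    return findings


def parse_resolvers(text):
    """Nameserver addresses from resolv.conf-style text, in order of preference."""
    servers = []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def audit_resolvers(text, approved=APPROVED_RESOLVERS):
    """Resolvers the client is configured to use that are not on the approved list."""
    return [s for s in parse_resolvers(text) if s not in approved]


# Constructed sample files.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
::1             ip6-localhost ip6-loopback
192.0.2.20      intranet.example.internal   # deployed on purpose
203.0.113.7     www.bank.example            # constructed: a banking name pinned to a stranger's address
"""
SAMPLE_RESOLV = """\
# constructed resolv.conf
nameserver 192.0.2.53
nameserver 203.0.113.53
search example.internal
"""

if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS):
        print("hosts line %d: %s -> %s (%s)" % (f["line"], f["name"], f["ip"], f["reason"]))
    for s in audit_resolvers(SAMPLE_RESOLV):
        print("unapproved resolver:", s)
```

Run against the constructed samples, the audit reports the pinned banking name and the second, unapproved resolver; run periodically across a fleet, the same two functions turn the silent changes described above into something that can be alerted on.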
As you can see, DNS is critical to the day-to-day operation of websites and online services. Unfortunately, attackers may see it as an attractive opportunity to attack your networks. This is why monitoring your DNS servers and traffic is crucial. We must be careful where we go on the Internet and what emails we open. Even the slightest difference, for example, the absence of an SSL certificate, is a signal to check the website you want to visit.