In DNS hijacking, visitors of your website are diverted to another webpage because your DNS data have been tampered with. How does this work and how can you protect your domain name from it?
What is DNS hijacking?
The Domain Name System translates your domain name into a numerical IP address that is linked to a computer somewhere on the internet, with your website on it, for instance.
In a DNS hijacking, the DNS settings of your domain name are tampered with. The hijackers can not only see the traffic to your website, but also divert it to a website under their control.
Suppose, for instance, that hackers hijack the DNS data of a bank. They can then gain access to the customers' login details in various ways, and lead them to a perfectly replicated site of the bank. The customers enter their name and password, and the hackers can intercept them and use them to carry out transactions on the real website. In such a hacking situation, there is a great chance that suspicions will be aroused because the customers cannot carry out any transactions on counterfeit website.
A second way is when the hacker takes them to the real website of the bank, but intercepts their login details to use them later. This is more dangerous, because the customers are not aware of any problems.
How does a DNS hijacking attack work?
Various techniques are used in a DNS hijacking.
- First of all, the hijackers get a hold of the login data of the person or account who has access to the DNS data, and is also authorised to change them. That can be the IT manager, the webmaster or a developer. All sorts of techniques are used to that end, such as identity fraud, phishing or spear phishing (phishing targeting a certain person), a keylogger (hardware or software used to intercept your keystrokes), etc.
- The hacker uses these data to log in. He can now change the DNS records: A records (the Address), MX records (Mail exchanger), NS records (Name Server). He replaces the present data by those of an address under his control. In this way, he diverts the traffic to his own infrastructure. Or he looks into the traffic before sending it to the normal destination.
- The attackers can also request a valid encryption certificate in the name of your domain. Such an encryption or SSL certificate is necessary in order to bring about a secure https connection between the user’s computer and a website. Because the attacker can show that he has control over the domain at that time, he can request a new certificate, e.g. through Let’s Encrypt. In this way, he can decipher the intercepted encrypted traffic, and read the data.
How to protect yourself against a DNS hijacking attack
The number of DNS hijackings has gone up significantly recently. These four actions must be undertaken as promptly as possible according to the advice of the American Department of Homeland Security (DHS):
- Check your DNS records. Make sure that both the primary and the secondary DNS servers refer to the desired address. And repeat this check regularly.
- Change the passwords for all accounts that have access to systems where changes can be made to the DNS records.
- Activate Multi-Factor Authentication (MFA) for all accounts on systems that can change the DNS records, in the following order of preference: U2F (universal 2 factor), TOTP (Time-based One Time Password), HOTP (HMAC or encrypted One Time Password), SMS passcode.)
- Monitor the Certificate Transparency logs to see whether certificates are issued for your domain name which you have not requested. You can do this for instance on https://crt.sh/
Follow also these tips to protect your DNS data:
- Check who has administrative access to your system and limit that access to what is strictly necessary.
- Use secure passwords. Tips for a strong and secure password are provided in our article "Tips for extra security on the web".
- The e-mail address that you use for communication with your registrar (the company with which you registered your domain name) must be well protected with, inter alia, multi-factor authentication and a strong password. That address is used particularly in the “forgot password” procedure. Do not use a personal e-mail address (email@example.com) but an address in your organisation (firstname.lastname@example.org)
- Make sure that all security updates are applied in your system.
- Monitor the logfiles of your system/website to track and trace unauthorised access.
- Check each DNS record that falls under your authority, and look through the history whether changes were made.
- Train your employees in how to recognise a phishing attack.