As easier as DNS has made our lives by helping directly resolve connection requests between web-connected devices and websites, it’s not without its flaws. You see, cybercriminals can actually exploit DNS servers and addresses in many ways to get away with your precious data.
In this article, we’ll be focusing on DNS hijacking – what it is, how to test for it, and how to prevent it.
DNS stands for Domain Name System, and it’s a naming system that translates IP addresses into website names, effectively making communication between Internet-connected devices and online websites significantly more convenient (basically, you don’t have to type the IP address of a website in your browser to access it).
DNS hijacking is a method cybercriminals use to interfere with your device’s attempts at resolving an IP address to establish a connection to a URL (website or webpage).
While a legitimate DNS server is attempting to resolve the URL for you, cybercriminals take advantage of the delay to send a fake IP address that actually belongs to them to your device. Sometimes, they outright send the fake addresses directly, without any genuine DNS server being involved.
Cybercriminals manage to do all of the above by infecting your computer/laptop/mobile device with malware (normally through phishing schemes).
Once the malware is on your device, it replaces the default trusted DNS so that your browser will contact the hackers’ fake DNS server instead of a legitimate one that belongs to ICANN (an organization responsible for registering and managing domains, as well as providing them with IP addresses – among other things) whenever it tries to resolve a URL.
When your device makes contact with the fake DNS server as your browser is resolving a URL, the fake server in question will give your device the wrong IP address. As a result, you’ll be redirected to a malicious/phishing website.
Sometimes, cybercriminals might also hack into your router and change its DNS settings. In rare cases (like the MEW DNS hijack), they might even hack into a DNS server belonging to an ISP, and change the web addresses to have users automatically redirected to a fake website when they look up certain domains.
Whichever the case, one of the following will always happen:
Whichever the case, the end result is usually the same if you fall for the phishing attempts – your bank accounts get emptied, strange charges start popping up on your credit cards, and you might become a victim of identity theft (even worse, you might have your personal data sold off on the deep web).
Because these two types of attacks work somewhat similarly, it’s easy to get them mixed up.
Here’s the main point: unlike DNS hijacking, DNS poisoning targets your DNS Cache, and aims to overwhelm it with fake values whose ultimate goal is to redirect you to malicious or phishing websites.
Essentially, while the genuine DNS servers try to resolve the URLs you request, cybercriminals use fake DNS servers to bombard your device with tons of fake IP addresses in an attempt to get it to equate a fake IP address with the URL you requested.
Also, instead of relying on malware to achieve its goals, DNS poisoning uses methods like the following example:
Say you type in paypal.com. Until a genuine DNS server can look up the requested address, your device gets bombarded with multiple resolutions from cybercriminals’ own DNS servers claiming paypal.com can be found at various IP addresses. Even if the genuine DNS server sends the correct resolution to your device, there’s a chance it can get overwhelmed and believe one of the fake IP addresses it received was the correct one.
Of course, just because it isn’t detrimental to your online security, that doesn’t mean ISP DNS hijacking isn’t annoying, and quite intrusive to be honest.
Basically, some ISPs like to hijack users’ DNS traffic in an attempt to make a profit. They can do that since they control the DNS server their users connect to.
Here’s an example – you accidentally type in a website domain that doesn’t exist. Instead of just getting an error page telling you the website doesn’t exist or the domain is for sale, you’re redirected to a different website.
So what’s actually happening?
Well, your ISP likely has an affiliate deal with that website or owns it. By redirecting users there, it makes money off of exposing them to ads.
That’s not all – ISP DNS hijacking can also be used by governments whenever they want to censor online content. Essentially, whenever you try to access a website that’s blacklisted by the authorities, you will be redirected to an “approved” website instead.
It’s not “as bad” as regular DNS hijacking, but it certainly isn’t any better.
Some common DNS hijacking signs including slow-loading webpages, pop-up ads you’ve never seen before on pages you frequent often, and ads you are used to seeing being modified to contain malicious or indecent content.
However, all that is mostly guesswork, and doesn’t offer a clear answer.
One of the real best ways to diagnose DNS hijacking is to ping a domain that doesn’t exist. If it resolves, there’s a pretty big change your DNS traffic has been hijacked.
You can usually do that through your OS’s Command Prompt/Terminal, but there are online services that help you do that:
Also, there are tools you can use to check if you’re dealing with DNS hijacking or not.
WhoIsMyDNS.com is such an example. If you don’t recognize the DNS displayed (it should belong to your ISP), you might have a problem.
WhiteHat Security also has software you can download to monitor for DNS hijacking.
Besides all that, you can use F-Secure Router Checker to see if you’re a victim of a DNS hijack. But keep in mind this tool is meant to be used to find out if your router has been exploited through DNS hijacking.
And, of course, a clear sign of ISP DNS hijacking is the fact that you’re redirected to ad-infested websites when you access an non-existing domain, or that you’re redirected from a website your government considers to be “problematic” to an “approved” one.
While a Smart DNS can’t really help with regular DNS hijacking perpetrated by cybercriminals, it can help you deal with ISP DNS hijacking that can get in the way of the online content you want to access.
If you’re not sure what a Smart DNS is, it’s a service that replaces your ISP-assigned DNS (that contains info revealing your geo-location) with a different DNS address that doesn’t leak your real geographical location. The service also intercepts your connection requests to various websites, and replaces any data in those requests that can leak your geo-location with other info that points to an “approved” geographical location.
Still, you should know that – sometimes – ISP DNS hijacking can actually interfere with your Smart DNS service, making it not work properly. There’s a way to fix that issue, luckily.
You just need to configure the Smart DNS on your router (it has to be a DD-WRT-enabled router that supports IP tables). Once it’s set up or if you already have the Smart DNS configured on your router, you just need to direct DNS requests from port 53 to port 54 to bypass ISP DNS hijacking.
To do that, you have to add the following commands to your IP firewall:
In the example above we used the Google Public DNS address (188.8.131.52) but you can use a SmartyDNS DNS address, OpenDNS, Cloudflare or any other DNS address you prefer.
In case that solution doesn’t help you prevent ISP DNS hijacking, your best bet is to use a VPN (we discussed it more in-depth below at #5).
According to our research, these are the best things you can do to lower your chances of being exposed to DNS hacking:
A very good way to prevent DNS hijacking is to steer clear of phishing attempts since that’s one of the main ways cybercriminals infect your device(s) with malware.
Here are some useful tips:
Even if you do your best to avoid malware, it’s always a good idea to use anti-virus/anti-malware software as a backup plan just in case. Plus, some malware might make its way into your device without you even realizing until it’s too late.
Here are some of the best anti-virus/anti-malware software providers on the market:
By the way, you should know that there’s virtually no difference between anti-malware and anti-virus software. Both do the same thing – a virus is, in fact, a self-replicating malware, after all.
Since malware is released on an almost constant basis (back in 2017, new malware popped up every 4.2 seconds), it’s important to keep up with operating system and security software updates. Why? Because it’s those updates (specifically security updates) that upgrade the OS/security software to ensure it can deal with new threats.
We recommend setting up the OS/security software to update automatically on a regular basis. Alternatively, you should actively check for updates at least once a week or every couple of days.
Oh, and you should keep your router’s firmware updated too since hackers can exploit security weaknesses in routers as well. Speaking of which …
Since hackers can exploit router security flaws to expose you to DNS hijacking, it’s best to change your router’s default username and password. Note we’re not referring to your WiFi network password, but the password/username that give you access to your router’s administrative settings.
Usually, you just have to type a default IP address (like 192.168.0.1 or 192.168.1.1, though it can vary so check with the manufacturer) into your browser, and use the password and username that are written on your router to gain access. Once you’re in, replace the username and password.
Don’t forget – it’s very easy for a hacker to find the manufacturer-issued password and username for your router on the Internet. That’s why it’s so important to change them ASAP.
A VPN is a service you can use to secure your online traffic on the Internet by encrypting it. Besides that, it can also help you hide your online identity and bypass geo-blocks by masking your real IP address (which can actually help you bypass ISP DNS hijacking).
How does it help you prevent DNS hijacking, though?
Well, here are the main ways:
Please keep in mind that a VPN won’t protect you against malware, so it’s paramount you use a VPN alongside reliable anti-malware/anti-virus software for extra protection.
We here at SmartyDNS offer high-speed VPN servers with military-grade 256 bit AES encryption and highly-secure VPN protocols (OpenVPN, SoftEther and IKEv2) and we adhere to a strict no-log policy.
Our VPN servers double as proxy servers and we also offer a Smart DNS service that lets you unblock Netflix, BBC iPlayer and other 300+ worldwide geo-restricted websites.
We offer user-friendly VPN apps for Windows, Mac, iPhone/iPad, Android, and Fire TV/Stick and browser extensions for Chrome and Firefox.
Oh, and we’ll also have your back with our 30-day money-back guarantee.
DNS hijacking is a method used by cybercriminals to commit identity theft and harvest/steal sensitive information (like bank account details, login credentials, credit card numbers, etc.). It usually involves infecting your device with malware which then changes your DNS. Alternatively, hackers could exploit security flaws in your router to change its DNS, or they could target ISP DNS servers directly.
The end result is the same – your device and browser are tricked into accessing malicious or phishing websites when trying to connect to legitimate websites instead.
The best way to protect yourself against a DNS hijack attempt is to properly secure your router, avoid phishing websites and emails, use anti-malware/anti-virus software, regularly install security updates, and use a VPN service.
Get SmartyDNS for $2.33/mo!