What is DNS hijacking? How to deal with it effectively?


In June this year, the U.S. government shut down more than 30 news media websites in Iran for "violating sanctions" and redirected the resolution of the targeted domains to IP addresses controlled by the United States. The technical means used to "sanction" the Iranian websites in this incident was DNS hijacking. The attack seriously disrupted normal access to and use of those websites by many Iranian users, and caused serious damage to the Iranian government's external image and to Iran's network security protection capabilities. This shows how large a threat DNS hijacking poses.

What is DNS hijacking?

DNS hijacking, also known as domain name hijacking, is an attack in which the attacker exploits a flaw to tamper with the user's DNS resolution and point a domain name away from its legitimate IP address to one controlled by the attacker. Visitors are thereby redirected to an unreachable or fake website, so that the attacker can steal user information or disrupt normal network services.

DNS hijacking can be used for DNS domain spoofing (usually to show unwanted advertisements and generate revenue) or for phishing (sending users to fake websites that steal their data and credentials). Internet Service Providers (ISPs) may also use DNS hijacking to take over users' DNS requests, in order to collect statistics, return advertisements when users visit unknown domains, or block access to specific websites.

The dangers of DNS hijacking

For users: DNS hijacking seriously degrades the user's online experience. A hijacked user is sent to a fake website and cannot reach the intended website normally. The user may also be lured to illegal or fraudulent websites, which can lead to leakage of personal information and even pose a serious threat to the user's property and personal safety.

For domain name holders: DNS hijacking is also a very serious problem for the domain name holder. It causes the holder to lose control of the domain name, makes the site unreachable for users, and diverts the traffic the domain has accumulated to the malicious IP address, causing serious economic losses. The holder may even face unnecessary legal risk because of illegal activity carried out at the malicious IP address.

DNS Hijacking Attacks

DNS cache infection

Attackers use crafted DNS requests to plant data in the cache of a vulnerable DNS server. This cached information is returned to users who later query that server, so requests for a legitimate domain name are steered to Trojan horse, phishing and other pages set up by the intruder.

DNS information hijacking

By listening to the conversation between the client and the DNS server, an intruder can guess the DNS query ID of the response that the server sends to the client. Each DNS message carries a 16-bit ID number, and the DNS server includes this ID so that the response can be matched to the request that produced it. If the attacker delivers a forged response carrying the right ID to the user before the real DNS server's response arrives, the client accepts it and is tricked into visiting a malicious website.
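As an added illustration (not code from the original article), the following Python reconstructs the checks a stub resolver performs on a reply before trusting it: the 16-bit transaction ID described above must match, the question section must echo the query, and every answer must be for the name that was asked about, which is also what keeps a planted record for an unrelated name (the cache infection case above) out of the cache. The wire-format builder and validator are written for this example; real resolvers additionally randomize the UDP source port (RFC 5452), which is not shown here.

```python
import struct

def encode_name(name):
    """Wire-encode a domain name as length-prefixed labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def decode_name(msg, off):
    """Decode a name at msg[off] (following compression pointers); return (name, end)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer: jump, remember where we left off
            end = off + 2 if end is None else end
            off = ((length & 0x3F) << 8) | msg[off + 1]
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels).lower(), off if end is None else end

def build_query(txid, name):  # header + one A/IN question
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", 1, 1)

def build_response(txid, name, ip, owner=None):  # one A record; owner != name forges a stray answer
    hdr = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    rr = encode_name(owner or name) + struct.pack("!HHIH", 1, 1, 300, 4) + bytes(map(int, ip.split(".")))
    return hdr + encode_name(name) + struct.pack("!HH", 1, 1) + rr

def validate_response(query, response):
    """Checks a stub resolver runs before accepting a reply; returns the list of problems found."""
    problems = []
    rid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", response[:12])
    if rid != struct.unpack("!H", query[:2])[0]:
        problems.append("transaction ID mismatch")
    if not flags & 0x8000:
        problems.append("QR bit clear: not a response")
    qname, qoff = decode_name(query, 12)
    rname, roff = decode_name(response, 12)
    if qdcount != 1 or rname != qname or response[roff:roff + 4] != query[qoff:qoff + 4]:
        problems.append("question section does not echo the query")
    roff += 4  # skip QTYPE/QCLASS
    for _ in range(ancount):  # every answer must be for the name we asked about (no CNAME chasing here)
        owner, roff = decode_name(response, roff)
        roff += 10 + struct.unpack("!H", response[roff + 8:roff + 10])[0]  # TYPE, CLASS, TTL, RDLENGTH, RDATA
        if owner != qname:
            problems.append(f"answer for {owner} does not match queried name")
    return problems
```

A response that fails any check is simply dropped; the resolver keeps waiting for the genuine reply instead of caching the forged one.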

DNS redirection

If an attacker redirects queries intended for an authoritative DNS server to a malicious DNS server, resolution of the hijacked domain name is completely under the attacker's control.

ARP spoofing

An ARP attack achieves ARP spoofing by forging IP address and MAC address pairs, and can also generate a large amount of ARP traffic to congest the network. As long as the attacker keeps sending forged ARP response packets, the IP-MAC entries in the target host's ARP cache can be changed, causing network outages or enabling man-in-the-middle attacks.

Local hijacking

After a computer is infected by Trojans or rogue software, access to some domain names may become abnormal, for example landing on phishing sites or being unable to connect at all. Local hijacking includes hosts file tampering, local DNS hijacking, SPI chain injection, BHO plug-ins and so on. Not all of these operate through the DNS path, but they all have the same effect: the user cannot obtain the correct address or content they intended.
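As an added example (not from the original article), a small Python audit of a hosts file that flags the tampering described above: watched domains pinned to a fixed address or blackholed to loopback, unexpected names mapped to loopback, and entries whose address does not parse. The sample file, the watched-domain list and the example-bank / example-antivirus names are all constructed for this example.

```python
import ipaddress

# Constructed sample of a hosts file after tampering (not taken from any real machine).
SAMPLE_HOSTS = """\
127.0.0.1       localhost
::1             localhost ip6-localhost ip6-loopback
# the lines below are the kind of entry rogue software appends
203.0.113.45    www.example-bank.com example-bank.com   # send the bank's users to another host
127.0.0.1       update.example-antivirus.com            # silently block security updates
not-an-ip       foo.example
"""

# Names the OS itself pins to loopback; any other name on 127/8 or ::1 is suspicious.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost", "ip6-loopback"}
# Domains that must only ever be resolved through DNS (constructed list for this example).
WATCHED = ("example-bank.com", "example-antivirus.com")

def parse_hosts(text):
    """Yield (line_no, address_text, [hostnames]) for each non-blank, non-comment line."""
    for no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()  # strip trailing comments, then tokenize
        if len(fields) >= 2:
            yield no, fields[0], fields[1:]

def audit_hosts(text, watched=WATCHED):
    """Return (line_no, hostname, address, reason) for each entry that looks like local hijacking."""
    findings = []
    for no, ip, names in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:  # garbage where an address should be is itself a sign of tampering
            findings.append((no, names[0], ip, "unparseable address"))
            continue
        for name in (n.lower() for n in names):
            in_watched = any(name == w or name.endswith("." + w) for w in watched)
            if in_watched and addr.is_loopback:
                findings.append((no, name, ip, "watched domain blackholed to loopback"))
            elif in_watched:
                findings.append((no, name, ip, "watched domain pinned to a fixed address"))
            elif addr.is_loopback and name not in LOCAL_NAMES:
                findings.append((no, name, ip, "unexpected name mapped to loopback"))
    return findings

if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print(finding)
```

On a real machine, pass the contents of the system hosts file to audit_hosts and adapt WATCHED to the domains your organisation cares about.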

How to deal with DNS hijacking

  1. Regularly check the account information and resolution status of the domain name for abnormalities, and regularly review the content of the site served under the domain name to confirm that there are no pages that you or your organization did not set up.

  2. Regularly change the password of the domain name management platform account, use a complex password that differs from the passwords used on other platforms, so that attackers cannot obtain the account password by guessing or enumerating credentials and then modify the resolution records.

  3. Regularly check the website's search engine index entries and external links. Once any abnormality is found, investigate and fix it in a targeted way so that these index entries and external links do not become a threat to your website.

  4. Configure clients with a safe and reliable recursive resolver, and set a small TTL value on the website's records, so that correct recursive resolution and caching help avoid hijacking.

  5. Lock the domain name. Domain name locking is the most effective way to deal with DNS hijacking. During the locking period, no change to the domain's DNS resolution, including changes to the name servers, is accepted, which fundamentally prevents an attacker from modifying the DNS records to hijack the domain name.

  6. Choosing a professional DNS service provider gives you more robust domain name resolution and domain name monitoring services, so that an abnormal state of the domain name is detected promptly and resolved quickly. Such providers use up-to-date domain name security monitoring systems to watch the status of users' domain names around the clock, find problems immediately and respond in a timely manner, protecting the security of users' domain names at all times.

  7. Install an SSL certificate. An SSL certificate authenticates the server, so a connection to the wrong host caused by DNS hijacking is detected and terminated in time. At the same time, HTTPS encrypts data in transit, protecting it from being stolen or modified.

DNS hijacking is a very common and aggressive means of network attack. It not only interferes with users' normal access to and use of websites, but also causes serious harm to the interests and image of domain name holders. Website managers and operators must therefore stay vigilant, choose a reputable and professional domain name resolution service provider, regularly check the domain's resolution status, and contact the service provider promptly if any problem is found, so as to deal effectively with DNS hijacking and other types of network attacks and protect the interests of both users and domain name holders.
