DNS Hijacking and DNS Poisoning/Spoofing are two common DNS security attack methods that aim to tamper with DNS resolution results and redirect users to malicious websites.
DNS Hijacking Details
What is DNS Hijacking
DNS hijacking refers to attackers using various means to control or tamper with the DNS resolution process, causing users to visit malicious websites instead of intended targets.
Types of DNS Hijacking
1. Local Hijacking
Attack Methods:
- Modify local hosts file
- Tamper with router DNS settings
- Malware modifies system DNS configuration
Common Scenarios:
```shell
# Attacker modifies hosts file
192.168.1.100 www.bank.com   # Points to phishing site
```
2. Router Hijacking
Attack Methods:
- Exploit router default passwords or vulnerabilities
- Modify router DNS server addresses
- All devices using the router are affected
3. ISP Hijacking
Attack Methods:
- ISP-level DNS servers are attacked or maliciously configured
- Return incorrect resolution results
- Some ISPs even hijack non-existent domains to ad pages
4. Authoritative DNS Hijacking
Attack Methods:
- Attack domain registrar accounts
- Tamper with domain's NS records
- Point domain to attacker-controlled DNS servers
Dangers of DNS Hijacking
| Threat Type | Specific Manifestations |
|---|---|
| Phishing Attacks | Users visit forged banking, e-commerce sites |
| Information Theft | Steal user account passwords, personal information |
| Ad Injection | Force insertion of ads or redirect to ad pages |
| Malware Distribution | Induce download of trojans, viruses |
DNS Poisoning/Spoofing Details
What is DNS Poisoning
DNS poisoning (also called DNS cache poisoning) refers to attackers injecting false DNS records into DNS servers, polluting DNS cache so subsequent queries return incorrect results.
How DNS Poisoning Works
1. The attacker sends large numbers of forged DNS responses to the local (recursive) DNS server
2. If a forged response arrives before the legitimate one, the resolver caches it
3. Subsequent users who query the domain receive the wrong IP address
4. Users are redirected to malicious websites
DNS Poisoning vs DNS Hijacking
| Feature | DNS Hijacking | DNS Poisoning |
|---|---|---|
| Attack Target | DNS configuration or server control | DNS cache |
| Attack Location | Client, router, DNS server | Mainly DNS server cache |
| Persistence | Long-term (until configuration restored) | Limited by TTL |
| Impact Scope | Depends on attacked layer | Affects all users of that cache |
Prevention Measures
1. Use DNSSEC (DNS Security Extensions)
Principle:
- Add digital signatures to DNS records
- Verify authenticity and integrity of DNS responses
- Prevent DNS spoofing and cache poisoning
Workflow:
1. The authoritative DNS server digitally signs its records
2. The resolver verifies the signature with the zone's public key
3. The resolution result is used only if verification passes
Limitations:
- Complex deployment, requires support throughout the chain
- Increases DNS response size
- Some domains and ISPs not yet supported
2. Use DNS over HTTPS (DoH) and DNS over TLS (DoT)
DNS over HTTPS (DoH)
```text
Client ←──HTTPS encrypted tunnel──→ DoH server (like Cloudflare 1.1.1.1)
```
- Encrypt DNS queries through HTTPS protocol
- Prevent man-in-the-middle eavesdropping and tampering
- Port 443, difficult to identify and block
DNS over TLS (DoT)
```text
Client ←──TLS encrypted tunnel──→ DoT server
```
- Encrypt DNS queries through TLS protocol
- Dedicated port 853
- More lightweight but easily identifiable
3. Use Trusted DNS Servers
Recommended Public DNS:
| Provider | IPv4 | Features |
|---|---|---|
| Cloudflare | 1.1.1.1 | Fast, supports DoH/DoT |
| Google | 8.8.8.8 | Stable, global coverage |
| Quad9 | 9.9.9.9 | Built-in malicious domain blocking |
| Alibaba | 223.5.5.5 | Fast domestic access |
4. Regular Checks and Hardening
Client Protection
```bash
# Check if hosts file has been tampered with
cat /etc/hosts
# Check DNS configuration
cat /etc/resolv.conf
# Use dig to verify resolution results
dig @1.1.1.1 www.example.com
```
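Reading `/etc/hosts` and `/etc/resolv.conf` by eye works once; a scheduled check needs rules. The Python below is an added example (not code from the original article) that turns the two `cat` checks into an audit: it parses hosts-file content, flags any mapping for a watchlisted domain (the local-hijacking scenario from earlier) or for a public domain outside a per-host baseline, and reports `nameserver` entries in `resolv.conf` that are not on a trusted list. The sample file contents, the baseline names, the watchlist and the trusted-resolver set are all constructed assumptions a defender would maintain per environment.

```python
import ipaddress

# Constructed hosts-file content; the last line mirrors the tampering scenario above.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
::1         localhost ip6-localhost
127.0.1.1   workstation
# added by build tooling
10.0.0.5    registry.internal
192.168.1.100 www.bank.com   # points to phishing site
"""

# Constructed resolv.conf content with one resolver that is not on the trusted list.
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager
search corp.example
nameserver 1.1.1.1
nameserver 198.51.100.53
"""

# Assumptions a defender maintains per host/environment.
BASELINE_NAMES = {"localhost", "ip6-localhost", "ip6-loopback", "workstation"}
WATCHLIST = ("bank.com", "example.com")            # sensitive domains never to be overridden locally
INTERNAL_SUFFIXES = (".internal", ".local", ".lan", ".test", ".localdomain")
TRUSTED_RESOLVERS = {"1.1.1.1", "1.0.0.1", "8.8.8.8", "9.9.9.9"}


def parse_hosts(text):
    """Return (line_number, ip_address, hostname) for every mapping; comments and malformed lines are skipped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                                  # not an address: hosts parsers ignore the line
        for name in parts[1:]:
            entries.append((lineno, addr, name.lower()))
    return entries


def audit_hosts(text, baseline=BASELINE_NAMES, watchlist=WATCHLIST):
    """Flag hosts-file mappings that override watchlisted or public domains."""
    findings = []
    for lineno, addr, name in parse_hosts(text):
        if name in baseline:
            continue
        finding = {"line": lineno, "name": name, "addr": str(addr)}
        if any(name == s or name.endswith("." + s) for s in watchlist):
            finding.update(severity="high", reason="watchlisted domain overridden in hosts file")
        elif "." in name and not name.endswith(INTERNAL_SUFFIXES):
            finding.update(severity="medium", reason="public domain pinned outside the baseline")
        else:
            continue                                  # bare or site-internal name: normal hosts-file use
        findings.append(finding)
    return findings


def unexpected_resolvers(text, trusted=TRUSTED_RESOLVERS):
    """List nameserver addresses in resolv.conf content that are not in the trusted set."""
    found = []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0] == "nameserver" and parts[1] not in trusted:
            found.append(parts[1])
    return found


def audit_system(hosts_path="/etc/hosts", resolv_path="/etc/resolv.conf"):
    """Run both checks against the live files (paths are the Linux defaults)."""
    with open(hosts_path, encoding="utf-8", errors="replace") as fh:
        hosts_findings = audit_hosts(fh.read())
    with open(resolv_path, encoding="utf-8", errors="replace") as fh:
        resolvers = unexpected_resolvers(fh.read())
    return hosts_findings, resolvers


if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS):
        print(f"hosts line {f['line']}: {f['name']} -> {f['addr']} [{f['severity']}] {f['reason']}")
    print("untrusted resolvers:", unexpected_resolvers(SAMPLE_RESOLV_CONF))
```

On a managed fleet the baseline and trusted-resolver set are what make the output actionable; without them every developer's local override becomes noise. On systems where `resolv.conf` points at a local stub (`127.0.0.53` for systemd-resolved), the upstream servers must be checked in the stub's own configuration instead.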
Router Protection
- Change default management password
- Disable remote management
- Regular firmware updates
- Use reliable DNS servers
5. Application Layer Protection
HTTP Strict Transport Security (HSTS)
```http
Strict-Transport-Security: max-age=31536000; includeSubDomains
```
- Force HTTPS connections
- Prevent SSL stripping attacks
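A header that is present but weak (short `max-age`, no `includeSubDomains`, or a duplicate directive that makes browsers ignore it) gives less protection than the example above suggests. The Python below is an added example, not code from the original article: it parses a `Strict-Transport-Security` value following the RFC 6797 rules (directive names are case-insensitive, a repeated directive invalidates the header, `max-age` is mandatory) and reports the weaknesses a reviewer would flag. The one-year threshold is an assumption taken from the published preload-list requirements.

```python
# Minimum max-age (one year) the HSTS preload list requires; assumption based on the preload policy.
PRELOAD_MIN_MAX_AGE = 31536000


def parse_hsts(header_value):
    """Parse a Strict-Transport-Security value (RFC 6797 section 6.1).

    Raises ValueError where a browser would discard the header: duplicate
    directives, or a missing/non-numeric max-age.
    """
    directives = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')            # values may be quoted-string tokens
        if name in directives:
            raise ValueError(f"duplicate directive: {name}")
        directives[name] = value
    max_age = directives.get("max-age")
    if max_age is None or not max_age.isdigit():
        raise ValueError("max-age is required and must be a non-negative integer")
    return {
        "max_age": int(max_age),
        "include_subdomains": "includesubdomains" in directives,
        "preload": "preload" in directives,
    }


def evaluate_hsts(header_value):
    """Return (policy, issues): the parsed policy plus the weaknesses a reviewer would flag."""
    policy = parse_hsts(header_value)
    issues = []
    if policy["max_age"] == 0:
        issues.append("max-age=0 clears the policy; the host is not forced to HTTPS")
    elif policy["max_age"] < PRELOAD_MIN_MAX_AGE:
        issues.append(f"max-age {policy['max_age']}s is below one year; protection lapses quickly")
    if not policy["include_subdomains"]:
        issues.append("includeSubDomains missing; subdomains can still be reached over plain HTTP")
    if policy["preload"] and (policy["max_age"] < PRELOAD_MIN_MAX_AGE or not policy["include_subdomains"]):
        issues.append("preload requested but one-year max-age and includeSubDomains are required")
    return policy, issues


if __name__ == "__main__":
    for value in ("max-age=31536000; includeSubDomains", "max-age=3600", "max-age=0"):
        print(value, "->", evaluate_hsts(value))
```

HSTS is learned on a successful HTTPS visit, so the very first connection to a host is unprotected unless the domain is on the preload list; after that, a DNS hijack that lands the user on a server without a valid certificate for the name produces a hard, non-bypassable browser error instead of a plain-HTTP phishing page.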
Certificate Pinning
- Application embeds server certificate fingerprints
- Verify server identity, prevent man-in-the-middle attacks
Methods to Detect DNS Hijacking
1. Multi-DNS Server Comparison
```bash
# Compare resolution results from different DNS servers
dig @8.8.8.8 www.example.com
dig @1.1.1.1 www.example.com
dig @223.5.5.5 www.example.com
```
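Comparing three `dig` outputs by eye does not scale to a list of domains or a cron job. The Python below is an added example, not code from the original article: it parses `dig +short` output for each resolver, takes the answer set shared by the most resolvers as the consensus, and reports every resolver that disagrees. The sample outputs are constructed (documentation-range addresses, with a home-router resolver returning a different answer); `query_with_dig` is a thin wrapper around the page's `dig` command for live use and is not exercised offline.

```python
import ipaddress
import shutil
import subprocess
from collections import Counter

# Constructed `dig +short` outputs for one hostname, keyed by resolver.
# Both public resolvers agree; the home-router resolver answers something else.
SAMPLE_OUTPUTS = {
    "8.8.8.8": "203.0.113.10\n203.0.113.11\n",
    "1.1.1.1": "203.0.113.11\n203.0.113.10\n",
    "192.168.1.1": "198.51.100.7\n",
}


def parse_dig_short(output):
    """Turn `dig +short` output into the set of IP answers; non-IP lines (CNAME targets) are skipped."""
    ips = set()
    for line in output.splitlines():
        line = line.strip().rstrip(".")
        if not line:
            continue
        try:
            ips.add(str(ipaddress.ip_address(line)))
        except ValueError:
            continue
    return frozenset(ips)


def compare_resolutions(outputs, min_agreement=2):
    """Group resolvers by answer set; the largest group is the consensus, the rest are outliers.

    If fewer than min_agreement resolvers share an answer there is no consensus
    and every resolver is reported, since nothing can be trusted by majority.
    """
    answers = {resolver: parse_dig_short(text) for resolver, text in outputs.items()}
    consensus, votes = Counter(answers.values()).most_common(1)[0]
    if votes < min_agreement:
        consensus = None
    outliers = {r: sorted(a) for r, a in answers.items() if a != consensus}
    return {
        "consensus": None if consensus is None else sorted(consensus),
        "agreement": votes,
        "outliers": outliers,
    }


def query_with_dig(resolver, hostname, timeout=5):
    """Run the page's dig command for one resolver; needs dig on PATH and network access."""
    if shutil.which("dig") is None:
        raise RuntimeError("dig is not installed")
    proc = subprocess.run(["dig", "+short", f"@{resolver}", hostname],
                          capture_output=True, text=True, timeout=timeout)
    return proc.stdout


if __name__ == "__main__":
    result = compare_resolutions(SAMPLE_OUTPUTS)
    print("consensus:", result["consensus"], "agreed by", result["agreement"], "resolvers")
    for resolver, answer in result["outliers"].items():
        print(f"outlier {resolver}: {answer}")
```

A disagreement is a signal to investigate, not proof of hijacking: CDN-hosted names legitimately return different addresses by region, so an outlier should be confirmed against the authoritative servers (for example with `dig +trace`) before raising an alert.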
2. Online Detection Tools
- DNSChecker.org
- WhatsMyDNS.net
- Google Admin Toolbox
3. Monitoring and Alerts
- Monitor domain resolution result changes
- Set DNS record change alerts
- Regularly check domain WHOIS information
Summary
| Protection Measure | Protected Against | Implementation Difficulty | Recommendation |
|---|---|---|---|
| DNSSEC | DNS spoofing | Medium | ⭐⭐⭐⭐ |
| DoH/DoT | Man-in-the-middle | Easy | ⭐⭐⭐⭐⭐ |
| Trusted DNS | Various attacks | Easy | ⭐⭐⭐⭐⭐ |
| Regular Checks | Local hijacking | Easy | ⭐⭐⭐⭐ |
| HSTS | Protocol downgrade | Easy | ⭐⭐⭐⭐ |