What is DNS Hijacking?

DNS (Domain Name System) hijacking is also known as DNS redirection. The term is often used loosely alongside DNS spoofing and DNS cache poisoning; strictly, those names refer to specific techniques for feeding a resolver false answers, while hijacking covers any method of making a client act on attacker-controlled DNS answers.

DNS hijacking is the act of subverting how a client's domain-name queries are resolved, so that a requested name maps to an IP address chosen by the attacker rather than the address held in the legitimate DNS data. It is done either by pointing the client at a rogue DNS server or by corrupting the answers a legitimate server returns.

DNS hijacking is used for malicious purposes, primarily phishing and credential theft. The hijack itself is a technique rather than an end: the harm comes from what the attacker does with the redirected traffic, which is why it is best understood as an enabler of other attacks rather than as a standalone one.

DNS redirection is also used by some Internet service providers. They answer lookups for non-existent domains (which should return an NXDOMAIN error) with the address of their own web server, which then displays advertisements or a search page; the same server lets them collect statistics on mistyped and unreachable names. Providers may also redirect lookups of specific domains that have been flagged as malicious or harmful, or that they are required to block. In every case the client receives an answer that the authoritative DNS data does not contain, which is exactly the mechanism an attacker relies on.

DNS servers play a vital role in the Internet's infrastructure: they translate the domain names requested by users and applications into the corresponding IP addresses that machines actually connect to. Whoever controls or can forge those translations controls where the traffic goes.

To carry out a DNS hijack, the attacker first needs a source of answers under their control. That is either a rogue DNS server the attacker runs, or a legitimate server whose data has been poisoned so that it hands out the attacker's addresses.

A common way to get the first is malware (DNS-changing Trojans, of which the DNSChanger family is the best-known example) that rewrites the victim's network settings: instead of accepting the resolver addresses assigned automatically by DHCP, the host is switched to a static, manually configured resolver address that belongs to the attacker. The same change can be made to a home router's DHCP settings, in which case every device behind it is affected. From then on, every name the host looks up is answered by a server that returns whatever IP addresses the attacker has configured for it, while names the attacker does not care about are resolved normally, so the victim notices nothing.

These addresses lead to malicious sites, sometimes called booby traps, that impersonate the site the user asked for. Because the browser shows the expected domain name, the user has little reason to suspect anything. From there the attacker can serve a page that captures credentials or other sensitive information, inject a malicious script, deliver a drive-by download, or install spyware on the machine.
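A practical check for the resolver tampering described above, added here as an example (it is not code from the original article): it compares the nameservers a host is actually configured to use with the ones its DHCP lease handed out and with an allowlist of resolvers the organisation expects. The file contents, the 10.0.0.x resolver addresses and the 198.51.100.7 rogue address are constructed samples; on a real Linux host you would read /etc/resolv.conf and the dhclient leases file (paths vary by distribution, and systemd-resolved or NetworkManager hosts keep this state elsewhere).

```python
"""Detect DNSChanger-style tampering with a host's resolver configuration."""
import ipaddress
import re

# Constructed sample: a resolv.conf rewritten by malware. 10.0.0.1 is the
# DHCP-supplied resolver; 198.51.100.7 (a documentation-range address) stands
# in for the attacker's rogue resolver and has been placed first on purpose.
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager
search corp.example
nameserver 198.51.100.7
nameserver 10.0.0.1
"""

# Constructed sample of the lease the host received from its DHCP server.
SAMPLE_DHCLIENT_LEASES = """\
lease {
  interface "eth0";
  fixed-address 10.0.0.23;
  option subnet-mask 255.255.255.0;
  option domain-name-servers 10.0.0.1, 10.0.0.2;
  option domain-name "corp.example";
}
"""

# Resolvers the organisation expects its hosts to use (assumed for the example).
ALLOWED_RESOLVERS = {"10.0.0.1", "10.0.0.2"}


def parse_resolv_conf(text):
    """Return the nameserver addresses in resolv.conf order, ignoring comments."""
    servers = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def parse_dhcp_nameservers(text):
    """Return the resolvers offered in the most recent lease of a dhclient leases file."""
    found = re.findall(r"option domain-name-servers\s+([^;]+);", text)
    if not found:
        return []
    return [s.strip() for s in found[-1].split(",")]


def audit_resolvers(resolv_text, lease_text, allowed):
    """Flag configured resolvers that are malformed, not on the allowlist, or
    not the ones DHCP assigned. Resolvers are tried in order, so a rogue entry
    in first position hijacks every lookup even if a legitimate one follows."""
    configured = parse_resolv_conf(resolv_text)
    dhcp = parse_dhcp_nameservers(lease_text)
    report = {"configured": configured, "dhcp": dhcp,
              "invalid": [], "unexpected": [], "not_from_dhcp": []}
    for server in configured:
        try:
            ipaddress.ip_address(server)
        except ValueError:
            report["invalid"].append(server)
            continue
        if server not in allowed:
            report["unexpected"].append(server)
        if dhcp and server not in dhcp:
            report["not_from_dhcp"].append(server)
    report["first_resolver_rogue"] = bool(configured) and configured[0] in report["unexpected"]
    return report


if __name__ == "__main__":
    result = audit_resolvers(SAMPLE_RESOLV_CONF, SAMPLE_DHCLIENT_LEASES, ALLOWED_RESOLVERS)
    for key, value in result.items():
        print(f"{key}: {value}")
```

The allowlist comparison catches a resolver the attacker added; the DHCP comparison catches the case where the attacker's resolver happens to be on the allowlist of some other site, or where the allowlist is stale. Neither check helps when the router's DHCP settings were changed, because then DHCP itself hands out the rogue address; for that case compare the DHCP-offered resolvers against the allowlist as well.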

The terminology is often confused. Phishing lures a victim to a fake site through a deceptive message (an e-mail, a text message, a link); the victim has to act on the lure. Pharming reaches the same fake site by manipulating name resolution, so the victim is redirected even after typing the correct address, and DNS hijacking is the usual means of pharming. Whether the destination site attacks the visitor's machine directly or merely harvests what the user types does not change which term applies. There are two classic techniques for poisoning a resolver's answers without taking over the victim's host:

  • DNS cache poisoning: inserting a forged record into a recursive resolver's cache, so that every client of that resolver receives the attacker's address until the record's TTL expires
  • DNS ID spoofing: racing the legitimate reply by sending forged responses that carry the transaction ID (and reach the source port) the resolver is waiting for, so the resolver accepts the forgery as the answer to its outstanding query; this is the usual way a cache is poisoned from outside
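The two techniques above both depend on a resolver accepting a reply it did not actually get from the server it asked. The following example, added here and not code from the original article, encodes and decodes minimal DNS wire-format messages (A records only) and shows the checks a resolver must apply before trusting a reply: it must arrive at the port the query left from, carry the query's transaction ID, and repeat the query's question section. A blind spoofer who cannot see the query has to guess the 16-bit ID and, if the resolver randomises it, the source port as well. The names, addresses and the use of `random` in place of the operating system's port allocation are assumptions made for the example.

```python
"""DNS transaction ID and source-port checks against blind response spoofing."""
import random
import struct


def encode_name(name):
    """Encode a dotted name in DNS label format (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg, offset):
    """Decode a name at `offset`, following compression pointers (RFC 1035 4.1.4).
    Returns (name, offset just past the name as it appears in the message)."""
    labels, end = [], None
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:              # pointer to an earlier occurrence
            if end is None:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), offset if end is None else end


def build_query(txid, name, qtype=1):
    """Standard query with RD set and one question (qtype 1 = A, class 1 = IN)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def build_answer(txid, name, ipv4, ttl=300):
    """Response (QR, RD, RA set) echoing the question plus one A record whose
    owner name is a compression pointer to the question name at offset 12."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    rdata = bytes(int(o) for o in ipv4.split("."))
    rr = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata
    return header + question + rr


def parse_message(msg):
    """Parse the header, question section and A-record answers of a DNS message."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    offset, questions, answers = 12, [], []
    for _ in range(qd):
        name, offset = decode_name(msg, offset)
        qtype, qclass = struct.unpack("!HH", msg[offset:offset + 4])
        offset += 4
        questions.append((name, qtype, qclass))
    for _ in range(an):
        name, offset = decode_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:
            rdata = ".".join(str(b) for b in rdata)
        answers.append((name, rtype, ttl, rdata))
    return {"id": txid, "flags": flags, "questions": questions, "answers": answers}


def make_pending(name, server):
    """What a resolver remembers about a query it just sent: the server asked, a
    random 16-bit transaction ID and a random ephemeral source port (assumption:
    a real resolver gets the port from the OS; random.randrange stands in here)."""
    return {"name": name, "qtype": 1, "server": server,
            "txid": random.getrandbits(16), "sport": random.randrange(1024, 65536)}


def validate_response(pending, src, dst_port, msg):
    """Accept a reply only if it matches the outstanding query on every field.
    The source IP is trivially forged by a spoofer, so the port and ID checks
    are what actually make blind spoofing expensive."""
    if src != pending["server"]:
        return False, "unexpected source address"
    if dst_port != pending["sport"]:
        return False, "destination port mismatch"
    reply = parse_message(msg)
    if not reply["flags"] & 0x8000:
        return False, "not a response"
    if reply["id"] != pending["txid"]:
        return False, "transaction id mismatch"
    if reply["questions"] != [(pending["name"], pending["qtype"], 1)]:
        return False, "question section mismatch"
    return True, "ok"


def expected_guesses(source_port_randomised):
    """Forged replies a blind spoofer must send, on average, to hit the right
    16-bit ID and, when the port is randomised, the right 16-bit port too."""
    bits = 16 + (16 if source_port_randomised else 0)
    return 2 ** (bits - 1)


if __name__ == "__main__":
    pending = make_pending("www.example.com", ("10.0.0.1", 53))
    legit = build_answer(pending["txid"], "www.example.com", "203.0.113.10")
    forged = build_answer(random.getrandbits(16), "www.example.com", "198.51.100.7")
    print(validate_response(pending, ("10.0.0.1", 53), pending["sport"], legit))
    print(validate_response(pending, ("10.0.0.1", 53), pending["sport"], forged))
    print(expected_guesses(False), expected_guesses(True))
```

With a fixed or predictable source port the attacker only has to cover the 16-bit ID space, which a flood of forged packets does in well under a second on a fast link; randomising the port raises the search to roughly 2^32 and is why modern resolvers do it. The checks here are necessary but not sufficient: an attacker who can observe the query (on-path, or on the same LAN as the resolver) reads the ID and port directly, and only DNSSEC validation or an encrypted transport to a trusted resolver defends against that.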