Analyzing DNS Hijacking

This article is a crash course on DNS hijacking, analyzing various types of DNS hijacking one by one.

By DNS Team

Today, let's talk about DNS hijacking, starting with the concept itself. DNS hijacking refers to tampering, by technical means, with the mapping between a domain name and its correct IP address, so that the domain name resolves to a wrong IP address. DNS hijacking can therefore be considered a DNS redirection attack. It can be used for domain name fraud (displaying irrelevant content to earn income when users visit web pages) and for phishing (displaying a fake version of the website the user intended to visit and then illegally stealing the user's personal information).

Principle of DNS Resolution

Before introducing the principle of DNS hijacking, you need to understand the typical DNS resolution process.


A client initiates a recursive DNS request. The local recursive DNS server (the carrier's DNS in most cases) or a public DNS service then queries the multiple levels of authoritative DNS servers iteratively and returns the result to the client. A complete DNS query has two notable characteristics:

  • Long Procedure: The query process involves multiple rounds of network communication across several levels of servers.
  • Many Involved Roles: The query process involves clients, DNS recursive servers, and authoritative servers. DNS hijacking may occur at each step of a complete DNS query chain. The following chapters analyze the various types of DNS hijacking one by one.

Classification of DNS Hijacking

We will divide DNS hijacking into three categories: client-side, recursive DNS server, and authoritative DNS server.

1. Local DNS Hijack

DNS hijacking on the client side is called local DNS hijacking. It covers the following cases:

  1. Attackers compromise a PC with Trojans or other malicious programs and tamper with its DNS configuration (hosts file, DNS server address, DNS cache, etc.).
  2. Attackers exploit router vulnerabilities or crack the router administrator account, gain access to the router, and tamper with its DNS configuration.
  3. Some enterprise proxy devices (such as the Cisco Umbrella intelligent proxy) intentionally hijack specific domain names and resolve them to designated results for internal enterprise scenarios.

2. DNS Resolution Path Hijacking

DNS hijacking that occurs while the client's query is in transit to the DNS server is classified as DNS resolution path hijacking. Depending on the path the DNS packets take during the query phase, DNS resolution path hijacking can be divided into the following three categories:

  • DNS Forwarding

DNS traffic is redirected to other DNS servers by technical means (a middlebox, software, etc.).



The picture above is from Wu Junfeng and Shen Han, "DNS Control Practice of Different Networks Based on Bypass Response Mechanism," Telecommunications Technology [J].

  • DNS Replication

The DNS query is mirrored (for example, via an optical splitter) to a network device, which returns a forged response before the legitimate response arrives; the client accepts the first response that matches its query.

Case: a single packet capture shows one DNS query receiving two different responses.


  • DNS Answering

A network device or piece of software answers DNS queries directly in place of the DNS server.

Case: some DNS servers implement SERVFAIL rewriting and NXDOMAIN rewriting, replacing error responses with answers of their own.


3. Tampering with DNS Authoritative Records

Tampering with DNS authoritative records refers to attackers illegally gaining access to the account that administers the authoritative DNS records and then modifying the records directly.

Case: attackers break into the domain name's administrator account, tamper with the authoritative DNS records, and redirect users to their malicious servers to carry out DNS hijacking.


Attackers break into the administrator account at the upper-level domain name registry, tamper with the NS delegation records of the domain name, and delegate the domain to a malicious DNS server they operate, thereby hijacking the domain. (Please see the FireEye blog for more information.)

Response Strategy of DNS Hijacking

DNS hijacking has become a common occurrence on the Internet, so how can we deal with its various forms? If you suspect you are experiencing DNS hijacking, the first step is to confirm the problem.

How to Confirm DNS Hijacking

Check whether the router's DNS configuration has been tampered with.

Use a DNS query tool to see which DNS server actually answered the query, and check whether the resolution has been redirected.

Some DNS-related test tools can be installed on the mobile terminal for troubleshooting:

  • Android ping & DNS
  • iOS iNetTools

DNS Hijacking Prevention

  • Install antivirus software to defend against Trojans and other malware, change the router administrator password, and update the router firmware regularly.
  • Choose a domain name registrar with strong security practices and lock your domain's authoritative data to prevent it from being tampered with.
  • Choose a domain name resolution service provider that supports DNSSEC and deploy DNSSEC for your domain name. DNSSEC ensures that the records a recursive DNS server receives from the authoritative DNS server have not been tampered with. As a professional DNS resolution service vendor, Alibaba Cloud DNS has been continuously improving and polishing product functions. DNSSEC is already under development and will be released in a few days.
  • Use DNS encryption (such as DNS-over-TLS or DNS-over-HTTPS) for the last mile, between the client and the recursive DNS server.

Related product: https://www.alibabacloud.com/product/emas/httpdns

Alibaba Cloud Community