The Problem: So the story goes that in December of 1955, an officer of the United States Air Force receives a call on a classified hotline phone at a secure location. This number is to be used only in cases of extreme emergency, so he fears the worst when picking it up. On the other end of the phone, a tiny voice asks “Is this Santa Claus?”. The officer was understandably confused, but before long they were overwhelmed by calls from people attempting to call the north pole. The cause of this was a Sears Roebuck ad asking people to call Santa directly and listed a number. However, due to a printing error, the number that was listed was not the one to contact a sales person for Sears, but a commanding officer at NORAD- the North American Aerospace Defense Command. So instead of receiving an order from the White House, they were getting calls from children asking if they were elves.
“DNS Hijacking” is the act of redirecting traffic from its intended destination by way of changing where a particular URL points to (as in the recent case of Lenovo). DNS (Domain Name System) is essentially the Internet’s phone book: It is a massive, massive list of records- each containing a human friendly domain name such as “www.amazon.com” and the IP (Internet Protocol) address that they correspond with like “126.96.36.199”. When IP addresses change, such as going from one location to another, the DNS records can be updated so that from the user’s perspective when they type in the URL nothing has changed. So in our example, the DNS record is the advertisement, the URL ‘Santa’, and the IP address the mistyped phone number.
The Solution: DNS Hijacking is a function that can be done at a number of different levels- either at the user level by way of malware on the affected system, all the way up to poisoning the DNS server itself that the user is performing a look-up against. This is done for a number of different reasons- sometimes for direct payments in a style similar to ransomware, other times for advertising revenue, or for malware distribution. We will be looking at defending against this type of attack at a lower level.
Solution the First: Contact your ISP
ISP’s recently have begun using DNS lookups to inject their own ads and error pages directly into user’s web browsers- resulting in potential privacy, security and censorship issues. Most ISP’s that perform this action provide a method to ‘opt-out’ of this type of modification, and the method of doing so varies from provider to provider- either through a web form or through a phone call. There are however some hostile providers that believe that if you do not want to be tracked, that you should not use their DNS servers which leads us to our next solution.
Solution the Second: OpenDNS
OpenDNS offers the use of their DNS servers free of charge for public use, which can used on any internet-connected device. They also support the use of DNS Encryption- protecting lookups from end to end. If you start to run into problems with your ISP’s DNS servers- whether that is downtime or issues with what they are directing you to, this is an excellent alternative to consider.
Solution the Third: Malware Defenses
Spybot and MalwareBytes are exceptionally good anti-malware utilities that have free versions available for home use. If you begin seeing unusual activity when you try to logon to sites such as www.google.com, you may have malware installed on your computer which is redirecting your request to a different web server. Both products are excellent overall security tools, and are capable of protecting your HOSTS file– a hard-coded lookup method that pre-dates DNS, but is still in use for most computers.
DNS Hijacking is one of the few types of attacks that scales to an incredible degree depending on the skill of the attacker: from a single system, to the 13 root DNS Servers of the Internet. It is also a method that many otherwise legitimate organizations feel that they can use to help line their pockets by redirecting bad look-ups to their own websites. Regardless of the intent, it is still changing traffic from where it needs to go and needs to be prevented wherever possible.