DNS hijacking
DNS hijacking or DNS redirection is the practice of redirecting the resolution of Domain Name System (DNS) names to other DNS servers. This is done for malicious purposes such as phishing; for self-serving purposes by Internet service providers (ISPs), to direct users' HTTP traffic via the ISP's own web servers where advertisements are served, statistics are collected, or other purposes of the ISP are pursued; and by DNS service providers to block access to selected domains as a form of censorship.
Technical background
One of the functions of a DNS server is to translate a domain name into an IP address that applications need to connect to an Internet resource such as a website. This functionality is defined in various formal Internet standards that define the protocol in considerable detail. DNS servers are implicitly trusted by internet-facing computers and users to correctly resolve names to the actual addresses that are registered by the owners of an internet domain.
Rogue DNS server
A rogue DNS server translates domain names of desirable websites (search engines, banks, brokers, etc.) into IP addresses of sites with unintended content, even malicious websites. Most users depend on DNS servers automatically assigned by their ISPs. Zombie computers use DNS-changing trojans to invisibly switch the automatic DNS server assignment by the ISP to manual DNS server assignment from rogue DNS servers. When users try to visit websites, they are instead sent to a bogus website. This attack is termed pharming. If the site they are redirected to is a malicious website, masquerading as a legitimate website in order to fraudulently obtain sensitive information, it is termed phishing.
Manipulation by ISPs
A number of consumer ISPs such as Cablevision's Optimum Online, Comcast, Time Warner, Cox Communications, RCN, Rogers, Charter Communications, Verizon, Virgin Media, Frontier Communications, Bell Sympatico, UPC, T-Online, Optus, Mediacom, ONO and Bigpond (Telstra) use DNS hijacking for their own purposes, such as displaying advertisements or collecting statistics. This practice violates the RFC standard for DNS (NXDOMAIN) responses, and can potentially open users to cross-site scripting attacks.
Redirecting can be more benign, allowing a DNS server provided by a service such as OpenDNS to intercept and block sites known to be malicious or with content which the user wishes to block, etc. The provider of the DNS server may charge a fee for this service, or also show advertisements, collect statistics, etc.
The main concern with this form of DNS hijacking is the hijacking of the NXDOMAIN response. Internet and intranet applications rely on the NXDOMAIN response to describe the condition where the DNS has no entry for the specified host. If one were to query an invalid domain name (for example, fakeexample.com), one should get an NXDOMAIN response, informing the application that the name is invalid so that it can take the appropriate action (for example, displaying an error or not attempting to connect to the server). However, if the domain name is queried on one of these non-compliant ISPs, one would always receive a fake IP address belonging to the ISP. In a web browser, this behavior can be annoying or offensive, as connections to this IP address display the ISP redirect page of the provider, sometimes with advertising, instead of a proper error message. Other applications that rely on the NXDOMAIN error will instead attempt to initiate connections to this spoofed IP address, potentially exposing sensitive information.
Examples of functionality that breaks when an ISP hijacks DNS:
- Roaming laptops that are members of a Windows Server domain will falsely be led to believe that they are back on a corporate network, because resources such as domain controllers, email servers and other infrastructure will appear to be available. Applications will therefore attempt to initiate connections to these corporate servers, but fail, resulting in degraded performance, unnecessary traffic on the internet connection and timeouts.
- Many small office and most home networks do not have their own DNS server, relying instead on broadcast name resolution. However, because DNS lookups are prioritized over local broadcasts, all names will falsely resolve to a server belonging to the ISP, and local networking will not work.
- Browsers such as Firefox no longer have their 'Browse By Name' functionality (where keywords typed in the address bar take you to the closest matching site).
- The local DNS client built into modern operating systems will cache results of DNS searches for performance reasons. If a client switches between a home network and a VPN, false entries may remain cached, thereby creating a service outage on the VPN connection.
- DNSBL anti-spam solutions rely on DNS; false DNS results therefore interfere with their operation.
- Confidential user data might be leaked by applications that are tricked by the ISP into believing that the servers they wish to connect to are available.
- User choice over which search engine to consult in the event of a URL being mistyped in a browser is removed, as the ISP determines what search results are displayed to the user; functionality of applications like the Google Toolbar does not work correctly.
- Computers configured to use a split tunnel with a VPN connection will stop working, because intranet names that should not be resolved outside the tunnel over the public Internet will start resolving to fictitious addresses, instead of resolving correctly over the VPN tunnel on a private DNS server when an NXDOMAIN response is received from the Internet. For example, a mail client attempting to resolve the DNS A record for an internal mail server may receive a false DNS response that directs it to a paid-results web server, with messages queued for delivery for days while retransmission is attempted in vain.
- It breaks the Web Proxy Autodiscovery Protocol (WPAD) by leading web browsers to believe incorrectly that the ISP has a proxy server configured.
In some cases, the ISPs provide settings to disable hijacking of NXDOMAIN responses. Correctly implemented, such a setting reverts DNS to standard behavior. Some ISPs, however, instead use a web browser cookie to store the preference. In this case, the underlying behavior is not fixed: DNS queries continue to be redirected, while the ISP redirect page is replaced with a counterfeit DNS error page (as shown by Charter here; notice the "Manage Opt-In settings" link). Applications other than web browsers cannot be opted out of the scheme using cookies, because the opt-out applies only to HTTP, while the redirection itself is implemented in the protocol-neutral DNS layer.
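A resolver-side check for the NXDOMAIN rewriting described above, added here as an example and not taken from the article: it encodes a DNS query for a name that cannot exist, parses the raw reply, and reports whether the resolver answered NXDOMAIN or handed back an address. Because it tests the DNS layer directly, its result does not depend on any browser-cookie opt-out; the sample replies and the address 198.51.100.7 are constructed, and `probe()` assumes a resolver you use that is reachable on UDP port 53.

```python
# Added example (not from the article): ask a resolver for a name that cannot
# exist, parse the raw reply, and report whether it answered NXDOMAIN (RCODE 3)
# or rewrote it into a NOERROR answer carrying an A record. Stdlib only; the
# sample replies built by make_response() are constructed, not captured.
import random
import socket
import struct
from typing import Optional

def build_query(name: str, qid: int = 0x1234) -> bytes:
    """Encode a recursive (RD=1) A/IN query for ``name``."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)

def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if (length & 0xC0) == 0xC0:  # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length

def classify_response(resp: bytes) -> dict:
    """Parse header, question and answer sections and judge the resolver."""
    qid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    rcode = flags & 0x000F
    off = 12
    for _ in range(qd):
        off = _skip_name(resp, off) + 4  # skip QTYPE and QCLASS
    addrs = []
    for _ in range(an):
        off = _skip_name(resp, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:  # A record
            addrs.append(socket.inet_ntoa(resp[off:off + 4]))
        off += rdlen
    if rcode == 3:
        verdict = "compliant"  # NXDOMAIN, as the DNS RFCs require for a missing name
    elif rcode == 0 and addrs:
        verdict = "hijacked"   # an address was invented for a name that does not exist
    else:
        verdict = "unexpected"
    return {"id": qid, "rcode": rcode, "addresses": addrs, "verdict": verdict}

def make_response(query: bytes, rcode: int, addr: Optional[str]) -> bytes:
    """Constructed reply to ``query``: NXDOMAIN, or NOERROR with one A record."""
    qid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", qid, 0x8180 | rcode, 1, 1 if addr else 0, 0, 0)
    answer = b""
    if addr:  # owner = pointer to the question at offset 12; A/IN, TTL 60, 4-byte RDATA
        answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton(addr)
    return header + query[12:] + answer

def probe(resolver_ip: str, name: Optional[str] = None, timeout: float = 3.0) -> dict:
    """Live check of a resolver you use: a random .com label should yield NXDOMAIN."""
    name = name or "nx-%012x.com" % random.getrandbits(48)
    query = build_query(name, qid=random.getrandbits(16))
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (resolver_ip, 53))
        resp, _ = sock.recvfrom(512)
    if resp[:2] != query[:2]:
        raise ValueError("reply ID does not match the query")
    return classify_response(resp)
```

Calling `probe()` with the address of your assigned resolver returns the same dictionary as `classify_response()`; a verdict of "hijacked" for a random name means that resolver is rewriting NXDOMAIN regardless of any browser opt-out.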
Response
In the UK, the Information Commissioner's Office has acknowledged that the practice of involuntary DNS hijacking contravenes PECR and EC Directive 95/46 on Data Protection, which require explicit consent for processing of communication traffic. However, it has refused to intervene, claiming that it would not be "sensible" to enforce the law because "it would not cause significant (or indeed any) demonstrable detriment to individuals".
ICANN, the international body responsible for administering top-level domain names, has published a memorandum highlighting its concerns, and affirming:
See also
- TCP reset attack
- Domain hijacking
- Dynamic Host Configuration Protocol
- Point-to-Point Protocol
- Pharming
- Phishing
- DNS cache poisoning