DNS hijacking, DNS poisoning, or DNS redirection is the practice of subverting the resolution of

Domain Name System The Domain Name System (DNS) is a hierarchical and distributed naming system for computers, services, and other resources in the Internet or other Internet Protocol (IP) networks. It associates various information with domain names assigned to ...

(DNS) queries. This can be achieved by malware that overrides a computer's

TCP/IP The Internet protocol suite, commonly known as TCP/IP, is a framework for organizing the set of communication protocols used in the Internet and similar computer networks according to functional criteria. The foundational protocols in the suit ...

configuration to point at a rogue DNS server under the control of an attacker, or through modifying the behaviour of a trusted DNS server so that it does not comply with internet standards. These modifications may be made for malicious purposes such as

phishing Phishing is a type of social engineering where an attacker sends a fraudulent (e.g., spoofed, fake, or otherwise deceptive) message designed to trick a person into revealing sensitive information to the attacker or to deploy malicious softwar ...

, for self-serving purposes by

Internet service providers An Internet service provider (ISP) is an organization that provides services for accessing, using, or participating in the Internet. ISPs can be organized in various forms, such as commercial, community-owned, non-profit, or otherwise privatel ...

(ISPs), by the

Great Firewall of China The Great Firewall (''GFW''; ) is the combination of legislative actions and technologies enforced by the People's Republic of China to regulate the Internet domestically. Its role in internet censorship in China is to block access to selected for ...

and public/router-based online DNS server providers to direct users' web traffic to the ISP's own

web server A web server is computer software and underlying hardware that accepts requests via HTTP (the network protocol created to distribute web content) or its secure variant HTTPS. A user agent, commonly a web browser or web crawler, initiate ...

s where advertisements can be served, statistics collected, or other purposes of the ISP; and by DNS service providers to block access to selected domains as a form of

censorship Censorship is the suppression of speech, public communication, or other information. This may be done on the basis that such material is considered objectionable, harmful, sensitive, or "inconvenient". Censorship can be conducted by governments ...

Technical background

One of the functions of a DNS server is to translate a

domain name A domain name is a string that identifies a realm of administrative autonomy, authority or control within the Internet. Domain names are often used to identify services provided through the Internet, such as websites, email services and more. As ...

into an

IP address An Internet Protocol address (IP address) is a numerical label such as that is connected to a computer network that uses the Internet Protocol for communication.. Updated by . An IP address serves two main functions: network interface ident ...

that

applications Application may refer to: Mathematics and computing * Application software, computer software designed to help the user to perform specific tasks ** Application layer, an abstraction layer that specifies protocols and interface methods used in a c ...

need to connect to an Internet resource such as a

website A website (also written as a web site) is a collection of web pages and related content that is identified by a common domain name and published on at least one web server. Examples of notable websites are Google Search, Google, Facebook, Amaz ...

. This functionality is defined in various formal

internet standards In computer network engineering, an Internet Standard is a normative specification of a technology or methodology applicable to the Internet. Internet Standards are created and published by the Internet Engineering Task Force (IETF). They allow ...

that define the

protocol Protocol may refer to: Sociology and politics * Protocol (politics), a formal agreement between nation states * Protocol (diplomacy), the etiquette of diplomacy and affairs of state * Etiquette, a code of personal behavior Science and technolog ...

in considerable detail. DNS servers are implicitly trusted by internet-facing computers and users to correctly resolve names to the actual addresses that are registered by the owners of an internet domain.

Rogue DNS server

A rogue DNS server translates domain names of desirable websites (search engines, banks, brokers, etc.) into IP addresses of sites with unintended content, even malicious websites. Most users depend on DNS servers automatically assigned by their

ISP An Internet service provider (ISP) is an organization that provides services for accessing, using, or participating in the Internet. ISPs can be organized in various forms, such as commercial, community-owned, non-profit, or otherwise private ...

s. A router's assigned DNS servers can also be altered through the remote exploitation of a vulnerability within the router's firmware. When users try to visit websites, they are instead sent to a bogus website. This attack is termed

pharming Pharming is a cyberattack intended to redirect a website's traffic to another, fake site by installing a malicious program on the computer. Pharming can be conducted either by changing the hosts file on a victim's computer or by exploitation of a ...

. If the site they are redirected to is a malicious website, masquerading as a legitimate website, in order to fraudulently obtain sensitive information, it is called

Manipulation by ISPs

A number of consumer ISPs such as

AT&T AT&T Inc. is an American multinational telecommunications holding company headquartered at Whitacre Tower in Downtown Dallas, Texas. It is the world's largest telecommunications company by revenue and the third largest provider of mobile tel ...

Cablevision Cablevision Systems Corporation was an American cable television company with systems serving areas surrounding New York City. It was the fifth-largest cable provider and ninth-largest television provider in the United States. Throughout its ex ...

Optimum Online Optimum is an American Internet, television, mobile and home phone company serving Arizona, Arkansas, California, Connecticut, Idaho, Kentucky, Louisiana, Mississippi, Missouri, New Jersey, New York, North Carolina, Oklahoma, Pennsylvania, Texas ...

CenturyLink Lumen Technologies, Inc. (formerly CenturyLink) is an American telecommunications company headquartered in Monroe, Louisiana, that offers communications, network services, security, cloud solutions, voice, and managed services. The company is ...

Cox Communications Cox Communications, Inc. (also known as Cox Cable and formerly Cox Broadcasting Corporation, Dimension Cable Services and Times-Mirror Cable) is an American digital cable television provider, telecommunications and home automation services. It i ...

, RCN,

Rogers Rogers may refer to: Places Canada *Rogers Pass (British Columbia) * Rogers Island (Nunavut) United States * Rogers, Arkansas, a city * Rogers, alternate name of Muroc, California, a former settlement * Rogers, Indiana, an unincorporated communit ...

, Charter Communications (Spectrum),

Plusnet Plusnet plc is a British triple play internet service provider (ISP); providing broadband, landline and mobile services. The company was founded in 1997 in Sheffield, England, and became a public limited company (plc) in July 2004 when it was f ...

Verizon Verizon Communications Inc., commonly known as Verizon, is an American multinational telecommunications conglomerate and a corporate component of the Dow Jones Industrial Average. The company is headquartered at 1095 Avenue of the Americas in ...

, Sprint,

T-Mobile US T-Mobile US, Inc. is an American wireless network operator headquartered in Overland Park, Kansas and Bellevue, Washington, U.S. Its largest shareholder is a multinational telecommunications company Deutsche Telekom AG, which , holds 48.4 perc ...

Virgin Media Virgin Media is a British telecommunications company which provides telephone, Cable television, television and Internet access, internet services in the United Kingdom. Its headquarters are at Green Park in Reading, Berkshire, Reading, Engla ...

Frontier Communications Frontier Communications Parent, Inc. (known as Citizens Utilities Company until May 2000 and Citizens Communications Company until July 31, 2008) is an American telecommunications company. The company previously served primarily rural areas and s ...

Bell Sympatico Bell Internet, originally and frequently still called Sympatico, is the residential Internet service provider (ISP) division of BCE Inc. As of May 3, 2012, Bell Internet had over 3 million subscribers in Ontario and Quebec, making it the larges ...

Deutsche Telekom AG Deutsche Telekom AG (; short form often just Telekom, DTAG or DT; stylised as ·T·) is a German telecommunications company that is headquartered in Bonn and is the largest telecommunications provider in Europe by revenue. Deutsche Telekom was ...

Optus Singtel Optus Pty Limited (commonly referred to as Optus) is an Australian Telecommunications in Australia, telecommunications company headquartered in Macquarie Park, New South Wales, Australia. It is a wholly owned subsidiary of Singapore, Si ...

Mediacom Mediacom Communications Corporation is the United States' fifth largest cable television provider based on the number of video subscribers, and among the leading cable operators focused on serving smaller cities and towns. The company has a s ...

, ONO, TalkTalk,

Bigpond Telstra Group Limited is an Australian telecommunications company that builds and operates telecommunications networks and markets voice, mobile, internet access, pay television and other products and services. It is a member of the S&P/ASX 20 ...

(

Telstra Telstra Group Limited is an Australian telecommunications company that builds and operates telecommunications networks and markets voice, mobile, internet access, pay television and other products and services. It is a member of the S&P/ASX 20 ...

), TTNET, Türksat, and all Indonesian customer ISPs use or used DNS hijacking for their own purposes, such as displaying advertisements or collecting statistics. Dutch ISPs XS4ALL and Ziggo use DNS hijacking by court order: they were ordered to block access to

The Pirate Bay The Pirate Bay (sometimes abbreviated as TPB) is an online index of digital content of entertainment media and software. Founded in 2003 by Swedish think tank Piratbyrån, The Pirate Bay allows visitors to search, download, and contribute ma ...

and display a warning page while all customer ISP in Indonesia do DNS hijacking to comply with the National DNS law which requires every customer Indonesian ISP to hijack port 53 and redirect it to their own server to block website that are listed i
Trustpositif
by

Kominfo The Ministry of Communication and Information Technology ( id, Kementerian Komunikasi dan Informatika; abbreviated as Kominfo) is a ministry of the government of Indonesia that is responsible for communication, information affairs and internet ...

under Internet Sehat campaign. These practices violate the

RFC RFC may refer to: Computing * Request for Comments, a memorandum on Internet standards * Request for change, change management * Remote Function Call, in SAP computer systems * Rhye's and Fall of Civilization, a modification for Sid Meier's Civ ...

standard for DNS (NXDOMAIN) responses, and can potentially open users to

cross-site scripting Cross-site scripting (XSS) is a type of security vulnerability that can be found in some web applications. XSS attacks enable attackers to inject client-side scripts into web pages viewed by other users. A cross-site scripting vulnerability may ...

attacks. The concern with DNS hijacking involves this hijacking of the NXDOMAIN response. Internet and

intranet An intranet is a computer network for sharing information, easier communication, collaboration tools, operational systems, and other computing services within an organization, usually to the exclusion of access by outsiders. The term is used in c ...

applications rely on the NXDOMAIN response to describe the condition where the DNS has no entry for the specified host. If one were to query the invalid domain name (for example www.example.invalid), one should get an NXDOMAIN response – informing the application that the name is invalid and taking the appropriate action (for example, displaying an error or not attempting to connect to the server). However, if the domain name is queried on one of these non-compliant ISPs, one would always receive a fake IP address belonging to the ISP. In a

web browser A web browser is application software for accessing websites. When a user requests a web page from a particular website, the browser retrieves its files from a web server and then displays the page on the user's screen. Browsers are used on ...

, this behavior can be annoying or offensive as connections to this IP address display the ISP redirect page of the provider, sometimes with advertising, instead of a proper error message. However, other applications that rely on the NXDOMAIN error will instead attempt to initiate connections to this spoofed IP address, potentially exposing sensitive information. Examples of functionality that breaks when an ISP hijacks DNS: * Roaming laptops that are members of a

Windows Server domain A Windows domain is a form of a computer network in which all user accounts, computers, printers and other security principals, are registered with a central database located on one or more clusters of central computers known as domain controlle ...

will falsely be led to believe that they are back on a corporate network because resources such as

domain controller A domain controller (DC) is a server computer that responds to security authentication requests within a computer network domain. It is a network server that is responsible for allowing host access to domain resources. It authenticates users, sto ...

s, email servers and other infrastructure will appear to be available. Applications will therefore attempt to initiate connections to these corporate servers, but fail, resulting in degraded performance, unnecessary traffic on the Internet connection and timeouts. * Many small office and home networks do not have their own DNS server, relying instead on

broadcast Broadcasting is the distribution of audio or video content to a dispersed audience via any electronic mass communications medium, but typically one using the electromagnetic spectrum ( radio waves), in a one-to-many model. Broadcasting began ...

name resolution. Many versions of Microsoft Windows default to prioritizing DNS name resolution above NetBIOS name resolution broadcasts; therefore, when an ISP DNS server returns a (technically valid) IP address for the name of the desired computer on the LAN, the connecting computer uses this incorrect IP address and inevitably fails to connect to the desired computer on the LAN. Workarounds include using the correct IP address instead of the computer name, or changing the DhcpNodeType registry value to change name resolution service ordering. * Browsers such as

Firefox Mozilla Firefox, or simply Firefox, is a free and open-source web browser developed by the Mozilla Foundation and its subsidiary, the Mozilla Corporation. It uses the Gecko rendering engine to display web pages, which implements current and ...

no longer have their 'Browse By Name' functionality (where keywords typed in the address bar take users to the closest matching site). * The local DNS client built into modern operating systems will cache results of DNS searches for performance reasons. If a client switches between a home network and a

VPN A virtual private network (VPN) extends a private network across a public network and enables users to send and receive data across shared or public networks as if their computing devices were directly connected to the private network. The be ...

, false entries may remain cached, thereby creating a service outage on the VPN connection. *

DNSBL A Domain Name System blocklist, Domain Name System-based blackhole list, Domain Name System blacklist (DNSBL) or real-time blackhole list (RBL) is a service for operation of mail servers to perform a check via a Domain Name System (DNS) query whe ...

anti-spam solutions rely on DNS; false DNS results therefore interfere with their operation. * Confidential user data might be leaked by applications that are tricked by the ISP into believing that the servers they wish to connect to are available. * User choice over which search engine to consult in the event of a URL being mistyped in a browser is removed as the ISP determines what search results are displayed to the user. * Computers configured to use a split tunnel with a VPN connection will stop working because intranet names that should not be resolved outside the tunnel over the public Internet will start resolving to fictitious addresses, instead of resolving correctly over the VPN tunnel on a private DNS server when an NXDOMAIN response is received from the Internet. For example, a mail client attempting to resolve the DNS A record for an internal mail server may receive a false DNS response that directed it to a paid-results web server, with messages queued for delivery for days while retransmission was attempted in vain. * It breaks

Web Proxy Autodiscovery Protocol The Web Proxy Auto-Discovery (WPAD) Protocol is a method used by clients to locate the URL of a configuration file using DHCP and/or DNS discovery methods. Once detection and download of the configuration file is complete, it can be executed to de ...

(WPAD) by leading web browsers to believe incorrectly that the ISP has a

proxy server In computer networking, a proxy server is a server application that acts as an intermediary between a client requesting a resource and the server providing that resource. Instead of connecting directly to a server that can fulfill a request ...

configured. * It breaks monitoring software. For example, if one periodically contacts a server to determine its health, a monitor will never see a failure unless the monitor tries to verify the server's cryptographic key. In some, but not most cases, the ISPs provide subscriber-configurable settings to disable hijacking of NXDOMAIN responses. Correctly implemented, such a setting reverts DNS to standard behavior. Other ISPs, however, instead use a web browser

cookie A cookie is a baked or cooked snack or dessert that is typically small, flat and sweet. It usually contains flour, sugar, egg, and some type of oil, fat, or butter. It may include other ingredients such as raisins, oats, chocolate chips, n ...

to store the preference. In this case, the underlying behavior is not resolved: DNS queries continue to be redirected, while the ISP redirect page is replaced with a counterfeit DNS error page. Applications other than web browsers cannot be opted out of the scheme using cookies as the opt-out targets only the

HTTP The Hypertext Transfer Protocol (HTTP) is an application layer protocol in the Internet protocol suite model for distributed, collaborative, hypermedia information systems. HTTP is the foundation of data communication for the World Wide Web, ...

protocol, when the scheme is actually implemented in the protocol-neutral DNS.

Response

In the UK, the Information Commissioner's Office has acknowledged that the practice of involuntary DNS hijacking contravenes PECR, and EC Directive 95/46 on Data Protection which require explicit consent for processing of communication traffic. However, they have refused to intervene, claiming that it would not be sensible to enforce the law, because it would not cause significant (or indeed any) demonstrable detriment to individuals. In Germany, in 2019 it was revealed that the Deutsche Telekom AG not only manipulated their DNS servers, but also transmitted network traffic (such as non-secure cookies when users did not use

HTTPS Hypertext Transfer Protocol Secure (HTTPS) is an extension of the Hypertext Transfer Protocol (HTTP). It is used for secure communication over a computer network, and is widely used on the Internet. In HTTPS, the communication protocol is enc ...

) to a third party company because the web portal T-Online, at which users were redirected due to the DNS manipulation, was not (any more) owned by the Deutsche Telekom. After a user filed a criminal complaint, the Deutsche Telekom stopped further DNS manipulations.

ICANN The Internet Corporation for Assigned Names and Numbers (ICANN ) is an American multistakeholder group and nonprofit organization responsible for coordinating the maintenance and procedures of several databases related to the namespaces ...

, the international body responsible for administering top-level domain names, has published a memorandum highlighting its concerns, and affirming:

Remedy

End users, dissatisfied with poor "opt-out" options like cookies, have responded to the controversy by finding ways to avoid spoofed NXDOMAIN responses. DNS software such as

BIND BIND () is a suite of software for interacting with the Domain Name System (DNS). Its most prominent component, named (pronounced ''name-dee'': , short for ''name daemon''), performs both of the main DNS server roles, acting as an authoritative ...

and

Dnsmasq dnsmasq is free software providing Domain Name System (DNS) caching, a Dynamic Host Configuration Protocol (DHCP) server, router advertisement and network boot features, intended for small computer networks. dnsmasq has low requirements for ...

offer options to filter results, and can be run from a gateway or router to protect an entire network. Google, among others, run open DNS servers that currently do not return spoofed results. So a user could use

Google Public DNS Google Public DNS is a Domain Name System (DNS) service offered to Internet users worldwide by Google. It functions as a recursive name server. Google Public DNS was announced on December 3, 2009, in an effort described as "making the web faster ...

instead of their ISP's DNS servers if they are willing to accept that they use the service under Google's privacy policy and potentially be exposed to another method by which Google can track the user. One limitation of this approach is that some providers block or rewrite outside DNS requests.

OpenDNS OpenDNS is an American company providing Domain Name System (DNS) resolution services—with features such as phishing protection, optional content filtering, and DNS lookup in its DNS servers—and a cloud computing security product suite, Umbre ...

, owned by Cisco, is a similar popular service which does not alter NXDOMAIN responses. Google in April 2016 launched DNS-over-HTTPS service. This scheme can overcome the limitations of the legacy DNS protocol. It performs remote DNSSEC check and transfers the results in a secure HTTPS tunnel. There are also application-level work-arounds, such as the NoRedirect

Firefox extension This is a list of WebExtensions that are recommended by Mozilla. Mozilla software Firefox Firefox compatibility Thunderbird Notes References External links Official add-ons site for Mozilla products {{DEFAULTSORT:List Of Firefox ...

, that mitigate some of the behavior. An approach like that only fixes one application (in this example, Firefox) and will not address any other issues caused. Website owners may be able to fool some hijackers by using certain DNS settings. For example, setting a TXT record of "unused" on their wildcard address (e.g. *.example.com). Alternatively, they can try setting the CNAME of the wildcard to "example.invalid", making use of the fact that '.invalid' is guaranteed not to exist per the RFC. The limitation of that approach is that it only prevents hijacking on those particular domains, but it may address some VPN security issues caused by DNS hijacking.

References