DNS Hijacking: What You Need to Know
Crashed websites and slow loading pages can be devastating for any site owner. But there’s another type of threat that often goes undetected.
A report published by FireEye on Thursday details a particular type of DNS hijacking that allows hackers to easily steal information. These attacks have been going on for approximately two years and involve three different methods that compromise websites without alarming users.
Who’s At Risk?
These DNS hijacking attacks target a variety of organizations. Victims include telecommunication companies, ISPs, internet infrastructure providers, and government and commercial organizations.
How the Attacks Work
To gain access to DNS records, the attackers first obtain credentials for an account that controls the victim’s domain, such as the domain registrar or web hosting account. How those credentials are obtained is unclear.
Once they have access to a website, one of three methods is used to steal information:
The first method involves changing the DNS A Record. (For more about record types, see our DNS support article.)
First, the attacker logs in to a proxy box (also called a jump server). Using the compromised credentials to log in to the victim’s account, they change the A record to point at the attacker’s address and set up a listener on all open ports that relays traffic back to the correct site.
Next, they obtain a valid SSL certificate from Let’s Encrypt or another service. This SSL certificate is a key part of the attack. By creating a valid certificate they are able to escape detection by browsers and users are unaware of any security issues.
Sensitive information like usernames and passwords is collected and stored by the attackers. There may be a slight delay for the user logging in, but these delays generally go unnoticed.
The second method attackers use is almost identical to the first. Instead of changing the A record, they change the NS (nameserver) record. As in the first method, they log in to a proxy box and obtain valid SSL certificates to escape detection.
The third method attackers use to take control of a website is similar to the first two. The attacker changes the A or NS record of a website as described above. Next, a DNS redirector routes the traffic to the attacker’s IP and then back to the original site.
How to Stay Protected
Though these attacks often go undetected by website visitors and users, administrators have ways to make sure DNS hijacking attacks are caught quickly, before any damage is done.
Here are some ways to keep your site safe from hackers:
- Engage in security best practices. Use strong passwords. Change them when people with access leave your organization. Do not stay logged in to critical sites like your hosting service or domain registrar.
- Monitor individual DNS records for changes. Uptime.com allows you to create individual checks for DNS record types or all types. At a minimum, create a check for your A and NS records. Validate any changes and edit your check when records change for valid reasons.
- Periodically audit your environment for security issues. Regular internal investigations reveal any flaws in your infrastructure and allow you to take preventative measures.
- Regularly check logs for suspicious IP addresses. Keep an eye on your OWA/Exchange logs for patterns that could indicate security threats.
- Keep an eye on your SSL certificates. A sudden change in SSL certificate expiration dates could mean a new certificate was issued. Verify all certificates are valid and revoke any created without permission.
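The two monitoring items above (watching A and NS records, and watching the certificate served for your site) can be automated with a small baseline-and-compare script. The following is an added example written for this article, not code from the original post or from Uptime.com; it assumes a JSON baseline file you create from a known-good state, and the live NS lookup assumes the third-party dnspython package is installed (the A-record and certificate lookups use only the standard library). Because the attack described above obtains a valid certificate, browsers will not warn, so the check compares the certificate’s SHA-256 fingerprint against the one you issued rather than trusting the TLS handshake to catch the swap.

```python
"""DNS record and TLS certificate change detector (added example, not from the original post)."""
import hashlib
import json
import socket
import ssl
from typing import Callable, Dict, List

# A snapshot maps a record type to the sorted list of values observed for it.
Snapshot = Dict[str, List[str]]


def diff_snapshots(baseline: Snapshot, observed: Snapshot) -> List[str]:
    """Return human-readable findings for every value that was added or removed.

    An empty list means the observed state matches the baseline exactly.
    """
    findings: List[str] = []
    for rtype in sorted(set(baseline) | set(observed)):
        before = set(baseline.get(rtype, []))
        after = set(observed.get(rtype, []))
        for value in sorted(after - before):
            findings.append(f"{rtype} record added: {value}")
        for value in sorted(before - after):
            findings.append(f"{rtype} record removed: {value}")
    return findings


def resolve_a(domain: str) -> List[str]:
    """Live A lookup through the operating system resolver (standard library only)."""
    infos = socket.getaddrinfo(domain, None, socket.AF_INET)
    return sorted({info[4][0] for info in infos})


def resolve_ns(domain: str) -> List[str]:
    """Live NS lookup. Assumption: the dnspython package is installed."""
    import dns.resolver  # imported lazily so the rest of the module works without it

    answers = dns.resolver.resolve(domain, "NS")
    return sorted(str(rdata.target).rstrip(".") for rdata in answers)


def cert_fingerprint(domain: str, port: int = 443) -> str:
    """SHA-256 fingerprint of the leaf certificate the server presents for this domain.

    The handshake is fully validated; a hijacker's Let's Encrypt certificate would
    pass validation, which is why the fingerprint itself is what gets compared.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((domain, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=domain) as tls:
            der = tls.getpeercert(binary_form=True)
    return hashlib.sha256(der).hexdigest()


def take_snapshot(
    domain: str,
    a: Callable[[str], List[str]] = resolve_a,
    ns: Callable[[str], List[str]] = resolve_ns,
    cert: Callable[[str], str] = cert_fingerprint,
) -> Snapshot:
    """Collect the current A, NS and certificate state; lookups are injectable for testing."""
    return {"A": a(domain), "NS": ns(domain), "CERT_SHA256": [cert(domain)]}


def check_domain(domain: str, baseline_path: str) -> List[str]:
    """Compare the live state of `domain` against the JSON baseline stored at `baseline_path`."""
    with open(baseline_path, encoding="utf-8") as fh:
        baseline: Snapshot = json.load(fh)
    return diff_snapshots(baseline, take_snapshot(domain))


if __name__ == "__main__":
    import sys

    # Usage: python dns_watch.py example.com baseline.json
    # Create baseline.json once from a known-good state, e.g. json.dump(take_snapshot(domain), fh).
    domain_arg, baseline_arg = sys.argv[1], sys.argv[2]
    for finding in check_domain(domain_arg, baseline_arg) or ["no changes"]:
        print(finding)
```

Run it from cron or a monitoring job; any non-empty output is worth validating immediately, and after a legitimate change (new hosting provider, certificate renewal) regenerate the baseline so the check reflects the new known-good state.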
DNS Monitoring is Critical
Website availability and page speed are critical components of site performance. To ensure the safety of user information, create DNS checks to make sure your site isn’t compromised.
Uptime.com gives you the freedom to check DNS records as a whole, as well as individual record types. Any change in these records triggers an alert that lets you know immediately, so you can be proactive in protecting user information.
By keeping an eye on DNS record changes, you’ll be able to act quickly in the event of an attack. Keep in mind that changes made to DNS records can take up to 24 hours to take effect. If you have any questions about changes to your records that appear to be valid, contact your web hosting service.
Minute-by-minute Uptime checks.
Start your 14-day free trial with no credit card required at Uptime.com.