Common DNS domain name hijacking methods
Time : 2023-03-20 15:00:58
Edit : Jtti

DNS hijacking, also known as domain name hijacking, means intercepting domain name resolution requests within the hijacked network range, inspecting the requested domain name, and letting requests outside the scope of review pass; for the rest, it either returns a fake IP address or does nothing, so the request goes unanswered. The effect is that a specific site cannot be reached, or a fake site is reached instead.

Method 1: Using DNS servers to carry out a DDoS attack

The normal recursive query process of a DNS server can be exploited for a DDoS attack.

Assume the attacker knows the IP address of the target machine and uses that address as the source address of the resolution requests it sends. When the DNS server performs the recursive query, it sends its response to the apparent original requester, which is the victim. If the attacker controls enough compromised hosts ("broilers") and repeats this operation, the victim is flooded with DDoS traffic made up of response messages from DNS servers.
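The tell of this reflection pattern from the victim's side is that DNS responses arrive for which the victim never sent a query (the spoofed query left the attacker's network, not the victim's). The following detection logic is an added example, not code from the page or from JTTI; it runs over constructed UDP flow records and flags hosts receiving unsolicited DNS responses above a byte threshold. The flow tuple layout, the threshold and the addresses (RFC 5737 documentation ranges) are assumptions.

```python
from collections import defaultdict

# Constructed sample UDP flow records (not from the page):
# (src_ip, src_port, dst_ip, dst_port, payload_bytes). Addresses are RFC 5737 documentation ranges.
SAMPLE_FLOWS = [
    ("192.0.2.5", 40001, "198.51.100.53", 53, 60),     # legitimate query from 192.0.2.5
    ("198.51.100.53", 53, "192.0.2.5", 40001, 180),    # its answer: a query was seen, so it is solicited
    ("198.51.100.53", 53, "192.0.2.9", 40002, 3000),   # large answers arriving at 192.0.2.9 ...
    ("198.51.100.54", 53, "192.0.2.9", 40002, 3000),   # ... from several resolvers ...
    ("198.51.100.55", 53, "192.0.2.9", 40002, 3000),   # ... with no query from 192.0.2.9 ever seen
    ("198.51.100.53", 53, "192.0.2.9", 40002, 3000),
]


def find_reflection_victims(flows, min_unsolicited_bytes=4000):
    """Return {victim_ip: (response_count, total_bytes, [reflecting_servers])} for hosts
    that receive DNS responses (UDP source port 53) never preceded by a query from them.
    The spoofed-source query never crosses the victim's own link, so the absence of a
    matching outbound query is what distinguishes reflected traffic from normal answers."""
    # (client_ip, client_port, server_ip) triples for every outbound query we saw
    solicited = {(src, sport, dst) for src, sport, dst, dport, _ in flows if dport == 53}
    stats = defaultdict(lambda: [0, 0, set()])   # victim -> [count, bytes, servers]
    for src, sport, dst, dport, size in flows:
        if sport == 53 and (dst, dport, src) not in solicited:
            entry = stats[dst]
            entry[0] += 1
            entry[1] += size
            entry[2].add(src)
    return {ip: (n, total, sorted(servers))
            for ip, (n, total, servers) in stats.items() if total >= min_unsolicited_bytes}


if __name__ == "__main__":
    for victim, (count, total, servers) in find_reflection_victims(SAMPLE_FLOWS).items():
        print(f"{victim}: {count} unsolicited responses, {total} bytes, from {servers}")
```

In production the same logic would be fed from a flow exporter rather than a list; the `(client, port, server)` triple is deliberately strict, so a response that arrives on a port the client never used is counted as unsolicited.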

Method 2: DNS cache infection (cache poisoning)

The attacker uses DNS requests to place data into the cache of a vulnerable DNS server. That cached information is returned to clients when they query the DNS server, so a user's visit to a legitimate domain name is directed to a page set up by the intruder for drive-by malware ("mounting a horse"), phishing and similar purposes, or the user's password is obtained through forged emails and other spoofed server services, leading to further harm to customers.

Method 3: DNS information hijacking

In principle, the TCP/IP system guards against the insertion of counterfeit data through mechanisms such as sequence numbers, but if an intruder eavesdrops on the dialogue between the client and the DNS server, he can guess the DNS query ID that the server will use in its response to the client.

Each DNS message includes a 16-bit ID number, by which the DNS server and the client match a response to the request that produced it.

The attacker sends a forged response to the user before the DNS server's real one arrives, deceiving the client into visiting a malicious website. Suppose the packet carrying a domain name resolution request to some name server is intercepted; a false IP address, chosen by the interceptor, is then returned to the requester as the response. The original requester connects to this fake IP address as though it belonged to the domain name it asked for. It is thus diverted elsewhere and never connects to the domain it actually wanted.
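Methods 2 and 3 both succeed only if the resolver accepts a response it cannot tie to an outstanding query. The block below is an added example, not code from the page or from JTTI: a minimal DNS wire-format encoder/parser plus a validator that applies the checks a resolver uses before trusting a UDP answer. It requires the 16-bit ID and the local port to match a pending query, requires the echoed question to match, and flags a second, differing response for an already-answered query, which is what a racing forgery looks like. `ResponseValidator`, `build_a_response` and the names and addresses in `demo()` are constructed for this example; the response built with a different IP stands in for the forged packet described above.

```python
import struct


def encode_name(name: str) -> bytes:
    """Encode a dotted name into DNS label format (length-prefixed labels, zero terminator)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def decode_name(msg: bytes, off: int):
    """Decode a possibly compressed name at offset; return (name, offset after it)."""
    labels = []
    while True:
        ln = msg[off]
        if ln == 0:
            return ".".join(labels), off + 1
        if ln & 0xC0 == 0xC0:                       # compression pointer to an earlier name
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            tail, _ = decode_name(msg, ptr)
            labels.append(tail)
            return ".".join(labels), off + 2
        labels.append(msg[off + 1:off + 1 + ln].decode("ascii"))
        off += 1 + ln


def build_query(txid: int, name: str, qtype: int = 1) -> bytes:
    """Standard query: header (RD set, one question) followed by the question section."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def build_a_response(txid: int, name: str, ipv4: str, ttl: int = 300) -> bytes:
    """Constructed test vector: a response with one A record whose owner is a pointer to the question."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)     # QR|RD|RA, one answer
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    rdata = bytes(int(o) for o in ipv4.split("."))
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata
    return header + question + answer


def parse_response(msg: bytes) -> dict:
    """Parse header, the single question and the answer section of a DNS message."""
    txid, flags, _qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    qname, off = decode_name(msg, off)
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    off += 4
    answers = []
    for _ in range(an):
        rname, off = decode_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            rdata = ".".join(str(b) for b in rdata)
        answers.append((rname, rtype, rdata))
    return {"id": txid, "is_response": bool(flags & 0x8000),
            "question": (qname, qtype, qclass), "answers": answers}


class ResponseValidator:
    """Checks a stub or recursive resolver applies before trusting a UDP answer (constructed example)."""

    def __init__(self):
        self.pending = {}    # (txid, local_port) -> (qname, qtype) for queries still in flight
        self.accepted = {}   # (txid, local_port) -> answers taken from the first valid reply

    def register_query(self, txid: int, local_port: int, qname: str, qtype: int = 1):
        self.pending[(txid, local_port)] = (qname.lower(), qtype)

    def check(self, msg: bytes, local_port: int) -> str:
        r = parse_response(msg)
        if not r["is_response"]:
            return "not_a_response"
        key = (r["id"], local_port)
        if key in self.accepted:                   # late second reply: forgery race indicator if it differs
            return "duplicate_same" if r["answers"] == self.accepted[key] else "conflicting_duplicate"
        if key not in self.pending:                # wrong ID or wrong port: silently dropped
            return "no_matching_query"
        qname, qtype = self.pending[key]
        if (r["question"][0].lower(), r["question"][1]) != (qname, qtype):
            return "question_mismatch"
        del self.pending[key]
        self.accepted[key] = r["answers"]
        return "accepted"


def demo():
    """Replay one query and four candidate responses; returns the validator's verdicts in order."""
    v = ResponseValidator()
    txid, port = 0x1A2B, 40123
    v.register_query(txid, port, "www.example.com")
    return [
        v.check(build_a_response(0x1A2C, "www.example.com", "198.51.100.7"), port),  # wrong ID
        v.check(build_a_response(txid, "www.example.com", "198.51.100.7"), 40124),   # wrong port
        v.check(build_a_response(txid, "www.example.com", "192.0.2.10"), port),      # genuine answer
        v.check(build_a_response(txid, "www.example.com", "198.51.100.7"), port),    # late, differing
    ]


if __name__ == "__main__":
    print(demo())
```

The ID alone is only 16 bits, so a resolver that also randomizes its source port (the second key component here) makes a blind guess far less likely to land; a logged `conflicting_duplicate` verdict is worth alerting on because a genuine server does not answer the same query twice with different data.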


Method 4: DNS redirection

If an attacker redirects DNS name queries to a malicious DNS server, resolution of the hijacked domain name is completely under the attacker's control.

Method 5: ARP spoofing

An ARP attack achieves ARP spoofing by forging IP and MAC addresses; it can generate a large volume of ARP traffic in the network and congest it. As long as the attacker keeps sending forged ARP response packets, the IP-MAC entries in the target host's ARP cache can be changed, causing network outages or man-in-the-middle attacks.

ARP attacks mainly occur within a LAN. If a computer in the LAN is infected with an ARP Trojan, the infected system tries to intercept the communications of other computers in the network by means of ARP spoofing, causing those computers' communications to fail. ARP spoofing usually happens on the user's local network and misdirects the user's access to a domain name. However, once an IDC machine room has been broken into, the attacker may also use ARP packets to suppress normal hosts or DNS servers, again misdirecting access.
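Both symptoms named above, an IP-to-MAC binding that changes and a continuous stream of forged replies, are visible on the wire. The following monitor is an added example, not code from the page or from JTTI: it parses ARP replies out of constructed Ethernet frames and raises an alert when a known IP suddenly answers from a different MAC, or when one sender exceeds a reply-rate limit inside a time window. `ArpWatch`, `build_arp_frame`, the addresses and the thresholds are assumptions made for the example.

```python
import struct
from collections import defaultdict

ETH_P_ARP = 0x0806


def mac_bytes(mac: str) -> bytes:
    return bytes(int(x, 16) for x in mac.split(":"))


def ip_bytes(ip: str) -> bytes:
    return bytes(int(x) for x in ip.split("."))


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def build_arp_frame(oper: int, sha: str, spa: str, tha: str, tpa: str) -> bytes:
    """Constructed test vector: Ethernet II frame carrying an ARP request (1) or reply (2)."""
    eth_dst = tha if oper == 2 else "ff:ff:ff:ff:ff:ff"
    eth = mac_bytes(eth_dst) + mac_bytes(sha) + struct.pack("!H", ETH_P_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)        # Ethernet/IPv4, 6-byte hw, 4-byte proto
           + mac_bytes(sha) + ip_bytes(spa) + mac_bytes(tha) + ip_bytes(tpa))
    return eth + arp


def parse_arp(frame: bytes):
    """Return the ARP fields of an Ethernet/IPv4 ARP frame, or None if it is not one."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"op": oper, "sha": mac_str(frame[22:28]), "spa": ip_str(frame[28:32]),
            "tha": mac_str(frame[32:38]), "tpa": ip_str(frame[38:42])}


class ArpWatch:
    """Tracks IP->MAC bindings learned from replies and the reply rate per sender (constructed example)."""

    def __init__(self, reply_rate_limit: int = 20, window_seconds: float = 10.0):
        self.table = {}                       # ip -> mac learned from the first reply seen
        self.reply_times = defaultdict(list)  # sender mac -> timestamps of its recent replies
        self.rate_limit = reply_rate_limit
        self.window = window_seconds

    def observe(self, frame: bytes, ts: float):
        """Feed one frame with its capture time; return a list of alert tuples (possibly empty)."""
        alerts = []
        p = parse_arp(frame)
        if p is None or p["op"] != 2:         # only replies change caches
            return alerts
        known = self.table.get(p["spa"])
        if known is None:
            self.table[p["spa"]] = p["sha"]
        elif known != p["sha"]:
            alerts.append(("ip_mac_flip", p["spa"], known, p["sha"]))
        recent = [t for t in self.reply_times[p["sha"]] if ts - t <= self.window] + [ts]
        self.reply_times[p["sha"]] = recent
        if len(recent) > self.rate_limit:
            alerts.append(("reply_flood", p["sha"], len(recent)))
        return alerts


def demo():
    """One genuine gateway reply followed by four forged replies claiming the gateway's IP."""
    watch = ArpWatch(reply_rate_limit=3, window_seconds=10.0)
    gateway_ip, gateway_mac = "192.168.1.1", "00:11:22:33:44:55"
    victim_ip, victim_mac = "192.168.1.20", "aa:bb:cc:dd:ee:01"
    other_mac = "66:77:88:99:aa:bb"            # constructed: a second station claiming the gateway IP
    frames = [(0.0, build_arp_frame(2, gateway_mac, gateway_ip, victim_mac, victim_ip))]
    frames += [(1.0 + i, build_arp_frame(2, other_mac, gateway_ip, victim_mac, victim_ip))
               for i in range(4)]
    alerts = []
    for ts, frame in frames:
        alerts += watch.observe(frame, ts)
    return alerts


if __name__ == "__main__":
    for a in demo():
        print(a)
```

On a real segment the frames would come from a capture library or a switch span port; the design mirrors arpwatch-style tooling, where the first binding seen for an IP is trusted and every later disagreement is reported rather than silently overwritten.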

Method 6: Local machine hijacking

After a computer system is infected with a Trojan horse or rogue software, access to some domain names may behave abnormally, for example landing on Trojan-hosting or phishing sites, or failing to connect at all. Local hijacking through hosts file tampering, local DNS hijacking, SPI chain injection, BHO plug-ins and other methods, although not all carried out through the DNS path, produces the same result: the user cannot obtain the correct address or content they intended.
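Of the local techniques listed, hosts file tampering is the simplest to audit, because the file is plain text and consulted before any DNS query. The script below is an added example, not code from the page or from JTTI: it parses a constructed hosts file and flags entries that pin a watched domain (or any subdomain of it) to an address other than a loopback or sink address. The watched domain list, the sample file contents and the `LOCAL_ONLY` set are assumptions; the default file paths are the standard Windows and Unix locations.

```python
import ipaddress
import os

# Constructed sample hosts file, as a tampered machine might carry it (not from the page).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# the two lines below send a bank login and a vendor update server to one outside address
203.0.113.55    login.bank.example
203.0.113.55    update.vendor.example    www.vendor.example
0.0.0.0         ads.example.net
"""

# Addresses that a hosts entry may legitimately point at without redirecting traffic off-host.
LOCAL_ONLY = ("127.0.0.0/8", "::1/128", "0.0.0.0/32")


def parse_hosts(text: str):
    """Yield (line_number, ip_address, hostname) for every name on every valid hosts line."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                                 # malformed address field: not a usable entry
        for name in parts[1:]:
            entries.append((lineno, ip, name.lower()))
    return entries


def find_suspicious_entries(text: str, watched_domains):
    """Return [(line_number, hostname, ip)] for watched domains mapped to a non-local address."""
    local_nets = [ipaddress.ip_network(n) for n in LOCAL_ONLY]
    watched = [d.lower().strip(".") for d in watched_domains]
    hits = []
    for lineno, ip, name in parse_hosts(text):
        if not any(name == d or name.endswith("." + d) for d in watched):
            continue
        # `ip in net` is False across address families, so v6 loopback is not matched by the v4 nets
        if any(ip in net for net in local_nets):
            continue                                 # sinkholing to loopback/0.0.0.0 is an ad/blocklist pattern
        hits.append((lineno, name, str(ip)))
    return hits


def scan_hosts_file(watched_domains, path=None):
    """Audit the machine's own hosts file; path defaults to the platform's standard location."""
    if path is None:
        path = r"C:\Windows\System32\drivers\etc\hosts" if os.name == "nt" else "/etc/hosts"
    with open(path, encoding="utf-8", errors="replace") as f:
        return find_suspicious_entries(f.read(), watched_domains)


if __name__ == "__main__":
    # constructed watch list: the organisation's own domains and those of its software vendors
    for lineno, name, ip in find_suspicious_entries(SAMPLE_HOSTS, ["bank.example", "vendor.example"]):
        print(f"line {lineno}: {name} -> {ip}")
```

Run `scan_hosts_file([...])` on an endpoint to check the live file; a non-empty result, or any change to the file's hash between inventory runs, is a concrete indicator of the local hijacking described in this section.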
