What Is DNS Hijacking?

G. Wiesen

DNS hijacking is a process by which Internet users may be redirected to a different website than they are attempting to reach. The domain name system (DNS) is a set of protocols used to allow users to connect to various websites on the Internet. When a user types in a particular web address, a DNS server translates that address into an Internet protocol (IP) address and directs the user to the proper site. DNS hijacking changes this process, however, so that the user is directed to an IP address other than the proper one.

DNS hijacking is used to redirect traffic to a fraudulent site.

The way in which DNS hijacking occurs is based on how users on the Internet connect to websites. Most users go to a website by typing an address into a browser, or through a search engine that displays website addresses based on search results. When a user types in an address, such as www.wisegeek.com, a DNS server receives the request. Websites are not actually hosted on servers under these types of address names, however. Instead, IP addresses, which are unique and consist of a series of numbers, are used to organize and assign locations on the Internet for every website.

DNS hijacking transfers users to improper IP addresses.

A DNS server translates the address typed by a user into the proper IP address, and then connects that user to the appropriate server for that website. DNS hijacking, however, occurs when a DNS server directs a user to a website other than the one that should be reached based on the typed address. This can be an especially dangerous type of attack when used by hackers, since the user may be completely unaware that he or she is not looking at the proper website. DNS hijacking effectively occurs “behind the scenes” of Internet navigation, and the user’s browser window is likely to display the correct name for the website.

When hackers use DNS hijacking to redirect users to a malicious version of a website, it is known as “pharming.” A compromised DNS server may, for example, receive a request by a user for www.pretendbank.com. Rather than sending the user to the actual bank website, however, it sends the user to a fake version of the site, often created to appear just like the real version. When the user attempts to enter his or her security information, the website logs that information, and then indicates to the user that the system is unavailable at the moment. This information can then be used to access the user’s actual bank account and perform fraudulent activity.

Some Internet service providers (ISPs) have also begun using DNS hijacking for less malicious purposes. These ISPs use “DNS redirecting” to send users to a particular page when an invalid web address is entered. Rather than displaying the standard screen for invalid sites, a page is displayed by the ISP that often includes advertisements for other services. While this is not necessarily malicious, many users have decried this practice as inherently dishonest and in violation of established Internet standards against DNS hijacking.
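
Both behaviors described above, pharming and ISP "DNS redirecting," can be checked for from the user's side. The following is an added example, not part of the original article: it flags a resolver that answers for names that should not exist, and one that returns an address outside a pinned list for a known site. The pinned list, the function names and all addresses are constructed for illustration.

```python
import secrets
import socket

def system_resolve(name):
    """Ask the system's configured resolver; empty set means 'no such name'."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, None)}
    except socket.gaierror:
        return set()

def check_resolver(resolve, pinned, probes=3):
    """Return (kind, name, addresses) findings for one resolver.

    resolve: callable mapping a hostname to a set of IP strings.
    pinned:  {hostname: set of addresses the site's operator publishes}
             (assumption: you maintain this list from a trusted source).
    """
    findings = []
    # 1. "DNS redirecting": random names that are almost certainly unregistered
    #    must not resolve. Any answer is the resolver's substitute page.
    rewrite_ips = set()
    for _ in range(probes):
        rewrite_ips |= resolve(secrets.token_hex(12) + ".com")
    if rewrite_ips:
        findings.append(("nxdomain-rewrite", "<random>.com", sorted(rewrite_ips)))
    # 2. Pharming: a real name answered with an address outside the pinned set.
    for name, expected in sorted(pinned.items()):
        unexpected = resolve(name) - expected
        if unexpected:
            findings.append(("unexpected-address", name, sorted(unexpected)))
    return findings

# Constructed sample data: documentation-range addresses (RFC 5737).
PINNED = {"www.pretendbank.com": {"192.0.2.10"}}

def honest(name):        # resolves known names, nothing else
    return PINNED.get(name, set())

def isp_redirect(name):  # answers every unknown name with an ad page
    return PINNED.get(name, {"198.51.100.7"})

def pharming(name):      # compromised server: wrong address for the bank
    return {"203.0.113.66"} if name in PINNED else set()

if __name__ == "__main__":
    for label, fn in [("honest", honest), ("isp", isp_redirect), ("pharming", pharming)]:
        print(label, check_resolver(fn, PINNED))
```

Passing system_resolve as the first argument runs the same checks against the resolver the machine is actually using. Large sites often answer with different addresses by region, so an "unexpected-address" finding should be confirmed another way, such as checking the site's TLS certificate, before it is treated as hijacking.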
