DNS Security – Why Cyber Criminals Want to Take Over Your Internet Traffic
Helping you understand why your DNS settings are crucial for your online safety
Sometimes, when I go about my daily tasks, mostly glued to my laptop, I realize that maybe I’m taking technology for granted. Hardware and software are so deeply rooted in our lives that we often overlook how exquisitely intricate systems they are.
But complexity brings about security issues, which cyber criminals absolutely love to exploit.
Today I want you to put your worst outfit on, because things are about to get messy. We’re going to go under the hood of your computer and talk about DNS security.
Remember that time we mentioned the importance of multilayered security? Well, DNS is a key layer in that protection system and you’ll be a bit wiser once you’ve read about the threats that target it.
How DNS works
What’s easier to remember: WordPress.org or 188.8.131.52?
The former is a domain name and the latter is an IP address (Internet Protocol address), used to locate and identify devices or computer services connected to the Internet.
Now you understand why we need the Domain Name System (better known as DNS).
DNS is a core part of how the Internet works, because it translates domain names, such as WordPress.org, into IP addresses, helping users retrieve the information they need in the blink of an eye or even faster.
I’ve never been good at memorizing numbers. I can barely remember 2 phone numbers. So I bet that most of us could never remember websites by their IP addresses. But I could list at least three dozen websites whose names I know by heart, and I’m sure you can too.
Let’s visualize how DNS works for a moment, because this will be useful in the next chapter:
A helpful way to think about this is to see DNS as a GPS that guides your request along the intricate roads of the Internet and brings you to your destination.
Because of its function, DNS is a highly sensitive component of your digital life. It’s everywhere, it’s used by everyone and all your Internet traffic flows through it. DNS helps point your traffic to the right destination (if no one tampers with this process).
So it’s easy to imagine why cyber attackers would want to take control of your DNS. It would give them unlimited possibilities to abuse your system, to infect it and extract any and all data from it.
If you’re not a techie, you probably never ran into the DNS settings on your PC. By default, Windows is set to “obtain DNS server address automatically.”
You can check your own DNS settings by going to: Control Panel > Network & Internet > Network Connections > right click on your current Internet connection > click on Internet Protocol Version 4 (TCP/IPv4) > and then click on Properties.
Without getting too technical, you should know that there are 3 entities which can set your DNS:
- Your Internet Service Provider (which happens most frequently because of these automatic settings)
- Google Public DNS (which can only be set manually and provides the largest public DNS service available in the world)
- A cyber security solution that provides DNS-based traffic filtering as part of its protection suite.
When you think about DNS, picture a server that analyzes your requests to see websites or download media. That will help you understand where all the action I’m about to describe actually happens.
Since the way the Domain Name System works is quite complex, cyber criminals will never stop trying to attack it at every stage.
How DNS security can be compromised
Malicious attackers can hack DNS settings in two ways:
- By compromising the way DNS works
- By exploiting security vulnerabilities present on the servers that run the DNS services.
In both cases, the consequences for the victim are bound to be high-impact.
DNS Cache Poisoning / DNS Spoofing
DNS cache poisoning or DNS spoofing, as it’s also called, consists of corrupting the “translation” process that’s specific to how DNS works.
Let me be more specific: just like your browser, a DNS server also has a cache where it stores data. Cached data means that the next time you want to browse Time.com, the DNS will be able to serve it faster.
A poisoning attack means that cyber criminals will try to insert corrupt data into the DNS cache. If successful, the attack will cause the DNS server to return an incorrect IP address to the victim. To put it briefly: cyber crooks will be able to redirect the victim’s Internet traffic to malicious websites or servers under their control.
From this point forward, cyber criminals can feed the affected PC with malware downloaded from websites they set up and command.
A poisoned DNS server will be tricked into accepting incoming content from a non-authentic server, which often is set up to spread malicious software to unsuspecting victims.
Now imagine that a DNS server isn’t used for a single computer. If provided by an Internet service provider, it can be used by thousands of users. If compromised, all those users will be affected: their Internet traffic will be diverted to malware-laden websites, which will exploit the vulnerabilities in their system to infect their PCs.
For the regular user, DNS cache poisoning/spoofing is difficult to detect, especially if the attacker uses second-generation malware, which is both stealthy and far-reaching.
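To make the poisoning mechanics above concrete, here is an added example (not code from the original post) of the matching checks a resolver applies before it will cache a reply: the source address, the destination port, the transaction id and the echoed question must all agree with the outstanding query, and anything else is dropped. The message builder, the pending-query record and the addresses (RFC 5737 documentation ranges) are constructed for the illustration.

```python
import secrets
import struct

def encode_name(name):
    """Encode a dotted hostname in DNS wire format (labels, no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_message(txid, name, flags, qtype=1, answers=b"", ancount=0):
    """Build a one-question DNS message: flags 0x0100 for a query, 0x8180 for a reply."""
    header = struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1) + answers

def parse_header_and_question(msg):
    """Return (txid, flags, qname, qtype). The question section is uncompressed in a
    query and a well-formed reply echoes it back verbatim."""
    if len(msg) < 17:
        raise ValueError("truncated DNS message")
    txid, flags = struct.unpack("!HH", msg[:4])
    labels, pos = [], 12
    while msg[pos] != 0:
        n = msg[pos]
        labels.append(msg[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    qtype = struct.unpack("!H", msg[pos + 1:pos + 3])[0]
    return txid, flags, ".".join(labels).lower(), qtype

def new_pending_query(name, server):
    """What a resolver remembers about an outstanding query: which server it asked,
    the randomized local port it sent from, and the query bytes (random txid)."""
    txid = secrets.randbelow(65536)
    local_port = 1024 + secrets.randbelow(65536 - 1024)
    return {"server": server, "local_port": local_port,
            "query": build_message(txid, name, 0x0100)}

def accept_reply(pending, reply, src, dst_port):
    """Accept a reply only if it comes from the server we asked, to the port we asked
    from, and carries our transaction id and our exact question. A poisoner who is
    not on the path has to guess every one of these; any mismatch is dropped."""
    try:
        rid, rflags, rname, rtype = parse_header_and_question(reply)
    except (ValueError, IndexError, UnicodeDecodeError, struct.error):
        return False
    qid, _, qname, qtype = parse_header_and_question(pending["query"])
    return (src == pending["server"] and dst_port == pending["local_port"]
            and rflags & 0x8000 != 0
            and (rid, rname, rtype) == (qid, qname, qtype))
```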
And then there’s… DNS hijacking.
This straightforward attack implies changing your DNS settings altogether, so that all your Internet traffic requests are directed to a rogue DNS server.
As a consequence, the results you will receive (aka the websites which you’ll see in your browser) will all be corrupted and most likely infected.
While the attack may be easier to understand than DNS cache poisoning, it doesn’t mean it’s easy to detect.
Malicious hackers use Trojans that are specifically designed to alter DNS settings, switching them from automatic to manual.
Sometimes, DNS hijacking involves a preliminary stage, where the affected computers are enrolled into a botnet that gives attackers control over the system.
Another way to perform this attack is to modify how a trusted DNS server acts, so that it no longer complies with Internet standards.
In either situation, the result is the same: the victims will be delivered malicious websites that are intended for pharming or phishing. The websites can either be an impersonation of the website that the victim wanted to see or different websites set up in such an attractive manner that the victim is persuaded to give away confidential information.
In most cases, the intentions behind the attack are clear: extracting valuable data, such as passwords, usernames and other personal information that can help them get into bank accounts or reach more potential victims.
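As an added example (not code from the original post or from Heimdal), here is a Python audit of the per-interface DNS settings discussed above: it covers both the manual settings check from the “How DNS works” section and the “automatic to manual” switch that DNS hijacking makes. It reads the standard per-interface TCP/IP key in the Windows registry; the trusted-resolver allowlist is a constructed placeholder you would replace with your ISP’s resolvers, Google Public DNS, or 127.0.0.1 when a local DNS-filtering product is installed.

```python
import re
import sys

# Constructed allowlist for this audit: replace with the resolvers you expect to see.
TRUSTED_RESOLVERS = {"192.0.2.1", "192.0.2.2"}

# Per-interface DNS settings live under this key on Windows: NameServer holds a manual
# list (what a DNS-changing Trojan edits), DhcpNameServer the list obtained from DHCP.
IFACES_KEY = r"SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces"

def split_servers(value):
    """Registry lists are comma or space separated strings; return them as a list."""
    return [s for s in re.split(r"[ ,]+", value.strip()) if s]

def audit_interface(iface, trusted=TRUSTED_RESOLVERS):
    """Return findings for one interface, given its EnableDHCP, NameServer and
    DhcpNameServer values (a dict in the shape read_registry_interfaces returns)."""
    findings = []
    manual = split_servers(iface.get("NameServer", ""))
    from_dhcp = split_servers(iface.get("DhcpNameServer", ""))
    if iface.get("EnableDHCP") == 1 and manual:
        # DHCP assigns resolvers; a hard-coded list on such an interface overrides
        # them and is exactly the "automatic to manual" switch hijackers make.
        findings.append("manual resolvers override DHCP: " + ", ".join(manual))
    for server in manual + from_dhcp:
        if server not in trusted:
            findings.append("resolver not on the trusted list: " + server)
    return findings

def audit_interfaces(ifaces):
    """Map interface id -> findings, keeping only interfaces with something to report."""
    return {name: f for name, iface in ifaces.items() if (f := audit_interface(iface))}

def read_registry_interfaces():
    """Live collection, Windows only: one dict per interface GUID with the three values."""
    import winreg
    ifaces = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, IFACES_KEY) as root:
        for i in range(winreg.QueryInfoKey(root)[0]):
            guid = winreg.EnumKey(root, i)
            with winreg.OpenKey(root, guid) as key:
                vals = {}
                for name in ("EnableDHCP", "NameServer", "DhcpNameServer"):
                    try:
                        vals[name] = winreg.QueryValueEx(key, name)[0]
                    except FileNotFoundError:
                        pass  # value not present on this interface
                ifaces[guid] = vals
    return ifaces
```

On a Windows machine, `audit_interfaces(read_registry_interfaces())` returns the interfaces whose resolvers deserve a second look; on other platforms only the pure audit functions apply.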
But not only cyber criminals are interested in DNS hijacking. Although done for non-malicious purposes, some Internet Service Providers also use the technique to enhance their profits:
A number of consumer ISPs such as Cablevision’s Optimum Online, Comcast, Time Warner, Cox Communications, RCN, Rogers, Charter Communications, Plusnet, Verizon, Sprint, T-Mobile US, Virgin Media, Frontier Communications, Bell Sympatico, UPC, T-Online, Optus, Mediacom, ONO, TalkTalk, Bigpond (Telstra), and TTNET use DNS hijacking for their own purposes, such as displaying advertisements or collecting statistics. This practice violates the RFC standard for DNS (NXDOMAIN) responses, and can potentially open users to cross-site scripting attacks.
However, it doesn’t mean that this practice is ethical or legal. It can also expose your system to other cyber attacks, such as cross-site scripting (XSS), as mentioned above.
You can think of DNS cache poisoning/spoofing and DNS hijacking as Man-in-the-middle attacks. Through these techniques, an attacker can slip between the victim’s computer and a web-based service the victim is trying to reach.
By supplying false DNS information to the victim, cyber criminals can display fake copies of websites in the browsers used on the affected computer.
For example, if your DNS security is compromised, cyber crooks can display a fake copy of your online banking website and collect your banking credentials that they can later use to empty your bank account.
Unfortunately, antivirus can’t help you with these attacks, because it looks at your files and system behavior, not at your Internet traffic. So you’ll need another layer of protection to supplement your antivirus.
Who should I trust with my DNS settings?
I don’t mean to make you (more) paranoid, and you do need to trust someone with your DNS security, so let’s see what options you have.
There have been attempts at using your DNS logs to weaken users’ privacy, which is why it’s good to keep up to date with changes in the security and technology world.
Then there’s Google Public DNS, which many people use, because, well, it’s Google. Their service is quite fast, but there are privacy concerns around it too. As one Reddit user put it: “I figure they know enough about me already, no sense giving them even more data points.”
Another option is to use a DNS service delivered as part of a security suite.
For example, Heimdal PRO users benefit from the secure DNS that our team builds. Heimdal will set your DNS to 127.0.0.1, which points toward “home” – your computer. If you set this up manually, you’d discover that you can’t connect to the Internet.
But with Heimdal installed, all your Internet traffic will be filtered through our intelligence database. This will keep you safe by blocking:
- phishing and pharming websites
- websites that have malicious code injected
- traffic redirects
- malicious downloads
- exploit kits
- data leakage
- malware-laden traffic that tries to drop ransomware and other threats, and the list could go on.
We recommend that you always check how trustworthy a security product is before installing it. Try to invest some time into understanding how it works.
If you need more details, contact the company and ask all the questions you need. The quality of their support will most likely reflect the quality of the service.
Types of malware that target your DNS
By now, I hope you understand why you should be protective of your DNS settings.
Since we’ve only talked about concepts, let me provide some examples of malware that was hell-bent on taking over your DNS and your Internet traffic as a result.
For 5 years (2007-2012), a DNS-changing Trojan called DNSChanger infected over 4 million computers. The threat originated in Estonia and the company that created it amassed approximately $14 million in profits from fraudulent advertising. DNSChanger injected ads in the web pages that the victims saw.
Remember: controlling your DNS means that attackers can display anything they want in your browser.
Keep in mind that cyber threats evolve over time, and so did DNSChanger. In a later stage, the Trojan was distributed in another form, called RSPlug.
In 2011, the FBI stepped in and captured those responsible. Five years later, cyber criminals involved in the DNSChanger scheme are still being sentenced:
An Estonian man was sentenced to seven years and three months in a U.S. prison for his role in a cybercriminal operation that infected more than 4 million computers with DNS hijacking malware.
Vladimir Tsastsin, 35, from Tartu, Estonia, was one of the key players in a $14 million click fraud scheme. He is the sixth individual to be sentenced in the case and has received the longest prison sentence. The sentence was handed down Tuesday in U.S. District Court for the Southern District of New York.
DNS Unlocker, a potentially unwanted application (also called a PUA), was spotted by ESET in the summer of 2016. It was compatible with all Windows versions from XP to Windows 10, so as to target as many users as possible.
What’s more, DNS Unlocker used a new way to change DNS settings, by digging deep and making this change in the Windows registry. The objective was to make their DNS hijacking undetectable.
If you think you’re infected with DNS Unlocker, these removal instructions may come in handy.
Another threat to DNS services was the Moose worm, in 2015. Moose targeted Linux routers and services, hijacking their DNS. Instead of exploiting vulnerabilities in the software, the worm hacked into them by breaking weak usernames and passwords. And we all know that there are plenty of those on the web, unfortunately.
The attackers sought to use the victims’ Internet connections for social networking fraud. Moose would use affected systems and their Internet connections to “like” pages, view videos and follow other accounts on social media platforms.
Two days after Moose was first spotted, researchers from TrendMicro shared their own findings on the malware, which was being used to steal users’ credentials by combining DNS hijacking with brute-force attacks.
These are just 3 examples of malware looking to compromise DNS security, but they’re not the only ones.
Cyber criminals find multiple advantages in targeting DNS services, because the attack:
- is stealthy and difficult to detect
- avoids antivirus detection, which most users rely on exclusively
- opens up compromised systems to a huge array of attack vectors
- gives attackers a direct channel to feed the system with malware
- provides a way to combine attack methods, so that the system can be used for DDoS attacks and other malware-spreading campaigns.
Once again, I have to emphasize the importance of using a reliable, secure DNS service on all your devices. As soon as more cyber criminals start exploiting the potential of DNS hacking, we might have another problem on our hands that can grow as big as ransomware is today.