DNS hijacking

{ Posted on 12:29 AM by badman }
DNS hijacking is the practice of subverting the resolution of Domain Name System (DNS) names to IP addresses, either by pointing clients at rogue DNS servers (typically in support of phishing) or, as some ISPs do, by resolving otherwise non-existent domain names to the ISP's own servers.

Technical Background

A DNS server translates a domain name (such as wikipedia.org) into an IP address (such as 208.80.152.2). DNS is used for all Internet traffic, not just web sites: computers and network hardware use the network of servers that make up the DNS to name Internet hosts such as e-mail servers and web sites, because a domain name is easier to remember and type than an IP address.

The integrity of the DNS becomes a greater concern with the transition to IPv6, since an IPv6 address is far longer than an IPv4 address and impractical to remember or type by hand, so nearly all access goes through name resolution.

Rogue DNS server

A rogue DNS server translates legitimate domain names (of search engines, online banks, online brokers, etc.) into the IP addresses of malicious web sites. Most users rely on the DNS servers automatically assigned by their ISP. Zombie computers use DNS-changing trojans to invisibly replace the ISP's automatic DNS server assignment with a manual assignment pointing at rogue DNS servers. When users then try to visit legitimate domain names, they are sent to a bogus site instead. This attack is termed pharming. If the site the user is redirected to is a malicious site masquerading as the legitimate one in order to fraudulently obtain sensitive information, it is termed phishing.[1]

Use by ISPs

Several consumer ISPs, such as Cablevision's Optimum Online[2], Comcast[3], Time Warner, RCN, Rogers, Charter Communications, Verizon, Virgin Media, Frontier, and Bell Sympatico[4], have also started the practice of DNS hijacking on non-existent domain names[5][6][7], for the purpose of making money by displaying advertisements[8]. This practice violates the RFC standard for DNS (NXDOMAIN) responses[9], and can potentially expose users to cross-site scripting attacks[8].

The concern with this form of DNS hijacking is the hijacking of the NXDOMAIN response. Internet applications rely on the NXDOMAIN response to signal that the DNS has no entry for the requested host. A query for a non-existent domain name (say, fakeexample.com) should return NXDOMAIN, informing the application that the name is invalid so that it can take the appropriate action (for example, displaying an error). On one of these non-compliant ISPs, however, the same query returns an IP address belonging to the ISP. In a web browser this is annoying or offensive: connecting to that address displays the ISP's redirect page, often carrying advertising, instead of a proper error message. Other applications that depend on the NXDOMAIN error (mail transfer agents, API clients, anything that probes a hostname before sending) will instead open connections to the ISP's address, potentially exposing sensitive information to a third party.

In some cases, ISPs provide a setting to disable hijacking of NXDOMAIN responses. Correctly implemented, such a setting reverts DNS to standard behaviour for that subscriber. Some ISPs, however, store the preference in a web browser cookie. In that case the underlying behaviour is not fixed: DNS queries continue to be redirected, and only the ISP's redirect page is replaced with a counterfeit HTTP 404 page, so every non-browser application is still affected.
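The two abuses described above, a rogue resolver that rewrites answers for legitimate names and a resolver that rewrites NXDOMAIN, can both be detected at the DNS layer rather than by looking at what a browser shows. The following is an added example, not code from the original page: a minimal DNS client in Python's standard library that builds an A query, parses the reply, and applies two checks. A query for a random, unregistrable label must come back RCODE 3 (NXDOMAIN); an address instead means the resolver rewrites NXDOMAIN, whether or not the ISP's cookie-based "opt out" has been set. Answers for a high-value name are compared against a trusted resolver's answers; disjoint answers are a rogue-resolver signal. The `build_response` helper fakes resolver behaviour so the script runs offline; the IP addresses and the resolv.conf text are constructed samples from the documentation ranges, and `example.com` is used only as a suffix that has no wildcard record.

```python
import random
import socket
import string
import struct

NOERROR = 0
NXDOMAIN = 3  # RCODE 3: "Name Error", the name does not exist


def build_query(name, txid=None):
    """Build a standard A/IN query with recursion desired."""
    if txid is None:
        txid = random.randrange(0, 0x10000)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def build_response(query, rcode, addresses=()):
    """Constructed reply to `query`; stands in for a resolver so the checks run offline."""
    txid = struct.unpack("!H", query[:2])[0]
    flags = 0x8180 | (rcode & 0xF)  # QR=1, RD=1, RA=1, plus the RCODE
    header = struct.pack("!HHHHHH", txid, flags, 1, len(addresses), 0, 0)
    answers = b""
    for ip in addresses:  # name as a compression pointer to the question at offset 12
        answers += b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton(ip)
    return header + query[12:] + answers


def _skip_name(msg, offset):
    """Return the offset just past the name at `offset` (handles compression pointers)."""
    while True:
        length = msg[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:  # two-byte pointer terminates the name
            return offset + 2
        offset += 1 + length


def parse_response(msg):
    """Extract transaction id, RCODE and the A records from a DNS reply."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qd):
        offset = _skip_name(msg, offset) + 4  # skip QTYPE/QCLASS
    addresses = []
    for _ in range(an):
        offset = _skip_name(msg, offset)
        rtype, rclass, _ttl, rdlength = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlength]
        offset += rdlength
        if rtype == 1 and rclass == 1 and rdlength == 4:
            addresses.append(socket.inet_ntoa(rdata))
    return {"id": txid, "rcode": flags & 0x000F, "addresses": addresses}


def query_resolver(name, server, timeout=2.0):
    """Live UDP query to `server` (network required; not used by the offline demo)."""
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        data, _ = s.recvfrom(512)
    if data[:2] != q[:2]:
        raise ValueError("transaction id mismatch")
    return data


def configured_nameservers(resolv_conf_text):
    """Nameserver IPs from resolv.conf-style text; compare these with what you expect."""
    return [line.split()[1] for line in resolv_conf_text.splitlines()
            if line.strip().startswith("nameserver") and len(line.split()) > 1]


def random_nonexistent_name(suffix="example.com"):
    """A 24-character random label that no zone should answer for."""
    label = "".join(random.choices(string.ascii_lowercase + string.digits, k=24))
    return f"{label}.{suffix}"


def nxdomain_is_hijacked(response):
    """True when a name that cannot exist came back with an address instead of RCODE 3."""
    r = parse_response(response)
    return r["rcode"] == NOERROR and len(r["addresses"]) > 0


def answers_diverge(suspect_response, trusted_response):
    """True when the suspect resolver's A records share nothing with the trusted ones."""
    suspect = set(parse_response(suspect_response)["addresses"])
    trusted = set(parse_response(trusted_response)["addresses"])
    return bool(suspect) and bool(trusted) and suspect.isdisjoint(trusted)


if __name__ == "__main__":
    name = random_nonexistent_name()
    q = build_query(name)
    compliant = build_response(q, NXDOMAIN)                 # standards-compliant resolver
    hijacking = build_response(q, NOERROR, ["203.0.113.10"])  # constructed ISP "search" address
    print(name, "compliant resolver hijacked:", nxdomain_is_hijacked(compliant))
    print(name, "rewriting resolver hijacked:", nxdomain_is_hijacked(hijacking))
    # Live: nxdomain_is_hijacked(query_resolver(name, configured_nameservers(open("/etc/resolv.conf").read())[0]))
```

Two caveats when running the live variant. Use a random label under a zone you control, or one known to have no wildcard record, or the authoritative server itself will legitimately answer. And treat `answers_diverge` as a signal, not proof: CDN-fronted names return different addresses depending on which resolver asks, so confirm a mismatch by checking whether the returned address belongs to the organisation's known ranges before calling it pharming.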
