DNS hijacking or DNS redirection is the practice of redirecting the resolution of Domain Name System (DNS) names to other DNS servers. This is done for malicious purposes such as phishing; for self-serving purposes by Internet service providers (ISPs) to direct users' HTTP traffic via the ISP's own webservers where advertisements are served, statistics can be collected, or other purposes of the ISP; and by DNS service providers to block access to selected domains as a form of censorship.
One of the functions of a DNS server is to translate a domain name into an IP address that applications need to connect to an Internet resource such as a website. This functionality is defined in various formal internet standards that define the protocol in considerable detail. DNS servers are implicitly trusted by internet-facing computers and users to correctly resolve names to the actual addresses that are registered by the owners of an internet domain.
Rogue DNS serverEdit
A rogue DNS server translates domain names of desirable websites (search engines, banks, brokers, etc.) into IP addresses of sites with unintended content, even malicious websites. Most users depend on DNS servers automatically assigned by their ISPs. Zombie computers use DNS-changing trojans to invisibly switch the automatic DNS server assignment by the ISP to manual DNS server assignment from rogue DNS servers. When users try to visit websites, they are instead sent to a bogus website. This attack is termed pharming. If the site they are redirected to is a malicious website, masquerading as a legitimate website, in order to fraudulently obtain sensitive information, it is termed phishing.
Manipulation by ISPsEdit
A number of consumer ISPs such as Cablevision's Optimum Online, Comcast, Time Warner, Cox Communications, RCN, Rogers, Charter Communications, Verizon, Virgin Media, Frontier Communications, Bell Sympatico, UPC, T-Online, Optus, Mediacom,, ONO and Bigpond (Telstra) use DNS hijacking for their own purposes, such as displaying advertisements or collecting statistics. This practice violates the RFC standard for DNS (NXDOMAIN) responses, and can potentially open users to cross-site scripting attacks.
Redirecting can be more benign, allowing a DNS server provided by a service such as OpenDNS to intercept and block sites known to be malicious or with content which the user wishes to block, etc. The provider of the DNS server may charge a fee for this service, or also show advertisements, collect statistics, etc.
The concern with DNS hijacking has to do with this hijacking of the NXDOMAIN response. Internet and intranet applications rely on the NXDOMAIN response to describe the condition where the DNS has no entry for the specified host. If one were to query the invalid domain name (fakeexample.com), one should get a NXDOMAIN response - informing the application that the name is invalid and taking the appropriate action (for example, displaying an error or not attempting to connect to the server). However, if the domain name is queried on one of these non-compliant ISPs, one would always receive a fake IP address belonging to the ISP. In a Web browser, this behavior can be annoying or offensive as connections to this IP address display the ISP redirect page of the provider, sometimes with advertising, instead of a proper error message. However, other applications that rely on the NXDOMAIN error will instead attempt to initiate connections to this spoofed IP address, potentially exposing sensitive information.
Examples of functionality that breaks when an ISP hijacks DNS:
- Roaming laptops that are members of a Windows Server domain will falsely be led to believe that they are back on a corporate network because resources such as domain controllers, email servers and other infrastructure will appear to be available. Applications will therefore attempt to initiate connections to these corporate servers, but fail, resulting in degraded performance, unnecessary traffic on the internet connection and timeouts.
- Many small office and most home networks do not have their own DNS server, relying instead on broadcast name resolution. However because DNS lookups are prioritized over local broadcasts, all names will falsely resolve to a server belonging to the ISP, and local networking will not work.
- Browsers such as Firefox no longer have their 'Browse By Name' functionality (Where keywords typed in the address bar take you to the closest matching site.).
- The local DNS client built into modern operating systems will cache results of DNS searches for performance reasons. If a client switches between a home network and a VPN, false entries may remain cached, thereby creating a service outage on the VPN connection.
- DNSBL anti-spam solutions rely on DNS; false DNS results therefore interfere with their operation.
- Confidential user data might be leaked by applications that are tricked by the ISP into believing that the servers they wish to connect to are available.
- User choice over which search engine to consult in the event of a URL being mistyped in a browser is removed as the ISP determines what search results are displayed to the user; functionality of applications like the Google Toolbar do not work correctly.
- Computers configured to use a split tunnel with a VPN connection will stop working because intranet names that should not be resolved outside the tunnel over the public Internet will start resolving to fictitious addresses, instead of resolving correctly over the VPN tunnel on a private DNS server when an NXDOMAIN response is received from the Internet. For example, a mail client attempting to resolve the DNS A record for an internal mail server may receive a false DNS response that directed it to a paid-results web server, with messages queued for delivery for days while retransmission was attempted in vain.
- It breaks Web Proxy Autodiscovery Protocol (WPAD) by leading web browsers to believe incorrectly that the ISP has a proxy server configured.
In some cases, the ISPs provide settings to disable hijacking of NXDOMAIN responses. Correctly implemented, such a setting reverts DNS to standard behavior. Some ISPs, however, instead use a web browser cookie to store the preference. In this case, the underlying behavior is not resolved: DNS queries continue to be redirected, while the ISP redirect page is replaced with a counterfeit dns error page (as exampled by charter here. Notice the "Manage Opt-In settings" link). Applications other than web-browsers cannot be opted out of the scheme using cookies as the opt-out targets only the HTTP protocol, when the scheme is actually implemented in the protocol-neutral DNS system.
In the UK, the Information Commissioner's Office have acknowledged that the practice of involuntary DNS hijacking contravenes PECR, and EC Directive 95/46 on Data Protection which require explicit consent for processing of communication traffic. However they have refused to intervene, claiming that it would not be "sensible" to enforce the law because "it would not cause significant (or indeed any) demonstrable detriment to individuals".
"ICANN strongly discourages the use of DNS redirection, wildcards, synthesized responses and any other form of NXDOMAIN substitution in existing gTLDs, ccTLDs and any other level in the DNS tree for registry-class domain names."
- "Rogue Domain Name System Servers". Trend Micro. http://blog.trendmicro.com/rogue-domain-name-system-servers-5breposted5d/. Retrieved 2007-12-15.
- "Optimum Online DNS Assistance". http://www.optimum.net/Article/DNS.
- "Comcast trials
Domain Helper serviceDNS hijacker". The Register. http://www.theregister.co.uk/2009/07/28/comcast_dns_hijacker/. Retrieved 2009-10-07.
- "Who Stole My Web Browser?". http://infiniteedge.blogspot.com/2009/10/who-stole-my-web-browser.html.
- "Rogers Uses Deep Packet Inspection for DNS Redirection". dslreports.com. 2008-06-20. http://www.dslreports.com/shownews/Rogers-Uses-Deep-Packet-Inspection-for-DNS-Redirection-96239. Retrieved 2010-06-15.
- "Bell Starts Hijacking NS Domain Queries". http://tech.slashdot.org/story/09/08/04/1512248/Bell-Starts-Hijacking-NX-Domain-Queries.
- "UPC FAQ about the "navigation service"". http://service.upc.ie/service/?cid=123&aid=143.
- T-Home-Team (2009-04-09). "Neues Leistungsmerkmal 'Navigationshilfe' [New 'Navigation Help' Feature]" (in German). http://foren.t-online.de/foren/read/service/browser/t-online-browser/neues-leistungsmerkmal-navigationshilfe,164,3808480,fid=84b72be.html. Retrieved 2009-12-02. "Ist die Navigationshilfe aktiviert, werden DNS-Server zugewiesen, die dieses Leistungsmerkmal unterstützen; ist sie deaktiviert, werden herkömmliche DNS-Server zugewiesen."
- Optus' "About the Search Results Page"
- "Want a real world example of why we need network neutrality? I have one here.". http://www.reddit.com/r/programming/comments/9o3as/want_a_real_world_example_of_why_we_need_network/.
- XSS Reflected dnssearch.Ono.es NXD redirect « iniqua
- BigPond redirects typos to 'unethical' branded search page - CRN Australia
- "Charter Corrupting DNS protocol ie hijacking hosts". http://www.dslreports.com/forum/r17871432-Charter-Corrupting-DNS-protocol-ie-hijacking-hosts.
- "road runner dns hijack causing slow web-pages". http://jeffturner.net/2008/03/road-runner-dns-hijack-causing-slow-web-pages/.
- "Rogers violates net neutrality by hijacking failed DNS lookups". http://www.digitalhome.ca/content/view/2689/206/.
- "ISPs Error Page Ads Let Hackers Hijack Entire Web Researcher Discloses". http://blog.wired.com/27bstroke6/2008/04/isps-error-page.html.
- "Negative Caching of DNS Queries". https://tools.ietf.org/html/rfc2308.
- "Using Firefox + NoRedirect Extension to Avoid DNS Hijacking". http://www.earobinson.org/2009/08/01/using-firefox-noredirect-extension-to-avoid-dns-hijacking/.
- "Harms Caused by NXDOMAIN Substitution in Toplevel and Other Registry-class Domain Names". ICANN. 2009-11-24. http://www.icann.org/en/topics/new-gtlds/nxdomain-substitution-harms-24nov09-en.pdf. Retrieved 2010-09-23.