DNS hijacking

The Domain Name System is a way to map a domain name to an IP address. DNS hijacking, DNS poisoning, and DNS redirection are names for changing this mapping. Usually, this is done by pointing to a different name server.^[1] This name server will then return a different IP address for the domain.

Hackers use this, for example for phishing, or to show advertisments. The government also uses it sometimes: accessing certain domains may be illegal, in certain countries. Using this technique, the government can require internet service providers to block such domains.

If the government says that certain domains must no longer be accessible, this is a form of censorship.

How it works

When the DNS server has no entry for a domain, it will return an NXDOMAIN respone. The government could therefore require ISPs to return NXDOMAIN responses for the domains that are forbidden.

The DNS server operated by the ISP or by hackers could send the user to a page where adverts are shown, were statistics can be collected, or other things can be done.

There's also a different problem: Most web applications rely on the fact that they get an NXDOMAIN response for domains that do not exist. If they now get a valid page (for example with advertisments), this breaks the appliction.

What can be done against it

One way to overcome this problem is to use Domain Name System Security Extensions, often shorened to DNSSec. DNSSec is an extennsion of DN which uses asymmetric cryptography, and digital signatures for DNS entries. In practice, this makes it impossible to change the entry of the DNS record.

Response

ICANN, the international body responsible for administering top-level domain names, has published a memorandum highlighting its concerns, and affirming:^[2]

ICANN strongly discourages the use of DNS redirection, wildcards, synthesized responses and any other form of NXDOMAIN substitution in existing gTLDs, ccTLDs and any other level in the DNS tree for registry-class domain names.

DNS Hijacking Media

Screenshot of a dig command, showing a false response from an Iranian DNS server for a request to resolve Persian Wikipedia

References

↑ "What is a DNS Hijacking | Redirection Attacks Explained | Imperva". Learning Center. Archived from the original on 2022-04-12. Retrieved 2020-12-13.
↑ "Harms Caused by NXDOMAIN Substitution in Toplevel and Other Registry-class Domain Names" (PDF). ICANN. 2009-11-24. Archived (PDF) from the original on 2010-06-26. Retrieved 23 September 2010.

[1] "What is a DNS Hijacking | Redirection Attacks Explained | Imperva". Learning Center. Archived from the original on 2022-04-12. Retrieved 2020-12-13.

[ICANN-2] "Harms Caused by NXDOMAIN Substitution in Toplevel and Other Registry-class Domain Names" (PDF). ICANN. 2009-11-24. Archived (PDF) from the original on 2010-06-26. Retrieved 23 September 2010.

[1]

[2]