Principles and Defense of DNS Hijacking and DNS Spoofing/Pollution

1. Knowledge Point Description
DNS Hijacking and DNS Spoofing/Pollution are two common attacks that tamper with DNS resolution results in order to redirect users to malicious sites or intercept legitimate services.

  • DNS Hijacking: By compromising DNS servers or the user's own devices, the attacker changes the records or resolver settings themselves, so that ordinary-looking resolution returns an attacker-chosen IP address.
  • DNS Spoofing/Pollution: During the query process, the attacker injects forged DNS response packets that reach the client before the legitimate answer. If the forgery matches what the resolver is waiting for, it is accepted, and a caching resolver may go on serving the bad answer to other clients.

2. Common Techniques of DNS Hijacking
Technique 1: Attacking DNS Servers

  • Attackers exploit vulnerabilities to compromise ISP or public DNS servers and modify their records or configuration. For example, changing the A record of www.example.com to a malicious IP.
  • Result: Every user relying on that server is affected, for as long as the altered record (and any cached copy of it) persists.

Technique 2: Local Device Hijacking

  • Malware modifies the user device's hosts file or resolver settings, or changes the DNS servers configured on a home router (routers left with default admin passwords are an easy target).
  • Result: Affects a single device, or, when the router is tampered with, every device on that local network.

Technique 3: Man-in-the-Middle (MITM) Attack

  • An attacker on the network path (e.g., after ARP spoofing to insert themselves between the client and its gateway) intercepts DNS queries and answers them with forged IP addresses. Because the attacker sees each query, they already know its Query ID and source port and need not guess them.
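Local hijacking of the kind described in the second technique above (hosts file or resolver settings changed on the device or router) leaves traces that can be audited on the device itself. The script below is an added example, not code from the original page: it parses a hosts file, flags entries that pin a non-local name to a non-local address, and compares the resolvers a device actually uses against an expected list. The hosts content, hostnames and addresses are constructed samples.

```python
import ipaddress

# Added example, not from the original page: audit the two local artefacts that
# device-level hijacking tampers with, the hosts file and the resolver list.
# SAMPLE_HOSTS and every address below are constructed, not taken from a real system.

SAMPLE_HOSTS = """\
127.0.0.1       localhost
::1             localhost ip6-localhost
# entry planted by malware (constructed sample)
203.0.113.45    www.bank.example online.bank.example
10.0.0.5        intranet.corp.example      # legitimate internal pin
"""

# Names that belong in a hosts file on most systems.
LOCAL_NAMES = {"localhost", "ip6-localhost", "ip6-loopback", "localhost.localdomain"}

# RFC 1918 / ULA ranges: pins into these are usually deliberate (intranet hosts).
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]

def parse_hosts(text: str) -> list[tuple[str, str]]:
    """(ip, hostname) pairs, one per hostname; comments and blank lines ignored."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        entries.extend((ip, name.lower()) for name in names)
    return entries

def is_local_address(ip: str) -> bool:
    """Loopback, link-local or private. ipaddress's is_global is avoided on purpose:
    it treats documentation ranges such as 203.0.113.0/24 as non-global, which
    would hide exactly the kind of sample used here."""
    addr = ipaddress.ip_address(ip)
    return addr.is_loopback or addr.is_link_local or any(addr in net for net in PRIVATE_NETS)

def suspicious_hosts_entries(text: str, allowed: set[str] = LOCAL_NAMES) -> list[tuple[str, str]]:
    """Entries that pin a non-local name to a non-local address (or are malformed).
    A hosts entry bypasses DNS entirely, so every such line deserves a look."""
    flagged = []
    for ip, name in parse_hosts(text):
        if name in allowed:
            continue
        try:
            if not is_local_address(ip):
                flagged.append((ip, name))
        except ValueError:            # unparsable address: flag it too
            flagged.append((ip, name))
    return flagged

def unexpected_resolvers(configured: list[str], expected: set[str]) -> list[str]:
    """Resolver addresses (from the device or the router's WAN/DHCP settings)
    that are not on the approved list."""
    return [r for r in configured if r not in expected]

if __name__ == "__main__":
    for ip, name in suspicious_hosts_entries(SAMPLE_HOSTS):
        print(f"suspicious hosts entry: {name} -> {ip}")
    for r in unexpected_resolvers(["192.168.1.1", "198.51.100.9"], {"192.168.1.1"}):
        print(f"unexpected resolver: {r}")
```

On a real system the text would come from /etc/hosts (or the Windows equivalent) and the resolver list from resolv.conf or the router's admin page; the checks themselves do not change.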

3. Implementation Principle of DNS Spoofing/Pollution
Key Point: Forging DNS Response Packets

  • DNS normally runs over UDP, which is connectionless: the resolver cannot verify where a datagram came from and accepts the first response that matches its outstanding query. Attackers who can observe or predict queries (to port 53) send forged responses that arrive before the legitimate one.
  • Technical Details:
    1. The client sends a query to the DNS server carrying a randomly generated 16-bit Query ID (transaction ID) used to match responses to requests.
    2. A forged response is accepted only if it matches the Query ID, the client's source port (the destination port of the response) and the question section, and carries the DNS server's IP as its source (trivial to spoof over UDP). An on-path attacker simply reads these values from the query; an off-path attacker must guess them, which is easy when the resolver uses a fixed source port (only the 16-bit ID remains) and far harder when source ports are randomized.
    3. The forged answer carries the attacker's IP address and a TTL (Time to Live) of the attacker's choosing. When the target is a caching resolver, a long TTL keeps the poisoned record serving other clients until it expires.
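The matching rules listed above, as an added example that is not part of the original page. The script builds a query and a forged answer in DNS wire format with Python's struct module, applies the acceptance checks a stub resolver performs over UDP (QR bit, transaction ID, question section, destination port), and sizes the guess space an off-path attacker faces with and without source-port randomization. The name www.example.com, the port numbers and the address 203.0.113.7 are constructed; the parser handles only the uncompressed names the builders emit.

```python
import random
import struct

# Added example, not from the original page: minimal RFC 1035 wire-format helpers
# showing what a stub resolver checks before accepting a UDP answer, and therefore
# which fields a forged response has to match. Names, ports and IPs are made up.

def encode_name(name: str) -> bytes:
    """'www.example.com' -> length-prefixed labels terminated by a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def decode_name(data: bytes, off: int):
    """Decode an uncompressed name at `off`; returns (name, offset after it).
    Compression pointers (0xC0..) are not handled; this parser only reads
    messages produced by the builders below."""
    labels = []
    while data[off] != 0:
        n = data[off]
        labels.append(data[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    return ".".join(labels), off + 1

def build_query(qid: int, qname: str) -> bytes:
    """Recursive A/IN query: 12-byte header, one question."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)       # RD=1
    return header + encode_name(qname) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def build_response(qid: int, qname: str, ip: str, ttl: int) -> bytes:
    """Answer with one A record. An attacker picks qid, ip and ttl freely;
    the question section is copied so it matches the outstanding query."""
    header = struct.pack("!HHHHHH", qid, 0x8180, 1, 1, 0, 0)       # QR=1, RD=1, RA=1
    question = encode_name(qname) + struct.pack("!HH", 1, 1)
    rdata = bytes(int(o) for o in ip.split("."))
    answer = encode_name(qname) + struct.pack("!HHIH", 1, 1, ttl, 4) + rdata
    return header + question + answer

def parse_message(data: bytes) -> dict:
    """Header, question, and the first A answer if there is one."""
    qid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    qname, off = decode_name(data, 12)
    qtype, _qclass = struct.unpack("!HH", data[off:off + 4])
    off += 4
    msg = {"id": qid, "flags": flags, "qname": qname, "qtype": qtype, "ip": None, "ttl": None}
    if ancount:
        _, off = decode_name(data, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            msg["ip"] = ".".join(str(b) for b in data[off:off + 4])
            msg["ttl"] = ttl
    return msg

def stub_accepts(query: bytes, query_port: int, response: bytes, response_port: int) -> bool:
    """What the resolver can check on UDP: QR bit set, same transaction ID,
    same question, and the datagram addressed to the port the query left from.
    The source IP is not checked here because it is trivially spoofed."""
    q, r = parse_message(query), parse_message(response)
    return (bool(r["flags"] & 0x8000) and r["id"] == q["id"]
            and r["qname"] == q["qname"] and r["qtype"] == q["qtype"]
            and response_port == query_port)

def guess_space(port_randomized: bool) -> int:
    """Combinations an off-path forger must cover per query: the 16-bit ID,
    times the 16-bit port when it is randomized (an upper bound; real
    ephemeral port ranges are smaller)."""
    return 2 ** 16 * (2 ** 16 if port_randomized else 1)

def forge_attempt(query: bytes, query_port: int, attacker_id: int, attacker_port: int) -> bool:
    """One forged packet with the attacker's (observed or guessed) ID and port."""
    forged = build_response(attacker_id, parse_message(query)["qname"], "203.0.113.7", 86400)
    return stub_accepts(query, query_port, forged, attacker_port)

if __name__ == "__main__":
    qid, port = random.getrandbits(16), random.randint(49152, 65535)
    query = build_query(qid, "www.example.com")
    # On-path attacker saw the query, so the forgery always matches.
    print("on-path forgery accepted:", forge_attempt(query, port, qid, port))
    # Off-path attacker against a fixed, known port: one guess in 65536.
    print("off-path guess accepted:", forge_attempt(query, port, random.getrandbits(16), port))
    print("guess space, fixed port:", guess_space(False), "randomized port:", guess_space(True))
```

The large TTL in forge_attempt is deliberate: it is what an attacker poisoning a caching resolver would choose, since the record keeps being served until it expires.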

4. Defense Measures
Against DNS Hijacking:

  • Use DNSSEC (DNS Security Extensions): zone operators sign their records and a validating resolver verifies the signatures, so a forged or altered record is rejected. DNSSEC authenticates data but does not encrypt it, and it only helps when the resolver (or client) actually performs validation.
  • Deploy HTTPS: Even if resolution is hijacked, TLS certificate verification stops the browser from trusting the fake site unless the attacker also holds a valid certificate for that name. The remaining risk is the first visit over plain HTTP before a redirect to HTTPS, which HSTS is designed to close.
  • Regularly check router DNS settings and replace default administrator passwords.

Against DNS Spoofing/Pollution:

  • Use DNS over HTTPS (DoH) or DNS over TLS (DoT): Encrypts and authenticates the leg between the client and its resolver, so an on-path attacker can no longer read queries or inject responses on that hop. It does not protect the resolver's own lookups toward authoritative servers; that is where DNSSEC applies.
  • Configure stateful firewall rules so that inbound UDP port 53 responses from external IPs are accepted only when they match an outstanding query from the local network; everything else is dropped as unsolicited.
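The stateful check behind the last bullet, as an added example that is not part of the original page: a filter that remembers outbound queries by client address, client port, resolver address and transaction ID, and lets an inbound UDP/53 response through only if it matches one of them within a timeout. The packet records are constructed, not captured traffic, and the addresses are made up. Note the limit this illustrates: a forgery that matches every field (an on-path attacker, or a lucky off-path guess) passes just like the real answer, which is why the rule complements rather than replaces port randomization, DoH/DoT and DNSSEC.

```python
from dataclasses import dataclass

# Added example, not from the original page: a stateful "unsolicited DNS response"
# filter over constructed packet records (not real traffic).

@dataclass(frozen=True)
class Packet:
    ts: float          # seconds
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    txid: int          # 16-bit DNS transaction ID
    is_response: bool  # QR bit of the DNS header

class DnsResponseFilter:
    """Track outbound queries keyed by (client ip, client port, resolver ip, txid);
    admit an inbound response only if it answers one of them within `timeout`."""

    def __init__(self, timeout: float = 5.0):
        self.timeout = timeout
        self.pending: dict[tuple, float] = {}
        self.dropped: list[Packet] = []

    def process(self, pkt: Packet) -> bool:
        """Return True if the packet is allowed through."""
        if not pkt.is_response and pkt.dst_port == 53:
            # Outbound query: remember who asked whom, and when.
            self.pending[(pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.txid)] = pkt.ts
            return True
        if pkt.is_response and pkt.src_port == 53:
            key = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.txid)
            sent = self.pending.get(key)
            if sent is not None and pkt.ts - sent <= self.timeout:
                del self.pending[key]   # first matching answer wins; a forgery that
                return True             # matches all fields wins too
            self.dropped.append(pkt)
            return False
        return True  # not DNS over UDP/53; out of scope for this filter

def sample_traffic() -> list[Packet]:
    """Constructed: one legitimate query, a burst of off-path guesses spoofing the
    resolver's address with wrong IDs, the real answer, a response from an
    unrelated host, and a duplicate of an already-answered query."""
    client, resolver, outsider = "192.168.1.20", "192.168.1.1", "198.51.100.9"
    pkts = [Packet(0.000, client, 40001, resolver, 53, 0x1A2B, False)]
    for i, guess in enumerate((0x0001, 0x0002, 0x0003, 0x1A2A, 0x1A2C)):
        pkts.append(Packet(0.010 + i * 0.001, resolver, 53, client, 40001, guess, True))
    pkts.append(Packet(0.020, resolver, 53, client, 40001, 0x1A2B, True))   # real answer
    pkts.append(Packet(0.030, outsider, 53, client, 40001, 0x1A2B, True))   # nobody asked
    pkts.append(Packet(0.040, resolver, 53, client, 40001, 0x1A2B, True))   # already answered
    return pkts

def run_filter(pkts: list[Packet], timeout: float = 5.0):
    """Apply the filter to a packet list; returns (allowed, dropped)."""
    f = DnsResponseFilter(timeout)
    allowed = [p for p in pkts if f.process(p)]
    return allowed, f.dropped

if __name__ == "__main__":
    allowed, dropped = run_filter(sample_traffic())
    print(f"allowed {len(allowed)}, dropped {len(dropped)} unsolicited responses")
    for p in dropped:
        print(f"  dropped from {p.src_ip}:{p.src_port} txid=0x{p.txid:04x}")
```

Real firewalls implement the same idea as UDP connection tracking (one pending entry per query socket), and the dropped list is what you would feed into a detection rule: a burst of mismatched responses spoofing your resolver's address is the signature of a blind spoofing attempt.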

5. Real-World Cases

  • In 2014, Brazilian bank users experienced DNS hijacking where malware modified router DNS settings, redirecting users to phishing websites.
  • Some regional ISPs implement content filtering by returning incorrect DNS resolution results (a form of DNS spoofing/pollution).

Summary
The core difference between DNS hijacking and spoofing/pollution lies in the attack layer: hijacking targets servers or devices, while spoofing/pollution targets the query process itself. Defense requires a combination of transport encryption (DoH/DoT), response authentication (DNSSEC), and system security hardening.