The UK National Cyber Security Centre published an advisory this week regarding the ongoing and increasing risk of DNS hijacking.

DNS is the system that converts domain names to IP addresses allowing the world wide web to function. Its architecture is designed to be distributed in order to be resilient and stable. This distributed and hierarchical structure does however make it vulnerable to attack as the whole system is only as secure as its least secure component.

To illustrate the scale of the problem, Avast in Brazil recently published a report detailing how their software had blocked 4.6 million CSRF (Cross Site Request Forgery) attempts to compromise domestic internet routers – and had detected that a further 180,000 routers had their DNS hijacked in the first half of 2019.

The power and danger of DNS hijacking attacks is they can invisibly reroute internet traffic to or through servers controlled by the attackers.

DNS hijacking attacks against domestic users and small businesses often target the broadband router or the DNS subsystem on the target computer in order to redirect the user to phishing websites in order to steal bank or email credentials.

Many DNS hijacking attacks against enterprises start by compromising the target organisation’s account with their DNS registrar. This is usually an account with a third party that is accessed by several administration staff. Often these accounts have existed for many years and do not have two-factor authentication enabled. If the registrar account is compromised, it is then possible for attackers to reroute internet traffic intended for the organisations webservers to phishing websites or transparently proxy the traffic via a credential stealing server before sending the traffic on to its intended destination.

The NCSC recommends organisations take these steps to protect their DNS security:

• Protect registrar account through good security practices that mirror those employed to protect critical internal systems. This includes strong passwords, two factor authentication and regularly reviewing who has access.
• Ensure contact details in the DNS registration records are correct and contact email addresses are monitored
• Use role accounts not personal emails for contact details to ensure no message are missed if people change jobs or leave your organisation
• Monitor DNS records regularly for unexpected changes

The full NCSC advisory can be accessed here