How To Diagnose DNS Hijacking?
DNS hijacking is an attack in which the DNS records that map a domain name (e.g. “example.org”) to an Internet Protocol address are changed so that users are directed to servers controlled by an attacker rather than the legitimate server for the website.
When this happens, the records can be modified or replaced so that they point to a different location. In some cases, a user may see a webpage that is not hosted at the expected URL.
In other cases, an attacker can directly change DNS records to point users towards malicious servers.
There have been several reports of this type of attack recently.
Detect DNS Hijacking:
It’s important to know that DNS hijacking can be carried out by compromising the security of your Domain Name Server or by exploiting security vulnerabilities in the website itself. The following are some of the ways you can check whether your website is being redirected elsewhere without your knowledge:
1- Check DNS Records For Your Website Using nslookup
Open a command line and type “nslookup” followed by the domain name (e.g., example.org).
In the example output, there is no MX (mail server) record set for this domain, which means that we cannot send emails directly from our email address (the address we used to register our domain) or reply to emails sent to this address. Additionally, there are no A/AAAA records for the website itself, which means that users cannot connect directly to the server over IPv4 or IPv6. This is a good indicator that DNS hijacking is taking place on your website.
2- Check via “dig” Command Line Tool For Your Domain Name
You can use the dig command line tool to diagnose DNS hijacking. Type “dig” followed by the domain name (e.g., example.org). If you get an error message similar to “It doesn’t appear that NS1.GOOGLE.COM cares about our query,” then it’s likely that you’ve been redirected to another website.
3- Check Your Domain Name Server Via Command Line For Suspicious Records
There are several public DNS servers you can query to check whether your domain name is affected by malware or another type of attack. The following command can be used to check for suspicious records:
nslookup -query=any google.com 184.108.40.206
If you notice that there are no name server records for your domain, it could be an indication of DNS hijacking on your website. It goes without saying that the above command should be used cautiously in diagnostic scenarios: although it can help you determine whether someone has changed your website’s name server records, attackers may also have planted other false positive indicators to throw off a regular user who is trying to diagnose a possible security breach on their website.
IMPORTANT NOTE: In the event that you find any false positive or suspicious DNS entries, we recommend that you check them out thoroughly and contact your web hosting company before making any
As you might have noticed, there are two types of anomalies present:
1) no records exist for the hostname (example.org), and
2) an MX (Mail Exchange) record has been added with an IP address that does not belong to the original website’s configuration (e.g., the IP address 220.127.116.11).
Even though these look like very straightforward changes, this is in fact an indication of DNS hijacking taking place on the website.
4- Check For Suspicious Record Changes Using Command Line
You can easily check whether your zone has been altered by looking at the serial number in the SOA (Start of Authority) record, which was assigned to your records when you initially signed up for your hosting plan. Run “dig SOA example.org” and compare the result with what the whois command line tool reports (e.g., whois example.org).
If you notice changes in the serial number or timestamp, it might be a sign that someone has altered your website’s records.
5- Check Your DNS Records Using The Command Line For Suspicious Entries
You can use the dig command line tool to check for suspicious entries in your website’s DNS records. Type “dig” followed by the domain name (e.g., example.org). If you see any odd-looking records with long strings of characters in the mail server settings, the MX record, the NS1 record and so forth, this is an indicator that someone has compromised the security of your hosting account and made unauthorized changes to your website’s configuration.
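Steps 1 to 5 all come down to the same comparison: what dig returns for the zone today versus a known-good snapshot of the zone. The following Python script is an added example, not part of the original article; it parses dig's answer-section output (as produced by something like `dig +noall +answer example.org ANY`, or one query per record type where ANY is refused) and flags a changed SOA serial, missing A/AAAA/NS/MX records and unexpected additions. Both record sets and the IP addresses in them are constructed samples.

```python
# Constructed sample of dig "+noall +answer" output for a known-good zone
# (placeholder names and the documentation address 192.0.2.10, not real data).
BASELINE = """\
example.org.   3600 IN SOA  ns1.example.org. hostmaster.example.org. 2023010101 7200 3600 1209600 3600
example.org.   3600 IN NS   ns1.example.org.
example.org.   3600 IN NS   ns2.example.org.
example.org.   3600 IN A    192.0.2.10
example.org.   3600 IN MX   10 mail.example.org.
"""

# Constructed sample of the same zone after the kind of tampering the
# article describes: serial bumped, A record gone, NS and MX replaced.
SUSPECT = """\
example.org.   3600 IN SOA  ns1.example.org. hostmaster.example.org. 2023020202 7200 3600 1209600 3600
example.org.   3600 IN NS   ns1.attacker.example.
example.org.   3600 IN MX   10 mail.attacker.example.
"""


def parse_answers(text):
    """Parse dig answer-section lines into {rtype: [rdata, ...]}."""
    records = {}
    for line in text.splitlines():
        parts = line.split()
        # Skip comments, blank lines and anything that is not "<name> <ttl> IN <type> <rdata>"
        if len(parts) < 5 or parts[2] != "IN":
            continue
        records.setdefault(parts[3], []).append(" ".join(parts[4:]))
    return records


def diff_records(baseline, current):
    """Return a list of human-readable anomalies found in current relative to baseline."""
    findings = []
    base, cur = parse_answers(baseline), parse_answers(current)
    # The SOA serial is the third rdata token; a changed serial means the zone was edited.
    if "SOA" in base and "SOA" in cur:
        old, new = base["SOA"][0].split()[2], cur["SOA"][0].split()[2]
        if old != new:
            findings.append(f"SOA serial changed {old} -> {new}")
    # Records the zone should have but lacks, and records it should not have.
    for rtype in ("A", "AAAA", "NS", "MX"):
        expected, seen = set(base.get(rtype, [])), set(cur.get(rtype, []))
        for r in sorted(expected - seen):
            findings.append(f"{rtype} record missing: {r}")
        for r in sorted(seen - expected):
            findings.append(f"unexpected {rtype} record: {r}")
    return findings


if __name__ == "__main__":
    for finding in diff_records(BASELINE, SUSPECT):
        print(finding)
```

Save a snapshot of your zone with dig while it is known to be correct, then feed today's output and the snapshot to diff_records; an empty list means nothing changed.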
How to Diagnose DNS Hijacking:
At its most basic level, DNS hijacking can be resolved by reverting to the correct name servers and MX records. To do this, you will need to contact your hosting company for assistance, as they should be able to reset the primary name server records for your website’s domain. In addition, you should also request that the host change the primary mail server from the compromised IP address back to where it belongs (e.g., 18.104.22.168).
The above steps are a good way of detecting possible signs of DNS hijacking on a website hosted with a specific provider, but other scenarios may exist as well, e.g., IP address hijacking or subdomain hijacking, so we strongly recommend that our customers perform regular security audits on all of their domains.
Reverse IP Lookup
You can use a reverse IP lookup tool such as https://www.ip-tracker.org/ and enter the IP address you want to check to see whether it has changed. You will need a full list of the IPs for that specific domain (for example: http://pastebin.com/raw/NX4kMSga), then copy them one by one into the “Enter an IP Address” field and click “Lookup”. If after several minutes you notice that most of them point to another hosting company, this most probably means that your website has been hacked or infected with malware, so we recommend taking a full website backup and restoring from scratch as soon as you notice that your website has been hacked or is showing any strange behavior.
DNS hijacking is a serious issue and we hope you will keep these steps in mind as you move forward with resolving the problem. In addition, to prevent this from happening again, one should always take time to secure their website’s DNS records as well as the rest of the website configuration files that may have been altered.