A website isn't the only thing at risk in a DNS hijacking
Written by Heidi Harris.
Part of IID's DNS Dojo Series
In our ongoing DNS Dojo series, we’ve talked about how the Domain Name System works and the risks to websites when a domain’s DNS is hijacked by cyber criminals. But websites aren’t the only entities at risk in a DNS hijacking. The DNS may be tied to a domain, but a domain isn’t just the website that resolves on it; a domain’s DNS might be responsible for many different non-web transactions and back-end functions, including email, Virtual Private Networks (VPNs) and automated data transfer. By hijacking an enterprise’s DNS, hackers can gain access to traffic containing vital data like financial and customer information, passwords, emails and proprietary documents.
As we’ve discussed previously, the DNS is working constantly in the background to connect people to the places they want to go online. A domain’s DNS is hijacked in one of two ways: an unauthorized party gains access to the domain’s registration and changes its configuration so that it delegates to name servers other than those chosen by the domain owner, or the domain’s authoritative name servers themselves are compromised and altered to point the domain to a new location. A criminal hijacker may redirect traffic intended for the website on that domain to another Internet location, driving visitors to malware drop sites or to politically motivated defacement pages. Such redirects cause problems for both the visitor and the enterprise that owns the domain. Even in the absence of malware, redirecting a company’s website away from its legitimate page to a page outside its control causes harm by halting the business that depends on that domain.
A Hijacked Domain Means Hijacked Email (and more!)
Disturbances to non-Web uses of the domain, like email, can cause major headaches for the victim enterprise as well. The mail exchanger record (MX record), a record within the DNS, is responsible for the delivery of email for the domain and associated hostnames. When the DNS for the domain is hijacked, the MX record is likewise affected, leaving mail undeliverable and, perhaps worse, visible to the hackers who control the DNS servers they’ve pointed the domain to. Remember, the hackers have not just pointed the domain away from the owner’s chosen DNS servers but have pointed it toward ones that they control, making DNS hijacking a double whammy: not only can enterprise employees and customers not access the data they need, but the criminals can.
Sensitive information is at risk of falling into the hands of the bad guys once they control DNS for your enterprise’s domains. And online transactions with extended enterprise partners are at risk, too. Data captured during a hijack could include information about purchases or sales made between your business and your partners, and may even include their banking or payment information. If your company has an online shop that uses an extended enterprise partner’s shopping cart API or payment apparatus, those functions will yield information for the hackers that you and your partners would have preferred stayed private.
Criminals know the DNS has weak spots, and the rate at which those weak spots are being abused is on the rise. Enterprise security necessitates a two-pronged approach on the DNS front: protect DNS configurations from hijacking, and actively monitor your domains (and those of your extended enterprise partners) for unauthorized changes so that you can shut off connections to those domains in the event of a breach.
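The monitoring half of that approach boils down to comparing what resolvers currently report for your domain against the delegation and mail routing you actually configured. The following script is an added example (not IID's tooling); the domain, name servers and mail hosts are constructed placeholders, and the "observed" snapshot is embedded inline so it runs offline rather than querying live DNS.

```python
"""Detect unauthorized NS/MX changes by comparing observed DNS answers
against an approved baseline. Hypothetical example: all hostnames are
constructed placeholders, not real infrastructure."""

# Approved baseline (constructed): the delegation and MX hosts the owner chose.
BASELINE = {
    "NS": ["ns1.example-dns.net", "ns2.example-dns.net"],
    "MX": [(10, "mail1.example.com"), (20, "mail2.example.com")],
}

def normalize_name(name):
    """DNS names compare case-insensitively and with or without a trailing dot."""
    return name.strip().rstrip(".").lower()

def normalize_records(records):
    """Turn a raw snapshot {'NS': [...], 'MX': [(pref, host), ...]} into sets."""
    return {
        "NS": {normalize_name(n) for n in records.get("NS", [])},
        "MX": {(int(p), normalize_name(h)) for p, h in records.get("MX", [])},
    }

def detect_drift(baseline, observed):
    """Return a list of findings; an empty list means the zone matches the baseline."""
    base, obs = normalize_records(baseline), normalize_records(observed)
    findings = []
    for rtype in ("NS", "MX"):
        for rec in sorted(obs[rtype] - base[rtype]):
            findings.append(f"UNAUTHORIZED {rtype} added: {rec}")
        for rec in sorted(base[rtype] - obs[rtype]):
            findings.append(f"EXPECTED {rtype} missing: {rec}")
    # The hijack signature the post describes: the delegation no longer contains
    # any server the owner chose, so all traffic flows through attacker-controlled DNS.
    if obs["NS"] and not (obs["NS"] & base["NS"]):
        findings.insert(0, "CRITICAL: no approved name server remains in the delegation")
    return findings

# Constructed snapshot of what a resolver might report after a hijack.
# In production this would come from a resolver library (e.g. dnspython), queried
# from more than one vantage point so a single poisoned resolver is not trusted alone.
OBSERVED_HIJACKED = {
    "NS": ["NS1.ATTACKER-DNS.EXAMPLE.", "ns2.attacker-dns.example."],
    "MX": [("10", "mail.attacker-dns.example.")],
}

if __name__ == "__main__":
    for finding in detect_drift(BASELINE, OBSERVED_HIJACKED):
        print(finding)
```

Run on a schedule, any non-empty result is the trigger for the second prong: cutting connections to the affected domain (and alerting partners whose domains you also watch) until the registrar or name-server compromise is resolved.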
DNS hijacking can be a headache at best, and a nightmare at worst. Your customers may never know anything is amiss if the hijacking doesn’t affect a domain that resolves to an associated webpage. If it does, though, and that website is unavailable or redirects to a fraud or malware page, the customer becomes another victim of the attack. Hijacking doesn’t have to be the only cause of an unavailable website, though. In a future DNS Dojo post, we’ll take a look at the possible reasons that your customers may not be able to access your website and what you might need to do to get back online.