DNS Hijacking is essentially when your ISP “Internet Service Provider” does redirect your DNS traffic to it’s own DNS servers and does DNS resolution without your consent or knowledge. This is actually quite common and normally users dont even have a clue. In this article I am going to explain how to detect DNS hijacking and how to protect yourself.
The tutorial below is for a non-technical audience. For the sake of making complex technical terms and scenarios easier to understand, not all of the explanations are 100% correct if read by technical experts.
DNS Hijacking – The terms
Domain name : The website name such as www.google.com that is the better known address of the website you would like to visit.
IP Address : A numerical address such as 126.96.36.199 which is in essence an address just like your zip code and street no and house no. Each website must have an IP address.
DNS : Doman Name Service, this is an Internet service that runs on port 53 and translate a domain name such as Google.com to an IP address such as 188.8.131.52. All traffic on the Internet is exchanged using IP addresses. As a result, the first thing that must happen for you to open a web page is to resolve the domain name to an IP Address.
ISP : Internet Service Provider, basically the provider of your Internet connection.
Ping : A command line tool found on all operating systems that can be used to translate from a domain name to an IP address. Useful to detect if DNS hijacking is occurring.
This is more common in EU, US and CA than you might think, I do interact with hundreds of users a week and I know for a fact that a lot of users in the mentioned regions are victims of Transparent proxies and DNS Hijacking.
A thought to consider
DNS Hijacking – The dangers
DNS Hijacking by ISPs exposed
As you an see in the illustration above, your ISP redirects all your DNS traffic to it’s own DNS servers and resolves the domain names on it’s own servers. Please see the below for the problems with this approach
If the ISP DNS server goes down or is overloaded, you wont be able to browser the Internet.
The ISP DNS might be logging all your DNS traffic and can determine at any time what you were watching.
The ISP DNS is a single point of failure and weakness you are exposed to, if that DNS server is exploited it can be used to send you to rogue webpages that look like the web page you intended to visit “Such as your bank site, or your email” and you mistakenly think it is the correct site. What happens next, is that you enter your logon information and that is recorded on the rogue web page. The rest I will leave to your imagination.
DNS Hijacking – How to detect
The fastest way to detect DNS hijacking is by using the ping utility. If you ping a non-existent domain and it resolves, that is probably a very strong indicator that your ISP is hijacking your DNS traffic. This is an excellent tutorial on how to ping on different OS. The idea here is to ping the hostname thevpnguru-dns-exposed.tld this should fail if it does actually return an IP address you are the victim of DNS hijacking.
Another way which gives you a 100% confirmation if your DNS is being hijacked, is to change your DNS address on a device you use to 0.0.0.0 and 0.0.0.1 . If after that your Internet still works and you can open up web pages normally your DNS traffic hijacked.
DNS Hijacking – The solution
DNS Hijacking by ISPs exposed – Unblock with VPN
Now that DNS hijacking and it’s dangers are exposed, it is time to talk about work arounds. Fortunately there are two work arounds, one is quite easy to achieve and one requires a bit more technical expertise.
The easy way : Get a VPN connection, VPN stands for Virtual Private Tunnel, what a VPN service would do is encrypt all you traffic and send it through a virtual tunnel. This goes for all your traffic DNS/Web traffic and so on. As a result your ISP will not be able to decipher your traffic. Now all you traffic goes through the virtual tunnel and it looks to your ISP like gibberish. Have a look at the illustration above, you can notice that the man with the red cravat is Xed out now, and all your traffic is locked down. Another benefit of VPN is that you can use it while travelling to protect your traffic and in Internet cafes and so on. One final benefit is that it allows you to change your Internet location, so you can watch Netflix USA while not in USA or BBC Iplayer while not in UK. I personally do use a VPN service called ExpressVPN, with apps that allow you to get started in seconds on IOS-Android-Mac and Windows,ExpressVPN hides my traffic from all intentional or un-intentional interception :) . More importantly ExpressVPN use the highest encryption standards available at the time of writing this article.
The hard way : Given that your DNS provider supports port DNS on port 54 “Smart DNS Proxy Provide Unlocator support port 54″ you can use a router that supports DD-WRT and flush it with an upgrade to DD-WRT and then use iptables rules to force DNS traffic to port 54. This way your DNS traffic will sneak it’s way past your ISPs DNS server. If I will get enough requests or questions about this, I might write an article about it. DNSSEQ is another way to overcome this, but due to the complex nature for newbies I opted out of going into detail. See Video and Picture guides for setup here. Smart DNS should unlock around 90 channels and sites.
DNS Hijacking – Final Thoughts
Finally, please do share this article and send some love in form of Likes ! if you did benefit from reading the content above. Thanks for reading.
A technical wizard of 10 year experience. Certified in Linux, Ethical Hacking and all sorts of technical stuff . I did work on projects around the world worth millions of dollars. My aim is to free you the reader from location restrictions and protect your privacy.