Community Tip - Best Practices to Address DNS Hijacking

Issue
In DNS hijacking, the attacker redirects queries to a different domain name server. This can be done either with malware or with the unauthorized modification of a DNS server. Try the suggestions in this Community Tip for best practices for dealing with DNS hijacking.

Background


hi·jack
/ˈhīˌjak/
verb
past tense: hijacked; past participle: hijacked
unlawfully seize (an aircraft, ship, or vehicle) in transit and force it to go to a different destination or use it for one’s own purposes.

  • steal (goods) by seizing them in transit.
  • take over (something) and use it for a different purpose.

You may be familiar with the term hijack and understand its meaning, but DNS hijacking may be a twist you’re unfamiliar with. Wikipedia says DNS hijacking, or DNS redirection, is the practice of subverting the resolution of Domain Name System (DNS) queries. When this happens, your domain has effectively been hijacked. Note that some amount of DNS modification or redirection is normal for some organizations and for ISPs implementing government-level blocking. This tip considers DNS hijacking to be malicious changes to the DNS path between the user and the server, but it does also address issues of non-malicious redirection.

Quick Fix Ideas for Malicious Hijacking

  1. Rotate your API key, especially if you believe the key has been compromised.

  2. If your browsing session is being hijacked by your ISP, check whether your privacy is compromised.

  3. Turn on DNSSEC to address redirection due to cache poisoning. DNSSEC ensures that a supporting client gets a validated DNS response, which combats cache poisoning. (This is where a malicious actor between the client and the DNS server intercepts the DNS request and responds with a fake response to direct the client to another location.)

  4. Do not point to Cloudflare name servers without having your domain signed up in your account first. When you point to Cloudflare name servers without claiming the site first (or the site is deleted), you are effectively opening up DNS control to whomever signs up the domain first or re-signs the zone on our platform. The fix is to add the zone to your account first and then point it to your Cloudflare assigned name servers.

  5. If you believe your Cloudflare account is compromised and you don’t want to, or are unable to login, email support AT cloudflare DOT com.

  6. It’s best to avoid the issue altogether: enable two-factor authentication for your domain registrar, Cloudflare dashboard, third-party web hosting/cPanel, and all domain-related administrative email accounts.

  7. Consider using 1.1.1.1 or another (encrypted) DNS provider.

Quick Fix Ideas for Non-Malicious Redirection

  1. Verify you are using the correct IP address for your origin server for your DNS records.

  2. Flush your DNS cache and/or check your router to ensure it’s not forcing clients to use its DNS.

  3. If DNS resolution is not working properly, check for typos in the DNS details you shared with your registrar.

  4. You’re seeing errors like DNS_PROBE_FINISHED_NXDOMAIN or ERR_CONNECTION_REFUSED in certain geographic locations. Your ISP or local authorities are blocking access and there is little that Cloudflare can do. (If the local government blocks any particular website but a request reaches Cloudflare, we will not block them.) And note that DNSSEC does not help with government blocks.
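As an added example (not part of the original tip), the script below automates two of the checks above: whether a resolver returned a DNSSEC-validated answer (item 3 of the malicious list, seen as the `ad` flag in `dig +dnssec` output) and whether the A records actually returned match the origin IPs you expect (item 1 of the non-malicious list), with NXDOMAIN called out separately (item 4). The `dig` outputs embedded here are constructed samples, not real captures; `example.com`, the documentation-range IPs and the helper names are assumptions. On a real system you would feed it the output of `dig example.com A +dnssec`.

```python
"""Parse `dig +dnssec` output and flag signs of DNS redirection.

Added example for this Community Tip; the sample outputs below are
constructed, and example.com / 192.0.2.x / 198.51.100.x are placeholders.
"""
import re
from dataclasses import dataclass, field

# --- constructed sample dig outputs (not real captures) ----------------------
SAMPLE_VALIDATED = """
; <<>> DiG 9.18.1 <<>> example.com A +dnssec
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12345
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
example.com.   300   IN   A      192.0.2.10
example.com.   300   IN   RRSIG  A 13 2 300 20240101000000 20231201000000 12345 example.com. abc==
"""

# No `ad` flag and an A record that is not our origin: a redirection symptom.
SAMPLE_REDIRECTED = """
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23456
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
example.com.   60    IN   A      198.51.100.99
"""

SAMPLE_NXDOMAIN = """
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 34567
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
"""


@dataclass
class DigResult:
    status: str = ""
    flags: set = field(default_factory=set)
    answers: list = field(default_factory=list)  # (name, ttl, class, type, rdata)


HEADER_RE = re.compile(r"status:\s*([A-Z]+)")
FLAGS_RE = re.compile(r";; flags:\s*([a-z ]*);")
RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+(IN)\s+([A-Z0-9]+)\s+(.+)$")


def parse_dig(text):
    """Extract status, header flags and ANSWER-section records from dig output."""
    result = DigResult()
    in_answer = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(";; ->>HEADER<<-"):
            m = HEADER_RE.search(line)
            if m:
                result.status = m.group(1)
        elif line.startswith(";; flags:"):
            m = FLAGS_RE.search(line)
            if m:
                result.flags = set(m.group(1).split())
        elif line.startswith(";; ANSWER SECTION:"):
            in_answer = True
        elif line.startswith(";;"):
            in_answer = False          # any other section header ends the answers
        elif in_answer and not line.startswith(";"):
            m = RR_RE.match(line)
            if m:
                name, ttl, rclass, rtype, rdata = m.groups()
                result.answers.append((name, int(ttl), rclass, rtype, rdata))
    return result


def dnssec_validated(r):
    """`ad` (authenticated data) is set only when a validating resolver checked
    the signatures. It says nothing about the hop between you and that resolver,
    which is why the tip also suggests an encrypted resolver such as 1.1.1.1."""
    return r.status == "NOERROR" and "ad" in r.flags


def a_records(r):
    return [rdata for (_, _, _, rtype, rdata) in r.answers if rtype == "A"]


def check_origin(r, expected_ips):
    """Compare returned A records with the origin IPs you configured."""
    seen, expected = set(a_records(r)), set(expected_ips)
    return {"unexpected": sorted(seen - expected), "missing": sorted(expected - seen)}


def assess(text, expected_ips):
    """Return a list of human-readable findings; an empty list means all clear."""
    r = parse_dig(text)
    findings = []
    if r.status == "NXDOMAIN":
        findings.append("NXDOMAIN: name does not resolve (check for a typo in the record, or upstream blocking)")
        return findings
    if not dnssec_validated(r):
        findings.append("no AD flag: this answer was not DNSSEC-validated by the resolver")
    diff = check_origin(r, expected_ips)
    for ip in diff["unexpected"]:
        findings.append(f"unexpected A record {ip}: possible redirection or stale record")
    for ip in diff["missing"]:
        findings.append(f"expected origin {ip} is not in the answer")
    return findings


if __name__ == "__main__":
    for label, sample in (("validated", SAMPLE_VALIDATED), ("redirected", SAMPLE_REDIRECTED), ("nxdomain", SAMPLE_NXDOMAIN)):
        print(label, assess(sample, ["192.0.2.10"]) or "OK")
```

Run the same query against two resolvers (your router's default and 1.1.1.1) and compare the findings: an unexpected A record from only one of them points at that resolver or the path to it, while the same wrong record from both usually means the zone itself was changed, which is the case the account, API key and two-factor items above address.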

Lite Reading


The Basics

Detecting HTTPS Interception
MITMEngine
MALCOLM

Background Resources
Knowledge Base
YouTube
Featured Video

Research The Issue
Community
Google

If You Need More Help
This community of other Cloudflare users may be able to assist you; if not, log in to Cloudflare and then contact Cloudflare Support. When you contact support, make sure to include as much of this information as possible: domain name, screenshots, Ray ID, and/or HAR file(s).

Expert Comments Appreciated
This Community Tip will remain open for input from Community experts and those familiar with this issue. We really appreciate comments that start with words like: “The three things I always try”, or “Do this first”, or “In my experience”.

This is a Cloudflare Community Tip; to review other tips, click here.


4 Likes

One of the best ways to minimize your risk is to enable two-factor authentication for your Registrar, Cloudflare, Web hosting/cPanel and all administrative Email accounts.

2 Likes

Thank you @Withheld, added. And thank you @publicarray for suggesting the tip topic and reviewing along the way.

Tip topic ideas and improvements are always appreciated, thank you!

2 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.