Domain Name System (DNS) hijacking — when a hacker seizes domain ownership from the rightful owner — is a major issue that affects both the private and public sectors. Because DNS is used for locating the right internet service to connect to, an attacker that can successfully execute a DNS hijack can mount a multitude of attacks ranging from installing malware on users’ devices to stealing credentials or redirecting purchases. DNS attacks can result in financial loss and damaged reputation to affected domain owners.

In recent years, DNS hijacking cases have increased, and at DigiCert, we’ve noticed. According to a 2021 study, 72% of organizations had experienced a DNS attack in the past 12 months and 47% experienced DNS hijacking. As our industry and threat landscape evolves, it is important for us to identify existing vulnerabilities in DNS and to build preventative measures to protect our customers when issuing certificates. So we’ve set out to better understand how DNS hijacking happens in practice and how we can proactively protect against hijacking attacks.

DNS levels of vulnerability

Attackers may gain access to a domain in various ways, including through the organization or individual that owns the domain (registrant), the TLD operator or registry and the domain registrar. Depending on how an attacker gains access, they may be able to gain different levels of access. For instance, if a registry is attacked, the attacker can gain access to all domains managed by the registry. If the registrar is vulnerable, it allows access to all domains managed by the registrar, whereas if the registrant is attacked, the hackers only have access to domains owned by the registrant. Often domain registrars are considered the weakest link, as they have a large attack vector and are thus attractive to hackers.

Past studies

In 2018, Cisco Talos discovered DNSpionage, a DNS attack utilizing malicious websites with Microsoft Office documents containing malware. The attackers created fake job websites containing malicious documents that, once downloaded, allowed the attackers to have remote administration. Just a year later, after the Sea Turtle attack, Cisco warned, “We are concerned that the success of this operation will lead to actors more broadly attacking the global DNS system.” That same year, the U.S. Department of Homeland Security issued a directive on DNS hijacking after several executive agencies were hit by attacks redirecting and intercepting web and email traffic.

Three years later, organizations are still fighting off DNS hijacking. Enterprises rely on web and email for business continuity, yet less than one third of organizations are very confident they are prepared to deal with a DNS attack, and 27% are not confident. To prevent DNS hijacking, organizations should keep their security up to date, implement phishing training to help employees avoid clicking questionable links and avoid public Wi-Fi, especially when sharing sensitive information.

While being prepared to deal with a DNS attack is a best practice, ideally organizations should have tools to build countermeasures and prevent them in the first place. Therefore, we’ve decided to invest in a project to better understand DNS hijacking at scale and prevent future attacks.

What if there was a way to automatically detect DNS hijacking in real-time?

As the world's leading provider of digital trust, we're always looking to improve web security and protect users. We’re working with researchers at UC San Diego and Stanford to prevent future attacks by understanding DNS hijacks, identifying maliciously obtained certs and building countermeasures. This will be beneficial to our customers and to the entire industry, as real-time DNS and registrar hijacking detection would prevent CAs issuing trusted certs to attackers. The goal is to understand where and how domains have been hijacked by looking at real-world logs, DNS, CT and internet scan data. In the end, the research team will design a system to detect domain hijacks in real-time, and thus prevent issuing certs to attackers.

“Once considered a theoretical attack, DNS hijacking has become a real threat for governments and high-value organizations,” explained Zakir Durumeric, an assistant professor of computer science at Stanford. “Our recent research has shown that domains are hijacked more commonly than previously believed. We are excited to work on building solutions that detect DNS hijacking attacks in real time using data from global data collection and public data sources like Certificate Transparency Logs, passive DNS and internet-wide scanning.”

Meanwhile, companies should select domain registrars with stringent authentication standards, closely monitor for vulnerabilities and educate employees about the dangers of phishing to prevent loss of credentials on the registrant side.

For more updates on this DNS research, stay tuned to the DigiCert blog. As the world leader in digital trust, we believe that DNS attacks deserve more attention and will continue to evolve if we do not proactively take steps, such as this project, to combat them.