What is a DNS Hijacking attack & how to prevent it
DNS is important in resolving the URLs you enter into the address bar of your browser. A lot of work goes into Domain Name Resolution. It is a sort of recursive operation that helps your browser get the IP address of the website you are trying to reach. If interested, you can read more about DNS Lookup and Servers.
The term DNS Cache refers to the local cache that contains the resolved IP addresses of websites that you frequent. The idea of the DNS cache is to save the time that would otherwise be spent contacting DNS servers, which would start a set of recursive operations to find out the actual IP address of the URL you need to reach. But cybercriminals can poison this cache simply by changing the entries in your DNS cache to fake IP addresses for the websites you use.
What is DNS Hijacking
As the name suggests, DNS Hijacking or Redirection is a method used by cybercriminals to hijack your browser’s attempt to resolve the IP address of the website you wish to load. For ease of use, the URLs we use are in text format. For each URL there is an IP address, and a set of operations goes into converting the text URL into a numerical IP address. Since many operations are involved in resolving the IP address, cybercriminals can take advantage of the delay and send your computer a fake IP address that belongs to them.
The most common method of DNS Hijacking is to install malware on your computer that changes its DNS settings, so that whenever your browser tries to resolve a URL it contacts one of the fake DNS servers instead of the real DNS servers used by ICANN (the Internet authority responsible for registering domains, managing them, providing them with IP addresses, maintaining contact addresses and more). The direct DNS servers your computer contacts are the DNS servers operated by your Internet Service Provider – unless you have changed them to something else. When an internet connection is bought, the DNS servers in use are the ISP’s, recognized by ICANN.
The malware on your computer changes the default DNS server your computer trusts to point to some other IP address. That way, when your browser tries to resolve an IP address, your computer contacts a fake DNS server that gives you the wrong IP address. This results in your browser loading a malicious website that may compromise your computer, steal your credentials, and so on.
DNS Hijacking vs. DNS Cache Poisoning
Though both take effect on your local machine, both originate from fake DNS servers. While DNS Hijacking involves malware, DNS Cache Poisoning involves overwriting your local DNS cache with fake values that redirect your browser to malicious websites. DNS Cache Poisoning or Spoofing involves techniques such as a bombardment of fake IP addresses that your computer picks up while the genuine DNS servers are still busy resolving the URL. That is, in the time it takes the genuine DNS servers to resolve a URL, the cybercriminals send plenty of responses that equate the URL with fake IP addresses.
For example, you type thewindowsclub.com in your browser. By the time a genuine DNS server has looked up the address, your computer has already received more than one response claiming that the site is at IP address XYZ. This makes your computer believe that the site is at XYZ, even though the genuine DNS server sends the genuine IP address, because the cybercriminals’ DNS servers sent many responses containing a fake IP for thewindowsclub.com.
This difference in time is used effectively by cybercriminals, who have many fake DNS servers, to get your computer to note down wrong and malicious IP addresses in its cache. So one of the ten fake DNS resolutions sent by the cybercriminals’ DNS servers takes precedence over the one genuine DNS resolution sent by the genuine DNS servers. Other methods of DNS Cache Poisoning, and how to prevent them, are listed in the link provided above.
Though the terms DNS Cache Poisoning and DNS Hijacking are used interchangeably, there is a small difference between them. DNS Cache Poisoning does not involve injecting malware into your computer system; it is based on different methods, like the one explained above, where fake DNS servers send a URL resolution faster than the genuine DNS server and the cache is thus poisoned. Once the cache is poisoned, your computer is compromised when you use an infected website. In the case of DNS Hijacking, you are already infected. Malware changes your default DNS service provider to something the cybercriminals want. From there, they control your URL resolutions (DNS lookups), and then they keep on poisoning your DNS cache.
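The race described above, where many fake answers arrive before the genuine one, only works if the resolver accepts whichever answer names the host it asked about. The following is an added example, not code from the article or from any real resolver: a toy stub-resolver cache built on hand-rolled DNS wire format (A records only, no name compression, no source-port randomization or DNSSEC). With `verify=False` it caches the first answer for the queried name and is poisoned by the flood; with `verify=True` it also requires the 16-bit transaction ID to match the one it sent and the answer name to equal the question, so every spoofed answer with a wrong ID is dropped. The hostnames and addresses are constructed values.

```python
import secrets
import struct

# Added example (not from the article): a toy stub-resolver cache showing why a
# flood of spoofed answers poisons a cache that skips the transaction-ID check.

def encode_name(name):
    """Encode a hostname in DNS wire format (length-prefixed labels)."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"

def decode_name(data, offset):
    """Decode a wire-format name (this toy does not handle compression pointers)."""
    labels = []
    while data[offset] != 0:
        length = data[offset]
        labels.append(data[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels), offset + 1

def build_query(txid, qname):
    """Standard recursive query (RD=1) for an A record."""
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_name(qname) + struct.pack("!HH", 1, 1)

def build_response(txid, qname, ip, ttl=300):
    """Response carrying the question and one A record for qname."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)
    rdata = bytes(int(o) for o in ip.split("."))
    answer = encode_name(qname) + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata
    return header + question + answer

def parse_response(packet):
    """Pull txid, question name and the first A record out of a response."""
    txid = struct.unpack("!H", packet[:2])[0]
    qname, off = decode_name(packet, 12)
    off += 4                                    # skip QTYPE / QCLASS
    aname, off = decode_name(packet, off)
    _, _, ttl, rdlen = struct.unpack("!HHIH", packet[off:off + 10])
    off += 10
    ip = ".".join(str(b) for b in packet[off:off + rdlen])
    return {"txid": txid, "qname": qname, "aname": aname, "ip": ip, "ttl": ttl}

class StubResolverCache:
    """Tracks outstanding queries and caches the first accepted answer.

    verify=False: take the first answer naming the host we asked about.
    verify=True:  additionally require the transaction ID we sent and an
                  answer name equal to the question (RFC 5452-style checks).
    """
    def __init__(self, txid_source, verify=True):
        self.txid_source = txid_source
        self.verify = verify
        self.pending = {}      # qname -> txid we sent
        self.cache = {}        # qname -> ip
        self.rejected = 0

    def send_query(self, qname):
        txid = self.txid_source()
        self.pending[qname] = txid
        return build_query(txid, qname)

    def receive(self, packet):
        r = parse_response(packet)
        expected = self.pending.get(r["qname"])
        if expected is None:
            self.rejected += 1                  # nothing outstanding for this name: drop
            return False
        if self.verify and (r["txid"] != expected or r["aname"] != r["qname"]):
            self.rejected += 1                  # wrong ID, or answer for another name: drop
            return False
        self.cache[r["qname"]] = r["ip"]
        del self.pending[r["qname"]]            # first accepted answer wins; later ones are ignored
        return True

def simulate_race(resolver, qname, genuine_ip, fake_ip, guessed_txids):
    """Spoofed answers (one per guessed ID) arrive before the genuine answer does."""
    query = resolver.send_query(qname)
    real_txid = struct.unpack("!H", query[:2])[0]
    for guess in guessed_txids:
        resolver.receive(build_response(guess, qname, fake_ip))
    resolver.receive(build_response(real_txid, qname, genuine_ip))
    return resolver.cache.get(qname)

if __name__ == "__main__":
    # Constructed values: 198.51.100.10 is the genuine address, 203.0.113.5 the fake one.
    naive = StubResolverCache(lambda: 0, verify=False)
    print("no ID check:      ", simulate_race(naive, "thewindowsclub.com", "198.51.100.10", "203.0.113.5", range(10)))
    hardened = StubResolverCache(lambda: secrets.randbelow(1 << 16))
    print("ID + name check:  ", simulate_race(hardened, "thewindowsclub.com", "198.51.100.10", "203.0.113.5", range(10)),
          "rejected:", hardened.rejected)
```

A correct ID guess still wins the race even with `verify=True`, which is why production resolvers also randomize the UDP source port (another 16 bits an attacker must guess) and why DNSSEC validation, not timing, is the real fix for forged answers.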
How to prevent DNS Hijacking
We have already discussed how to prevent DNS poisoning. To stop or prevent DNS Hijacking, it is recommended that you use good security software that keeps malware such as DNS changers away. Use a good firewall. While a hardware-based firewall is best, if you do not have one you could at least turn on your router’s firewall.
If you think you are already infected, it is better to delete the contents of the HOSTS file and reset the Hosts file. After doing this, go ahead and use antimalware that helps you get rid of DNS changers.
Check whether a DNS changer has changed your DNS. If it has, you should change your DNS settings. You can check this automatically. Alternatively, you can check the DNS manually: start by checking the DNS servers configured in the router, then those on the individual computers on your network. I would recommend that you flush your Windows DNS cache and change your router’s DNS to some other DNS, like Comodo DNS, OpenDNS, Google Public DNS, Yandex Secure DNS, Angel DNS, etc. A secure DNS in the router is better than configuring each computer.
There are tools that may interest you: F-Secure Router Checker will check for DNS hijacking, this online tool checks for DNS hijacking, and WhiteHat Security Tool monitors DNS hijacking.
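The two manual checks above (is the hosts file pinning names to addresses, and are the configured resolvers the ones you expect) can be scripted once the configuration has been collected. The following is an added example, not code from the article or from any of the tools it names; it runs offline on constructed text. The hosts-file audit ignores blocklist-style entries (0.0.0.0 or 127.0.0.1) and flags any name pinned to another address, since such an entry overrides DNS for that name. The resolver audit compares the configured addresses against an expected list; the Google Public DNS and OpenDNS addresses in that list are real, the private router address is an assumption to be replaced with your own.

```python
import ipaddress

# Added example (not from the article): offline checks for the two DNS-changer
# symptoms the article tells you to look for. All sample data is constructed.

# Resolvers you expect to see. 8.8.8.8/8.8.4.4 (Google Public DNS) and
# 208.67.222.222/208.67.220.220 (OpenDNS) are real; 192.168.1.1 is an
# assumed router address, substitute the one your network actually uses.
EXPECTED_RESOLVERS = {"192.168.1.1", "8.8.8.8", "8.8.4.4", "208.67.222.222", "208.67.220.220"}

def audit_resolvers(configured, expected=EXPECTED_RESOLVERS):
    """Return (entry, reason) for every configured resolver that is not expected."""
    findings = []
    for entry in configured:
        try:
            addr = ipaddress.ip_address(entry)
        except ValueError:
            findings.append((entry, "not an IP address"))
            continue
        if str(addr) not in expected:
            findings.append((entry, "not an expected resolver"))
    return findings

def audit_hosts(hosts_text):
    """Flag hosts-file lines that pin a hostname to a routable address.

    Lines pointing at 0.0.0.0 or a loopback address (ad blocklists, the
    default localhost entry) are left alone; anything else bypasses DNS for
    that name and deserves a look.
    """
    findings = []
    for lineno, raw in enumerate(hosts_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()       # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            findings.append((lineno, raw.strip(), "malformed address"))
            continue
        if addr.is_loopback or addr.is_unspecified:
            continue
        for name in fields[1:]:
            findings.append((lineno, name, f"resolves to {addr} without DNS"))
    return findings

# Constructed hosts-file content: one blocklist entry, the localhost entry,
# and one line that silently redirects a bank's hostnames.
SAMPLE_HOSTS = """\
# localhost name resolution is handled within DNS itself.
0.0.0.0   ads.example.net          # blocklist-style entry, harmless
127.0.0.1 localhost
203.0.113.5  www.examplebank.test login.examplebank.test   # constructed: suspicious
"""

# Constructed resolver list as it might be read from an adapter's settings.
SAMPLE_RESOLVERS = ["192.168.1.1", "198.51.100.99", "eight.eight.eight.eight"]

if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print("hosts file:", finding)
    for finding in audit_resolvers(SAMPLE_RESOLVERS):
        print("resolver:  ", finding)
```

On Windows the inputs would come from `%SystemRoot%\System32\drivers\etc\hosts` and the adapter DNS settings; on the router, from its admin page. A hit from either audit is a reason to reset the hosts file and restore the resolver settings before the malware scan the article recommends.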
Now read: What is Domain Hijacking and how to recover a hijacked domain.