Domain Name System (DNS) redirection, sometimes known as DNS hijacking, is the practice of altering the answers a DNS server returns so that a name resolves to an address other than the one its owner published. DNS redirection is used by some Internet Service Providers (ISPs) to bring up a search or help page instead of an error message when a website cannot be found. It can also be used to block websites that contain dangerous or illegal content, or as part of a “phishing” attack designed to steal personal information.
The DNS is a critical component of the Internet. DNS translates a domain name, such as wiseGEEK.com, into a series of numbers called an Internet Protocol (IP) address. A web browser or other software will then contact a server at that IP address. If a domain name does not exist in DNS at all, the server returns a “Non-Existent Domain” or “NXDOMAIN” result (a name that exists but has no address record gets an empty “no error” answer instead). The NXDOMAIN response, often the result of a misspelled domain name, normally causes a user’s web browser to display an error message.
DNS redirection replaces the NXDOMAIN result with the IP address of a search or help page operated by the ISP. These pages often contain suggestions that are close to what a user typed. This practice can be helpful for some users who are confused by cryptic error messages, but it is also a source of extra income for ISPs, as advertising is frequently found on these help pages. It can also cause problems for applications that rely on the NXDOMAIN result, such as mail servers that reject messages from domains that do not exist, or software that probes for a name to learn whether it is on a particular network. For this reason it is common for ISPs using DNS redirection to give users an “opt-out” preference.
In addition to being used on non-existent names, DNS redirection can be used to block access to websites known to contain malware, viruses, or illegal content. Rather than returning the real IP address of the illicit site, the DNS server returns the address of a page informing the user that the content has been blocked. This technique is used by some ISPs, but it is more frequently seen on public networks such as schools, libraries, and Internet cafes. Because the block lives only in the resolver, it is easily bypassed by pointing a computer at a different DNS server or by entering the site’s IP address directly.
Hackers or identity thieves can make use of DNS redirection for more insidious purposes. A type of attack known as “pharming” plants false DNS records on vulnerable servers, or changes the DNS settings of a victim’s computer or home router, and allows an attacker to redirect traffic to a fraudulent site. A “pharmed” DNS server might, for example, contain a false listing for an online banking site that leads to a carefully crafted fake designed to trick the user into revealing their personal information, a practice known as “phishing.” Because the browser’s address bar still shows the genuine domain name, an HTTPS certificate warning is often the only visible sign that something is wrong.
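The two checks a practitioner would want for the behaviours described above, the ISP-style NXDOMAIN redirection of the earlier paragraphs and the pharming of this one, can be built on the same small piece of code: a DNS message encoder and decoder. The example below is added here and is not part of the original article. It uses only the Python standard library, and the resolver replies it examines are constructed inline (the names and addresses, such as bank.example, 203.0.113.10 and 192.0.2.66, are assumed sample values from reserved documentation ranges), so it runs offline; the `query_resolver` function at the end sends a real UDP query and is only for use against a resolver you are allowed to test.

```python
"""Added example: minimal DNS wire-format helpers plus two checks.
(1) NXDOMAIN redirection: a random label under a real zone must not resolve.
(2) Pharming hint: compare a sensitive name's answer against a trusted resolver.
"""
import random
import socket
import string
import struct

RCODE_NOERROR, RCODE_NXDOMAIN = 0, 3
TYPE_A, CLASS_IN = 1, 1


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Encode a recursive A query for `name` (RFC 1035 header + question)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", TYPE_A, CLASS_IN)


def _read_name(msg: bytes, off: int):
    """Decode a possibly compressed name at `off`; return (name, offset after it)."""
    labels, jumped, end = [], False, off
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:  # compression pointer to an earlier name
            if not jumped:
                end = off + 2
            off, jumped = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF, True
            continue
        off += 1
        if ln == 0:
            if not jumped:
                end = off
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), end


def parse_response(msg: bytes) -> dict:
    """Return the reply's rcode and every IPv4 address in its answer section."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = _read_name(msg, off)
        off += 4  # skip QTYPE and QCLASS
    addrs = []
    for _ in range(an):
        _, off = _read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == TYPE_A and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return {"rcode": flags & 0x000F, "addresses": addrs}


def build_response(query: bytes, rcode: int, addrs) -> bytes:
    """Fabricate a reply to `query`; used only to construct offline samples."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, len(addrs), 0, 0)
    rrs = b"".join(struct.pack("!HHHIH", 0xC00C, TYPE_A, CLASS_IN, 300, 4)
                   + socket.inet_aton(a) for a in addrs)  # 0xC00C points at the question name
    return header + query[12:] + rrs


def random_probe_name(zone: str) -> str:
    """A 16-character random label that no one should have registered."""
    return "".join(random.choices(string.ascii_lowercase + string.digits, k=16)) + "." + zone


def classify_nxdomain_probe(resp: dict) -> str:
    """An honest resolver says NXDOMAIN; an A record means it substituted its own answer."""
    if resp["rcode"] == RCODE_NXDOMAIN:
        return "honest"
    if resp["rcode"] == RCODE_NOERROR and resp["addresses"]:
        return "redirected"
    return "inconclusive"


def answers_diverge(trusted: dict, local: dict) -> bool:
    """Pharming hint: the local resolver hands out an address the trusted one never did."""
    return bool(set(local["addresses"]) - set(trusted["addresses"]))


def query_resolver(resolver_ip: str, name: str, timeout: float = 2.0) -> dict:
    """Send one UDP query to `resolver_ip` and parse the reply (network; not used below)."""
    q = build_query(name, txid=random.randrange(1 << 16))
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (resolver_ip, 53))
        data, _ = s.recvfrom(4096)
    if data[:2] != q[:2]:
        raise ValueError("transaction ID mismatch")
    return parse_response(data)


# Constructed sample traffic (assumed values, not captured from any real resolver).
PROBE = build_query(random_probe_name("example.com"))
HONEST_REPLY = build_response(PROBE, RCODE_NXDOMAIN, [])
HIJACKED_REPLY = build_response(PROBE, RCODE_NOERROR, ["203.0.113.10"])  # ISP search page
BANK_QUERY = build_query("bank.example")
TRUSTED_REPLY = build_response(BANK_QUERY, RCODE_NOERROR, ["198.51.100.5"])
PHARMED_REPLY = build_response(BANK_QUERY, RCODE_NOERROR, ["192.0.2.66"])

if __name__ == "__main__":
    print(classify_nxdomain_probe(parse_response(HONEST_REPLY)))    # honest
    print(classify_nxdomain_probe(parse_response(HIJACKED_REPLY)))  # redirected
    print(answers_diverge(parse_response(TRUSTED_REPLY), parse_response(PHARMED_REPLY)))  # True
```

The NXDOMAIN probe is reliable because a sixteen-character random label is not going to exist in a real zone, so any address in the reply came from the resolver, not the zone. The divergence check is only a hint: sites behind a content delivery network legitimately return different addresses to different resolvers, so a mismatch should be followed up by looking at who owns the returned address and whether the site presents a valid certificate for the name.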