DNS Hijacking also called DNS Poisoning or DNS spoofing, is a tactic commonly used by authoritarian regimes to restrict access, block, and censor content on the Internet.
This censorship can be achieved by forcing local Internet Service Providers (ISPs) to implement the hijacking, or by monitoring and inspecting traffic directly at strategic routing points. The biggest example of DNS hijacking is the Great Firewall.
What is DNS?
Every website has an IP address which is linked to its URL by a Domain Name Server (DNS). When you type a URL, like expressvpn.com, into the address bar of your browser, the address is sent to a DNS server.
A DNS server keeps a record of the IP address of every website and its corresponding URL, which your computer will lookup and connect to the URL you entered. It is very similar to a phone book, in which the names of people are listed with their physical address. On the DNS server, The URL acts as the name and the IP is the address.
Several companies publish the DNS addresses of websites, and an algorithm allows them to stay up to date at the same time. Unless the DNS server is malicious or poorly configured, it does not matter much which one you use.
The Domain Name System is generally operated by your Internet Service Provider, but you can change it in your settings (see more on this below).
Watch the following video for a more graphic explanation of what a DNS is.
When a computer reaches out to a DNS server to resolve an IP address, it often does not make adequate checks to make sure it’s connecting to the right DNS server. Instead, it might have been hijacked and served an incorrect response by an attacker in between the computer and the DNS server, perhaps from a compromised or rogue router.
It is also possible for a DNS server to poison its records, which means replacing the IP address of the site you want to visit with the IP address of another site, or simply removing the IP address altogether. This is similar to a phone book removing certain names or companies from their records, or swapping a listing’s address to that of another company.
DNS redirecting like this make it possible for a sophisticated attacker to impersonate websites, gathering personal information such as passwords and IP addresses.
DNS Spoofing to Censor the Internet
Many countries implement Internet censorship by requiring Internet Service Providers to drop certain domains from their DNS servers, though this is a relatively easily circumvented form of censorship.
But when the entire network is controlled by an authoritarian regime they could block non-complicit DNS servers entirely or employ Deep Packet Inspection to selectively block or misdirect requests.
How to Prevent DNS Hijacking
DNSSEC (Domain Name System Security Extensions) is a bit like a DNS hijacking test, or rather protection, that allows a computer to verify the integrity of the DNS server it is connecting to by using encryption. It greatly reduces the risk of an attacker impersonating a DNS, though unlike HTTPS in web servers, it is not easy for the user to set up, verify and monitor.
How to Change DNS Server Tutorials
You can protect yourself from censorship by your local Internet Service Provider by changing the DNS server.
For instructions on how to change your DNS server, click the link for your device or OS:
You can also change your DNS server to an independently-run DNS service, such as Google DNS or OpenDNS. There are strong privacy concerns to choosing the right DNS server. After all, they will see every domain you try to connect to. But this is also a great reason for taking this power out of the hands of your Internet Service Provider.
ExpressVPN – DNS Hijacking Fix and Prevention
ExpressVPN runs its own DNS servers and when you are connected to ExpressVPN you automatically use these servers — so no one else can get hold of your information or hijack your connection. This ensures that all sites you visit resolve properly and cannot be censored by a government or Internet Service Provider.