DNS hijacking

One of the functions of a DNS server is to translate a domain name into an IP address that applications need to connect to an Internet resource such as a website.

DNS servers are implicitly trusted by internet-facing computers and users to correctly resolve names to the actual addresses that are registered by the owners of an internet domain.

A rogue DNS server translates domain names of desirable websites (search engines, banks, brokers, etc.)

These practices violate the RFC standard for DNS (NXDOMAIN) responses,[28] and can potentially open users to cross-site scripting attacks.

In a web browser, this behavior can be annoying or offensive as connections to this IP address display the ISP redirect page of the provider, sometimes with advertising, instead of a proper error message.

However, other applications that rely on the NXDOMAIN error will instead attempt to initiate connections to this spoofed IP address, potentially exposing sensitive information.

In the UK, the Information Commissioner's Office has acknowledged that the practice of involuntary DNS hijacking contravenes PECR and EC Directive 95/46 on Data Protection, which require explicit consent for the processing of communication traffic.[13]

In Germany, in 2019 it was revealed that Deutsche Telekom AG not only manipulated its DNS servers but also transmitted network traffic (such as non-secure cookies when users did not use HTTPS) to a third-party company, because the web portal T-Online, to which users were redirected by the DNS manipulation, was no longer owned by Deutsche Telekom.

DNS software such as BIND and Dnsmasq offer options to filter results, and can be run from a gateway or router to protect an entire network.
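The following is an added example, not code from the article or from the BIND or Dnsmasq projects. It demonstrates two things described above: how the NXDOMAIN-substitution behaviour of a hijacking resolver can be detected (the resolver returns a NOERROR answer with an A record for a name that cannot exist), and how a gateway resolver can filter such results by rewriting any answer that points at the known redirect address back into a proper NXDOMAIN response. The filtering function is a simplified model of the kind of option Dnsmasq offers (its `bogus-nxdomain` setting); the exact semantics of that option are not reproduced. The DNS responses are constructed in the script itself, and `203.0.113.10` is a documentation address standing in for an ISP's redirect server.

```python
import secrets
import struct

RCODE_NOERROR = 0
RCODE_NXDOMAIN = 3
TYPE_A = 1
CLASS_IN = 1


def encode_name(name):
    """Encode a dotted name into DNS label wire format."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_response(txn_id, qname, rcode, answers=()):
    """Build a minimal DNS response for one A query (constructed sample traffic)."""
    flags = 0x8180 | (rcode & 0xF)  # QR=1, RD=1, RA=1, plus the response code
    header = struct.pack("!HHHHHH", txn_id, flags, 1, len(answers), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", TYPE_A, CLASS_IN)
    body = b""
    for ip in answers:
        rdata = bytes(int(o) for o in ip.split("."))
        # 0xC00C is a compression pointer back to the question name at offset 12
        body += b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, CLASS_IN, 300, 4) + rdata
    return header + question + body


def skip_name(msg, offset):
    """Return the offset just past a wire-format name (labels or a pointer)."""
    while True:
        length = msg[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:
            return offset + 2
        offset += 1 + length


def parse_response(msg):
    """Return (rcode, [A-record addresses]) from a DNS response."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0xF
    offset = 12
    for _ in range(qd):
        offset = skip_name(msg, offset) + 4  # skip QTYPE and QCLASS
    addrs = []
    for _ in range(an):
        offset = skip_name(msg, offset)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == TYPE_A and rdlen == 4:
            addrs.append(".".join(str(b) for b in rdata))
    return rcode, addrs


def random_probe_name(zone="example.com"):
    """A random label that no honest resolver can know; it must yield NXDOMAIN."""
    return secrets.token_hex(8) + "." + zone


def classify_resolver(msg):
    """Classify a resolver from its answer to a probe for a non-existent name."""
    rcode, addrs = parse_response(msg)
    if rcode == RCODE_NXDOMAIN:
        return "honest"
    if rcode == RCODE_NOERROR and addrs:
        return "nxdomain-hijack"
    return "unexpected"


def filter_bogus_nxdomain(msg, bogus_ips):
    """Gateway-side filter: if every A record points at a known redirect
    address, rewrite the response to NXDOMAIN so clients see a proper error.
    Simplified model of what a filtering resolver option does; not Dnsmasq code."""
    rcode, addrs = parse_response(msg)
    if rcode == RCODE_NOERROR and addrs and all(a in bogus_ips for a in addrs):
        txn_id, flags, qd = struct.unpack("!HHH", msg[:6])
        flags = (flags & 0xFFF0) | RCODE_NXDOMAIN
        q_end = 12
        for _ in range(qd):
            q_end = skip_name(msg, q_end) + 4
        # keep header and question, drop the substituted answer section
        return struct.pack("!HHHHHH", txn_id, flags, qd, 0, 0, 0) + msg[12:q_end]
    return msg


# Constructed sample responses to the same probe from two different resolvers
ISP_REDIRECT_IP = "203.0.113.10"  # documentation address used as a stand-in
PROBE = random_probe_name()
HONEST = build_response(0x1234, PROBE, RCODE_NXDOMAIN)
HIJACKED = build_response(0x1234, PROBE, RCODE_NOERROR, [ISP_REDIRECT_IP])

if __name__ == "__main__":
    print("honest resolver  :", classify_resolver(HONEST))
    print("hijacking resolver:", classify_resolver(HIJACKED))
    filtered = filter_bogus_nxdomain(HIJACKED, {ISP_REDIRECT_IP})
    print("after gateway filter:", classify_resolver(filtered))
```

Run against real traffic, the same probe logic applies: send an A query for a random label under a zone you control (or any zone that is known not to have wildcard records) and inspect the response code rather than just whether an address came back, because the substituted answers are otherwise indistinguishable from a real resolution.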

Screenshot of a dig command, showing a false response from an Iranian DNS server for a request to resolve Persian Wikipedia