DNS Hijacking Countermeasures (Unix)


Post by Benjamin

DNS Hijacking Countermeasures

What is DNS?

DNS is an acronym for Domain Name Server. DNS servers can be compared to digital phone books. When you type in a domain name, a DNS server will look up the corresponding IP address for that domain.

What is DNS Hijacking?

DNS hijacking (AKA DNS redirection) occurs when a DNS server returns an invalid IP. Your browser will connect to the IP address returned by the DNS server. If a rogue DNS server is returning an invalid IP address, your web page request will be processed by an impostor.

How does this affect me?

You may notice that you are redirected to a landing page filled with advertisements when you mistype a domain name into your browser. A few ISPs (Internet Service Providers) have begun to redirect traffic on invalid domains for the purpose of generating revenue.

What can I do about it?

I found this to be very annoying. The landing page didn't display any useful information and I would have much rather seen an error page displayed. The following steps detail how I was able to regain control of the hijacked DNS responses and turn them into something useful.

The end result is that invalid domain name requests are now automatically redirected to Google, where I can now view a nice set of search results. An added benefit is that I am now able to use the web address bar in my browser as a search bar.

This was done on Ubuntu 9.10; exact changes on your system may vary. This can be done on Windows systems as well; however, you will need to look up the exact locations for your hosts and Apache configuration files.

Step 1:

The first thing I did was add an entry to my /etc/hosts file. The domain name you are redirected to when a DNS query is hijacked will be displayed in your browser. Assign this domain name a local IP address on your system. In my case, I added the following line:

Code:

127.0.0.3       assist.mediacomcable.com

Step 2:

Next, view the contents of /etc/apache2/mods-enabled/. You'll want to ensure that rewrite.load is present. If not, execute the following command from within that directory.

Code:

sudo ln -s ../mods-available/rewrite.load rewrite.load

Step 3:

Next we will add a virtual host to Apache. This will accept connections on the IP address specified in the /etc/hosts file. In my case this was 127.0.0.3. Working in the directory /etc/apache2/sites-available/, create a file named auto_redirect.

Code:

<VirtualHost 127.0.0.3>
  ServerName assist.mediacomcable.com
  DocumentRoot "/var/www/autosearch"

  DirectoryIndex index.php
  <Directory />
    Options Indexes MultiViews FollowSymLinks
    AllowOverride All
    Order deny,allow
    Deny from all
    Allow from 127.0.0.3
  </Directory>
</VirtualHost>
 
In my case, I will only allow connections to this host from my own host. Any other host attempting to access this will receive a 403 error. You'll need to set the document root to the location of the folder we will be creating in step 5. Both IP addresses must be the same as what was set in /etc/hosts.

Now that the file is created we must place a symbolic link into the sites-enabled folder.

Code:

cd ../sites-enabled/
sudo ln -s ../sites-available/auto_redirect auto_redirect

Step 4:

Restart Apache

Code:

sudo /etc/init.d/apache2 restart

Step 5:

In your web root, create a folder named autosearch. On my system this is located at /var/www/autosearch/.

Create an .htaccess file. This will reroute all requests to index.php.

Code:

RewriteEngine on
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ index.php [L,QSA]

Create index.php with the following code:

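Code:

<?php
// Search term comes from the 'domain' query parameter; urlencode() keeps it confined to the q= value.
$query = urlencode(isset($_GET['domain']) ? $_GET['domain'] : 'invalid request');
header("Location: http://google.com/search?hl=en&q=$query");
exit; // stop here so nothing is sent after the redirect header

All done!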

If everything was done correctly you will have solved the DNS hijacking issue and will now be redirected to useful results if you mistype a domain name.
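
The following Python check is an added example, not part of the original post: it confirms whether the configured resolver is rewriting failed lookups by resolving random names that should not exist and reporting any addresses returned. The function names, the probe name format and the use of the .com TLD are assumptions made for illustration.

```python
import secrets
import socket


def system_resolve(name):
    """Return the IPv4 addresses the system resolver gives for name (empty set if none)."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return set()  # NXDOMAIN or lookup failure: the honest answer for a bogus name
    return {info[4][0] for info in infos}


def probe_nxdomain_rewriting(resolve=system_resolve, probes=3, tld="com"):
    """Resolve random names that should not exist; report whether they get answers.

    Returns {'rewritten': bool, 'answers': {name: [ips]}, 'landing_ips': [ips]}.
    """
    answers = {}
    for _ in range(probes):
        # Constructed probe: 32 random hex characters, assumed to be unregistered.
        # The trailing dot stops resolv.conf search domains from being appended.
        name = "www.%s.%s." % (secrets.token_hex(16), tld)
        ips = resolve(name)
        if ips:
            answers[name] = sorted(ips)
    # Only call it rewriting when every bogus name resolved; a single hit could be
    # a freak registration, while a rewriting resolver answers all of them.
    rewritten = probes > 0 and len(answers) == probes
    landing = set()
    if rewritten:
        # Addresses shared by all answers are the landing-page servers.
        landing = set.intersection(*(set(v) for v in answers.values()))
    return {"rewritten": rewritten, "answers": answers, "landing_ips": sorted(landing)}


if __name__ == "__main__":
    result = probe_nxdomain_rewriting()
    if result["rewritten"]:
        print("Resolver answers nonexistent names; landing IPs:", result["landing_ips"])
    else:
        print("No NXDOMAIN rewriting seen; answers:", result["answers"])
```

Run it before and after switching DNS servers to see whether the rewriting comes from the ISP resolver or from somewhere else on the path.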