What is DNS?
The Domain Name System (DNS) is the internet's address book—it translates human-readable domain names like google.com into machine-readable IP addresses like 142.250.190.46. Without DNS, you'd need to memorize IP addresses for every website you visit.
Key DNS Record Types:
- A Record: Maps domain to IPv4 address
- AAAA Record: Maps domain to IPv6 address
- CNAME Record: Creates domain aliases
- MX Record: Specifies mail servers
- TXT Record: Stores text data (used for verification)
How DNS Resolution Works
When you type example.com in your browser, here's what happens:
The DNS Resolution Flow
- Browser Cache Check: Browser checks its local DNS cache
- OS Cache Check: Operating system checks its cache
- Recursive Resolver: Your ISP's DNS server (or public DNS like 8.8.8.8)
-
Root Server: Points to appropriate TLD server (
.com,.org, etc.) - TLD Server: Points to authoritative nameserver for the domain
- Authoritative Server: Returns the actual IP address
- Response Cached: Result stored with TTL (Time To Live)
DNS Server Types:
- Recursive Resolver: Does the heavy lifting, queries multiple servers
- Authoritative Server: Holds the actual DNS records for a domain
DNS Lookup in Node.js
// Using the native dns module with promises
import { promises as dns } from 'dns';
const lookupDomain = async (domain) => {
try {
// Resolve A records (IPv4)
const addresses = await dns.resolve4(domain);
console.log(`${domain} resolves to:`, addresses);
// Get all record types
const records = await dns.resolveAny(domain);
console.log('All records:', records);
return addresses[0];
} catch (error) {
console.error('DNS lookup failed:', error.message);
}
};
lookupDomain('google.com');
TTL (Time To Live): Determines how long DNS records are cached. Lower TTL = more frequent queries but faster updates.
What is DNS Hijacking?
DNS hijacking occurs when attackers redirect DNS queries to malicious servers, sending users to fake websites without their knowledge. It's like changing street signs to misdirect travelers.
Common DNS Hijacking Methods
1. Router Compromise
Attackers modify DNS settings in home/office routers to use rogue DNS servers. All devices on the network are affected.
2. DNS Cache Poisoning
Injecting false DNS data into a resolver's cache. When users query the poisoned domain, they receive the attacker's IP address.
3. Man-in-the-Middle (MITM) Attacks
Intercepting DNS queries between user and resolver, then providing false responses.
4. Malware
Trojan software modifies local DNS settings or hosts file to redirect traffic.
5. Registrar Compromise
Gaining access to domain registrar accounts to change authoritative nameservers.
Real-World Scenario
In 2019, attackers hijacked DNS records for several cryptocurrency exchanges:
- Users typed legitimate URLs (e.g.,
myexchange.com) - DNS returned attacker's IP address
- Users landed on identical-looking phishing sites
- Login credentials stolen and accounts drained
Detecting DNS Configuration Changes
import { promises as dns } from 'dns';
const monitorDNS = async (domain, expectedIP) => {
try {
const currentIPs = await dns.resolve4(domain);
if (!currentIPs.includes(expectedIP)) {
console.warn(`DNS HIJACKING ALERT!`);
console.warn(`Expected: ${expectedIP}`);
console.warn(`Received: ${currentIPs.join(', ')}`);
// Trigger security alert
return { hijacked: true, currentIPs };
}
console.log(`DNS verified for ${domain}`);
return { hijacked: false, currentIPs };
} catch (error) {
console.error('DNS check failed:', error.message);
}
};
// Monitor critical domains
setInterval(() => {
monitorDNS('yourdomain.com', '203.0.113.42');
}, 300000); // Check every 5 minutes
DNS Hijacking Prevention Checklist
For Users:
- Use secure DNS providers (Google DNS:
8.8.8.8, Cloudflare:1.1.1.1) - Enable DNS-over-HTTPS (DoH) or DNS-over-TLS (DoT) in browsers
- Change default router admin credentials
- Keep router firmware updated
- Use antivirus with DNS protection
For Developers & DevOps:
- Implement DNSSEC (DNS Security Extensions) for cryptographic validation
- Enable Registry Lock at your domain registrar
- Use two-factor authentication on registrar accounts
- Monitor DNS records with automated checks (like the code above)
- Set up CAA records to prevent unauthorized SSL certificate issuance
- Implement SPF, DKIM, DMARC for email security
DNSSEC Validation in Node.js:
import { Resolver } from 'dns';
const resolver = new Resolver();
resolver.setServers(['8.8.8.8']); // Use DNSSEC-validating resolver
const checkDNSSEC = async (domain) => {
try {
const records = await resolver.resolve(domain, 'DNSKEY');
console.log(`DNSSEC enabled for ${domain}`);
return true;
} catch (error) {
console.warn(`DNSSEC not configured for ${domain}`);
return false;
}
};
checkDNSSEC('cloudflare.com');
Conclusion
DNS is a foundational internet protocol that developers often take for granted—until something goes wrong. Understanding how DNS resolution works helps you diagnose connectivity issues, optimize application performance, and recognize security threats.
DNS hijacking remains a serious threat because it's invisible to users and can bypass many security measures. By implementing DNSSEC, monitoring DNS records programmatically, and using encrypted DNS protocols, you significantly reduce your attack surface.
Key Takeaways:
- DNS translates domains to IPs through a hierarchical query process
- Caching at multiple levels improves performance but can be exploited
- DNS hijacking redirects traffic by manipulating DNS responses
- Modern defenses include DNSSEC, DoH/DoT, and registry locks
Top comments (0)