A DNS redirect is a technique where a client computer is directed to contact a different server than the one it initially requested. The result is that the client may end up on a different domain than they originally intended.
There are several common scenarios where you can use DNS redirects to do good:
Therefore, a thorough understanding of DNS redirects is very valuable for you as a site engineer. This post answers the question "what are DNS redirects?" and then goes through some of the most common types of redirection.
DNS redirects can be used for both beneficial and detrimental purposes. But on the other hand, DNS redirects are often exploited by attackers. For example, a hacker might maliciously direct an infected computer to download malware or phish a user to reveal sensitive information. Understanding how DNS works can help you protect your computer and data from scammers and hackers.
DNS redirection is a feature many hosting companies and domain name registrars offer. You can use various methods to accomplish redirects, but DNS redirection is the simplest. A DNS redirect allows you to point one domain name to another, achieving the same result as if you had changed your original domain's name servers.
DNS redirection is also referred to as domain name hijacking. As the name implies, hackers can use it for malicious purposes such as phishing or directing an infected computer to download malware. For example, an attacker may redirect traffic away from its intended destination and toward a server that hosts malware or other harmful content. The attacker would execute this by intercepting internet traffic, sending fake replies to DNS requests, and sometimes taking over control of the victim's network.
You can think of a DNS redirect as similar to looking up a book in a library card catalog. You find the right section, go there, and then look up the number corresponding to your desired book's location on one of the shelves. The librarian then brings you over to the correct shelf and finds your book. It's similar to what happens when you're searching for a website over the internet.
For example, when you type www.google.com into your browser, it's because you think Google should be located at that address. But the domain name isn't enough information to figure out where Google actually is. Luckily, your browser contacts a DNS server and asks it where Google is located on the web—just like looking up a book in the library's card catalog. The DNS server knows the exact address, so it makes your browser send requests to that location.
Now that you know what DNS redirection is and how it works, let's learn about the various types of DNS redirects.
CNAME redirection is a type of DNS redirection where one domain name is mapped to another. For example, if you want to map the domain name www.example.com to the domain name www.otherdomain.com, you would create a CNAME record with the name "www" and the value "otherdomain.com".
You can use URL redirection, or URL forwarding, to send web traffic to a different URL than initially requested. To set up URL forwarding, you can modify the DNS record for a domain name to point to a different web address. When users visit the original URL, the DNS redirects to the new URL. There are two types of URL redirection: permanent and temporary.
If you permanently moved a web address or URL traffic to another address, you would set up a permanent redirect. Also called a 301 redirect, it's the most common type of URL redirect. For example, when a user types gmail.com in their browser but gets redirected to mail.google.com, that's an HTTP 301 redirect. Here, the web server sends a message to the browser that the page has permanently moved to a new location. The browser then updates its cache with the latest information and continues to use the new site in the future.
You would use temporary (or 302) redirection when you have moved the original page temporarily but plan to restore the original location sometime in the future. 302 redirection directs traffic from the original web address to a new one, but only temporarily. Users could come back later, and the redirect will have disappeared, essentially allowing users to reaccess the original site. Temporary redirects have a negative impact on search engine optimizations (SEOs), as search engines might treat the content of these webpages as duplicates.
Hackers use the URL frame technique to inject malicious code into a website. They insert the code into the website's URL. When the victim visits the site, the code is executed. Hackers can use this technique to steal information or install malware on the victim's computer.
Commonly, an IP address redirect masks the IP address of a server or device. IP address redirection allows many domains to exist on one IP address. This makes it more difficult for hackers to know where all your websites are on the internet. Often, website owners use IP address redirection so they can use one IP address for multiple domain names. Web admins welcome these redirects because it saves them money and takes some pressure off their servers.
Finally, the last type of DNS redirection is a meta refresh redirect. This type of redirect sends traffic from one address to another using an HTML tag. A developer inserts meta refresh code into the HTML header of the website. The code then tells the web browser to refresh the page after a set amount of time. Meta refresh redirects send users to a new page without having to type the new URL into their web browser. It can be helpful if you change your website's design or layout and you want your users to see the latest changes as soon as possible.
Below is an example of the HTML code snippet you would use to achieve a meta refresh redirect:
<meta http-equiv="refresh" content="5; url=https://www.anotherdomain.com">
Here, the browser will be redirected to https://www.anotherdomain.com after five seconds. It's useful for certain types of navigation menus and other time-sensitive tasks.
Below are some security threats related to DNS redirection that you must be aware of.
Domain name registration can be easy to obtain; hackers can use automated scripts to search for unregistered domains that may be similar to well-known sites. Once they find an unregistered domain with a common typo, they can purchase it and set up their site for phishing purposes. For example, if you typed "fakebook" instead of "facebook" in your web browser address bar, you would end up at a compromised website that looks like the actual website and asks you to enter your login credentials.
In DNS cache poisoning, an attacker injects illegitimate data into the DNS cache. This causes the server to return the wrong information for a specific domain name. Hackers can use it to redirect users to a malicious website or steal data.
An attacker can change the client's configuration to point to an alternative nameserver or IP address. For example, routers have a built-in nameserver that clients query before going to their default ISP's nameservers. By exploiting a vulnerability on a router, attackers can then change the configuration that the client queries first.
In DNS spoofing, an attacker sends a fake DNS response to a victim's computer. This causes the victim's computer to believe that the malicious website is a legitimate one.
A man-in-the-middle attack is when an attacker intercepts and manipulates traffic between the victim's computer and the DNS server.
An attacker may delete legitimate DNS records, preventing a computer from receiving the proper IP address for a specific domain name.
The best way to protect yourself against DNS hijacking is by using Domain Name System Security Extensions (DNSSEC). This suite provides authentication for DNS responses, meaning that the authenticity of every response packet is cryptographically signed by the authority that sent it. DNSSEC ensures that clients receive a correct response from the queried domain and not a spoofed one. However, DNSSEC has been around since 2008, and many ISPs are yet to implement it into their DNS servers despite its availability.
ISP DNS servers currently don't have a feature that warns users when they have been redirected to a malicious IP. To protect yourself from DNS hijacking, it's also essential to check the authenticity of your DNS server's responses. The simplest way is by comparing what you expect a domain to be with your ISP's DNS response for that same domain. If these two values don't match, the DNS server's response has been spoofed.
For example, look up for the domain site24x7.com on your ISP's DNS server by using the command:
$ dig site24x7.com
And then look up site24x7.com on Google's DNS server, by using the command:
$ dig google.com @22.214.171.124
The results of these two commands should be the same. If they're not, then your ISP's DNS server has been spoofed.
Note: While DNSSEC is a handy security measure to protect your computer from attacks, it is not foolproof. There are still ways that an attacker could redirect your queries and make you think everything was fine. For example, they could redirect non-critical domains like bing.com and then have their malicious servers respond to critical requests like passwordreset.microsoftonline.com.
DNS redirects are a way of altering the DNS information associated with a domain name. You can use it for various purposes, including security, load balancing, and marketing, as it can direct users to different webpages. Understanding how DNS redirects work can help you protect your computer and data from malicious users, as well as preventing malware attacks and frauds.
Write for Site24x7 is a special writing program that supports writers who create content for Site24x7 “Learn” portal. Get paid for your writing.Apply Now