Man-in-the-Middle (MITM): DNS Hijacking

The adversary is trying to perform a Man in the Middle (MITM) attack using Domain Name System (DNS) hijacking. DNS hijacking, also referred to as DNS redirection, occurs when DNS queries are incorrectly resolved so that the client is unexpectedly redirected to an attacker-controlled server. To carry out this attack, the adversary must compromise the target client or router, or intercept DNS traffic using other MITM techniques.[1]

DNS can be hijacked in the following ways:

  • Local DNS hijack — the adversary compromises the client and changes its local DNS settings to redirect the user to an attacker-controlled server.
  • Router DNS hijack — the adversary exploits and takes over a vulnerable router to overwrite its DNS settings, affecting all users connected to that router.
  • MITM DNS attacks — the adversary intercepts communication between a user and a DNS server and supplies different destination IP addresses that point to an attacker-controlled server.
  • Rogue DNS Server — the adversary compromises a DNS server and changes its DNS records to redirect DNS requests to an attacker-controlled server.[1]
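As an added detection-side example (not part of the original page), the following script audits a host's local DNS configuration for the first vector listed above, a local DNS hijack: it flags resolvers that are not on an approved list and hosts-file entries that pin a monitored domain to a fixed address. The approved resolvers, monitored domains and both sample files are constructed for illustration.

```python
# Constructed policy: the resolvers the organisation actually operates.
APPROVED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}
# Constructed list of names that must never be pinned in the hosts file.
MONITORED_DOMAINS = {"login.example.com", "mail.example.com"}

# Constructed sample files: one approved resolver, one unknown resolver,
# and a hosts entry that overrides resolution of a monitored domain.
SAMPLE_RESOLV_CONF = """# Generated by NetworkManager
search corp.example.com
nameserver 10.0.0.53
nameserver 203.0.113.7
"""
SAMPLE_HOSTS = """127.0.0.1   localhost
::1         localhost
203.0.113.7 login.example.com   # unexpected static override
"""

def parse_resolvers(resolv_conf: str) -> list[str]:
    """Return the nameserver addresses declared in a resolv.conf body."""
    resolvers = []
    for line in resolv_conf.splitlines():
        parts = line.split("#", 1)[0].split()   # strip comments, tokenize
        if len(parts) >= 2 and parts[0] == "nameserver":
            resolvers.append(parts[1])
    return resolvers

def parse_hosts(hosts_file: str) -> dict[str, str]:
    """Map each hostname in a hosts file body to the address it is pinned to."""
    pinned = {}
    for line in hosts_file.splitlines():
        parts = line.split("#", 1)[0].split()
        for name in parts[1:]:            # address first, then one or more names
            pinned[name.lower()] = parts[0]
    return pinned

def audit_local_dns(resolv_conf: str, hosts_file: str) -> list[str]:
    """Return one finding per deviation from the expected local DNS setup."""
    findings = []
    for addr in parse_resolvers(resolv_conf):
        if addr not in APPROVED_RESOLVERS:
            findings.append(f"unapproved resolver configured: {addr}")
    for name, addr in parse_hosts(hosts_file).items():
        if name in MONITORED_DOMAINS:
            findings.append(f"hosts file pins {name} to {addr}")
    return findings

if __name__ == "__main__":
    for finding in audit_local_dns(SAMPLE_RESOLV_CONF, SAMPLE_HOSTS):
        print("ALERT:", finding)
```

On a live host the same functions can be fed the contents of /etc/resolv.conf and /etc/hosts (or their Windows equivalents) from an endpoint agent, with the approved-resolver set taken from the organisation's DHCP or configuration-management source of truth.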

Mitigations

This attack technique cannot be easily mitigated with preventive controls, since it relies on the abuse of legitimate system features.

References

ID: VT0022.002
Sub-techniques: (none listed)
Tactics: Credential Access, Collection
Platforms: Cloud, Linux, MacOS, Unix-like, Windows

Created: 30 December 2020

Last Modified: 04 January 2021