The Domain Name System
When we want to visit a website, such as Google, we type google.com into the address box of a web browser. Browsers and computers do not use domain names like google.com, however; they use IP addresses.
An IP address consists of four numbers between 0 and 255, like this: 184.108.40.206. When you type google.com into the address box, the browser communicates with a DNS (Domain Name System) server, which supplies the IP address. The browser can then access the web server using this IP address and get the Google home page.
The computer needs to know the address of a DNS server in order to query it when it needs to know the IP address of a website. It can get this information from the router. If you do not manually specify which DNS servers to use, and most people don't, the ones stored in the router are used.
Changing DNS servers
Now imagine malware or a hacker got into the router or computer settings and changed the DNS server addresses to their own. The computer and web browser will use these, and every lookup will then be answered by servers provided by the malware or hacker, which can direct your internet traffic wherever they choose.
This would mean that instead of going to websites you think are safe, such as your online bank, eBay, PayPal, and other places, you are redirected without knowing it to a site operated by the malware or hacker. Login details could then be stolen.
DNS hijacking could also be used to change the content in web pages, such as adverts. This would then earn money for the perpetrators.
This is a serious security problem called DNS poisoning or DNS hijacking and it has been known to happen. It isn't just theoretical.
We looked at manually changing DNS servers in a previous article, and malware can do this too, although not for speed and performance. Quite the opposite.
Check your router
You can easily check that your router is OK and that safe DNS servers are in use with Router Checker from the security company F-Secure.
Open a web browser and go to the site: campaigns.f-secure.com/router-checker/en_global/
Click the Check your router button. The result is displayed after a few seconds and it should not report any problems.
Click See technical details of the results to get information about your DNS servers and internet connection.
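To see which DNS servers a Windows PC is actually configured with, independent of the router check, the added example below (not part of the original article) parses the text of `ipconfig /all` and reports any server that is not on a list you expect. The sample output, the 192.168.1.1 router address and the 203.0.113.53 server are constructed, and the parser assumes English-language output.

```python
import ipaddress

# Constructed sample of `ipconfig /all` output (not captured from a real machine).
SAMPLE = """\
Windows IP Configuration

Ethernet adapter Ethernet:

   Media State . . . . . . . . . . . : Media disconnected

Wireless LAN adapter Wi-Fi:

   DHCP Enabled. . . . . . . . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.1.23(Preferred)
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 192.168.1.1
                                       203.0.113.53
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

def dns_servers_by_adapter(text):
    """Return {adapter name: [DNS server addresses]} from `ipconfig /all` text."""
    servers, adapter, in_dns = {}, None, False
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():            # unindented line: section header
            adapter, in_dns = line.rstrip(":").strip(), False
            continue
        key, sep, value = line.partition(" : ")
        if sep:                              # "Key . . . : value" line
            in_dns = key.strip(" .") == "DNS Servers"
        else:                                # continuation of the previous key
            value = line
        if in_dns and value.strip():
            addr = value.strip().split("%")[0]   # drop any IPv6 zone id
            servers.setdefault(adapter, []).append(str(ipaddress.ip_address(addr)))
    return servers

def unexpected_dns(text, expected):
    """Return {adapter: [servers not in the expected set]}, omitting clean adapters."""
    allowed = {str(ipaddress.ip_address(a)) for a in expected}
    found = dns_servers_by_adapter(text)
    report = {name: [a for a in addrs if a not in allowed] for name, addrs in found.items()}
    return {name: bad for name, bad in report.items() if bad}

if __name__ == "__main__":
    # Expected list here is just the (constructed) router address.
    print(unexpected_dns(SAMPLE, expected={"192.168.1.1"}))
```

On a real PC, feed it the output of `ipconfig /all` and pass the addresses you set yourself, or your router's address, as `expected`.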
What if your DNS has been hijacked?
Suppose your DNS servers have been altered to something malicious. What do you do?
- Stop using the internet
- Change your DNS servers
You can manually enter the DNS servers to use and this overrides whatever is supplied by the router or your ISP. Here’s how to do it in Windows 10. Older versions of Windows are very similar.
Router hijacking affects not only your PC, but also every computer, phone, tablet and device that connects to the router.
Change DNS servers
1. Right click the network/Wi-Fi icon at the right side of the taskbar and select Open Network and Sharing Centre.
2. Click the link next to Connections (it probably says your router name).
3. Click Properties in the Wi-Fi status window.
4. Double click Internet Protocol Version 4 (TCP/IPv4) in the list.
5. In the lower part of the next window, select Use the following DNS server addresses. Enter 220.127.116.11 and 18.104.22.168, then click OK, OK, Close.
Those IP addresses are Google’s DNS servers. Not everyone likes Google, but at least you’re not going to get malware.
An alternative to these is OpenDNS. Use 22.214.171.124 and 126.96.36.199.