Today, the internet is a tool for navigating the world more easily. It’s also an inseparable part of most people’s jobs. The internet helps us find and share information, relax, and understand many topics. But as with many good things, the internet has a dark side.

Bad actors exploit the benefits the online world gives society, and thus, we must protect against such risks. Businesses need to be aware of the threats that lurk on the internet and find ways to battle them.

Domain Name System (DNS) filtering is one of the most effective ways to prevent unwanted content. Companies employ this feature to minimize the potential of online risks. As a side-effect, this even helps improve employee productivity.

NordLayer has researched how their client companies use DNS filtering functionality. For example, organizations tend to block access to manga or underwear websites more than social networks. This report will reveal exciting findings that suggest best practices your company could try out, too. So, let’s go!

About the research

The statistics mentioned below were acquired by analyzing aggregated data gathered by NordLayer’s DNS filtering service in February of 2024. No identifiable business or user information was collected, reviewed, or otherwise involved when the research and compiled results were conducted.

Category statistics in the research contain 54 varieties. The report overviews data from the main markets by country and continent.

What is DNS filtering

DNS filtering is like having a selective gatekeeper for your internet browsing.

Imagine you’re trying to get to a party (a website) in a big city (the internet). Instead of navigating through complex streets (IP addresses), you tell your driver (the DNS) the party’s name (domain name), like NordLayer.com.

Now, imagine some parties aren’t safe to attend for various reasons. They might be hosting shady characters (malicious websites) or engaging in activities you’d rather avoid (harmful/inappropriate content).

DNS filtering steps in as a responsible friend who advises you on which parties are safe and match your preferences, blocking the risky ones and guiding you to secure enjoyable destinations.

Or, put it shortly:

For businesses, DNS filtering becomes a powerful tool. Managers can set rules on what types of websites employees can visit during work hours on company-managed networks.

By doing so, they enhance the security of company data and protect employees from stumbling into digital pitfalls like phishing websites. It’s a smart way to ensure the online environment is not only productive but also safe from threats lurking around the internet’s corners.

Most common online threats DNS filtering prevents

DNS filtering helps mitigate the exposure to risks users face while browsing the internet. It includes viruses, spyware and malware, various types of phishing attacks, botnet-escalated threats, and more.

• Malware. Malicious software, including viruses, worms, Trojans, and ransomware, can cause significant damage to systems or networks. DNS filtering stops these threats by preventing access to websites that distribute malware.

• Botnets. Networks of infected devices can be remotely controlled to launch attacks. DNS filtering can disrupt the communication between these devices and command-and-control servers, mitigating the threat.

• Adware. Often annoying and potentially harmful software that displays unwanted ads. DNS filtering can prevent access to adware-distributing sites, enhancing user experience and security.

• Viruses. They are malicious programs designed to infect and damage computers and networks. DNS filtering prevents access to websites known for distributing viruses, thus reducing the risk of infections and safeguarding system integrity.

• Spyware. Software that secretly monitors and gathers information from individuals or organizations. By blocking sites known to distribute spyware, DNS filtering helps protect privacy and sensitive data.

Overview of DNS categories

First, let’s overview DNS categories. Grouping these categories will help us better see the tendencies of what types of sites are considered to be malicious or at least avoidable. The goal here is to create clusters that share a common theme or purpose, making it easier to manage preferences or restrictions based on user needs, security protocols, or compliance requirements.

By grouping these categories, we create a framework that aids in designing more nuanced and effective DNS filtering strategies, ensuring a balance between user freedom and network security, compliance, or productivity goals. This approach highlights the diversity of online content and the complexities involved in managing internet access responsibly.

Restricted websites: which categories get blocked the most?

Let’s uncover the digital no-go zones together. From shadowy corners harboring malware to tempting and time-sinking entertainment sites like 9GAG and BuzzFeed, we’ll explore the top categories that companies across the globe consistently consider too risky or distracting for open access.

Trends of blocking DNS categories

The top 10 DNS-blocked categories offer a revealing glimpse into the primary concerns that motivate organizations to filter internet content. Here’s a breakdown, highlighting what each category suggests about current priorities in network security and content management:

1. Malware (72%): reflects the universal concern for protecting networks and devices from malicious software designed to damage or exploit them.

2. Adult content (72%): indicates efforts to maintain a professional work environment, comply with workplace policies, and possibly avoid legal issues related to inappropriate content access.

3. Phishing (70%): underlines the emphasis on safeguarding sensitive information against deceitful attempts to obtain it through fraudulent websites.

4. Illegal or unethical (56%): shows the commitment to corporate ethics and legality, blocking access to content that could harm the company’s legal standing or moral integrity.

5. Cryptojacking (54%): highlights the growing concern over unauthorized cryptocurrency mining, which can significantly drain network and device resources.

6. DDoS-as-a-Service (51%): reflects awareness of the threat posed by services offering to disrupt networks through Distributed Denial of Service (DDoS) attacks, emphasizing the need for preventive measures.

7-8. Repeatedly infected websites (44%) and Stalkerware (44%): these categories signal an understanding of the ongoing risks associated with websites known for recurrent malware issues and software that covertly monitors users, stressing continuous vigilance.

9. Hacking (43%) points to the necessity of blocking access to sites that could serve as gateways to hacking tools or knowledge, protecting against unauthorized access or data breaches.

10. Gambling (43%): suggests an effort to prevent potential legal and productivity issues related to gambling, which can also be a source of financial fraud and addiction among employees.

These insights highlight a strategic approach to DNS filtering, balancing between defense against security threats, compliance with legal and ethical standards, and the promotion of a focused and safe work environment.

The prevalence of security-related categories (like malware, phishing, and hacking) alongside those aimed at maintaining workplace standards (such as blocking adult content and gambling) shows a comprehensive effort to mitigate risks and support corporate values.

The landscape of DNS blocking reveals a clear prioritization among organizations, with the most blocked categories—malware, adult content, and phishing—highlighting a strong focus on security and maintaining a professional workplace environment.

Despite maintaining a professional environment, the biggest focus remains on blocking cyber-attack-affiliated content. 7 categories in the top 10 are related to malicious activities of a third party. Here’s why it’s so important:

• In 2022, the digital threat landscape continued to evolve at an alarming rate, with cybercriminals launching 5.5 billion malware attacks using emails and websites as their primary weapons. Fast forward to 2023, and the sophistication of these attacks has only intensified.

• Artificial intelligence (AI) now aids in crafting phishing emails so convincingly that 65% of users were tricked into disclosing personal information.

• The closing quarter of 2023 witnessed a surge in hacking activities, culminating in data breaches that exposed over 8 million records globally, underscoring the relentless efforts of cybercriminals.

• Meanwhile, in 2022, EMEA led with over 35% of spyware (stalkerware) detection, North America followed with 25%, and the Asia-Pacific region accounted for 20%.

• By the second quarter of 2023, the threat had diversified further, with around 1.28 million infected sites identified, showcasing the ever-expanding arsenal of cybercriminal tactics.

• The accessibility of DDoS attacks as a service was highlighted by the startlingly low cost of USD 750 for month-long assaults on unprotected websites, revealing a commercial or business-oriented aspect of cyber warfare.

• Cryptojacking attempts, nearly reaching 140 million in 2022, illustrated another aspect of this complex threat, with attackers secretly harnessing victims’ computing power for cryptocurrency mining.

The research suggests that blocking these categories of websites is a critical component of an organization’s cybersecurity strategy. It helps safeguard the network, protect sensitive data, and ensure the smooth operation of business processes by mitigating risks before they can manifest.

Minimizing distraction, increasing productivity

The percentages of companies blocking various categories provide a fascinating snapshot of the priorities and concerns of modern businesses regarding internet usage. Here’s a deeper dive into what these figures might reveal:

• Dating sites (30%): this is the most blocked category, indicating a widespread concern among companies about the personal use of company resources and potential distractions. It also highlights efforts to maintain professionalism and focus in the workplace.

• Bitcoin (22%): blocking cryptocurrency sites, particularly Bitcoin, reflects concerns over security risks associated with cryptocurrency transactions and the potential for these sites to be linked with illegal activities. Additionally, it suggests an effort to prevent employees from engaging in speculative, non-work-related activities.

• VPN (21%): companies restricting VPN services are likely to prevent employees from bypassing network security measures and accessing restricted content. This emphasizes the importance of controlling network traffic and maintaining security protocols.

• Games (19%): blocking gaming sites indicates recognition of the productivity drain these sites can cause. It’s a move to minimize distractions and ensure employees remain focused on their responsibilities.

• Astrology (15%): while it might seem surprising to see astrology websites blocked more frequently than social networks, this decision could stem from a desire to limit access to content considered unscientific or a distraction from work.

• Social networks (7%): interestingly, social networks are the least blocked category among those listed, suggesting a nuanced approach by companies towards these platforms. This lower percentage may reflect the recognition of social media’s role in professional networking, marketing, and communication strategies, balancing the potential for distraction against the benefits of connectivity.

These trends recognize the evolving role of technology and the internet in the professional landscape while safeguarding company assets and fostering a focused work environment.

DNS filtering differences by regions

Despite various available DNS categories, companies block 10 different types of online content on average. In Asia, we see a more restrictive approach than in Europe and North America. Each region adapts its approach to DNS filtering to meet its unique challenges and objectives best.

The variance in DNS categories blocked between companies in Europe and North America versus Asia likely boils down to four main factors:

• Regulatory differences. Asian countries often have stricter internet regulations, requiring more categories to be blocked for compliance. In contrast, European and North American regulations may allow for more freedom online, resulting in fewer restrictions.

• Cultural norms. Asian companies might block more categories to align with conservative societal values. In contrast, Western regions may adopt a more liberal stance, focusing on blocking only for security, legal, or productivity reasons.

• Cybersecurity threats. A different cybersecurity threat landscape could influence the decision to block more categories in Asia, requiring broader preventive measures than the targeted strategies in Europe and North America.

• Work culture and business practices. Asian workplaces often emphasize a strict separation between work and personal life, leading to more extensive blocking to maintain productivity. Western companies might encourage a balance, needing fewer content restrictions.

Looking at North American, European, and Asian markets, we can see that Western regions equally consider malware as their top priority for blocking, while Eastern regions prioritize blocking illegal or unethical content. Adult content like pornography sites and explicit content is the overall second pick, with Europe leading the group.

The approach to blocking DNS categories varies across North America, Europe, and Asia, reflecting each region’s unique cybersecurity landscape and cultural nuances.

Malicious websites are a top concern worldwide, with North America leading slightly in terms of proactive blocking measures. This consensus underscores a global recognition of the threats posed by malicious sites, with regional adjustments based on specific cyber landscapes and regulations.

The handling of adult content varies, with Europe’s slightly higher blocking rate likely indicative of its stringent content regulations. North America and Asia also prioritize this category, revealing a common aim to maintain a secure online environment.

Phishing attacks are universally combated, showcasing the necessity of robust defenses against this widespread threat. North America’s marginally higher blocking rate highlights the persistent challenge phishing poses across regions.

Asia stands out for its markedly higher blocking of illegal/unethical content and services like DDoS-as-a-Service and gambling, reflecting its strict legal and cultural frameworks. The lack of emphasis on hacking in Europe suggests a different focus or reliance on alternative defensive tactics.

Stalkerware and repeatedly infected sites show varied attention, pointing to regional differences in perceived threat levels. Europe’s unique focus on drugs aligns with its specific policies, while Asia’s concern for cryptocurrencies and dating sites highlights regional security and social considerations.

Importance of proactive online security

DNS filtering serves three pivotal roles in managing online interactions: security, compliance, and productivity. Each role focuses on a distinct goal, but all link to the idea of controlling access to certain types of online content.

Security: preventing malicious or NSFW activity

At its core, DNS filtering is about keeping users safe from harmful content. This includes blocking access to websites known for phishing, malware distribution, or those hosting adult content unsuitable for all audiences.

The aim is straightforward: to protect users from threats that could compromise their personal information and device integrity or expose them to inappropriate content. DNS filtering acts as a first line of defense against numerous online security threats by preventing access to these sites.

Compliance: blocking content for device and network security

Compliance takes the security concept a step further by enforcing specific regulatory or policy requirements. This might involve blocking access to illegal download sites to comply with copyright laws or restricting gambling sites to adhere to corporate policies or legal frameworks.

DNS filtering for compliance ensures that the organization and its users operate within the bounds of legal and ethical standards, thereby protecting the organization from legal issues and maintaining its reputation.

Productivity: limiting personal matters

The third pillar focuses on enhancing productivity by limiting access to websites unrelated to work or the task at hand. This includes social media platforms, video streaming sites, and other distracting websites that can significantly reduce productivity to stay focused.

By restricting access to these sites during work hours, DNS filtering helps organizations ensure that their resources are utilized efficiently and that employees remain focused on their responsibilities.

Network performance: enhancing internet speed optimization

A critical yet often overlooked aspect of DNS filtering is its role in optimizing network performance and internet speed. This optimization process involves restricting access to high-bandwidth websites.

Video streaming services, file-sharing platforms, and large-scale download sites can significantly consume excessive amounts of internet bandwidth. When left unchecked, these activities can greatly degrade network speeds, impacting the individual’s productivity and overall organizational efficiency.

Each direction serves a specific purpose, yet they all share the common goal of optimizing the online environment according to the organization’s needs.

Why choose NordLayer DNS filtering service?

Choosing NordLayer’s DNS filtering service offers organizations a suite of powerful benefits designed to enhance their network security, improve productivity, and ensure a safer online environment for all users.

Here’s why NordLayer stands out as a preferred option for DNS filtering:

NordLayer’s DNS filtering service offers a comprehensive solution that addresses key organizational needs—from security and productivity to compliance and ease of management.

Its blend of advanced features, customization options, and reliable performance makes it an ideal choice for businesses looking to strengthen their network security and operational efficiency.

How to block employees from accessing websites

Already have NordLayer but didn’t enable the content filtering feature? Here’s how to do it:

1. Go to Control Panel → Network → Servers or Gateways. Choose the dedicated server, click Configure next to it, and select DNS Filtering by Category (Beta) from the dropdown menu.

2. In the request form, select which categories you want to filter. With NordLayer, you can currently choose from 53 DNS categories to block (find the list below).

3. Once you’re done, click on Request DNS Filtering by Category. Please allow up to 24 hours for the feature to be enabled. You will get an email with the confirmation once it’s ready.

Navigating the world of IT support and cybersecurity services can feel like exploring a maze. Two terms that often come up are MSP and MSSP. Though they sound similar, their roles in the IT ecosystem are distinct.

Let’s dive in to clarify these differences, helping you identify which service aligns best with your IT and cybersecurity needs.

What is an MSP?

An MSP, or Managed Service Provider, acts as your IT department’s extension or sometimes its entirety.

They manage a spectrum of IT services, from network and infrastructure to software management and support. MSPs aim to ensure your IT operations run smoothly, efficiently, and without interruption, focusing on maintenance and optimization.

What is an MSSP?

MSSP stands for Managed Security Service Provider. While MSPs cover the broader IT landscape, MSSPs focus on cybersecurity.

They monitor and manage your security devices and systems and offer threat intelligence, incident response, and more. Essentially, they’re your cybersecurity guardians, proactively defending your digital assets against threats.

Key differences between MSP and MSSP

MSPs serve as a full IT department, offering various services like network management and software updates. Their primary goal is to ensure the seamless operation and reliability of your IT infrastructure. MSPs are the technology stewards, ensuring your systems are efficient, up-to-date, and scalable to support your business objectives.

MSSPs focus narrowly yet deeply on cybersecurity, acting as vigilant protectors against cyber threats. They specialize in monitoring, managing, and responding to security risks, employing a suite of services designed to protect businesses from digital dangers. Their services range from real-time threat monitoring to incident response and compliance management, all aimed at fortifying your organization’s cybersecurity posture.

To neatly summarize the distinctions, let’s lay MSP vs. MSSP out in a table:

Here’s a breakdown of their primary differences:

MSPs focus on the broader spectrum of managing and optimizing IT infrastructure and operations. They offer a wide range of services, including:

• Managing networks, servers, and cloud services

• Providing software management and updates

• Help desk support and IT consulting.

The core objective of MSPs is to enhance operational efficiency and support business growth, acting essentially as an outsourced IT department.

MSSPs, on the other hand, specialize in protecting businesses from cyber threats and ensuring data security. Their services are centered around:

• Incident response

• Compliance management

• Security assessments.

They use advanced methods to detect and prevent cyber threats, acting as a dedicated cybersecurity team for their clients.

While MSPs are all about ensuring that the IT infrastructure is running smoothly to support and enhance business operations. MSSPs, on the other hand, dive deeper into the cybersecurity aspect, ensuring that businesses are safeguarded against the increasing number of cyber threats.

In many cases, businesses benefit from the combined strengths of both types of providers to ensure both operational excellence and robust security.

What is the difference between MSSP and MDR?

While MSSPs focus on managing and monitoring security services, MDR (Managed Detection and Response) providers take a more hands-on approach to actively hunting, detecting, and responding to threats. Think of MSSPs as your cybersecurity watchdogs, while MDR services are the special forces that detect and neutralize threats.

MSP and MSSP: the market growth

The global managed services market has seen consistent growth, driven by businesses’ increasing reliance on IT infrastructure and the need for efficient, scalable solutions.

According to projections, this market could grow significantly, reaching a substantial valuation by 2028. This growth is fueled by the ongoing digital transformation in various sectors, necessitating managed IT services to support operations, data management, cloud services, and customer relations.

The managed security services market is also on a robust growth trajectory, with a specific focus on cybersecurity services.

The escalating threat landscape propels this market’s expansion, regulatory compliance requirements, and the complexity of cybersecurity solutions. Businesses are increasingly outsourcing their cybersecurity needs to MSSPs to protect against data breaches and cyber-attacks and to ensure data privacy and compliance with regulations.

Factors defining MSP market growth

• Digital transformation: as businesses continue to digitize operations, the demand for comprehensive IT services, including cloud management, data analytics, and network infrastructure, grows.

• Cost efficiency: MSPs offer a cost-effective solution for businesses to manage their IT needs without the overhead of an in-house IT department.

• Scalability and flexibility: the ability of MSPs to scale services according to business needs is a key driver, allowing companies to adjust their IT services based on growth and seasonal demands.

Factors responsible for MSSP market growth

• Cybersecurity challenges: the increasing sophistication of cyber threats drives demand for MSSPs as businesses seek specialized expertise to navigate the complex cybersecurity landscape.

• Regulatory compliance: With growing regulatory pressures around data protection, businesses turn to MSSPs for compliance assurance and to avoid potential fines.

• Advanced threat detection and response: the need for 24/7 monitoring and quick response to security incidents has become critical, making MSSPs an essential partner for businesses.

Market differences

While both MSPs and MSSPs are integral to the IT and cybersecurity ecosystem, their markets differ primarily in focus and expertise.

MSPs are broad, covering all aspects of IT management and support, catering to businesses’ operational and efficiency needs. In contrast, MSSPs are specialized, focusing solely on cybersecurity services to protect businesses from digital threats and ensure compliance with data protection laws.

The MSP market is defined by its operational support and infrastructure management role, appealing to businesses looking for end-to-end IT services. The MSSP market, however, is driven by the need for specialized cybersecurity services, attracting businesses focused on enhancing their security posture in the face of increasing cyber threats.

Can an MSP be an MSSP?

Yes, the line between MSPs and MSSPs can blur. Some MSPs evolve to include MSSP functions, offering a hybrid model that covers both IT management and security services. This evolution reflects the growing importance of cybersecurity across all IT operations.

The managed service provider can indeed evolve into a Managed Security Service Provider. Still, this transformation requires a strategic approach, significant investment in skills and technology, and a commitment to adopting a security-first mindset.

Why make the transition?

The move from MSP to MSSP is often motivated by the growing demand for cybersecurity services. Businesses are increasingly aware of the risks posed by cyber threats and are seeking providers that can offer both IT management and robust security measures. By transitioning to an MSSP, providers can meet this demand, offering a one-stop shop for IT and security needs.

Moreover, this evolution allows providers to differentiate themselves in a crowded market, offering added value to clients through specialized security solutions. It also opens up new revenue streams, as businesses are willing to invest significantly in cybersecurity to protect their assets and reputation.

What are the deciding factors when choosing between an MSP and an MSSP for your business?

Comparing MSP vs. MSSP for your business comes down to understanding your core IT infrastructure management and cybersecurity needs. Here’s a streamlined approach to making that decision:

• Assess business IT capabilities: if a business lacks a dedicated IT department or needs to augment its existing IT capabilities, an MSP might be the right fit. MSPs provide comprehensive IT services, ensuring your infrastructure is robust and up-to-date, with increased efficiency supporting your business operations.

• Evaluate security requirements: if you’re particularly concerned about cybersecurity, face stringent regulatory compliance requirements, or handle sensitive data, leaning towards an MSSP makes sense. MSSPs specialize in protecting businesses from cyber threats with services like real-time monitoring, incident response, and compliance management.

• Consider business size and sector: small to medium-sized businesses often find MSPs suitable for their broader IT needs, while larger organizations or those in high-risk sectors (e.g., finance, healthcare) may prioritize the specialized security services of an MSSP.

• Budget and investment: determine the budget for IT and cybersecurity services. MSPs can offer more predictable costs for a range of IT services, while MSSPs might represent a higher investment focused on advanced security measures.

• Future growth and scalability: think about business future needs. An MSP can help scale the IT infrastructure as your business grows, whereas an MSSP will ensure your cybersecurity posture scales in tandem with your risk exposure.

Selecting either an MSP or an MSSP boils down to understanding your specific needs:

How NordLayer boosts MSP capabilities

Third-party providers like NordLayer step in as a powerful solution for MSPs, enhancing their capabilities to manage and secure networks with comprehensive security solutions. It offers features like Secure Remote Access, Zero Trust network architecture, and advanced threat protection.

• Security monitoring. NordLayer amplifies MSPs’ ability to offer continuous security monitoring, which is crucial for early threat detection and maintaining a vigilant cybersecurity posture. This ensures clients are protected around the clock from a broad spectrum of cyber threats.

• Security operations. With NordLayer’s security solutions, MSPs can enhance their security operations through automation and advanced analytics, speeding up incident response and bolstering defenses against evolving cyber threats, thereby elevating the level of service to clients.

• Endpoint protection. NordLayer supports MSPs in implementing robust endpoint protection and safeguarding client devices against malware and other attacks, which is essential for the integrity and security of client networks.

• Data protection. By offering encryption and secure access controls, NordLayer assists MSPs in protecting clients’ sensitive data against unauthorized access, aligning with information security regulations, and enhancing clients’ trust.

• Cloud services. NordLayer enables secure access to cloud services, protecting data in transit to and from the cloud, an essential feature for businesses leveraging cloud-based solutions and security operations in today’s digital environment.

• Providing cybersecurity services. Integrating NordLayer allows MSPs to expand their cybersecurity services, covering everything from security monitoring to data protection, meeting the increasing demand for comprehensive cybersecurity solutions.

These tools bolster an MSP’s service offering and ensure clients’ networks are both accessible and secure. By performing risk assessment and integrating NordLayer, MSPs can provide a more robust IT and security infrastructure, reflecting the synergy between comprehensive IT support and dedicated cybersecurity measures.

Imagine trying to access a news website to catch up on the latest headlines. Still, instead of finding the articles you were looking for, you’re secretly redirected to a clone site designed to spread misinformation or to gather your personal data.

This scenario has become a reality for some, thanks to the Sea Turtle cyber espionage campaign. Linked to Turkey, this group has engaged in DNS hijacking, targeting not just any websites but those connected to telecommunications, media, ISPs, IT services, and Kurdish platforms in the Netherlands.

Their goal was to collect sensitive data on political dissidents and minority groups. DNS hijacking is often state-sponsored and used by governments to surveil and collect data on political adversaries and minority groups. These actors exploit the DNS system—essentially the internet’s phonebook—to manipulate how and where we access information online.

Businesses, too, face big risks from DNS hijacking. This threat can result in large financial losses, data breaches, and a decrease in customer trust. 

The cryptocurrency sector is especially at risk. Threat actors frequently hijack DNS to send users to fake websites and steal cryptocurrency assets. Because you can’t reverse cryptocurrency transactions, this approach is particularly dangerous. 

In this article, we’ll explore how to detect DNS hijacking in simple steps.

Key takeaways

• DNS hijacking is an attack where someone redirects you to a different site that they control, which might look like the one you wanted but can steal your information or harm your computer.

• The attack uses the DNS system, which normally helps your browser find websites, to send you to a fake website instead of the real one you wanted to visit.

• Look out for being sent to unexpected websites, your internet running slowly, or warnings about a website’s security certificate to catch DNS hijacking early.

• Protect yourself by using strong passwords for your router, updating its firmware, enabling DNSSEC validation, and using a VPN to encrypt your online activity.

• Incidents like the Sea Turtle campaign and the attack on a Brazilian bank show how serious DNS hijacking can be and why strong security measures are important.

• NordLayer helps protect against these threats with its DNS filtering service, which blocks harmful websites.

What is DNS hijacking?

Domain Name System (DNS) hijacking is a form of cyber-attack in which an attacker intercepts and redirects the DNS queries made by a user. Instead of reaching the intended website, the user is sent to a fraudulent site, often without realizing it. This technique can be used to steal personal information, distribute malware, or censor information.

Related articles

 

In Depth

What is content filtering?

13 Sep 202210 min read

 

Product Updates

NordLayer features in review: DPI & DNS filtering

27 Sep 20229 min read

 

How does DNS hijacking work?

DNS hijacking operates by using the DNS, which acts as the internet’s phonebook. Normally, when you enter a website address into your browser, your computer sends a DNS query to a DNS server to translate the domain name into an IP address. This IP address is what allows your browser to connect to the website’s server.

However, in a DNS hijacking scenario, an attacker intercepts or alters this query process. Instead of directing you to the correct IP address, the attacker redirects you to a fraudulent website or server that they control. This manipulated redirection can occur without any visible signs, making the user believe they are visiting a legitimate site.

For example, imagine you’re trying to log into your online banking account. You type the bank’s URL into your browser, expecting to be taken to your bank’s login page. If you’re a victim of DNS hijacking, you are sent to a counterfeit version of the bank’s website instead of reaching the real banking site. This site looks identical to the real one, but when you enter your login credentials, they are captured by the attacker.

Types of DNS hijacking

Understanding the various types of DNS hijacking is crucial for maintaining our online safety. Let’s explore the most popular ones.

Local DNS hijacking

This happens when malware changes the DNS settings on your device. If this occurs, your device might take you to places on the internet that you didn’t intend to visit, risking your personal information. It’s essential to keep your antivirus software up to date to catch and remove such malware.

Router DNS hijacking

Attackers target your internet router and change its DNS settings. This action affects all devices using that router. It’s like someone redirecting all the mail from your house to somewhere else. 

Ensuring your router’s firmware is regularly updated and its password is strong is a good practice to prevent DNS hijacking.

Man-in-the-middle DNS hijacking

In this scenario, attackers intercept your DNS requests. It’s as if someone catches a letter you’re sending out, opens it, and sends it somewhere else without you knowing. 

Using secure networks and VPN services can help safeguard against such interceptions.

DNS server hijacking

Here, the attackers take control of a DNS server and change its DNS records. This means they can redirect traffic from many users to malicious websites. It’s a broad DNS attack, affecting many at once. 

Internet Service Providers and organizations managing DNS servers need to monitor and secure their servers diligently.

ISP DNS hijacking

Sometimes, your Internet Service Provider might redirect your DNS queries. Although these redirects aren’t always malicious, they can still introduce security risks. Using a custom DNS service can give you more control over where your queries go, enhancing your privacy and security.

Cache poisoning (DNS spoofing)

Cache poisoning, also known as DNS spoofing, is a technique where attackers insert false information into a DNS server’s cache. When this happens, your computer, which relies on the DNS server to translate website names into IP addresses, gets misled. It takes you to a different website controlled by the attacker.

A DNS resolver is a crucial part of this process. It’s the tool that your computer uses to ask the DNS server, ‘What is the IP address for this website?’ When the resolver receives incorrect information from a poisoned DNS cache, it unknowingly directs you to the wrong place.

The DNS cache is where the resolver stores IP addresses it has recently looked up. If the cache gets poisoned, even future DNS requests can lead to the wrong sites until the DNS cache is cleared or the false entries expire.

Preventing cache poisoning involves ensuring your DNS resolver uses DNSSEC (DNS Security Extensions). DNSSEC is a security measure that ensures the information your resolver receives is authentic.

Rogue DNS server

If you’re tricked into using a rogue DNS server, it will intentionally mislead you by taking you to the wrong websites. This often leads to malicious websites. Being cautious about which DNS server you use and opting for reputable DNS providers can protect you.

Pharming

Pharming redirects you to fake websites without your click or consent, exploiting vulnerabilities either in your device or in DNS servers. It’s more sneaky than phishing. 

Employing robust security measures and staying vigilant about unusual browser behavior can help you stay clear of these traps.

DNS redirection by malware

When malware on your device redirects your DNS queries, it can make you think you’re visiting safe websites when you’re not. Regular scans with updated antivirus software can help detect and remove such malware.

DNS hijacking via trojan

A trojan can change your DNS settings or point you to a malicious DNS server. It often masquerades as legitimate software, tricking you into downloading it. Being cautious about what you download and keeping your security software up to date are good ways to avoid such threats.

Each type of DNS hijacking exploits our trust in the internet’s infrastructure. Remember, detecting DNS hijacking early and taking steps to prevent it are key to keeping your internet experience safe and secure.

Examples of DNS hijacking

Brazilian bank attack

Back in 2016, a big bank in Brazil was hit by a DNS hijacking attack. The threat actors changed the bank’s DNS settings, redirecting customers to fake websites instead of the bank’s real ones. These sites mimicked the bank’s authentic ones, tricking people into giving away their personal and banking info.

This incident showed how big of an impact DNS hijacking can have, especially on financial institutions, and showed the need to prevent DNS hijacking attacks. 

Sea Turtle campaign

The Sea Turtle campaign is a cyber espionage operation that started in 2019. It targets organizations across the globe to gather sensitive information. 

This group uses DNS hijacking because after redirecting internet traffic to malicious websites and stealing login credentials, they can spy on the data traffic of targeted entities. They opt for DNS hijacking because of its sneakiness; victims often don’t realize they’re visiting fake websites.

In 2024, Sea Turtle expanded its reach to include targets in the Netherlands, focusing on telecommunications, media, ISPs, IT services, and Kurdish websites. 

Iranian attack incidents

Iranian threat actors, known under the alias Lyceum, target the Middle East with DNS hijacking. They’ve introduced a new NET-based backdoor, evolving their tactics to manipulate DNS queries. 

The essence of this DNS hijacking lies in its execution through a macro-laced Microsoft Document, seemingly reporting legitimate news but actually serving as a trojan horse for the malware. It’s designed not just for spying but also for full control over the compromised systems. 

Companies need robust measures to detect and prevent DNS spoofing and similar DNS hijacking attacks.

How to detect DNS hijacking?

Here’s a guide on how to spot DNS hijacking, which includes simple steps that can help you figure out if a DNS attack has hit you.

Spot unexpected website redirects. Imagine you’re trying to visit your favorite news site but end up on a completely different page that asks for personal details. This could be a sign of DNS hijacking, where attackers redirect you to fake sites to steal your info.

Notice if your internet feels slow. If your web pages suddenly start taking longer to load, it might mean someone is messing with your DNS queries. This slowing down happens because the hijack adds extra steps to reach websites.

Use tools to check your DNS server. There are tools online that let you see if the DNS server your computer is using matches the one your Internet Service Provider (ISP) gave you. A mismatch might mean your DNS settings have been changed without you knowing.

Watch for SSL certificate warnings. When you visit a secure site, your browser checks its SSL certificate to ensure it’s safe. If you get a warning that something’s off, like the certificate doesn’t match the site’s name, it could mean you’ve been redirected to a harmful site by DNS hijacking.

Use network monitoring tools. These tools can spot odd behavior in your DNS traffic, like a sudden spike in DNS requests or visits to known bad sites. This can clue you in on possible DNS hijacking attempts.

Audit your DNS records. Check your domain’s DNS records with your registrar every so often. If you find changes you didn’t make, it might mean someone has hijacked your DNS.

Talk to your ISP. If you’re worried about DNS hijacking, a call to your ISP can be reassuring. They can check if the DNS servers you’re using are legit and offer tips on keeping your connection secure.

How to prevent DNS hijacking for businesses?

Keeping your online world safe from DNS hijacking is really important. Here’s a guide on how to prevent DNS hijacking attacks.

Pick secure DNS servers. DNSSEC stands for Domain Name System Security Extensions. It’s a set of protocols that add a layer of security to the DNS lookup process, ensuring the information your network receives hasn’t been tampered with. Opting for DNS servers that support DNSSEC minimizes the risk of your business being directed to fraudulent websites.

Update your router’s password. Routers often come with default passwords that are easily predictable. Changing these passwords to something strong and unique is crucial for keeping attackers out. 

Keep your router’s firmware fresh. Router makers often fix security holes with new firmware updates. Staying up-to-date helps block paths that threat actors could use for DNS hijacking.

Turn on DNSSEC validation. Enabling DNSSEC validation across your network means that DNS responses are checked for authenticity before being accepted. This prevents attackers from redirecting your internet traffic to malicious sites through spoofed DNS responses, a common tactic in DNS hijacking. 

Use a business VPN. A Virtual Private Network encrypts what you do online, shielding you from certain DNS hijacking methods. Choosing a trusted VPN service adds a solid layer of protection.

Install and update security software. Antivirus and anti-malware programs can catch and delete harmful software that might change your DNS settings. Keeping this software up to date is key to fighting off new threats. 

Update everything. Software updates often patch up security weaknesses. Regularly updating your system and applications protects you from being an easy target for DNS hijacking.

Watch your DNS settings. Keep an eye on the DNS settings on your company’s devices and router. If something looks off, dig deeper and fix it to ensure you’re not under attack.

Learn and share knowledge. Understanding this issue is key to keeping your network safe. Explain to your employees what DNS hijacking is, why it’s a problem, and how to spot if the network might be compromised. When people know what to look out for, they can help stop these attacks before they do harm.

Think about DNS filtering. These services stop your network from connecting to websites that are known to be harmful. They can also block attempts to contact servers that spread malware. Adding DNS filtering to your security plan is a good way to keep out threats that could lead to DNS hijacking. 

Beef up your network security. Using firewalls and following best practices for network security build a strong defense against unauthorized entries and various cyber threats, including DNS hijacking. These actions add extra layers of protection, which makes it harder for attackers to break into your network or carry out harmful activities.

Customize your DNS settings. Instead of sticking with your Internet Service Provider’s DNS, switch to custom DNS servers known for being secure. This gives you more control and reduces hijacking risks. 

How NordLayer can help

NordLayer steps in to help your company stay safe online with its DNS filtering service. This tool stops access to malicious websites and screens out content that might be harmful or distracting for your team.

Managers can set rules on what’s not allowed on the company’s networks. It acts like a shield, keeping team members safe from phishing and other harmful online stuff. This way, everyone can focus on their work without worrying about online threats.

Using NordLayer’s DNS filtering is easy and effective. Whenever someone tries to visit a website, NordLayer checks it against a list of safe and approved sites. If it finds a website that’s unsafe or on a blocklist, it won’t let the site load.

This step is great for stopping online threats before they can do any harm. Plus, NordLayer has a feature called ThreatBlock, which finds and blocks dangerous domains by pulling information from many places. Along with keeping your internet traffic safe with strong encryption and the ability to filter out more than 50 types of not-so-great content, NordLayer gives you a powerful way to keep your organization’s online space secure and productive. No matter the size of your team, NordLayer is ready to help you manage and protect your remote workers in a simple and effective way.