The Internet Protocol (IP) is the dominant network protocol used on the Internet. Two versions of IP are currently in use, IPv4 (IP version 4) and its successor, IPv6 (IP version 6). Computing systems that use IP to communicate are assigned an IP address. An IPv4 address is a 32-bit value that is unique within the network. It is common to represent IPv4 addresses in a dotted notation having four 8-bit components. For example, an IPv4 address may be 192.168.0.1. An IPv6 address is a 128-bit integer that is unique within a network. IPv6 addresses are typically represented as eight groups of four hexadecimal digits with the groups being separated by colons, for example 2001:0db8:0000:0042:0000:8a2e:0370:7334. Clearly, such numeric addresses are hard for users to remember. Therefore, IP addresses can be mapped to more easily remembered names. For example, the IP address 46.4.67.14 may be associated with “avast.com.” The Domain Name System (DNS) is a decentralized system in which domain names are translated to their associated Internet Protocol addresses. Each domain has an authoritative name server that publishes information about the domain and lower level name servers in the domain.
“DNS hijacking” (also referred to as “DNS redirecting”) is a common form of cyber-attack targeting the networks of end users. It is often combined with phishing or identity theft and is relatively easy to perform. In a DNS hijack scenario, an attacker modifies the DNS server settings of a computer or a router such that DNS queries made by the affected computer (or devices in the affected network) are sent to a DNS server under the attacker's control instead of a legitimate DNS server. Having this control, the attacker chooses one or more domain names that are to be hijacked, and configures the attacking DNS server to return an IP address of the attacker's choice (typically a malicious one, presumably hosting a phishing site or another cyber-attack) when queried for the chosen domain name(s). Thus, a victim using a web browser to navigate to www.examplebank.com will not contact the server belonging to Example Bank Corp., but a server entirely controlled by the attacker.
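A defender can look for both symptoms described above: a resolver setting that was changed, and answers for watched names that differ from answers obtained over a trusted path. The following Python sketch is an added example, not part of the original text; the function names, the resolv.conf-style input, the resolver allow-list and all sample addresses are assumptions constructed for illustration.

```python
import ipaddress

def parse_nameservers(resolv_conf_text):
    """Return the resolver addresses listed in resolv.conf-style text."""
    servers = []
    for line in resolv_conf_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            servers.append(ipaddress.ip_address(fields[1]))
    return servers

def unexpected_resolvers(configured, expected):
    """Configured resolvers that are not on the expected list."""
    allowed = {ipaddress.ip_address(a) for a in expected}
    return [s for s in configured if s not in allowed]

def hijacked_names(observed, reference):
    """Names whose observed answers share no address with the reference.

    Both arguments map a domain name to a list of address strings. Addresses
    are parsed first, so two spellings of one IPv6 address compare equal.
    """
    suspicious = {}
    for name, ref_addrs in reference.items():
        ref = {ipaddress.ip_address(a) for a in ref_addrs}
        got = {ipaddress.ip_address(a) for a in observed.get(name, [])}
        if got and not (got & ref):
            suspicious[name] = sorted(str(a) for a in got)
    return suspicious

# Constructed sample data, not real observations.
SAMPLE_RESOLV_CONF = """\
# written by the DHCP client
nameserver 192.168.0.1
nameserver 203.0.113.53
"""
EXPECTED_RESOLVERS = ["192.168.0.1"]
REFERENCE = {  # answers obtained over a trusted path (assumed)
    "www.examplebank.com": ["198.51.100.10"],
    "avast.com": ["46.4.67.14"],
}
OBSERVED = {  # answers returned by the resolver under test
    "www.examplebank.com": ["203.0.113.80"],
    "avast.com": ["46.4.67.14"],
}

if __name__ == "__main__":
    configured = parse_nameservers(SAMPLE_RESOLV_CONF)
    print("unexpected resolvers:", unexpected_resolvers(configured, EXPECTED_RESOLVERS))
    print("diverging names:", hijacked_names(OBSERVED, REFERENCE))
```

A diverging answer is a signal to investigate rather than proof of hijacking, because content delivery networks legitimately return different addresses to different clients.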