The Internet uses the Domain Name System (DNS) to associate the names of computers with their numeric internet protocol addresses (IP addresses). The top level of the domain name hierarchy, known as the root-level DNS, contains the highest level domains that appear as the suffixes of all Internet domain names, for example “.com”, “.net” and “.uk”. The official root-level DNS is administered by the Internet Corporation for Assigned Names and Numbers (ICANN). ICANN is responsible for managing these top level domains (“TLDs”). ICANN cooperates with national registries that are responsible for allocating and administering country level domain names. There are also a number of other organisations that operate unofficial DNS root servers, which administer alternative custom (i.e. non-ICANN sanctioned) top-level domains, e.g. “.wj” or “.dh”. A DNS root is an entity that has one or more servers that administer the same domain information. Therefore, when the term “DNS root server” is used throughout the present application, it is to be understood that this can mean a single server, a cluster of servers behind one IP address, or a cluster of servers in which each server has its own IP address.
Having an official DNS run by ICANN and the national authorities enables the easy removal, or “take down”, of web sites that may be engaged in illegal activity, such as hosting malicious software (“malware”) or illegal material. For example, computer viruses or other malware will often, once installed on a computer, download additional components from some web page in order to perform a malicious activity, and domain take downs provide one of the chief weapons against such activity. By taking down the domain on which the components are hosted, the malware cannot obtain the components that it requires to function.
Unfortunately, domains that are administered by alternative DNS root servers cannot be taken down as easily as domains administered by official ICANN DNS root servers. This has led to TLDs administered by alternative DNS root servers being used to host illegal and non-mainstream material. Moreover, as a consequence of high-profile domain takedowns, there is a significant move to create more alternative DNS root servers.
FIG. 1 shows an example of a typical process that is carried out when a website is accessed from a client computer using a domain name. In this example, the website being accessed is example.com. The client computer makes a connection to the DNS server at the client computer's internet service provider (ISP), and asks for the IP address for the domain name. The ISP DNS Server then connects with the root-level DNS servers and requests the IP address of the top level domain (TLD) name server that handles .com queries. The root servers return the requested IP address back to the ISP DNS Server, which then makes a connection with the TLD name server and requests where it can find information regarding example.com. The TLD name server will then respond with the IP address of a host name server. The host name server will be maintained by the webhost for the domain name and will hold the details that map the domain name with an IP address. The ISP DNS server makes a connection to the host name server and requests where it can find example.com. The host name server will respond with the IP address for example.com and the ISP DNS server will relay this IP address back to the client computer.
Caching can reduce the workload of the name servers. For example, when the IP address for a domain name has been provided to the ISP DNS server, it can store that IP address in a temporary cache. Then when another request to access the same domain name arrives at the ISP DNS server, that server can return the IP address to the client computer immediately without having to communicate with the name servers again. In addition to caching at the ISP DNS server, client computers themselves can also contain a temporary cache of recently viewed websites, meaning that the client computer does not even have to send the repeat request to the ISP DNS server. All information stored in these temporary caches, both at the ISP and on the client computer, will however have originated from the name servers.
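The lookup chain and the ISP-side cache described above can be traced in a small simulation. This is an added example, not part of the original text: the name server tables, the documentation-range addresses and the fixed cache lifetime (ttl) are constructed assumptions.

```python
# Constructed data: a tiny simulated DNS hierarchy (documentation-range addresses).
ROOT = {"com": "192.0.2.1"}                                      # root: TLD -> TLD name server
TLD_SERVERS = {"192.0.2.1": {"example.com": "192.0.2.53"}}       # TLD NS: domain -> host name server
HOST_SERVERS = {"192.0.2.53": {"example.com": "203.0.113.10"}}   # host NS: domain -> IP address


class IspResolver:
    """Simulated ISP DNS server: walks root -> TLD -> host name server, then caches."""

    def __init__(self, root, ttl=300):
        self.root = root
        self.ttl = ttl                 # assumed cache lifetime in seconds
        self.cache = {}                # name -> (ip, expiry time)
        self.upstream_queries = 0      # requests sent to any name server

    def resolve(self, name, now):
        hit = self.cache.get(name)
        if hit and hit[1] > now:
            return hit[0]              # answered from cache, no upstream traffic
        tld = name.rsplit(".", 1)[-1]
        self.upstream_queries += 1     # 1. ask the root for the TLD name server
        tld_ns = self.root.get(tld)
        if tld_ns is None:
            return None                # this root does not know the TLD
        self.upstream_queries += 1     # 2. ask the TLD server for the host name server
        host_ns = TLD_SERVERS.get(tld_ns, {}).get(name)
        if host_ns is None:
            return None
        self.upstream_queries += 1     # 3. ask the host name server for the address
        ip = HOST_SERVERS.get(host_ns, {}).get(name)
        if ip is not None:
            self.cache[name] = (ip, now + self.ttl)
        return ip
```

A name under a TLD that the configured root does not carry (for example one ending in ".wj") stops at step 1 and returns no address.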
The client computer is not restricted to only sending DNS requests to the ISP DNS server. It can alternatively be configured to use any other DNS server, for example the DynDNS.org DNS server or Google Public DNS server.
DNS hijacking is the practice of redirecting DNS requests to other DNS root servers. If a computer is infected by malware, the malware may change the DNS root server assignment without the user's consent such that all DNS requests are sent to an alternative DNS root server. The alternative DNS root server may simply be used to resolve DNS requests to domains that are hosted at an alternative TLD which would not be resolved by an official DNS root server. Additionally, the alternative DNS root server may act as a “rogue” DNS root server, and when the user tries to visit legitimate websites, they are instead redirected to a “bogus” website. This type of attack is termed “pharming”. If the bogus site that the user is redirected to is a malicious website that masquerades as the legitimate website in order to fraudulently obtain sensitive information, it is termed phishing.
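From the defender's side, the three effects described above (a changed DNS server assignment, names under alternative TLDs resolving, and legitimate names resolving to unexpected addresses) can each be checked on a host. The following is an added example, not part of the original text: the resolv.conf-style input, the approved resolver list, the TLD set and the reference answers are all constructed assumptions.

```python
import ipaddress

# Assumptions (constructed): approved resolvers, a small set of official TLDs,
# and reference answers previously obtained from a trusted resolver.
APPROVED_RESOLVERS = {"192.0.2.53", "192.0.2.54"}
OFFICIAL_TLDS = {"com", "net", "uk"}
TRUSTED_ANSWERS = {"example.com": {"203.0.113.10"}}


def configured_resolvers(resolv_conf_text):
    """Extract nameserver addresses from resolv.conf-style text."""
    servers = []
    for line in resolv_conf_text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                servers.append(str(ipaddress.ip_address(parts[1])))
            except ValueError:
                continue  # skip malformed entries
    return servers


def audit(resolv_conf_text, observed_answers):
    """Return findings for resolver drift, alternative-TLD resolution and pharming."""
    findings = []
    for server in configured_resolvers(resolv_conf_text):
        if server not in APPROVED_RESOLVERS:
            findings.append(("unapproved_resolver", server))
    for name, ips in sorted(observed_answers.items()):
        tld = name.rstrip(".").rsplit(".", 1)[-1].lower()
        if tld not in OFFICIAL_TLDS and ips:
            findings.append(("alternative_tld_resolved", name))
        expected = TRUSTED_ANSWERS.get(name)
        if expected is not None and not set(ips) <= expected:
            findings.append(("answer_mismatch", name))
    return findings


# Constructed sample: a changed resolver setting plus answers observed on the host.
SAMPLE_CONF = "# set by DHCP\nnameserver 198.51.100.7\nnameserver 192.0.2.53\n"
SAMPLE_ANSWERS = {"example.com": ["198.51.100.99"], "files.wj": ["198.51.100.20"]}
```

An answer mismatch alone is not proof of pharming, since legitimate sites may return different addresses over time; it is a signal to investigate together with the resolver setting.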