Improve Your Security: Check Your Router Hasn't Been Hijacked


DNS, or the Domain Name System, is the part of the internet that converts a name such as www.techsupportalert.com (which you can read, but which your browser cannot connect to on its own) into an IP address such as 72.52.134.16 (which your browser can connect to, but which you would not want to remember).

When you type techsupportalert.com into your browser, the first thing your computer does is ask the DNS system for the matching IP address, so that it can contact the correct server and request the page you asked for. For this site, surfing to http://72.52.134.16 works just as well (click the link if you don't believe me). It is not a feasible way to use the internet, though: addresses are hard to remember, and many servers host several sites on one address and rely on the name your browser sends to pick the right one, so a bare IP address does not always get you the site you wanted.

Your PC knows how to reach the DNS system because it is told the address of a DNS server when it joins the network, usually by your router. The router in turn is configured with the address of a DNS server, normally the one run by your internet service provider. There are also public alternatives, such as the well-known resolvers run by Google and OpenDNS.

Because DNS is so central to the correct functioning of the internet, attackers often try to subvert it. Some malware, for example, will try to change the DNS setting in your router, typically by logging in with the router's default administrator password or abusing a flaw in its web interface, so that you are now using a DNS server belonging to the attackers. Once they decide which address every name resolves to, they control where your traffic goes. They could send all of your surfing to their own malware-ridden web site, or answer the name of your bank with the address of a look-alike site that harvests your password. Because every lookup now passes through the rogue server, steering you to that fake site is easy, and the only visible warning may be a certificate error if the real site uses HTTPS, which is one good reason never to click past such errors.

Security company F-Secure has put together a tool called Router Checker. It checks which DNS server your connection is actually using and warns you if that server is a known rogue. If so, log into your router's administration page, restore the DNS settings to your ISP's or a public resolver, and change the router's administrator password so the same malware cannot simply put the rogue address back. Note that the tool sees the address the resolver uses when it forwards your query to the rest of the internet, which may differ from the address shown in your router's settings.

You'll find the Router Checker at https://campaigns.f-secure.com/router-checker and it's entirely web-based, so there's nothing to install. Just click the Start button and wait for the results.
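A complementary check you can run yourself is to resolve a name through the DNS server your router hands out and through a reference resolver you trust, and compare the answers; a rogue resolver gives back addresses the reference resolver has never heard of. The script below is an added example written for this article, not F-Secure's tool or code from the original page, and it speaks the DNS wire format directly so the answers can be compared programmatically rather than by eye (the commenter below who saves nslookup output for later comparison is doing the same thing by hand). The router address 192.168.1.1 and the reference resolver 8.8.8.8 are assumptions to be replaced with your own, and the sample reply used for offline testing is constructed, not captured from a real server.

```python
"""Resolve a name via two DNS servers and flag disagreement (RFC 1035 wire format)."""
import random
import socket
import struct


def build_query(name, txid, qtype=1):
    """Build a standard recursive query (default qtype=1, i.e. an A record) for `name`."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD=1; one question
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.strip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QCLASS=IN


def read_name(data, offset):
    """Decode a possibly compressed domain name; return (name, offset after it)."""
    labels, jumped, end, hops = [], False, offset, 0
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:  # two-byte compression pointer
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset, hops = True, pointer, hops + 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            return ".".join(labels), end
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length


def parse_response(data, expected_txid):
    """Return the A-record IPs in a DNS reply, rejecting mismatched ids and error codes."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch (stale or spoofed reply)")
    if flags & 0x000F:
        raise ValueError("server returned RCODE %d" % (flags & 0x000F))
    offset = 12
    for _ in range(qd):  # skip the echoed question section
        _, offset = read_name(data, offset)
        offset += 4
    ips = []
    for _ in range(an):
        _, offset = read_name(data, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            ips.append(".".join(str(b) for b in rdata))
    return ips


def resolve(name, server, timeout=3.0):
    """Send one UDP query to `server` and return the A records it answers with."""
    txid = random.randrange(0, 0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, txid), (server, 53))
        data, _ = sock.recvfrom(4096)
    return parse_response(data, txid)


def answers_disagree(local_ips, reference_ips):
    """True when the two resolvers share no address at all for the name.

    Large sites legitimately return different addresses per region, so any
    overlap counts as agreement; a completely disjoint answer set is the
    signature of a rogue resolver and deserves a manual look.
    """
    return bool(local_ips) and bool(reference_ips) and not (set(local_ips) & set(reference_ips))


# Constructed sample reply for offline testing (not captured from a real server):
# txid 0x1234, flags 0x8180 (response, RD, RA), one question, two A answers that
# use a compression pointer (0xC00C) back to the question name at offset 12.
SAMPLE_TXID = 0x1234
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", SAMPLE_TXID, 0x8180, 1, 2, 0, 0)
    + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 10])
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 11])
)


if __name__ == "__main__":
    import sys
    name = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    local_server = sys.argv[2] if len(sys.argv) > 2 else "192.168.1.1"  # assumed router address
    reference = "8.8.8.8"  # assumed trusted reference resolver
    local, ref = resolve(name, local_server), resolve(name, reference)
    print(name, "via", local_server, "->", local)
    print(name, "via", reference, "->", ref)
    if answers_disagree(local, ref):
        print("WARNING: resolvers disagree; inspect the router's DNS settings")
```

Run it as `python dnscheck.py www.yourbank.example 192.168.1.1` from a machine on the home network. The transaction-id check matters: a reply whose id does not match the query is discarded rather than trusted, which is the same defence a real resolver applies against spoofed answers.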

My thanks, as ever, to Lex Davidson for this handy tip.


Comments

I tried the F-Secure site, and I'm confused. I have my DNS set, in order, both on my PC and on my router, to:

208.67.222.222 ; OpenDNS
8.8.8.8 ; Google DNS
75.75.75.75 ; Comcast Xfinity

But the F-Secure site reports all Comcast servers, e.g. 69.252.250.28

That site does have a note:

Note: The DNS server IP address(es) listed may not be the IP address set for your device; it is the IP address your DNS server is using for recursively resolving different DNS queries.

I wonder what's going on here?

I notice that for IPv6 I only have Comcast Xfinity servers. So maybe that's what F-Secure is seeing.

What's the easiest way to find out the IP address of your important sites, such as bank URLs?

I've just downloaded ip-check from the Firefox addons but not yet tested it.

IP Address and Domain Information is another Firefox addon that seems to do the same job but with a lot more information. The author requests a $5 donation. Not tested.

Edit: The ip-check puts another button in your Firefox toolbar, no reboot needed. When pressed it shows you the IP address of your current website. If you click on the IP address shown it redirects to domaintools.com which gives you the whois look-up information for that IP address. ip-check seems simple and adequate.

If you enter the IP address directly, does that bypass the DNS server lookup?

@godel I use the command prompt in Windows with the nslookup command:

nslookup google.com

Then I save them so that I can compare when I think I might be under attack.

Entering the IP address directly in the browser address bar does bypass DNS; however, I've tried it and found it not practical. For example, many sites I tried, when they detect they've been accessed via IP, immediately redirect to their name. And often links on that site, even to the same site, go through the name.

However, Google works. nslookup google.com is giving me right now 173.194.123.1 among other IP addresses, and that works fine via just the IP. I often try this when things aren't working right to help diagnose the problem.

You would think that security suites would be configured by default to detect DNS hijacks and provide an alert but apparently that is not the case. I normally use http://www.whatsmyip.org/ if I have questions about my server but the F-Secure Router Checker is a quick and useful tool worth adding to my bookmarks.