U.S. Government Warns of DNS Hijacking Risk | eWeek

U.S. Government Warns of DNS Hijacking Risk

DHS CISA DNS
Jan 25, 2019
3 minute read
eWeek Le contenu et les recommandations de produits sont indépendants de la rédaction. Nous pouvons gagner de l'argent lorsque vous cliquez sur des liens vers nos partenaires. En savoir plus

The U.S. government is warning of a potentially disastrous cyber-security attack targeting DNS infrastructure.

Domain Name System (DNS) is the technology that translates numerical Internet Protocol (IP) addresses into web domains, such as eWEEK.com. DNS servers direct traffic to the correct location for a given domain; the risk is that if DNS is tampered with, traffic can be misdirected, intercepted or blocked.

“In coordination with government and industry partners, the Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) is tracking a series of incidents involving Domain Name System (DNS) infrastructure tampering,” DHS CISA warned. “CISA is aware of multiple executive branch agency domains that were impacted by the tampering campaign and has notified the agencies that maintain them.”


DHS has not publicly disclosed which agencies have been impacted by the DNS hijacking campaign. Several cyber-security firms including FireEye and Cisco Talos have been warning about the risks of a global DNS hijacking campaign. On Jan. 9, FireEye stated in a report that the campaign might have the backing of organizations in Iran.

The government isn’t standing idly by while the attacks are happening. DHS CISA issued Emergency Directive 19-01 on Jan. 22, providing direction to U.S. government agencies on how to mitigate DNS infrastructure tampering. In a blog post on Jan. 24, Christopher Krebs, director of DHS CISA, explained the severity of the DHS hijacking campaign and why it triggered the emergency directive.

“This is the first Emergency Directive issued by the Cybersecurity and Infrastructure Security Agency (CISA) under authorities granted by Congress in the Cybersecurity Act of 2015, and we took this action after carefully considering the current and potential risk posed to Federal agencies,” Krebs wrote. “Using techniques that aren’t especially innovative, we know they can intercept and manipulate legitimate traffic, make services unavailable or cause delay, harvest information like credentials or emails, or cause a range of other malicious activities.”

How the Attack Works

According to the AA19-024A alert issued by US CERT on Jan. 24, the attackers behind the DNS hijacking campaign are using a basic attack method to get access to DNS infrastructure.

“The attacker begins by compromising user credentials, or obtaining them through alternate means, of an account that can make changes to DNS records,” US CERT warned.

Once the attacker has access to the DNS server, changes to the records for where websites and email servers are resolved are being made. There are multiple things that organizations can do to mitigate the risks of DNS server attacks. US-CERT is suggesting that as a first step in mitigating DNS highjacking attacks that organizations update the passwords for all accounts that are authorized to change DNS records. Additionally, it is recommended that all accounts that have access to DNS records have multifactor authentication enabled. With multifactor authentication, a second password or token is needed to gain access to a service.

DHS CISA has directed government agencies to take a series of steps over a 10-day period beginning on Jan. 22 to protect DNS. The first action that DHS requires is that organizations audit their DNS records to look for any abnormalities. Like US-CERT, DHS CISA also recommends that agencies change passwords and implement multifactor authentication. 

Finally, agencies are being advised to monitor certificate transparency (CT) logs. CT logging is an effort to help limit the risk of mis-issuance of SSL/TLS certificates that was originally launched by Google. With CT logs, all newly issued SSL/TLS certificates are posted to a CT logging server, such that organizations can check to see if a certificate was issued without proper authorization.

“Agencies shall immediately begin monitoring CT log data for certificates issued that they did not request. If an agency confirms that a certificate was unauthorized, it must report the certificate to the issuing certificate authority and to CISA,” DHS CISA stated.

DHS CISA has directed agencies to submit a status report on their compliance with implementing the actions required to help secure DNS by Jan. 25. Agencies are expected to submit a completion report on all the required actions by Feb. 5.

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

eWeek Logo

eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site's focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

Propriété de TechnologyAdvice. © 2026 TechnologyAdvice. Tous droits réservés

Divulgation publicitaire : Certains des produits qui apparaissent sur ce site proviennent d'entreprises dont TechnologyAdvice reçoit une compensation. Cette compensation peut influencer la façon dont les produits apparaissent sur ce site, notamment l'ordre dans lequel ils apparaissent. TechnologyAdvice n'inclut pas toutes les entreprises ou tous les types de produits disponibles sur le marché.