Sunday, June 07, 2009

Stop DNS Site Hijacking With Apache Redirect

There have been several instances of DNS hijacking reported lately so I thought it might be useful to briefly address this problem and it's easy resolution.

DNS hijacking occurs when someone using a different domain name aims their domain name at your server and it hijacks a domain on your server. Both domains, the hijackers and yours, now serve up the same exact content. The search engines aren't sure which one to believe so the hijackers domain, if it gets crawled, may suddenly inherit all your site pages and your domain goes away completely in the search engine index.

This has actually happened a couple of times to various people I know or I wouldn't bother sounding the alarm that this could also happen to you.
Some cases appear to be accidental leftovers from people using 3rd party DNS services that still point to servers they no longer use. Others appear to possibly be deliberate, trying to hijack someone's site in Google or other search engines, and sometimes it works too!

If all your sites are using virtual hosting and share a single IP then it's a crap shoot which domain they'll hijack.

However, if you have a dedicated IP for a site that uses a dedicated SSL server then they can aim their DNS entry directly at your site and potentially take it for a search engine joy ride.

The easiest way to stop this is to add the following lines into your .htaccess file on every site in your server and replace with your own domain name.

RewriteCond %{HTTP_HOST} !^(example\.com)?$
RewriteRule ^(.*)$$1 [R=301,L]
This also canonicalizes your domain to the non-www form of the domain name.

If you want your canonical domain to start with www. then you'll need to add that to the script.

Remember, an ounce of prevention is worth a pound of cure.


Mike said...

Great tip thanks.

Anonymous said...

So is there any way to tell if you have been hijacked?

Saugar said...

I was aware of hijacking activity only after scanning the syslog files at /var/log/syslog in Debian Lenny. Is there an automated way to track hijacking?