The wireless router can be the easiest target for hackers to compromise your network, if configured improperly. Hackers will employ many different methods to attempt to hack your router. Some of these methods that I will be talking about include Wi-Fi hacking and DNS hijacking. There are many different preventative measures than can be taken to ensure that you have a secure router. Setting up a secure router is very important because not only can your network and personal information be compromised, but you may be held legally responsible for all of the potentially illegal traffic that goes through your network.
Validate that your router is secure
A popular method for hackers to compromise all devices in DNS hijacking; DNS hijacking is when a hacker subverts the resolution of DNS queries. In other words, they can direct you to malicious websites even when you try to visit a known secure website such as your online banking website. This can be done to a personal computer within a network, or even the router if a router has vulnerabilities within its firmware. There are tools that exist to test if you are a victim of DNS hijacking. One such tool is F-Secure, you can check your security with this tool by visiting f-secure.com/router-checker/. What this tool does is analyze your own router’s DNS requests to see if they are being redirected to a third-party rogue DNS, or if the DNS requests are acting as they should.
Hackers may also try to gain access to your router by cracking your Wi-Fi password or simply joining your network if it is left unsecured and open.
In order to prevent DNS hijacking, there are a few preventative actions that you can take. If your router supports it, you can set up a DNS resolver, this means that all DNS resolutions take place on the router and not locally on a PC. This includes configuring your router to give out its own LAN IP address over DHCP. Of course, you need to configure DNS servers within the router itself, such as OpenDNS (126.96.36.199). However, that alone does not solve the problem; at this point, the DNS can still be manually changed on a PC inside of the LAN, which also means that PC’s on the LAN are still vulnerable to DNS hijacking. You will need to create a firewall rule on your router to block all access to DNS on your LAN, except to your router, as your router is now resolving DNS requests locally. A rule like this would require you to redirect all DNS requests from PC’s on the LAN to the router’s local DNS resolution. The router recognizes itself as 127.0.0.1, so that is what you must change the destination to for whenever PC’s on the LAN try to access port 53 (DNS). This makes it so that whenever the router sees a DNS request, it redirects it to itself without regard for what a PC on LAN has it’s local setting set to. This results in all PC’s on the LAN network insusceptible to DNS hijacking so long as they are behind the router. I will post an image of what a firewall rule like this would look like below:
This leaves the only target left for DNS hijacking to be the router itself. If a hacker can change compromise the router itself and change the DNS resolution, it would compromise the entire network. To prevent this, you must make sure that you keep your router up to date with the latest security patches and firmware. A strong administrator password for the router should also be implemented so a hacker cannot simply type a common password to change your router settings.
To prevent hackers from joining your network without permission, it’s important to use WPA2 encryption with a strong password. If a simple password is used it’s possible for a hacker to gain access within seconds or days of cracking. Which is why you should make a password of at least 8 characters (the longer the better) using a combination of numbers, upper/lowercase letters and symbols. A password like this would take very long to crack (perhaps longer than a lifetime). On your router you should be able to see all connected clients and be able to identify all of the devices.