
DNS Sinkholes: What They Are and How to Start Using Them

Threat Intelligence • Aug 10, 2022

In our Internet-dominated world, malicious URLs are a persistent problem for enterprises everywhere. A malicious URL is a link that leads to attacker-controlled or compromised content and is typically used to perpetrate a scam or fraud, or to launch an attack on an enterprise network. When a user clicks the link, he or she may end up downloading ransomware, viruses, Trojans or other malware that could compromise not just the individual system but the entire corporate network. One way to block access to malicious domains at an enterprise level is to use a DNS sinkhole.

What is DNS?

DNS, the Domain Name System, is the part of the Internet that translates the domain names users type into a browser's address bar into the IP addresses of the servers they are trying to reach. A DNS server hosts (or caches) the records that map domain names to IP addresses. For example, to reach www.abcexample.com you type that name into the address bar; your resolver then looks up the corresponding IP address and the browser connects to it. DNS is a vital part of the Internet because it lets users reach services by name from computers all around the world.

DNS ARCHITECTURE

The DNS is organized as a hierarchical tree: each level delegates authority for the names beneath it to the level below.


The following components make up the DNS hierarchy:

ROOT LEVEL

The DNS root zone is at the top of the DNS hierarchy tree. The root name servers are critical because they are the first step in resolving a domain name. Root servers are the DNS nameservers that serve the root zone. They answer queries for records held in the root zone directly and refer every other query to the name servers of the appropriate Top Level Domain (TLD).

TOP LEVEL DOMAINS (TLD)

TLD servers are the group of DNS servers one level below the root servers in the DNS hierarchy. They hold the delegations for every second-level domain registered under their TLD, so they are the second step in almost every query resolution.

The top level domain (TLD) is the rightmost label of a domain name. TLDs fall into two main groups:

  • Generic TLDs - .com, .org, .net
  • Country-code TLDs - .uk, .in, .fr, etc.

SECOND LEVEL DOMAINS


The second-level domain is the label immediately to the left of the TLD (mywebsite in mywebsite.com), and it is what a registrant actually buys, so it differs from buyer to buyer. Most generic TLDs impose no eligibility restrictions: anyone can register a name that is available. Some TLDs (for example .gov, .edu and many country-code TLDs) do restrict who may register. If a name is already taken under one TLD, the same label can usually be registered under a different TLD.


SUB-DOMAIN

A subdomain is a domain that forms part of a larger domain. The owner of a domain can create subdomains freely, without involving a registrar, and they are a convenient way to make a website more memorable and easier to navigate. For example, blog.mywebsite.com is a subdomain of mywebsite.com.

HOST

A host name is the label assigned to an individual device connected to a network. It distinguishes one machine from another on the Internet and/or the local network.

The host name together with its domain name forms a Fully Qualified Domain Name (FQDN), for example mail.mywebsite.com. An FQDN specifies a name's exact position in the DNS hierarchy.

What is a DNS Sinkhole?

A DNS sinkhole is a DNS server that deliberately gives out false answers for names an organization does not want its hosts to reach. Infected hosts regularly send outbound DNS requests for known malicious domains that serve spyware, botnet Command-and-Control (C&C), fake antivirus software and the like. When a request for such a destination reaches the sinkhole, it intercepts the lookup and returns a controlled IP address that points at a sinkhole server set up for just this purpose, instead of the attacker's real address. The client therefore never connects to the real malicious host, which protects both the user and the network. The sinkhole server on the receiving end is similar to a "honeypot": it accepts and logs every connection attempt made to it. In essence, a DNS sinkhole redirects traffic bound for malicious domains and prevents devices from connecting to these dodgy destinations. Think of a DNS sinkhole as a black hole where bad URLs go to die!


With a DNS sinkhole, organizations can restrict access to malicious websites, as well as to non-malicious websites that violate corporate policy, such as social media sites. So, alongside firewalls, web proxies, Network Intrusion Prevention Systems and other security gatekeepers, a DNS sinkhole helps strengthen the organization's "defence-in-depth" strategy. Sinkhole administrators can populate the sinkhole from open source or commercial lists of known malicious domains. They can also host a customised web page on the sinkhole server that tells users which corporate policy they have violated when they try to access a "sinkholed" domain.
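To make the mechanism concrete, here is an added example, written for this article rather than taken from any product the page mentions, of the core of a sinkhole resolver in Python. It parses an incoming DNS query from wire format, checks the queried name and all of its parent domains against a block list, and forges an authoritative A answer pointing at the sinkhole address. For a listed name queried with any other record type (AAAA, TXT and so on) it returns an empty NODATA answer rather than forwarding, because otherwise a client could still learn the real address through another record type. The block list, the sinkhole address 192.0.2.1 and the sample queries are constructed for the example; a real deployment wraps this in a UDP/TCP listener and forwards every query that returns None to an upstream resolver.

```python
import ipaddress
import struct

# Constructed block list and sinkhole address for the example (not a real feed).
BLOCKLIST = {"c2.evil.example", "badfeed.example"}
SINKHOLE_IP = "192.0.2.1"   # TEST-NET-1; stands in for the organization's sinkhole server
SINKHOLE_TTL = 60           # short TTL so a removed entry stops taking effect quickly

QR, AA, RD, RA = 0x8000, 0x0400, 0x0100, 0x0080   # DNS header flag bits
TYPE_A, CLASS_IN = 1, 1


def parse_qname(packet, offset=12):
    """Decode the question name starting at offset; return (name, offset after the name)."""
    labels = []
    while True:
        length = packet[offset]
        if length == 0:
            return ".".join(labels), offset + 1
        if length & 0xC0:
            raise ValueError("compression pointers are not valid in a question name")
        labels.append(packet[offset + 1:offset + 1 + length].decode("ascii").lower())
        offset += 1 + length


def is_sinkholed(name, blocklist=BLOCKLIST):
    """True if the name or any parent domain is listed (www.c2.evil.example matches c2.evil.example)."""
    parts = name.lower().rstrip(".").split(".")
    return any(".".join(parts[i:]) in blocklist for i in range(len(parts)))


def build_query(name, qtype=TYPE_A, txid=0x1234):
    """Build a standard recursive query packet; used here to construct sample input."""
    header = struct.pack("!HHHHHH", txid, RD, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, CLASS_IN)


def sinkhole_response(query, sinkhole_ip=SINKHOLE_IP, blocklist=BLOCKLIST):
    """Return a forged response for a listed name, or None if the query should be forwarded upstream."""
    txid, flags, qdcount = struct.unpack("!HHH", query[:6])
    if qdcount != 1:
        return None
    name, end = parse_qname(query)
    qtype, qclass = struct.unpack("!HH", query[end:end + 4])
    if qclass != CLASS_IN or not is_sinkholed(name, blocklist):
        return None
    question = query[12:end + 4]
    resp_flags = QR | AA | RA | (flags & RD)   # we answer authoritatively for the lie
    if qtype != TYPE_A:
        # Listed name, other record type: NODATA (NOERROR, zero answers) instead of forwarding.
        return struct.pack("!HHHHHH", txid, resp_flags, 1, 0, 0, 0) + question
    header = struct.pack("!HHHHHH", txid, resp_flags, 1, 1, 0, 0)
    # Answer RR: name as a pointer to the question (0xC00C), type A, class IN, TTL, RDLENGTH=4, address.
    answer = struct.pack("!HHHIH", 0xC00C, TYPE_A, CLASS_IN, SINKHOLE_TTL, 4)
    return header + question + answer + ipaddress.IPv4Address(sinkhole_ip).packed


def parse_answer(response):
    """Read back (name, address, ttl) from a response built above; address is None for NODATA."""
    ancount = struct.unpack("!H", response[6:8])[0]
    name, end = parse_qname(response)
    if ancount == 0:
        return name, None, None
    off = end + 4
    _ptr, _rtype, _rclass, ttl, rdlen = struct.unpack("!HHHIH", response[off:off + 12])
    addr = ipaddress.IPv4Address(response[off + 12:off + 12 + rdlen])
    return name, str(addr), ttl


if __name__ == "__main__":
    for qname in ("www.c2.evil.example", "www.example.com"):
        reply = sinkhole_response(build_query(qname))
        print(qname, "->", "forward upstream" if reply is None else parse_answer(reply))
```

The suffix match in is_sinkholed matters in practice: feeds usually list c2.evil.example, while the malware asks for a randomly generated host beneath it, and a sinkhole that only matches exact names lets those lookups through.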

Why Use a DNS Sinkhole

The primary reason for using a DNS sinkhole is to stop users and infected hosts from reaching malicious domains, but as we have just seen, it has other uses. It can also defeat "drive-by downloads" (where an attacker has secretly inserted code into a legitimate website that makes the visitor's browser fetch malware from a second site): if the site hosting the payload is on the sinkhole list, the download never happens. One other important thing that DNS sinkholes do, in addition to protecting a network from an immediate threat, is help protect other networks from future threats, because the connection attempts they log are a source of threat intelligence that can be shared.


Analyzing the sinkhole logs also helps identify, isolate and fix compromised hosts. If the logs show that a host is repeatedly attempting to resolve a botnet domain while the sinkhole keeps redirecting the request, that machine is probably infected and needs further analysis, containment and remediation. The same data helps threat researchers craft defence strategies against the attackers' tactics, techniques and procedures (TTPs).
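As an added example, not code from the article or from the Evolve product, here is a small Python script that runs the triage logic just described over a few constructed sinkhole log lines. The log format is hypothetical; the idea is what matters: group sinkholed lookups by client and domain, and flag clients that repeat the same lookup at regular intervals, which is what C&C beaconing looks like from the resolver's point of view, while a single lookup (a user clicking a link once) is left for lower-priority review.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone
from statistics import mean, pstdev

# Constructed sinkhole log excerpt; the line format is hypothetical, not any product's.
SAMPLE_LOG = """\
2022-08-10T09:00:01Z client=10.0.0.23 qname=c2.evil.example qtype=A action=sinkhole
2022-08-10T09:00:03Z client=10.0.0.77 qname=badfeed.example qtype=A action=sinkhole
2022-08-10T09:05:02Z client=10.0.0.23 qname=c2.evil.example qtype=A action=sinkhole
2022-08-10T09:10:01Z client=10.0.0.23 qname=c2.evil.example qtype=A action=sinkhole
2022-08-10T09:15:03Z client=10.0.0.23 qname=c2.evil.example qtype=A action=sinkhole
2022-08-10T09:16:00Z client=10.0.0.23 qname=www.example.com qtype=A action=forward
2022-08-10T09:20:00Z client=10.0.0.23 qname=c2.evil.example qtype=A action=sinkhole
"""

LINE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) qname=(?P<qname>\S+) qtype=\S+ action=(?P<action>\S+)$"
)


def parse_log(text):
    """Return (timestamp, client, qname, action) tuples; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, m["client"], m["qname"].lower().rstrip("."), m["action"]))
    return events


def sinkhole_hits(events):
    """Count sinkholed lookups per client, for a first triage view."""
    counts = defaultdict(int)
    for _ts, client, _qname, action in events:
        if action == "sinkhole":
            counts[client] += 1
    return dict(counts)


def find_beaconing(events, min_hits=3, max_jitter=0.2):
    """Flag (client, domain) pairs with repeated, evenly spaced sinkholed lookups.

    jitter is the standard deviation of the gaps between lookups divided by the mean gap;
    malware checking in on a timer gives a small value, human browsing does not.
    """
    stamps = defaultdict(list)
    for ts, client, qname, action in events:
        if action == "sinkhole":
            stamps[(client, qname)].append(ts)
    alerts = []
    for (client, qname), times in stamps.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(later - earlier).total_seconds() for earlier, later in zip(times, times[1:])]
        avg = mean(gaps)
        jitter = pstdev(gaps) / avg if avg else 0.0
        alerts.append({
            "client": client,
            "qname": qname,
            "hits": len(times),
            "interval_s": round(avg),
            "regular": jitter <= max_jitter,
        })
    return alerts


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("sinkhole hits per client:", sinkhole_hits(events))
    for alert in find_beaconing(events):
        print("likely infected:", alert)
```

On the sample data 10.0.0.23 is flagged with five lookups of c2.evil.example about 300 seconds apart, while 10.0.0.77 appears only in the per-client count. In a real deployment the thresholds should be tuned per environment, and a flagged host still has to be investigated before it is declared infected, as the limitations below explain.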

How to Start Using DNS Sinkholes

A DNS sinkhole for a single machine can be built with a simple hosts file, but that only scales to a handful of hosts; for an organization the sinkhole belongs on the internal DNS resolvers that every client is required to use. For it to be effective, the list of malicious domains must be maintained and regularly updated. Ongoing maintenance means reviewing and processing the automated updates from free open source sinkhole lists or paid commercial lists. Admins can use these lists to decide which hosts or domains should be blocked without performing active testing of their own. Organizations can also integrate their own closed-source sinkhole entries for hosts or domains, creating custom lists. One last note: the sinkhole and its block list must not be reachable or modifiable from the external network. Otherwise attackers may be able to manipulate the entries and use them for malicious purposes. It wouldn't do to have a domain on the block list, only to have the owner of that domain go in and remove it from the list.
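Here is an added Python example of the list maintenance step, written for this article and not taken from any product named on the page. It merges entries from two constructed feed snippets in different formats (hosts-file lines and URLs, including defanged hxxp:// ones) with an organization's own custom entries, normalises them to bare domains, drops anything on a reviewer-maintained allowlist so that a known false positive does not block a legitimate site, and renders the result as a BIND Response Policy Zone (RPZ) file in which each listed domain and all of its subdomains resolve to the sinkhole address. The feed contents, the allowlist, the SOA/NS placeholder records and the sinkhole address 192.0.2.1 are assumptions for the example.

```python
import re
from urllib.parse import urlsplit

# Constructed feed snippets standing in for downloaded open source or commercial lists.
FEED_HOSTS = """\
# hosts-file style feed
0.0.0.0 c2.evil.example
127.0.0.1 badfeed.example
0.0.0.0 localhost
"""
FEED_URLS = """\
http://c2.evil.example/gate.php
https://tracker.ads-example.net/pixel?id=1
hxxp://Dropper.Evil.Example/payload.exe
"""
CUSTOM_ENTRIES = ["policy-blocked.example"]   # the organization's own closed-source entries
ALLOWLIST = {"ads-example.net"}                # names a reviewer cleared as false positives
SINKHOLE_IP = "192.0.2.1"                      # hypothetical sinkhole address

HOSTS_LINE = re.compile(r"^(?:0\.0\.0\.0|127\.0\.0\.1)\s+(\S+)")
DOMAIN_OK = re.compile(r"[a-z0-9-]+(?:\.[a-z0-9-]+)+")


def normalize(entry):
    """Reduce one feed line (domain, hosts-file line or URL) to a bare lowercase domain, or None."""
    entry = entry.strip()
    if not entry or entry.startswith("#"):
        return None
    m = HOSTS_LINE.match(entry)
    if m:
        entry = m.group(1)
    entry = re.sub(r"^hxxps?://", "http://", entry, flags=re.IGNORECASE)   # undo defanging
    if "://" in entry:
        entry = urlsplit(entry).hostname or ""
    entry = entry.lower().rstrip(".")
    if entry == "localhost" or not DOMAIN_OK.fullmatch(entry):
        return None
    return entry


def is_allowed(domain, allowlist):
    """Allowlist entries cover the name itself and everything beneath it."""
    parts = domain.split(".")
    return any(".".join(parts[i:]) in allowlist for i in range(len(parts)))


def build_blocklist(feeds, custom=(), allowlist=frozenset()):
    """Merge, normalize and de-duplicate all sources, then remove allowlisted names."""
    domains = set()
    for text in list(feeds) + ["\n".join(custom)]:
        for line in text.splitlines():
            d = normalize(line)
            if d:
                domains.add(d)
    return sorted(d for d in domains if not is_allowed(d, allowlist))


def to_rpz(domains, sinkhole_ip=SINKHOLE_IP, ttl=60):
    """Render a BIND RPZ zone: each trigger name and its wildcard subdomains get the sinkhole A record."""
    lines = [
        f"$TTL {ttl}",
        "@ IN SOA localhost. root.localhost. 1 3600 900 604800 60",   # placeholder SOA/NS records
        "@ IN NS localhost.",
    ]
    for d in domains:
        lines.append(f"{d} IN A {sinkhole_ip}")
        lines.append(f"*.{d} IN A {sinkhole_ip}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    blocked = build_blocklist([FEED_HOSTS, FEED_URLS], CUSTOM_ENTRIES, ALLOWLIST)
    print(to_rpz(blocked))
```

The generated zone would be loaded into the resolver as a response policy zone and regenerated on every feed update; keeping the allowlist in version control alongside the custom entries gives the review trail that the "who removed this domain" concern above calls for.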

LIMITATIONS OF DNS SINKHOLES

Although a DNS sinkhole is effective at surfacing indicators of malware presence, it is not a method of confirming or eradicating an infection. A sinkhole hit shows only that a system asked for a known-bad name; analysts still need to investigate the host to determine whether it is actually running malware. The sinkhole is not designed to prevent malware from being installed on a system. Rather, it is designed to detect when a system attempts to reach a malicious destination, and to alert the network administrator to take appropriate action.

To block malware or its traffic using a DNS sinkhole, the malware must use the organization's DNS servers. Malware that carries its own hardcoded resolver address, that resolves names over DNS over HTTPS or DNS over TLS, or that connects to a hardcoded IP address without performing any lookup, will not be blocked by the sinkholing mechanism. The first of these can be countered by having perimeter firewalls block all outbound DNS (port 53, UDP and TCP) except from the organization's own DNS servers; encrypted DNS and direct-to-IP connections need egress filtering at the proxy or firewall instead.


Moreover, DNS sinkholes cannot prevent malware that is already running from executing or spreading inside the network, and they cannot remove malware from infected systems.

DNS sinkholes can sometimes block legitimate, non-malicious websites. This is because the malicious domain and IP information gathered from open sources and fed into the sinkhole can contain false positives, so new entries should be reviewed and an allowlist maintained for names that have been cleared.

Automated DNS Sinkhole Breach Detection with Evolve

The Automated DNS Sinkhole Breach Detection solution from Evolve provides the latest threat intelligence, allowing organizations to detect and prevent threats, attacks and security breaches. They can seamlessly orchestrate on-demand, high-availability DNS sinkholes that automatically ingest 350+ threat intelligence feeds. Thus they can prevent users from accessing malicious websites, proactively block malware from locating their C&C systems, and ensure that their business remains safe from bad actors.

Conclusion

DNS sinkholes are useful for day-to-day network management, threat analysis and overall security, and they double as a research tool that improves an organization's ability to react to and prevent attacks. This makes them an important weapon in the cybersecurity war. It's not only important, though; it just makes good sense.
