In our Internet-dominated world, the increasing prevalence of malicious URLs is a huge problem for enterprises everywhere. A malicious URL is a link that leads to content designed to perpetrate a scam or fraud, or to launch an attack on an enterprise network. When a user clicks the link, he or she may end up downloading ransomware, viruses, Trojans, or other malware that could compromise not just their own system but the entire corporate network. One way to block access to the domains behind malicious URLs at an enterprise level is to use a DNS sinkhole.
The Domain Name System (DNS) is the protocol that translates hostnames into IP addresses, so almost every connection a client makes begins with a DNS query. Some of those outbound queries are for domains already known to host spyware, botnet infrastructure, fake antivirus software and the like. When a query asks for a known malicious or unwanted destination, such as a botnet or Command-and-Control (C&C) server, the sinkholing mechanism intercepts it and returns a controlled answer: an IP address that points to a sinkhole server set up for exactly this purpose (some deployments return a non-routable address or NXDOMAIN instead). The client never learns the real address, so it cannot connect to the target host, and users and networks are protected. It is similar to a honeypot, a decoy system set up to attract and observe attackers. In essence, a DNS sinkhole redirects traffic that would otherwise flow to malicious domains, and prevents devices from connecting to these dodgy domains. Note that it works on the hostname part of a URL, not the full path: it cannot block one malicious page on an otherwise legitimate host. Think of a DNS sinkhole as a black hole where bad URLs go to die!
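To make the mechanism concrete, here is the decision a sinkhole makes for each query, as an added example that is not code from the original article or from any particular product. The block list, the sinkhole addresses (10.10.10.10 and fd00:dead:beef::10) and the query names are all constructed for illustration; a real deployment loads the list from threat-intelligence feeds.

```python
# Added example (not from the original article): the decision a DNS sinkhole
# makes for every query. The block list, sinkhole addresses and query names
# below are constructed for illustration.
from typing import Dict, Optional, Set

SINKHOLE_IPV4 = "10.10.10.10"          # assumed address of the internal sinkhole server
SINKHOLE_IPV6 = "fd00:dead:beef::10"   # assumed IPv6 address of the same server

# Constructed block list; in production this comes from threat-intel feeds.
BLOCKED: Set[str] = {"evil.example", "c2.botnet.example", "tracker.example"}


def normalize(name: str) -> str:
    """Lowercase and strip the trailing dot so 'EVIL.Example.' matches 'evil.example'."""
    return name.strip().lower().rstrip(".")


def is_sinkholed(qname: str, blocked: Set[str]) -> bool:
    """True if qname or any parent domain is on the block list, so blocking
    'evil.example' also catches 'cdn.evil.example'. Matching is done label by
    label, so 'notevil.example' is NOT matched by 'evil.example'."""
    labels = normalize(qname).split(".")
    return any(".".join(labels[i:]) in blocked for i in range(len(labels)))


def resolve(qname: str, qtype: str = "A",
            blocked: Set[str] = BLOCKED) -> Dict[str, Optional[str]]:
    """Return what the sinkhole answers for a query.

    Blocked names get a controlled address (A/AAAA) or an empty answer for
    other record types, so the client never sees real data for the name.
    Anything else is marked 'forward' and would be sent to normal recursion.
    """
    if not is_sinkholed(qname, blocked):
        return {"action": "forward", "answer": None}
    if qtype == "A":
        return {"action": "sinkhole", "answer": SINKHOLE_IPV4}
    if qtype == "AAAA":
        return {"action": "sinkhole", "answer": SINKHOLE_IPV6}
    return {"action": "sinkhole", "answer": None}


if __name__ == "__main__":
    for name, qtype in [("www.good.example", "A"), ("EVIL.Example.", "A"),
                        ("cdn.evil.example", "AAAA"), ("c2.botnet.example", "MX"),
                        ("notevil.example", "A")]:
        print(f"{name:22} {qtype:5} -> {resolve(name, qtype)}")
```

The label-by-label suffix walk is the important detail: a naive substring or `endswith` check would either miss subdomains of a blocked name or wrongly sinkhole `notevil.example`. Answering AAAA and other record types as well matters too, since a client that gets a real IPv6 address or MX record has not been sinkholed at all.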
With a DNS sinkhole, organizations can restrict access to malicious websites, as well as to non-malicious websites that violate corporate policy, such as social media sites. So along with firewalls, web proxies, Network Intrusion Prevention Systems and other security gatekeepers, a DNS sinkhole helps strengthen an organization's "defence-in-depth" strategy.
Sinkhole administrators can populate the organization's DNS sinkhole from open source or commercial lists of known malicious domains. They can also host a customised web page on the sinkhole server that tells the user which corporate policy is being violated when they try to reach a "sinkholed" URL. This block page only works for plain HTTP; an HTTPS request to the sinkhole produces a certificate error in the browser instead, unless the sinkhole presents a certificate the client trusts for that name.
The primary reason for using a DNS sinkhole is to prevent users from accessing malicious domains or destinations, but as we've just seen, there are other uses for it. It can also block "drive-by downloads" (where an attacker has secretly inserted malicious code into a legitimate website, and the visitor's computer downloads it unwittingly), provided the malicious code or payload is fetched from a sinkholed domain; it cannot help if the payload is served from the legitimate site itself. Besides protecting a network from an immediate threat, DNS sinkholes also help protect other networks from future threats, because of the logs they produce.
Analyzing the sinkhole logs helps identify, isolate and fix compromised hosts that try to connect to known malicious domains. If the logs show a host repeatedly attempting to reach a botnet domain while the sinkhole keeps redirecting the request, that machine is probably infected and needs further analysis, containment and remediation. For this to work, the sinkhole must log the real client address: if an internal forwarder sits between clients and the sinkhole, the log will show the forwarder's IP instead, and query logging has to be enabled on that first-hop resolver. The same data helps threat researchers craft defence strategies against attackers' tactics, techniques and procedures (TTPs).
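The log analysis described above, as an added example that is not part of the original article. The log format (ISO timestamp, client IP, queried name, action) and every line in it are constructed; the two detections, a burst threshold and a regularity ("beaconing") check, are standard hunting heuristics and are not taken from any product. It goes a little beyond the paragraph by showing that a slow beacon at two-hour intervals slips past a simple hit-count window but is still caught by the regularity check.

```python
# Added example (not from the original article): hunt the sinkhole log for
# internal hosts that keep trying to reach blocked domains. The log format
# and every line in it are constructed for illustration.
import statistics
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed log: ISO timestamp, client IP, queried name, sinkhole action.
# 10.1.2.15 hammers a C&C name every ~30 s (fast beacon), 10.1.2.40 reaches
# out exactly every two hours (slow beacon), 10.1.2.77 is a single policy hit.
SINKHOLE_LOG = """\
2024-03-01T09:00:01 10.1.2.15 c2.botnet.example sinkhole
2024-03-01T09:00:31 10.1.2.15 c2.botnet.example sinkhole
2024-03-01T09:01:02 10.1.2.15 c2.botnet.example sinkhole
2024-03-01T09:01:33 10.1.2.15 c2.botnet.example sinkhole
2024-03-01T09:02:04 10.1.2.15 c2.botnet.example sinkhole
2024-03-01T09:05:00 10.1.2.77 social.example sinkhole
2024-03-01T09:40:00 10.1.2.40 evil.example sinkhole
2024-03-01T11:40:00 10.1.2.40 evil.example sinkhole
2024-03-01T13:40:00 10.1.2.40 evil.example sinkhole
2024-03-01T15:40:00 10.1.2.40 evil.example sinkhole
2024-03-01T17:40:00 10.1.2.40 evil.example sinkhole
"""

Event = Tuple[datetime, str, str]


def parse_log(text: str) -> List[Event]:
    """Parse 'timestamp client qname action' lines, keeping sinkhole hits only."""
    events = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, client, qname, action = line.split()
        if action == "sinkhole":
            events.append((datetime.fromisoformat(ts), client, qname.lower()))
    return events


def _group(events: List[Event]) -> Dict[Tuple[str, str], List[datetime]]:
    """Group hit timestamps by (client, queried name), sorted in time order."""
    by_key: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)
    for ts, client, qname in events:
        by_key[(client, qname)].append(ts)
    for times in by_key.values():
        times.sort()
    return by_key


def burst_hosts(events: List[Event], min_hits: int = 5,
                window: timedelta = timedelta(minutes=10)) -> Dict[str, Dict[str, int]]:
    """Clients that hit the same blocked name at least min_hits times inside any
    sliding window. Catches noisy malware that retries its C&C constantly."""
    flagged: Dict[str, Dict[str, int]] = defaultdict(dict)
    for (client, qname), times in _group(events).items():
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= min_hits:
                flagged[client][qname] = len(times)
                break
    return dict(flagged)


def beacon_hosts(events: List[Event], min_hits: int = 5,
                 max_jitter: float = 0.2) -> Dict[str, Dict[str, Dict[str, float]]]:
    """Clients whose hits on a blocked name are evenly spaced: the ratio of the
    standard deviation to the mean interval is at most max_jitter. Catches
    slow, regular beacons that a burst threshold misses. A one-off click on a
    bad link produces too few hits to qualify."""
    flagged: Dict[str, Dict[str, Dict[str, float]]] = defaultdict(dict)
    for (client, qname), times in _group(events).items():
        if len(times) < min_hits:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter:
            flagged[client][qname] = {"hits": len(times), "mean_interval_s": mean}
    return dict(flagged)


EVENTS = parse_log(SINKHOLE_LOG)

if __name__ == "__main__":
    print("burst:", burst_hosts(EVENTS))
    print("beacon:", beacon_hosts(EVENTS))
```

On the constructed log, `burst_hosts` flags only 10.1.2.15, while `beacon_hosts` flags both 10.1.2.15 and 10.1.2.40; the single policy hit from 10.1.2.77 is reported by neither, which is the behaviour you want before handing a host to incident response. Real malware adds jitter to its beacon interval, so `max_jitter` is a knob to tune against your own data rather than a fixed truth.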
A DNS sinkhole for a single machine can be built with a simple hosts file, but that scales only to a handful of hosts. For a sinkhole to stay effective, its list of malicious domains must be maintained and regularly updated. Ongoing maintenance means reviewing and processing the automated updates from free open source sinkhole lists or paid commercial lists; admins can rely on these lists to decide which hosts or domains to block without having to test each one themselves. Organizations can also add their own closed-source entries for hosts or domains, creating custom lists.
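How the list maintenance above (and the feed-based population mentioned earlier) looks in practice, as an added example that is not code from the original article: two constructed feeds in the formats open source lists commonly use (hosts-file style and one domain per line), a local custom block list, a local allowlist for entries a feed got wrong, and a generator that emits unbound `local-zone`/`local-data` statements pointing blocked names at an assumed sinkhole address (10.10.10.10). The feed contents and domain names are made up; the unbound directives are real, but the rest of the resolver configuration is assumed.

```python
# Added example (not from the original article): build a sinkhole block list
# from feeds in different formats plus local entries, then emit resolver
# configuration. Feed contents, domains, allowlist and sinkhole IP are constructed.
import re
from typing import Iterable, List, Set

SINKHOLE_IP = "10.10.10.10"  # assumed internal sinkhole address

# Constructed feed in hosts-file format (a common open source style).
FEED_HOSTS = """\
# Sample hosts-format feed
0.0.0.0 evil.example
0.0.0.0 Tracker.Example
127.0.0.1 localhost
0.0.0.0 cdn.evil.example
"""

# Constructed feed in plain domain-per-line format, with a bad line mixed in.
FEED_DOMAINS = """\
# Sample domain list
c2.botnet.example
false-positive.example
bad host with spaces
"""

CUSTOM_BLOCK = {"social.example"}         # policy blocks maintained locally
LOCAL_ALLOW = {"false-positive.example"}  # verified-benign names a feed got wrong

# Strict hostname label check: feed content is untrusted input, and a stray
# quote or whitespace must never reach the generated config file.
LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def valid_hostname(name: str) -> bool:
    if not name or len(name) > 253 or "." not in name:
        return False
    return all(LABEL.match(label) for label in name.split("."))


def parse_feed(text: str) -> Set[str]:
    """Accept 'IP domain' hosts lines and bare domains; skip comments,
    localhost entries and anything that is not a well-formed hostname."""
    found = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        hosts_style = len(parts) == 2 and parts[0] in ("0.0.0.0", "127.0.0.1")
        name = (parts[1] if hosts_style else parts[0]).lower().rstrip(".")
        if len(parts) > 2 or name == "localhost" or not valid_hostname(name):
            continue
        found.add(name)
    return found


def build_blocklist(feeds: Iterable[str], custom_block: Iterable[str] = (),
                    allow: Iterable[str] = ()) -> Set[str]:
    """Merge feeds and local entries, remove allowlisted names, and drop
    entries already covered by a blocked parent (a redirect on evil.example
    already covers cdn.evil.example)."""
    merged: Set[str] = set()
    for feed in feeds:
        merged |= parse_feed(feed)
    merged |= {d.lower().rstrip(".") for d in custom_block if valid_hostname(d.lower())}
    merged -= {d.lower().rstrip(".") for d in allow}
    minimal = set()
    for name in merged:
        labels = name.split(".")
        parents = {".".join(labels[i:]) for i in range(1, len(labels))}
        if not parents & merged:
            minimal.add(name)
    return minimal


def to_unbound(blocked: Set[str], sinkhole_ip: str = SINKHOLE_IP) -> List[str]:
    """Emit unbound.conf statements: a 'redirect' local-zone answers the name
    and everything under it with the local-data given for the zone apex."""
    lines = []
    for name in sorted(blocked):
        lines.append(f'local-zone: "{name}." redirect')
        lines.append(f'local-data: "{name}. A {sinkhole_ip}"')
    return lines


if __name__ == "__main__":
    blocklist = build_blocklist([FEED_HOSTS, FEED_DOMAINS], CUSTOM_BLOCK, LOCAL_ALLOW)
    print("\n".join(to_unbound(blocklist)))
```

Write the generated lines to a file that unbound.conf includes, then reload the resolver (for example with `unbound-control reload`) each time the feeds are refreshed. Two points are easy to get wrong: the strict hostname validation is there because a feed is untrusted input that ends up inside a quoted config value, and the allowlist only removes exact names, so a benign subdomain of a blocked parent stays redirected unless you add a more specific zone for it.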
One last note: a DNS sinkhole, and the block list that feeds it, should be isolated from the external network and writable only by the administrators who maintain it. Otherwise attackers may be able to manipulate the entries and use them for malicious purposes. It wouldn't do to have a domain on the block list, only to have the owner of that domain go in and remove it from the list. For the same reason, feed updates should be fetched over an authenticated channel such as HTTPS and validated before they are loaded.
The Automated DNS Sinkhole Breach Detection solution from Evolve provides the latest threat intelligence, allowing organizations to detect and prevent threats, attacks and security breaches. They can seamlessly orchestrate on-demand, high-availability DNS sinkholes that automatically ingest 350+ threat intelligence feeds. Thus they can prevent users from accessing malicious websites, proactively block malware from locating their C&C systems, and ensure that their business remains safe from bad actors.
DNS sinkholes are useful for day-to-day network management, threat analysis and overall security, and as a research tool that improves an organization's ability to react to and prevent attacks. This makes them an important weapon in the cybersecurity war. It's not only important, though; it just makes good sense.