(also sinkhole server, blackhole DNS, internet sinkhole)
DNS sinkhole definition
A DNS (domain name system) sinkhole redirects malicious internet traffic so that security experts can register and analyze it.
DNS sinkholing aims to protect users by blocking DNS requests that are trying to connect to known unwanted or malicious domains and returning a controlled IP address. This IP address points to a DNS sinkhole defined by the administrator.
How DNS sinkholes work
- When a user attempts to access a URL, the query is intercepted and compared to a list of known malicious or unwanted domains.
- If the system recognizes the domain as malicious or unwanted, traffic will not be able to get there, and the user will not be able to access it.
- Instead, the sinkhole will supply a false domain name in response to the DNS query.
- The user will be taken to a URL with a customizable web page. For example, it may include the corporate policy restriction.
- The DNS server can also be programmed to point such requests to the IP address of a logging server, allowing administrators to track systems that attempt to access malicious domains and investigate further.
What DNS sinkholes can be used for
- Controlling malicious traffic across the enterprise level to prevent C&C (command and control) attacks. A C&C attack involves a hacker using a malicious server to control already compromised devices over a network.
- Collecting event logs to enable security analysts to understand and prevent them.