DNS Sinkhole

Domain Name Service (DNS)

On the internet, computers communicate with each other by using numerical identifiers known as IP addresses. For example, the IP address of the ENISA web site is 212.146.105.104. However, human readable addresses are more intuitive and easier to remember, and this is where DNS comes into play.

DNS (Domain Name Service) is a protocol within the TCP/IP protocol suite, which is a set of standards for data exchange. This core service manages a database that maps human readable names (like www.enisa.europa.eu) to IP addresses (like 212.146.105.104). In the real life world one can think of DNS as being a phone book which is used to match human-readable names to numbers that can be understood by telephones.

In a standard home setup, a client usually uses the Internet service provider's (ISP) DNS server, which will be pre-configured on their CPE (Customer-premises equipment). Devices connected to the home router can point to the home router itself as a DNS server, in that case the router will handle the queries by forwarding the DNS requests to the ISP's DNS servers.

Computers cache DNS responses and the DNS request does not occur upon every connection. This approach improves connection speed by skipping the DNS request phase in future repeated connections.

What is a "DNS Sinkhole"?

DNS Sinkholing is a mechanism aimed at protecting users by intercepting DNS request attempting to connect to known malicious or unwanted domains and returning a false, or rather controlled IP address. The controlled IP address points to a sinkhole server defined by the DNS sinkhole administrator.

This technique can be used to prevent hosts from connecting to or communicating with known malicious destinations such as a botnet C&C server (link to Infonote). The Sinkhole server can be used to collect event logs, but in such cases the Sinkhole administrator must ensure that all logging is done within their legal boundaries and that there is no breach of privacy.

Sinkholing can be done at different levels. Both ISPs and Domain Registrars are known to use sinkholes to help protect their clients by diverting requests to malicious or unwanted domain names onto controlled IP addresses. System administrators can also set up an internal DNS sinkhole server within their organisations infrastructure. A user (with administrative privileges) can also modify the host file on their machine and obtain the same result. There are many lists (both open-source and commercial) of known malicious domains that a sinkhole administrator can use to populate the DNS Sinkhole.

Besides preventing malicious connections, Sinkholing can be used to identify compromised hosts by analysing the sinkhole logs and identifying hosts that are trying to connect to known malicious domains. For example if the logs show that one particular machine is continuously attempting to connect to a C&C server, but the request is being redirected because of the sinkhole, then there is a good chance that this particular machine is infected with a bot.

Because of its direct consequences, Sinkholing is usually done in special conditions by trusted third parties with the involvement of law enforcement.