A Domain Name System (DNS) sinkhole is simply a DNS server that gives users false domain names. It is also known as a “sinkhole server,” an “Internet sinkhole,” or a “blackhole DNS.”
The DNS was set up to point users to the correct IP address every time they type a specific domain name into their browsers in hopes of visiting a particular website. When a sinkhole appears after an earthquake, for instance, all of the structures on the ground in it sink. In the same vein, a DNS sinkhole disrupts the intended flow of Internet traffic from a domain name to its correct IP address. As a result, anyone who accesses one gets sent to a different IP address.
Other interesting terms…
Read More about “DNS Sinkhole”
DNS sinkholes can be both good and bad. Cyber attackers can, for instance, use them to point users to their specially crafted malicious sites via DNS-based attacks like DNS hijacking. But law enforcement agents and cybersecurity experts also use DNS sinkholes to point the would-be victims of cyber attacks to web properties that are safe to access instead.
To understand DNS sinkholing better, watch this short video:
DNS Sinkholing: The Bad
It’s typical for threat actors to use DNS sinkholes in attacks. It is, after all, one of the most popular ways to redirect potential victims to malicious websites under their control. A sophisticated phishing campaign could, for instance, begin with DNS sinkholing.
Cyber attackers can modify the DNS record of a target company to point to a malicious IP address instead of the one the domain owner controls. If you want to access amazon[.]com, for example, but threat actors somehow managed to change the IP address in Amazon’s DNS record for the domain from 205[.]251[.]242[.]103 to 185[.]141[.]134[.]48, then all potential shoppers could end up on the malicious website alijahani[.]ir instead.
Here’s a simple diagram of how threat actors use DNS sinkholes:
DNS Sinkholing: The Good
Remember the WannaCry back in 2017? The ransomware attack affected tons of companies worldwide. To address the threat and prevent other companies from getting locked out of their systems, security researcher Marcus Hutchins used the sinkholing technique to curb WannaCry’s further spread.
Here’s a simple diagram showing how DNS sinkholes aid cybersecurity:
Who Can Create a DNS Sinkhole?
DNS sinkholing can be applied by different people.
Internet service providers (ISPs) and domain registrars use sinkholes to protect their clients. They divert requests to access malicious domains to IP addresses they control.
System and network administrators, meanwhile, set up internal DNS sinkhole servers to achieve the same result. They prevent employees from accessing malicious sites by redirecting them to safe ones instead.
Users with administrative privileges can also configure their computers to redirect from malicious to safe sites.
To create a DNS sinkhole server, they can use an open-source or commercial list of known malicious domains to feed the server. The server will use the blocklist, so any time users key a malicious domain into their browser, they won’t end up on a malware- or exploit-laden site that could compromise their systems or network.
Did you know that sinkholing is typically done by security companies, law enforcement agents, and ISPs, either on their own or banded together, to take down botnets or widespread criminal infrastructures? WannaCry was stopped that way, as mentioned earlier. In the case of the Dridex botnet, the U.K. National Cyber Crime Unit (part of the National Crime Agency), the Federal Bureau of Investigation (FBI), the U.S. Department of Justice, and the ShadowServer Foundation worked hand-in-hand to take the operation down on 13 October 2015.
As you’ve seen, like any other technology, a DNS sinkhole can be both a good and a bad thing. It all depends on who’s using it and for what purpose.