For many of us it is very important to be protected against threats from the Web, since, as we always say, security is generally weak in this environment. Today we talk about the DNS sinkhole, a technique in which a DNS server under your control deliberately returns false answers in order to prevent the resolution of specified hostnames. It is implemented by configuring the internal DNS forwarder (or resolver) to answer queries for a given domain with a bogus IP address, typically the address of an internal host that you control, instead of forwarding the query upstream. At the enterprise level a DNS sinkhole can be used to block access to malicious domains: a bogus DNS entry is added for each known-bad domain, and clients that try to reach it are sent to the sinkhole address rather than to the attacker's infrastructure. This adds a second layer of protection alongside the existing controls, although note that it only stops connections that rely on DNS; malware that contacts a hard-coded IP address is not affected.

The same technique can be used to deny access to any website, not only malicious ones. This makes it possible to restrict access to sites that violate corporate policy, including social media, abusive content, and so on. When a user tries to access a sinkholed domain, a custom web page can be displayed instead: the sinkhole IP address points at a local web server that hosts a page explaining the corporate policy restriction.

Some of the most important uses of a DNS sinkhole that should not be overlooked are:

▸Blocking unauthorized downloads

Attackers often compromise a legitimate website and secretly insert a hidden link or script that points at a domain they control, forcing visitors to download and run malicious code without their knowledge (a drive-by download). If that attacker-controlled domain is in the sinkhole, the client cannot resolve it: the request is redirected to the sinkhole address and the download never takes place.

▸Blocking C&C channels

When an infected host tries to connect to a command-and-control (C&C) server whose domain is sinkholed, the query is answered with the sinkhole address and recorded in the sinkhole's logs. Such a log entry is a good indicator that the host is compromised and that the bot is trying to contact its controller to receive further malicious commands, so the sinkhole both cuts the channel and tells you which internal machines need to be investigated.

It is very important that the DNS sinkhole is isolated from the external network: the sinkhole address must not be reachable from the Internet and the sinkholed responses must not be visible outside the organization, so that the attacker cannot learn that their C&C traffic has been mitigated. Otherwise the effect can be reversed: an attacker who can reach or influence the sinkhole can manipulate its entries and use them for malicious purposes, for example to redirect legitimate domains. In addition, sinkhole DNS records must be published with a short time-to-live (TTL); otherwise clients and intermediate caches will keep stale answers for a long time, and an entry that is corrected or removed will keep taking effect until the old record expires.
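The following is an added example, not code from the original article: a minimal DNS sinkhole forwarder written in Python that puts together the three points above (the bogus answer for a specified domain, the short TTL, and the C&C detection from the sinkhole log). It builds and parses DNS messages by hand so it runs offline with no dependencies. The blocklist, the sinkhole address 10.10.10.10, the 60 second TTL and the client addresses are all constructed assumptions for the demonstration; names that are not sinkholed are passed to an optional upstream callable, or answered with SERVFAIL when none is configured.

```python
"""Minimal DNS sinkhole logic (added example; blocklist and addresses are constructed)."""
import struct
from collections import defaultdict

SINKHOLE_IP = "10.10.10.10"   # assumed: internal host serving the policy page
SINKHOLE_TTL = 60             # short TTL so corrected entries do not linger in caches
BLOCKLIST = {"c2.example", "malware-download.example", "socialmedia.example"}  # constructed

QTYPE_A, QCLASS_IN = 1, 1
FLAGS_RESPONSE_OK = 0x8180     # QR=1, RD=1, RA=1, RCODE=0
FLAGS_SERVFAIL = 0x8182        # QR=1, RD=1, RA=1, RCODE=2


def is_sinkholed(name, blocklist=BLOCKLIST):
    """True if name, or any parent domain of it, is on the blocklist."""
    labels = name.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def build_query(name, qid=0x1234):
    """Encode a standard A/IN query for name (used here to construct sample input)."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def parse_query(packet):
    """Return (qid, name, qtype, qclass, raw question section) from a DNS message."""
    qid = struct.unpack("!H", packet[:2])[0]
    pos, labels = 12, []
    while True:
        n = packet[pos]
        pos += 1
        if n == 0:
            break
        labels.append(packet[pos:pos + n].decode())
        pos += n
    qtype, qclass = struct.unpack("!HH", packet[pos:pos + 4])
    return qid, ".".join(labels), qtype, qclass, packet[12:pos + 4]


def build_sinkhole_response(qid, question, ttl=SINKHOLE_TTL, ip=SINKHOLE_IP):
    """Answer the echoed question with a single A record pointing at the sinkhole."""
    header = struct.pack("!HHHHHH", qid, FLAGS_RESPONSE_OK, 1, 1, 0, 0)
    rdata = bytes(int(o) for o in ip.split("."))
    # 0xC00C is a compression pointer back to the name in the question section
    answer = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, ttl, 4) + rdata
    return header + question + answer


def decode_answer(response):
    """Return (ip, ttl) of the first A record in a response built above."""
    _, _, _, _, question = parse_query(response)
    off = 12 + len(question) + 2            # skip header, question, name pointer
    _, _, ttl, rdlen = struct.unpack("!HHIH", response[off:off + 10])
    ip = ".".join(str(b) for b in response[off + 10:off + 10 + rdlen])
    return ip, ttl


class Sinkhole:
    def __init__(self, blocklist=BLOCKLIST, upstream=None):
        self.blocklist = blocklist
        self.upstream = upstream            # callable(packet) -> response, or None
        self.hits = defaultdict(list)       # sinkhole log: source -> queried names

    def handle(self, packet, source):
        qid, name, qtype, qclass, question = parse_query(packet)
        if qtype == QTYPE_A and qclass == QCLASS_IN and is_sinkholed(name, self.blocklist):
            self.hits[source].append(name)  # a hit is an indicator of compromise
            return build_sinkhole_response(qid, question)
        if self.upstream is not None:
            return self.upstream(packet)
        return struct.pack("!HHHHHH", qid, FLAGS_SERVFAIL, 1, 0, 0, 0) + question

    def suspected_infections(self):
        """Hosts that asked for sinkholed names, with the names they asked for."""
        return {src: sorted(set(names)) for src, names in self.hits.items()}


if __name__ == "__main__":
    sh = Sinkhole()
    for src, name in [("192.0.2.10", "evil.c2.example"), ("192.0.2.11", "example.org")]:
        resp = sh.handle(build_query(name), src)
        print(name, "->", decode_answer(resp) if resp[3] & 0x0F == 0 else "SERVFAIL")
    print("suspected infections:", sh.suspected_infections())
```

Note that `is_sinkholed` matches a blocklisted domain and all of its subdomains, but not a domain that merely ends with the same labels (`c2.example.com` is not blocked by the entry `c2.example`), which is the behaviour you want to avoid accidental collateral blocking. In production you would wire `Sinkhole.handle` to a UDP socket and point `upstream` at your real forwarder; the `hits` dictionary is the data you would ship to the SIEM.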

See also:
DNS Tunneling – A Data Encoder Attack Method
DNS Poisoning – A Real Danger for DNS Servers
