DNS sinkholing (also called black hole DNS) is a technique for identifying infected hosts on a network when potentially malicious DNS traffic appears in the firewall logs. In a typical setup, internal hosts send their DNS queries to the organization's DNS server, which forwards them to a public resolver; the firewall therefore logs only the IP address of the organization's DNS server, not the host that originated the query. Sinkholing answers the malicious query with a pre-configured benign IP address (a dead end) instead of the real one. When the infected host then tries to connect to that address, the connection attempt shows up in the firewall logs with the host's own IP, which pinpoints it.

For example, suppose an organization's network monitoring server is infected with the SUNBURST backdoor. The command-and-control (C2) domain used by SUNBURST is avsvmcloud[.]com; the malware queried names beneath that domain, so the sinkhole entry should cover the domain and its subdomains. When the firewall sees the internal DNS server ask a public DNS server for that domain, it rewrites the DNS response so that the answer is a pre-configured sinkhole IP address. The compromised server then tries to connect to the sinkhole address, which goes nowhere. Because no legitimate traffic is ever destined for the sinkhole address, a rule in the firewall or SIEM that alerts on any connection attempt to it tells the security team a device is infected. The offending server is easy to identify: it is the device that tries to reach the sinkhole shortly after the malicious DNS request was logged. Without sinkholing, the firewall logs would show only the DNS server's outbound query, and there would be no way to tell which device made it.
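The correlation described above, as an added example that is not part of the original post: a small Python script that reads constructed firewall log lines, picks out the internal DNS server's forwarded queries for the sinkholed domain (matching the apex and any subdomain), and reports every host that connects to the sinkhole address, attaching the most recent sinkholed query seen within a time window. The log format, the sinkhole address (10.255.255.254), the internal DNS server address (10.0.0.53), the upstream resolver (192.0.2.53) and all host names in the sample are assumptions made up for this illustration; only the avsvmcloud[.]com domain comes from the post.

```python
# Added example (not from the original post): correlate firewall log entries to
# pinpoint the host behind a sinkholed DNS query. Log format, addresses and the
# sample log below are constructed for illustration.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

SINKHOLE_IP = "10.255.255.254"          # assumed sinkhole address: unused and non-routable on this network
INTERNAL_DNS = "10.0.0.53"              # assumed address of the organization's DNS server
SINKHOLE_DOMAINS = {"avsvmcloud.com"}   # C2 apex from the post; matched as the apex or any subdomain

# Constructed firewall traffic log: ts,src,dst,dport,proto,qname (qname only for DNS queries).
# Internal-to-internal traffic (hosts asking the internal DNS server) never crosses the
# firewall, so only the DNS server's outbound query to the public resolver is logged.
SAMPLE_LOG = """\
2020-12-14T09:00:01Z,10.0.0.53,192.0.2.53,53,udp,www.example.com
2020-12-14T09:00:02Z,10.0.0.53,192.0.2.53,53,udp,2fj8k3x9.appsync-api.eu-west-1.avsvmcloud.com
2020-12-14T09:00:04Z,10.0.0.50,10.255.255.254,443,tcp,
2020-12-14T09:00:05Z,10.0.0.77,203.0.113.10,443,tcp,
2020-12-14T09:12:30Z,10.0.0.20,10.255.255.254,443,tcp,
"""


@dataclass
class Event:
    ts: datetime
    src: str
    dst: str
    dport: int
    proto: str
    qname: Optional[str]   # queried name for DNS events, None otherwise


def parse_log(text: str) -> List[Event]:
    """Parse the constructed CSV-style log into Event records."""
    events = []
    for line in text.strip().splitlines():
        ts, src, dst, dport, proto, qname = line.split(",")
        events.append(Event(
            ts=datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            src=src, dst=dst, dport=int(dport), proto=proto,
            qname=qname.rstrip(".").lower() or None,
        ))
    return events


def is_sinkholed(qname: str) -> bool:
    """True if qname is a sinkholed apex or any label beneath it (not a mere suffix match)."""
    name = qname.rstrip(".").lower()
    return any(name == d or name.endswith("." + d) for d in SINKHOLE_DOMAINS)


def find_sinkhole_hits(events: List[Event],
                       window: timedelta = timedelta(seconds=60)) -> List[Tuple[str, Optional[str]]]:
    """Return one (host, correlated_qname) alert per connection to the sinkhole IP.

    correlated_qname is the most recent sinkholed query the internal DNS server
    forwarded within `window` before the connection, or None when no such query is
    visible (for example, the resolver answered from cache). Every hit on the sinkhole
    address is reported regardless, because nothing legitimate should ever go there.
    """
    recent_queries: List[Tuple[datetime, str]] = []
    alerts: List[Tuple[str, Optional[str]]] = []
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.src == INTERNAL_DNS and e.dport == 53 and e.qname and is_sinkholed(e.qname):
            recent_queries.append((e.ts, e.qname))
        elif e.dst == SINKHOLE_IP:
            matched = None
            for ts, qname in reversed(recent_queries):
                if e.ts - ts <= window:
                    matched = qname
                    break
            alerts.append((e.src, matched))
    return alerts


if __name__ == "__main__":
    for host, qname in find_sinkhole_hits(parse_log(SAMPLE_LOG)):
        print(f"ALERT {host} reached sinkhole {SINKHOLE_IP}; "
              f"correlated query: {qname or 'none within window'}")
```

Run as written, the script flags 10.0.0.50 as the host that contacted the sinkhole two seconds after the DNS server forwarded the avsvmcloud[.]com query, and still flags 10.0.0.20, whose later connection has no visible query to correlate with. That second case is why the alert should fire on any traffic to the sinkhole address rather than only on a query-plus-connection pair.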

Sinkholing is a relatively easy and low-cost (often no additional cost) way to strengthen an organization's defenses. Pre-made lists of domains to sinkhole and subscription threat data feeds are available, and you can always add your own custom list of domains. Choose a sinkhole address that nothing on your network legitimately uses, such as an unused non-routable address, so that every connection attempt to it stands out in the logs and can be blocked. Palo Alto Networks publishes instructions for setting up DNS sinkholing on its firewalls. Overall, DNS sinkholing is an important security technique that helps organizations protect their networks and devices from malicious actors.

Does your organization struggle to identify malicious traffic and infected devices? Oviedo Networks can help with expert threat detection consulting services and threat data feeds. Contact us to learn how we can help build a stronger cyber defense for your organization.