What Is a DNS Sinkhole?
- Nov 07, 2023
People click links without a second thought these days, and criminals take advantage of that by spreading an enormous number of malicious URLs. A bad link can download malware to your device or lead to a spoofed website that tricks you into handing over sensitive information.
This is an obvious threat to any organization whose success depends on keeping its data secure. DNS sinkholes are one way to cut off malicious domains at the network's name-resolution layer, protecting every device that uses the network's resolver rather than relying on controls installed on each individual endpoint.
What Is DNS?
Humans aren't good at memorizing strings of numbers, but we remember names and phrases easily. That's why websites are reached as "Google.com" or "TikTok.com" rather than as "192.0.2.10" or "2001:db8::10" (the addresses used as examples here are reserved for documentation).
DNS, short for Domain Name System, is the protocol that translates the domain name you see in the address bar into the IP address that machines actually use to route traffic.
How Does DNS Work?
Every device connected to the internet is assigned a number known as an IP address. These aren't restricted to smartphones and computers; routers, servers, and the hosts behind websites all have IP addresses that identify them on the network.
DNS services, like OpenDNS or Amazon Route 53, act like an address book that tells everyone which name maps to which IP address. When you type a domain name like "InfoPay.com" into the address bar, your device sends a DNS query to its configured resolver asking for the address that matches that name.
There are two types of DNS servers: authoritative and recursive. Authoritative servers hold the official records for a domain, published by whoever controls it. They are the source of truth for that zone, which is why a domain owner's choice of authoritative provider (Route 53 is one example) matters.
Recursive resolvers are the servers your devices actually talk to, and they are the default for most users because an ISP, an employer, or a public provider such as OpenDNS supplies one. A recursive resolver acts as a middleman: it walks the DNS hierarchy (root servers, then the top-level domain, then the domain's authoritative servers), returns the answer, and caches it temporarily so the next query is faster. This is the step where a DNS sinkhole is usually placed.
What Is a DNS Sinkhole?
A DNS sinkhole is sometimes called a black hole DNS. Put shortly, it is a DNS server that deliberately returns a false answer for specific domain names.
Lying in the answer means the requesting device is pointed at an address the administrator controls rather than at the potentially malicious host.
The network administrator configures the resolver or DNS forwarder to match incoming queries against a list of known-bad domains. For a match, instead of looking up the real address, it returns a harmless one: a non-routable address such as 0.0.0.0, an NXDOMAIN ("no such domain") response, or the address of an internal sinkhole server that logs which machine tried to connect. The sinkhole can sit anywhere in the lookup chain that queries pass through (a local forwarder, the enterprise resolver, or a cloud DNS service) and can even apply different policies to different clients or groups.
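The decision a sinkholing resolver makes for each query, as an added example (this is illustration code written for this article, not part of the original page or of any DNS product). It assumes a hypothetical internal sinkhole host at 10.0.0.53, and the blocklist and allowlist entries and client address are constructed. Two details matter in practice and are shown here: matching on whole DNS labels so that an entry for evil.example covers its subdomains but not notevil.example, and letting the most specific entry win so a known-good subdomain can be carved out of a blocked zone.

```python
"""Query-time decision logic of a DNS sinkhole.

Added example, not code from the original article. The blocklist and
allowlist entries, the client addresses and the sinkhole address
10.0.0.53 are constructed for illustration; a real deployment takes them
from threat-intelligence feeds and its own addressing plan.
"""
from dataclasses import dataclass
from typing import Iterable, Iterator, List, Optional, Tuple

# Address of an internal host that accepts the redirected connections and
# logs them (constructed). Returning 0.0.0.0 or NXDOMAIN instead would
# block without giving you a connection log.
SINKHOLE_IP = "10.0.0.53"


def normalize(name: str) -> str:
    """Canonical form for comparisons: lower-case, no surrounding space,
    no trailing root dot, so 'Evil.Example.' and 'evil.example' match."""
    return name.strip().lower().rstrip(".")


def parent_zones(name: str) -> Iterator[str]:
    """Yield the name and then each enclosing zone, most specific first:
    'a.b.evil.example' -> 'a.b.evil.example', 'b.evil.example',
    'evil.example', 'example'. Matching on whole labels means an entry for
    'evil.example' covers its subdomains but NOT 'notevil.example', which a
    naive str.endswith() check would wrongly block."""
    labels = name.split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])


@dataclass(frozen=True)
class Answer:
    qname: str
    action: str              # "forward", "sinkhole" or "nxdomain"
    address: Optional[str]   # A record handed to the client, if any
    matched: Optional[str]   # list entry that decided the outcome


class Sinkhole:
    """Decides, per query, whether to forward upstream or answer falsely."""

    def __init__(self, blocklist: Iterable[str], allowlist: Iterable[str] = (),
                 mode: str = "sinkhole") -> None:
        if mode not in ("sinkhole", "nxdomain"):
            raise ValueError("mode must be 'sinkhole' or 'nxdomain'")
        self.blocked = {normalize(d) for d in blocklist}
        self.allowed = {normalize(d) for d in allowlist}
        self.mode = mode
        self.log: List[Tuple[str, Answer]] = []   # (client, answer) for later analysis

    def resolve(self, qname: str, client_ip: str) -> Answer:
        name = normalize(qname)
        # Most specific match wins, so an allowlisted subdomain can be carved
        # out of a blocked parent zone and vice versa.
        for zone in parent_zones(name):
            if zone in self.allowed:
                answer = Answer(name, "forward", None, zone)
                break
            if zone in self.blocked:
                if self.mode == "sinkhole":
                    answer = Answer(name, "sinkhole", SINKHOLE_IP, zone)
                else:
                    answer = Answer(name, "nxdomain", None, zone)
                break
        else:
            # No list entry applies: hand the query to the upstream resolver.
            answer = Answer(name, "forward", None, None)
        self.log.append((client_ip, answer))
        return answer


if __name__ == "__main__":
    sinkhole = Sinkhole(blocklist=["evil.example", "Phish.Example."],
                        allowlist=["cdn.evil.example"])
    for q in ["WWW.Evil.Example.", "cdn.evil.example", "notevil.example",
              "login.phish.example", "www.good.example"]:
        a = sinkhole.resolve(q, "192.0.2.10")
        print(f"{q:24} -> {a.action:8} {a.address or '-':10} via {a.matched}")
```

The `log` list is what the later section on security research mines: every redirected query is recorded with the client that sent it, which is the information you lose if you simply drop the query.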
The role DNS sinkholes play is hard to overstate. Many successful malware infections begin with human error rather than a technical bypass of security controls. Phishing emails carry links that download malware or lead to fake login pages when clicked. Cybercriminals often target rank-and-file employees, and it only takes one inattentive person to compromise a network.
A DNS sinkhole intercepts the lookup for the attacker's domain, so the employee's browser never reaches the server the criminal wants them to land on. In these scenarios, sinkholes are a defense against the human errors that cost businesses billions each year.
Limitations of a DNS Sinkhole
A DNS sinkhole is effective at stopping people from reaching known malicious domains, but it's not a complete security control on its own. Sinkholes work by comparing DNS queries against a constantly updated list of suspicious domains and other indicators of compromise, so they are only as good as that list.
Sometimes the sinkhole marks a legitimate domain as malicious, for example because it shares hosting with a bad one or because a feed entry is over-broad. These false positives disrupt people's work and generate support tickets.
The list of problematic domains can come from many places, and the quality of the feed your sinkhole uses largely decides how effective it is. Some administrators build their own list by combining results from multiple sources. That approach catches more, but it also produces more false positives and requires constant curation: allowlisting business-critical domains, removing stale entries, and normalizing duplicates.
Any list also lags behind the attackers. Cybercriminals aren't recycling the same 100 websites; they register fresh domains constantly, and a brand-new phishing domain may not appear on any list until after it has already been used.
Administrators shouldn't think of a sinkhole as a way to prevent malware from being installed or to remove it once it's there. It's a tool that stops devices from resolving the names of dangerous hosts. That's a subtle but important distinction: malware that arrives on a USB stick, that is already installed, or that contacts its command-and-control server by a hard-coded IP address never performs a DNS lookup the sinkhole can intercept, so other defenses are still needed.
Additionally, a sinkhole only sees the queries that actually pass through it. If a device or a piece of malware is configured to use a different resolver (a public DNS server hard-coded in the malware, or a browser's own encrypted DNS setting), the query bypasses the sinkhole entirely. This is a real limitation, but the plain-DNS case is straightforward to address: configure the firewall to block outbound traffic on the DNS ports (53, and 853 for DNS over TLS) from everything except your internal resolver, so clients have no choice but to use it. DNS over HTTPS is harder, because it blends in with ordinary web traffic on port 443 and needs additional controls such as blocking known resolver endpoints or disabling the feature through browser policy.
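A check that goes with that firewall rule, as an added example (written for this article, not taken from the original page or from any product): scan outbound connection records for clients talking DNS to anything other than the approved internal resolver. The flow records, the approved resolver address 10.0.0.2 and the client addresses are constructed; in practice the records would come from firewall or NetFlow logs. Port 443 is deliberately left alone to make the DNS-over-HTTPS limitation concrete.

```python
"""Spotting clients that bypass the sinkholing resolver.

Added example, not from the original article. The flow records, the
approved resolver address 10.0.0.2 and the client addresses are
constructed for illustration; in practice the records come from firewall
or NetFlow logs.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, NamedTuple, Set


class Flow(NamedTuple):
    client: str
    dst: str
    proto: str   # "udp" or "tcp"
    dport: int


# The only resolver clients are supposed to use (constructed).
APPROVED_RESOLVERS: Set[str] = {"10.0.0.2"}

# Constructed sample of outbound connections seen at the perimeter.
SAMPLE_FLOWS = [
    Flow("192.0.2.10", "10.0.0.2", "udp", 53),        # normal: internal resolver
    Flow("192.0.2.11", "203.0.113.5", "udp", 53),     # bypass: public resolver
    Flow("192.0.2.11", "203.0.113.5", "tcp", 53),     # same client, TCP fallback
    Flow("192.0.2.12", "198.51.100.7", "tcp", 853),   # DNS over TLS: encrypted, skips sinkhole
    Flow("192.0.2.13", "198.51.100.9", "tcp", 443),   # might be DNS over HTTPS; port alone cannot tell
]


@dataclass
class Finding:
    resolvers: Set[str] = field(default_factory=set)   # external resolvers contacted
    reasons: Set[str] = field(default_factory=set)
    flows: int = 0


def classify(flow: Flow, approved: Set[str] = APPROVED_RESOLVERS) -> str:
    """Return a reason if the flow is DNS that escapes the sinkhole, else ''."""
    if flow.dport == 53 and flow.dst not in approved:
        return "plain DNS to an unapproved resolver"
    if flow.dport == 853 and flow.dst not in approved:
        return "DNS over TLS to an external resolver"
    # Port 443 is not flagged: DNS over HTTPS is indistinguishable from
    # ordinary HTTPS by port, so it needs resolver-endpoint lists or policy.
    return ""


def bypass_report(flows: Iterable[Flow],
                  approved: Set[str] = APPROVED_RESOLVERS) -> Dict[str, Finding]:
    """Group escaping DNS flows by client so each offender is one line of follow-up."""
    report: Dict[str, Finding] = {}
    for f in flows:
        reason = classify(f, approved)
        if not reason:
            continue
        finding = report.setdefault(f.client, Finding())
        finding.resolvers.add(f.dst)
        finding.reasons.add(reason)
        finding.flows += 1
    return report


def clients_bypassing(flows: Iterable[Flow],
                      approved: Set[str] = APPROVED_RESOLVERS) -> List[str]:
    return sorted(bypass_report(flows, approved))


if __name__ == "__main__":
    for client, finding in bypass_report(SAMPLE_FLOWS).items():
        print(client, finding.flows, sorted(finding.resolvers), sorted(finding.reasons))
```

Running this over real perimeter logs before enabling the block rule tells you which machines will break when outbound port 53 is closed, which is usually a short list of misconfigured devices plus anything worth a closer look.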
The Sinkhole that Stopped WannaCry
The 2017 WannaCry ransomware shook businesses and governments on a global scale. It shut down hospitals and large corporations alike and hit more than 200,000 computers.
Luckily, security researcher Marcus Hutchins (who was on vacation at the time) noticed an unregistered domain in the malware's code. He registered "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com" for a paltry $10 and pointed it at a sinkhole server, which froze the spread of the encryption payload.
WannaCry contacted this domain as a check, most likely to detect whether it was running inside an analysis sandbox, where bogus domains typically resolve and connections succeed. If the connection succeeded, the program stopped rather than going on to encrypt. By registering the domain and answering every request, Hutchins made that check succeed on every newly infected machine that could reach his server, turning the attacker's own kill switch against the attack. Machines that had already been encrypted got no relief, but the sinkhole's logs gave researchers a live view of new infections.
Using a DNS Sinkhole for Security Research
DNS sinkholes are an excellent preventive measure, but they also feed an organization's broader detection work. A sinkhole produces a log of every query it redirected, and analysts can mine those logs to find problems and build better defenses.
For example, if a device repeatedly tries to reach several different blocked domains, that's a strong sign the machine is already infected and the malware is trying to call home. The set of blocked domains is right there in the sinkhole's logs and can be used to identify other potentially compromised devices.
If another machine is being blocked from some of the same domains, there's a good chance it carries the same malicious program. From this point, it's possible to trace the attacker's point of entry and adjust the security infrastructure to prevent it in the future.
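The triage described above, as an added example (written for this article, not code from the original page or from any resolver): parse sinkhole log lines, flag clients that hit several distinct blocked zones, and find other clients sharing those zones. The log format and every line in it are constructed; real resolvers log differently and you would adapt the regular expression. Correlation is done on the blocklist entry that matched rather than on the full query name, because command-and-control traffic often varies the subdomain while the parent zone stays the same.

```python
"""Mining sinkhole logs for already-infected machines.

Added example, not from the original article. SAMPLE_LOG is constructed
data in a format assumed for this example; adjust LINE_RE to your
resolver's actual log format.
"""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set

SAMPLE_LOG = """\
2023-11-07T09:14:02Z client=192.0.2.10 qname=www.example.org action=forward matched=-
2023-11-07T09:14:05Z client=192.0.2.10 qname=c2-a.evil.example action=sinkhole matched=evil.example
2023-11-07T09:14:06Z client=192.0.2.10 qname=c2-b.evil.example action=sinkhole matched=evil.example
2023-11-07T09:15:01Z client=192.0.2.10 qname=update.badcdn.example action=sinkhole matched=badcdn.example
2023-11-07T09:15:30Z client=192.0.2.10 qname=drop.malhost.example action=sinkhole matched=malhost.example
2023-11-07T09:16:12Z client=192.0.2.11 qname=c2-a.evil.example action=sinkhole matched=evil.example
2023-11-07T09:16:13Z client=192.0.2.11 qname=update.badcdn.example action=sinkhole matched=badcdn.example
2023-11-07T09:16:40Z client=192.0.2.11 qname=drop.malhost.example action=sinkhole matched=malhost.example
2023-11-07T09:20:00Z client=192.0.2.12 qname=login.phish.example action=sinkhole matched=phish.example
2023-11-07T09:21:00Z client=192.0.2.12 qname=www.example.com action=forward matched=-
2023-11-07T09:22:00Z client=192.0.2.13 qname=www.example.net action=forward matched=-
"""


class Record(NamedTuple):
    ts: str
    client: str
    qname: str
    action: str
    matched: str   # blocklist entry that fired, or "-"


LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) qname=(?P<qname>\S+) "
    r"action=(?P<action>\S+) matched=(?P<matched>\S+)$"
)


def parse_log(text: str) -> List[Record]:
    """Parse well-formed lines; silently skip anything that does not match."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append(Record(**m.groupdict()))
    return records


def blocked_zones_by_client(records: List[Record]) -> Dict[str, Set[str]]:
    """Map each client to the set of blocklist zones it was sinkholed on.
    Keyed on the matched zone, not the full qname, so c2-a and c2-b under
    the same zone count as one indicator."""
    out: Dict[str, Set[str]] = defaultdict(set)
    for r in records:
        if r.action == "sinkhole":
            out[r.client].add(r.matched)
    return dict(out)


def suspect_clients(records: List[Record], min_distinct: int = 3) -> List[str]:
    """Clients blocked on at least min_distinct different zones. One hit is
    usually a clicked phishing link; several zones in a short window looks
    like installed malware beaconing to its infrastructure."""
    by_client = blocked_zones_by_client(records)
    return sorted(c for c, zones in by_client.items() if len(zones) >= min_distinct)


def correlate(records: List[Record], seed_client: str,
              min_shared: int = 2) -> Dict[str, Set[str]]:
    """Other clients sharing at least min_shared blocked zones with the seed,
    returned with the shared zones so an analyst can see why they matched."""
    by_client = blocked_zones_by_client(records)
    seed_zones = by_client.get(seed_client, set())
    related: Dict[str, Set[str]] = {}
    for client, zones in by_client.items():
        if client == seed_client:
            continue
        shared = zones & seed_zones
        if len(shared) >= min_shared:
            related[client] = shared
    return related


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for suspect in suspect_clients(recs):
        print(suspect, "shares indicators with", correlate(recs, suspect))
```

In the constructed data, 192.0.2.12 triggered a single sinkhole hit from a phishing link and is not flagged, while 192.0.2.10 and 192.0.2.11 hit the same three zones and surface as a likely shared infection.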
Choices for Implementing a DNS Sinkhole
Administrators have three options for adding a DNS sinkhole to their request chains.
- Trusting a third-party service as a DNS forwarder
- Setting up and configuring a private DNS server
- Using a firewall with a sinkhole feature
The easiest method is subscribing to a third-party DNS service with sinkhole capabilities. Administrators give up some customization, but it takes the least time to get set up and protected. Maintenance overhead is minimal, and you don't have to curate your own list of dangerous domains.
However, if control is vital to your operations, running your own DNS server is a sound choice. Someone knowledgeable must be ready to tune the blocklist, handle false positives, and analyze the logs for security research.
Rather than integrating a new service, you may be able to get a similar effect from your existing firewall, many of which can intercept DNS queries and redirect a configured set of domains. You can lean on the firewall vendor's support to troubleshoot problems. The trade-off is that the sinkhole only protects traffic that passes through that firewall and shares its fate: if the firewall goes down, the sinkhole goes down with it, whereas a separate resolver-based service is an independent layer of defense.
Protect Your Information with DNS Sinkholes
DNS sinkholes are a reliable defense against human error and the malware infections that follow it. Through DNS sinkholes, administrators can put barriers in place ahead of time to block dangerous traffic.
Not only do they play a pre-emptive role, but sinkholes can also reveal network-wide threats when their logs are analyzed correctly. These tools have far more utility than appears on the surface, and understanding them fully is essential to strengthening security. The same is true of every defensive feature.
Our team at IDStrong is always ready to help you learn more about getting the most out of your existing cybersecurity framework. From firewalls and AI-based detection to employee training, we have content that can help you take every one of them to the next level!