DNS sinkhole

A DNS sinkhole, also known as a sinkhole server, Internet sinkhole, or Blackhole DNS^[1] is a Domain Name System (DNS) server that has been configured to hand out non-routable addresses for a certain set of domain names. Computers that use the sinkhole fail to access the real site.^[2] The higher up the DNS resolution chain the sinkhole is, the more requests will fail, because of the greater number of lower nameservers that in turn serve a greater number of clients. Some of the larger botnets have been made unusable by top-level domain sinkholes that span the entire Internet.^[3] DNS Sinkholes are effective at detecting and blocking bots and other malicious traffic.

By default, the local hosts file on a computer is checked before DNS servers, and can be used to block sites in the same way.

Applications

Sinkholes can be used both constructively, to contain threats such as WannaCry^[4] and Avalanche,^[5][6] and destructively, for example disrupting DNS services in a DoS attack.^{[clarification needed]}

DNS sinkholing can be used to protect users by intercepting DNS request attempting to connect to known malicious domains and instead returning an IP address of a sinkhole server defined by the DNS sinkhole administrator.^[7] One example of blocking malicious domains is to stop botnets, by interrupting the DNS names the botnet is programmed to use for coordination.^[8] Another use is to block ad serving sites, either using a hosts file-based sinkhole^[9] or by locally running a DNS server (e.g., using a Pi-hole). Local DNS servers effectively block ads for all devices on the network.^[10]

References

1. kevross33, pfsense.org (November 22, 2011). "BlackholeDNS: Anyone tried it with pfsense?". Retrieved October 12, 2012.^{[permanent dead link]}
2. Kelly Jackson Higgins, sans.org (October 2, 2012). "DNS Sinkhole - SANS Institute". Retrieved October 12, 2012.
3. Kelly Jackson Higgins, darkreading.com (October 2, 2012). "Microsoft Hands Off Nitol Botnet Sinkhole Operation To Chinese CERT". Retrieved September 2, 2015.
4. Hay Newman, Lily (2017-05-13). "The WannaCry Ransomware 'Kill Switch' That Saved Untold PCs From Harm". Wired. Archived from the original on 2022-06-27. Retrieved 2022-08-19.
5. Symantec Security Response (December 1, 2016). "Avalanche malware network hit with law enforcement takedown". Symantec Connect. Symantec. Retrieved December 3, 2016.
6. Europol (December 1, 2016). "'Avalanche' network dismantled in international cyber operation". europol.europa.eu. Europol. Retrieved December 3, 2016.
7. "DNS Sinkhole". ENISA. Retrieved 2022-08-19.
8. Hay Newman, Lily (2018-01-02). "Hacker Lexicon: What Is Sinkholing?". Wired. Retrieved 2022-08-19.
9. Dan Pollock, someonewhocares.org (October 11, 2012). "How to make the Internet not suck (as much)". Retrieved October 12, 2012.
10. "Turn A Raspberry Pi Into An Ad Blocker With A Single Command". Lifehacker Australia. 2015-02-17. Retrieved 2018-05-06.