In this post I will talk about DNS Sinkholing, what it is and how it can help you identify potentially infected machines. Useful in the fight against malware such as viruses, Ransomware and Crypto Jacking!
What is DNS?
Domain Name System – in very basic terms, the internet (and local networks) are all routed by IP Address. These IP addresses appear (in the case of IPv4) as 32bit, 4 octet addresses, such as “220.127.116.11” (Google DNS Server). What DNS allows you as a user to do, is remember a simple domain, such as synack.co.uk – your PC will then send a DNS request to your assigned DNS server saying “What IP belongs to synack.co.uk” known as a forward DNS request. Your DNS server responds with the appropriate IP and your PC then makes a request to that IP address.
What is a DNS Sinkhole?
This is where a device, usually a firewall, will provide a false response to your DNS request to prevent you from making a request to the genuine IP and sending you to an IP chosen by whomever configured the firewall. In the case of the firewall providing the sinkhole address, this is usually when your internal DNS server makes a request externally for a domain it doesn’t know – the firewall would inspect this traffic, intercept it and provide the sinkhole address in a response.
Why would I want this to happen?
There are a lot of organisations who spend a lot of time trying to identify domains that are used for malicious intent. There are also some organisations that make this list public, which can be sync’d to your firewall. Often firewall vendors will maintain their own lists which are then sync’d automatically. When DNS requests for these domains are detected, you can prevent the user from accessing this by forwarding them to a false IP address, thus protecting them from the potentially malicious content.
Why not just block the DNS reqeust?
Visibility. When you block a DNS request from the DNS Server itself on the firewall, you are unable to see the original source of that request – as only the internal DNS server should be making requests externally. What the DNS Sinkhole allows you to do is see what devices are attempting to connect to this false IP address following the DNS request.
How does this help detect infected machines?
A request to a potentially malicious IP address isn’t confirmation of infection – it’s more of an indicator. It could simply be a reference within a web page such as an advertisement – or the domain may falsely be categorised as malicious. To understand why this helps, you’ll need to understand how some malware works. They will often try to call back to either request a payload or transfer data to a central server(s). Seeing these connection attempts should make you raise an eyebrow and be a cause for further investigation – which should allow you to identify whether a machine has been infected more quickly.
If you are familiar with and have a SIEM solution installed within your environment – often these can be sync’d with the malicious hostname lists to detect connection attempts – this is reliant on receiving appropriate logs from your DNS Server(s) and/or firewalls.
You should ensure the sinkhole address you’re using will not route your users to a genuine external service. If you want the firewall to log the connection attempts, you’ll need to make sure it is routed by the firewall – or you could look in to a honeypot type system where the IP is owned by a honeypot on your network that will alert you to any connection attempts.
Thanks for reading.