The client is unable to contact the malicious site and the command and control connection with the botnet is never established.
Instead, it is sent to the sinkhole which in turn responds with an IP of the local host, forcing the client to connect to itself instead of the malicious IP. But the request is not passed to the malicious URL. With the basic sinkhole functionality, the malware on the infected machine attempts to initiate a connection to a system hosted on a URL with a known malicious domain configured in the DNS sinkhole.
Instead, the DNS sinkhole intercepts the DNS request and responds with an authoritative answer configured by the organization. It doesn’t allow the domain to be resolved by the domain’s authoritative owner. The DNS sinkhole bypasses the DNS request and provides the response that is configured by the DNS sinkhole administrator. The figure illustrates the DNS flows that occur when an attacker compromises a user and this infected user tries to contact a botnet. This request resolution can be handled on a client basis and can handle an ongoing process. The DNS can be used to route the data and can send a diverted request to the server-side. A hierarchical DNS can solve queries in a manner that is capable of resolving the functionality of a system. This DNS resolution is capable of resolving data from queries. The client-server using a DNS mechanism goes around matching the domain names with that of the IP address. This is represented in a string of labels listed from right to left and separated by dots. The domain name of the node is the concatenation of all the labels on the path from the node to the root node. The data stored in the DNS is identified by domain names that are organized as a tree according to organizational or administrative boundaries. Users look up information in the DNS by referencing a resolver library, which sends queries to multiple name servers and also acts as a responder. DNS is a hierarchical distributed database that contains information mapping internet hostnames to IP addresses and vice-versa.
This protocol has a wide variety of applications that has to be passed through the interface that can be interfered with. A DNS server or name server manages a massive database that maps domain names to IP addresses. A DNS service is used for routing the domain name of sites with their IP address. What is DNS?ĭNS is a protocol within the set of standards for how computers exchange data on the internet and many private networks, known as the TCP/IP protocol suite. Sinkholes are most often used to seize control of botnets by interrupting the DNS names of the botnet that is used by the malware. A sinkhole is a way of redirecting malicious internet traffic so that it can be captured and analyzed by security analysts. These malicious URLs can be gathered from already known C&C servers, through the malware analysis process or open-source sites that are providing malicious IP details.ĭNS sinkholing is used to provide wrong DNS resolution and alternate the path of the users to different resources instead of the malicious or non-accessible content. The sinkhole can be used to change the flow to malicious URLs by entering the fake entry in the DNS. This web page can be created with information detailing the corporate policy restriction and can be hosted on a local server.Ī DNS sinkhole can be used to control the C&C traffic and other malicious traffic across the enterprise level. When a user tries to access a sinkholed URL, a customized web page can be shown. This can be used to restrict access to specific sites that violate corporate policies, including social networking, abusive content and more. Normally firewalls and proxies are used to block malicious traffic across the organization.īy using the DNS sinkhole technique it is also possible to deny access to any of the websites. The malicious URLs can be blocked by adding a false entry in the DNS and thus there will be a second level of protection. DNS sinkholing can be used to prevent access to malicious URLs at an enterprise level. This can be achieved by configuring the DNS forwarder to return a false IP address to a specific URL. Excerpt: Utilizing DNS sinkholes to prevent malwareĭNS sinkhole or black hole DNS is used to spoof DNS servers to prevent resolving hostnames of specified URLs.
0 kommentar(er)
