General security

Understanding DNS sinkholes - A weapon against malware [updated 2021]

Ryan Mazerik
May 17, 2021 by
Ryan Mazerik

Excerpt: Utilizing DNS sinkholes to prevent malware

DNS sinkhole or black hole DNS is used to spoof DNS servers to prevent resolving hostnames of specified URLs. This can be achieved by configuring the DNS forwarder to return a false IP address to a specific URL. DNS sinkholing can be used to prevent access to malicious URLs at an enterprise level. The malicious URLs can be blocked by adding a false entry in the DNS and thus there will be a second level of protection. Normally firewalls and proxies are used to block malicious traffic across the organization.

By using the DNS sinkhole technique it is also possible to deny access to any of the websites. This can be used to restrict access to specific sites that violate corporate policies, including social networking, abusive content and more. When a user tries to access a sinkholed URL, a customized web page can be shown. This web page can be created with information detailing the corporate policy restriction and can be hosted on a local server.

A DNS sinkhole can be used to control the C&C traffic and other malicious traffic across the enterprise level. The sinkhole can be used to change the flow to malicious URLs by entering the fake entry in the DNS. These malicious URLs can be gathered from already known C&C servers, through the malware analysis process or open-source sites that are providing malicious IP details.

DNS sinkholing is used to provide wrong DNS resolution and alternate the path of the users to different resources instead of the malicious or non-accessible content. A sinkhole is a way of redirecting malicious internet traffic so that it can be captured and analyzed by security analysts. Sinkholes are most often used to seize control of botnets by interrupting the DNS names of the botnet that is used by the malware.

What is DNS?

DNS is a protocol within the set of standards for how computers exchange data on the internet and many private networks, known as the TCP/IP protocol suite. A DNS service is used for routing the domain name of sites with their IP address. A DNS server or name server manages a massive database that maps domain names to IP addresses.

This protocol has a wide variety of applications that has to be passed through the interface that can be interfered with. DNS is a hierarchical distributed database that contains information mapping internet hostnames to IP addresses and vice-versa. Users look up information in the DNS by referencing a resolver library, which sends queries to multiple name servers and also acts as a responder.

The data stored in the DNS is identified by domain names that are organized as a tree according to organizational or administrative boundaries. The domain name of the node is the concatenation of all the labels on the path from the node to the root node. This is represented in a string of labels listed from right to left and separated by dots.

The client-server using a DNS mechanism goes around matching the domain names with that of the IP address. This DNS resolution is capable of resolving data from queries. A hierarchical DNS can solve queries in a manner that is capable of resolving the functionality of a system. The DNS can be used to route the data and can send a diverted request to the server-side. This request resolution can be handled on a client basis and can handle an ongoing process.

DNS architecture

The figure illustrates the DNS flows that occur when an attacker compromises a user and this infected user tries to contact a botnet.

The DNS sinkhole bypasses the DNS request and provides the response that is configured by the DNS sinkhole administrator. It doesn’t allow the domain to be resolved by the domain’s authoritative owner. Instead, the DNS sinkhole intercepts the DNS request and responds with an authoritative answer configured by the organization.

With the basic sinkhole functionality, the malware on the infected machine attempts to initiate a connection to a system hosted on a URL with a known malicious domain configured in the DNS sinkhole. But the request is not passed to the malicious URL. Instead, it is sent to the sinkhole which in turn responds with an IP of the local host, forcing the client to connect to itself instead of the malicious IP. The client is unable to contact the malicious site and the command and control connection with the botnet is never established. The botmaster will be unaware that the compromise has occurred.

After this step, the preparation, detection and partial containment are finished. Containment is partial because the compromised computer may still attempt to attack internal computers. Therefore, additional analysis and eradication steps should be carried out by the corresponding teams.

DNS sinkhole functionalities

A DNS sinkhole has a major set of functionalities that has multiple use cases:

  • Blocking drive-by downloads

DNS sinkhole redirects user access to a legitimate website that an attacker has secretly inserted with a malicious hidden link, which forces the client to download and execute malicious code without their knowledge.

  • Blocking C&C channels

When a user tries to connect to a C&C server, a referrer can be popped up, which indicates a direct connection to the domain. This is a good indicator that tells the user is being compromised and the bot is attempting to contact the controller for further malicious commands.

Limitations of DNS sinkholing

There are several limitations related to DNS sinkholing.

To block malware or its traffic by using a DNS sinkhole, it is required by the malware to use the organization’s DNS server itself. Malware with its own hardcoded DNS server and IP address cannot be detected by the DNS sinkholing mechanism. But this drawback can be mitigated by using perimeter firewalls configured to block all other outbound DNS queries rather than the organization’s DNS servers.

A DNS sinkhole cannot prevent malware from being executed and also being spread to other computers. Also, by using a DNS sinkhole, malware cannot be removed from an infected machine.

A DNS sinkhole will be put in with the indicators of the malware, and these indicators should be analyzed beforehand. Also, the malicious IP information gathered from open sources that are to be given into the DNS sinkhole may contain false positives. The sources may contain a URL that is not malicious, and hence it will result in an unwanted restriction to legitimate websites.

A DNS sinkhole should be isolated from the external network so that the attacker cannot be informed of the fact that their C&C traffic has been mitigated. Otherwise, it results in a reverse effect where attackers may manipulate the entries in the DNS sinkhole and use them for malicious purposes.

DNS records should be implemented with time-to-live (TTL) settings with short values, or it may result in users caching the old data for a longer period.

A DNS sinkhole scenario

DNS sinkholes were used in several cases to mitigate different malware campaigns. It can act as a major tool for eradicating the spreading of malware infection vectors and also can be used to break the C&C connection.

One of the scenarios in which a DNS sinkhole was used is when the infamous CryptoLocker malware was infected in the wild. The CryptoLocker malware is ransomware that works by encrypting the user’s files with a randomly generated key. It then sends the decryption key to a C&C server, and in normal cases, a C&C server with a fixed IP or name would soon be shut down by authorities. To overcome this issue, CryptoLocker uses the C&C register’s random-looking domain names at a rather high rate. The domain names are generated with a pseudo-random algorithm that the malware knows. When CryptoLocker executes on a victim’s computer, it connects to one of the domain names to contact the C&C.

In this case, the malware knows the domain-generation algorithm and through reverse-engineering the code, it was possible to predict the domain names in advance. Kaspersky “sinkholed” three domain names out of these domain names for three days. With their three domain names, about 1/1000th of the CryptoLocker victims were saved and they were able to gather the statistics of the infection from across the world.

Sources:

Ryan Mazerik
Ryan Mazerik

Ryan has over 10yrs of experience in information security specifically in penetration testing and vulnerability assessment. He used to train and mentor consultants of these offerings to expand security delivery capabilities.He has strong passion in researching security vulnerabilities and taking sessions on information security concepts.