Week 2 - DNS Sinkholes

While researching the use of honeypots, I came across the term sinkholes. One of the best ways to increase understanding of any subject is to examine the various components associated with it.

So, what are DNS sinkholes? How are they implemented and what are their uses?

To answer this question, we must understand how the internet works at a basic level. A user enters a URL (web address), and a DNS server resolves the hostname in that URL to the IP address used for the connection. This lets users refer to websites by a memorable name instead of the actual IP address, which would be a hassle to remember. A DNS sinkhole configures a DNS server to return a false, administrator-chosen IP address instead of the real one, thus rerouting the user to that specified address (Mazerik, 2021). In this way it is possible to deny access to a website.

A DNS forwarder can be used to create and operate the sinkhole. To implement one, the user or organization must own, or hold the ownership rights to, the domain being sinkholed. Once active, a sinkhole lets researchers reroute DNS queries to themselves for analysis. Sinkholes are often used to control network flood traffic or as a measure against botnets, and they can keep a site reachable while it is under various forms of attack (Mazerik, 2021).
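To make the forwarder idea concrete, here is an added Python model of a sinkholing forwarder; it is my own illustration, not code from the post or the cited articles. It assumes a constructed blocklist of hypothetical domains, a documentation-range sinkhole address, and a stand-in upstream resolver so it runs offline; the point it adds is that every sinkholed query is logged together with the client that asked, which is what makes the sinkhole useful for analysis.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Tuple

# Constructed sample data: a documentation-range sinkhole address and two
# hypothetical domains an administrator wants to block (not real indicators).
SINKHOLE_IP = "192.0.2.1"
SINKHOLED_DOMAINS = {"malware.example", "c2.example"}


def normalize(name: str) -> str:
    """Lower-case a name and strip the trailing dot so matching is consistent."""
    return name.lower().rstrip(".")


def is_sinkholed(name: str, blocklist: set) -> bool:
    """True if the name or any parent domain is on the blocklist,
    so www.malware.example is caught by the malware.example entry."""
    labels = normalize(name).split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


@dataclass
class SinkholeForwarder:
    """Minimal model of a forwarding resolver with a sinkhole zone in front."""
    upstream: Callable[[str], str]  # real resolver used for non-blocked names
    blocklist: set = field(default_factory=lambda: set(SINKHOLED_DOMAINS))
    sinkhole_ip: str = SINKHOLE_IP
    log: List[Tuple[str, str]] = field(default_factory=list)  # (client, name)

    def resolve(self, client: str, name: str) -> str:
        if is_sinkholed(name, self.blocklist):
            # Record who asked for a blocked name: the log is the analysis
            # value of a sinkhole, pointing at hosts that may be infected.
            self.log.append((client, normalize(name)))
            return self.sinkhole_ip
        return self.upstream(name)


def fake_upstream(name: str) -> str:
    """Stand-in for a real upstream resolver (constructed answer, offline)."""
    return {"www.example.org": "198.51.100.10"}.get(normalize(name), "0.0.0.0")


if __name__ == "__main__":
    fwd = SinkholeForwarder(upstream=fake_upstream)
    for client, q in [("10.0.0.7", "www.MALWARE.example."), ("10.0.0.9", "www.example.org")]:
        print(client, q, "->", fwd.resolve(client, q))
    print("sinkholed queries:", fwd.log)
```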

References:

Mazerik, R. "Understanding DNS Sinkholes: A Weapon Against Malware [updated 2021]." Infosec Resources, infosecinstitute.com, 17 May 2021.

Newman, L. "Hacker Lexicon: What Is Sinkholing?" WIRED, wired.com, 2 January 2018.
