The Domain Name Service (DNS) is an integral part of Internet access. It translates human-recognized domain names into computer-readable IP addresses in order to facilitate online communication and connection between devices.
Occasionally, an individual or enterprise needs to find a way to control certain aspects of Internet connections in order to maintain a safe and accessible online environment (for instance, when attempting to block out malicious web traffic).
And one of the best ways to gain control is via DNS itself, in order to disrupt malware transmission at the very point of connection. A DNS sinkhole, or sinkhole server, gives organizations this control in order to prevent internal access to malicious websites.
Why do I need a sinkhole server?
SANS Institute calls this “the golden age of bots.” A botnet is a group of Internet-connected computers working together via distributed tasks to accomplish a specified — typically malicious or disruptive — goal.
Botnet traffic has a number of methods at its disposal to exploit computer systems and to set up “command and control” centers (often selling these vulnerabilities to the highest bidder). The InfoSec Reading Room paper describes common solutions including firewalls, web filtering, and Network Intrusion Prevention Systems.
Organizations must use finite resources to implement and maintain tight internal security in a world where even big-name software products (such as Microsoft Office and Adobe Reader) often fall victim to exploits and malicious attacks.
Botnets are highly successful at evading these security measures by employing rapid techniques such as changing their IP addresses in order to avoid blocking. The SANS Institute determines it is “almost impossible” for small organizations to manage botnet traffic through merely patching and blocking individual IP addresses. A DNS sinkhole presents a firm, centralized solution by blocking the domain name itself, which is often hard-coded into the malware.
How a DNS sinkhole works
DNS sinkholes rely on open source lists of known malware sites. The security community at large is constantly updating and monitoring these lists, so there is very little administrative effort.
Some important community resources include the SANS Internet Storm Center, with its frequent discussions and current events, as well as the Someone Who Cares hosts file, a repository for known malicious websites. Someone Who Cares categorizes these into “shock sites,” hijack sites, spyware sites, doubleclick sites, and many more.
This database also includes potentially disruptive sites called “maybe-spy” which include attempts by major corporations (such as Microsoft and Verisign) to redirect mistyped URLs to their own domains. Additionally, organizations can add their own blocked domains (for instance, many public schools prefer to block social networking services from their students’ access).
An organization that is operating its own DNS server will already be familiar with standard DNS architecture. A normal DNS flow would respond to a malicious email, for instance, with little to no protection against the associated botnet IP address. The client computer queries the DNS server for the IP address, the server provides the malicious address back to the client computer, and the unsuspecting victim is now free to access the malicious domain.
The SANS Institute illustrates a basic DNS sinkhole flow with four primary components: the DNS server itself, a Linux operating system with Berkeley Internet Name Domain (BIND) for translating domain names into IP addresses, a list of malicious hosts such as the Someone Who Cares hosts file, and customized configuration and upgrade scripts.
In this basic setup, a compromise still takes place. When the client computer queries the DNS sinkhole server, the server intercepts the request after recognizing the malicious host on its hosts file and directs the client computer back to the localhost. Although the client does not access the malicious website, no detection takes place and no external authority is notified of the attack.
Advanced DNS sinkhole flows implement more sophisticated detection methods for a complete security strategy. These include listening servers, real-time alerts, and scheduled reports. This way, the organization’s Incident Response Team can make regular analyses of frequent attacks and implement more robust security measures in response.
Different types of DNS sinkholes
An internal DNS sinkhole mimics an authoritative DNS server in the face of malicious requests. This method is effective as long as the host’s file is properly and routinely kept up to date. A single host’s file can also be used for single platforms as long as there are only a small number of malicious hosts in the platform’s concern.
An Intrusion Prevention System (IPS), while not effective in typical DNS server communications, works well with fast-flux DNS systems. These botnets are in a state of perpetual change and, as such, are extremely difficult to track and manage.
A variety of DNS sinkhole servers are available commercially and can work with an organization in order to fit the enterprise’s specific needs. The disadvantage to using a third-party commercial vendor is, of course, a lack of access to critical information (such as the complete hosts file), as this information is the vendor’s competitive advantage. There are a number of free and open source DNS sinkholes available on the market including Norton ConnectSafe and OpenDNS. The author of the SANS Institute white paper provides a ready-to-use DNS sinkhole at WhiteHats for those who are interested in installing and testing their own.
What a DNS sinkhole does not do
Internal DNS sinkhole servers do not eradicate malware. It is primarily a detection and redirect service that does not block installation. Unfortunately, it is also not a “smart” detector that predicts malicious behavior and keeps it from happening before an attack occurs.
DNS sinkholes rely on comprehensive host files and are limited to the constraints of these files and, consequently, the knowledge of the community. A DNS sinkhole requires a malware attack to occur in the first place before it can act; it is not a prevention technique. Any DNS sinkhole server requires regular administration and quality control procedures.
Case study on DNS sinkhole use
A 2013 report from CERT Polska in Poland provides a case study on the use of DNS sinkholes to subvert malicious botnet activity. The report first points out that a botnet is only useful to the original malicious attacker (the “botmaster”) when the attacker can maintain control over all infected devices. This is typically accomplished via Command and Control (C&C) techniques whereby compromised machines are controlled from remote C&C servers. Often, attempts to stifle the botmaster’s power involve a concentrated effort to cut off communication from these C&C servers to the infected machines.
A DNS sinkhole server can impersonate one of these C&C servers and redirect infected devices to itself, effectively cutting off communication to the malicious server and forcing the botmaster to relinquish control of the botnet. DNS sinkholes also help an Incident Response Team to determine the scope of the attack (referred to in CERT Polska’s report as the “botnet footprint”). CERT Polska’s DNS sinkhole included both a DNS server and a TCP server emulating one of several different types of malicious C&C servers.
In 2013, a Dorkbot attack targeted Internet users in Poland and became CERT Polska’s first sinkhole target. By the end of the year, CERT Polska had used DNS sinkholes to take down the botnets Dorkbot, Virut, and Domain Silver, Inc., and any malware of interest using the Polish .pl domain space. While the majority of these were based in Poland, several were found to be based in Germany, France, the United States, the Czech Republic, the United Kingdom, and other locations.
As malicious botnets become more sophisticated, however, it is essential to keep track of current trends and to remain aware of limitations and the need for reform. At the beginning of 2014, CERT Polska observed significant changes in botnet behavior. “Development of botnets also shows that correct and effective use of cryptography has become an increasingly important part of implementation of bots.” The report discusses malicious use of cryptocurrency and warns that the domain .bit (which is used by the Necurs malware) is “much more dangerous” because it is impossible to sinkhole domains on that server.
DNS sinkholes are most effective as tools to contain compromised computers (so that they do not join an infected botnet “army”) and to keep malware from spreading. They are also useful for breaking the C&C connection between a botnet and the botmaster. Most recommend that a DNS sinkhole is used in conjunction with other security strategies. The InfoSec Institute recommends an organization implements DNS records with time-to-live (TTL) settings that have short values, so that old data is not cached for a lengthy period of time.
Dan Virgillito is a security researcher for the InfoSec Institute and a digital consultant for startups in the tech space.