DNS sinkhole
A DNS sinkhole, also known as a sinkhole server, internet sinkhole, or BlackholeDNS[1] is a DNS server that gives out false information, to prevent the use of the domain names it represents.
Operation
A sinkhole is a standard DNS server that has been configured to hand out non-routeable addresses for all domains in the sinkhole, so that every computer that uses it will fail to get access to the real website.[2] The higher up the DNS server is, the more computers it will block. Some of the larger botnets have been made unusable by TLD sinkholes that span the entire Internet.[3] DNS Sinkholes are effective at detecting and blocking malicious traffic, and used to combat bots and other unwanted traffic.
A sinkhole does not need to be a large DNS server, it only needs to be in the DNS lookup chain. The local hosts file on a Windows, Unix or Linux computer is checked before DNS servers, and can also be used to block sites in the same way.
Uses
Sinkholes can be used both constructively and destructively, depending on the target.
One use is to stop botnets, by interrupting the DNS names the botnet is programmed to use for coordination. The most common use of a hosts file-based sinkhole is to block ad serving sites.[4]
References
- ↑ kevross33, pfsense.org (Nov 22, 2011). "BlackholeDNS: Anyone tried it with pfsense?". Retrieved Oct 12, 2012.
- ↑ Kelly Jackson Higgins, sans.org (Oct 2, 2012). "DNS Sinkhole - SANS Institute". Retrieved Oct 12, 2012.
- ↑ Kelly Jackson Higgins, darkreading.com (Oct 2, 2012). "Microsoft Hands Off Nitol Botnet Sinkhole Operation To Chinese CERT". Retrieved Oct 12, 2012.
- ↑ Dan Pollock, someonewhocares.org (Oct 11, 2012). "How to make the internet not suck (as much)". Retrieved Oct 12, 2012.