Introduction
The Domain Name System (DNS) is an integral part of Internet access. It translates host names into machine-readable IP addresses so that devices can establish connections with one another.
A DNS sinkhole, or sinkhole server, lets an organization prevent internal hosts from reaching malicious domains. As a side benefit, it identifies the devices that are actually infected: only a compromised host asks for the malicious name in the first place.
A DNS sinkhole can be used to control C&C traffic and other malicious traffic across the enterprise. It redirects requests for malicious domains by inserting false entries for those domains into the DNS. The list of malicious domains can be gathered from known C&C servers, from the malware analysis process, from open-source feeds that publish malicious domain and IP details, and so on.
How it works
The above diagram shows how users become infected and how the infected host then tries to connect to the command-and-control server.
With basic sinkhole functionality, the malware on the infected machine attempts to initiate a connection to a known malicious domain, one that has been configured in the DNS sinkhole. The request is never resolved to the real malicious address; instead the sinkhole answers the query with the loopback address (127.0.0.1), forcing the client to connect to itself rather than to the malicious IP. The client is unable to contact the malicious site, the command-and-control connection with the botnet is never established, and the bot master never learns that the compromise occurred.
Limitation
- A DNS sinkhole cannot prevent malware from being executed or from spreading to other computers, and it does not remove malware from an infected machine.
- A DNS sinkhole has to be fed with indicators (the malicious domain names), and these indicators must be collected and analyzed beforehand.
- A sinkhole only sees queries that pass through the DNS it controls. Malware that contacts a hard-coded IP address, or resolves names through its own channel (for example DNS over HTTPS to a public resolver), bypasses it, so outbound DNS should also be restricted to the approved resolvers.
How it works with NG Firewall
1. The infected machine asks the local DNS server to resolve the malicious domain.
2. The local DNS server forwards the query to the public DNS server.
3. The NG firewall sees the query on its way out and matches the domain against its latest signatures.
4. It overrides the DNS response with an IP address the administrator has dedicated for this purpose (the sinkhole address) and sends the spoofed response back toward the client. The sinkhole address has to be one whose traffic passes through the firewall (not the loopback address), otherwise the connection attempt in the next step is never seen or logged.
5. The client attempts a connection to the sinkhole IP address.
6. The NG firewall blocks that traffic and logs the attempt.
7. The firewall administrator receives a notification of the event.
8. The infected client is removed from the network and cleaned of the malware.
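The exchange described in the basic "How it works" section and in the firewall steps above, reduced to its DNS-level core, as an added example that is not code from the original page or from any firewall vendor. It builds the query an infected client would send, parses it, and, for a name on the blocklist, forges the reply that points the client at the sinkhole; any other name returns None, meaning the query is forwarded upstream unchanged. The sinkhole address, the blocklisted names and the TTL are assumptions chosen for the example.

```python
import struct

# Assumed values for this example (not from the page): sinkhole address and blocklist.
SINKHOLE_IP = "10.10.10.10"
BLOCKLIST = {"c2.example.net", "update-check.example.org"}


def _read_name(data, offset):
    """Decode a wire-format DNS name at offset; handles compression pointers.
    Returns (name, offset just past the name in the original byte stream)."""
    labels, end, jumped = [], offset, False
    while True:
        length = data[offset]
        if (length & 0xC0) == 0xC0:                      # compression pointer
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            return ".".join(labels).lower(), end
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length


def encode_name(name):
    """Encode a dotted name as DNS labels (length byte + label, terminated by 0)."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.strip(".").split("."))
    return out + b"\x00"


def build_query(txid, name, qtype=1):
    """The packet an infected client sends: standard recursive query, QCLASS IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD=1, one question
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_query(packet):
    """Return (txid, qname, qtype, qclass, raw question section) for the first question."""
    txid, flags, qdcount = struct.unpack("!HHH", packet[:6])
    if flags & 0x8000 or qdcount < 1:
        raise ValueError("not a query with a question section")
    qname, end = _read_name(packet, 12)
    qtype, qclass = struct.unpack("!HH", packet[end:end + 4])
    return txid, qname, qtype, qclass, packet[12:end + 4]


def sinkhole_response(packet, blocklist=BLOCKLIST, sinkhole_ip=SINKHOLE_IP, ttl=60):
    """Forge a reply for a blocklisted name; return None (forward upstream) otherwise."""
    txid, qname, qtype, qclass, question = parse_query(packet)
    if qclass != 1 or qname not in blocklist:
        return None
    if qtype != 1:
        # Blocked name but not an A query: empty NOERROR reply, nothing to connect to.
        return struct.pack("!HHHHHH", txid, 0x8180, 1, 0, 0, 0) + question
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)     # QR=1 RD=1 RA=1, one answer
    rdata = bytes(int(o) for o in sinkhole_ip.split("."))
    answer = struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + rdata   # name ptr -> offset 12, A, IN
    return header + question + answer


def parse_answer_ips(packet):
    """A-record addresses in a DNS response, i.e. what the client will connect to."""
    _, _, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", packet[:12])
    offset, ips = 12, []
    for _ in range(qdcount):
        _, offset = _read_name(packet, offset)
        offset += 4                                    # skip QTYPE, QCLASS
    for _ in range(ancount):
        _, offset = _read_name(packet, offset)
        rtype, _, _, rdlen = struct.unpack("!HHIH", packet[offset:offset + 10])
        offset += 10
        if rtype == 1 and rdlen == 4:
            ips.append(".".join(str(b) for b in packet[offset:offset + 4]))
        offset += rdlen
    return ips


if __name__ == "__main__":
    reply = sinkhole_response(build_query(0x1234, "c2.example.net"))
    print(parse_answer_ips(reply))                                   # ['10.10.10.10']
    print(sinkhole_response(build_query(0x1235, "www.example.com")))  # None
```

The forged reply copies the client's transaction ID and question section, which is what makes the client accept it; a real sinkhole (or the firewall in the steps above) would hand it back on the socket the query arrived on and drop the original query so the upstream answer never reaches the client. The AAAA branch matters in practice: answering only A queries leaves a dual-stack client free to connect over IPv6.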
Configuration Scenario
- Client using external DNS server
- Client using internal DNS server
Client using external DNS server:
- When a user tries to access a malicious website, the client system sends the DNS query straight to an external DNS server to obtain the website's IP address, so the firewall receives the DNS query directly from the client system.
- The firewall hijacks the DNS query and returns the DNS sinkhole IP address to the client. The threat log for this event shows the client's IP address as the source.
Client Output When Using External DNS Server
Client using Internal DNS server:
- When a user tries to access a malicious website, the client system sends the DNS query to the internal DNS server to obtain the website's IP address. The internal DNS server forwards the query to an external DNS server, so the firewall receives the DNS query from the internal DNS server, not from the client.
- The firewall hijacks the DNS query and returns the DNS sinkhole IP address to the internal DNS server, which forwards the response to the client system. The threat log therefore shows the internal DNS server's IP address as the source. The firewall should still be able to see the client's IP address in the traffic log, because the client next tries to reach the website at the DNS sinkhole IP address, as shown in the following screenshot.
Client Output When Using Internal DNS Server
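The two scenarios above come down to one analyst task: find the infected client even when the threat log only names the internal DNS server. The following is an added example, not code from the original page or any vendor's tooling; the CSV log layout, field names, addresses and timestamps are constructed for the example and do not reflect a real firewall's log schema. It treats a connection to the sinkhole address in the traffic log as the definitive sign of an infected host, and attributes the blocked domain from the threat log to that host directly (external-DNS case) or by a short time window (internal-DNS case).

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

SINKHOLE_IP = "10.10.10.10"        # assumed sinkhole address
INTERNAL_DNS = {"192.168.1.53"}    # assumed internal DNS server(s)

# Constructed sample threat log: the sinkholed DNS query. When the client resolves
# through the internal DNS server, the source is the DNS server, not the client.
THREAT_LOG = """\
time,src,dst,domain,action
2024-03-01 10:00:01,192.168.1.53,8.8.8.8,c2.example.net,sinkhole
2024-03-01 10:05:05,192.168.1.77,8.8.8.8,update-check.example.org,sinkhole
2024-03-01 10:07:30,192.168.1.53,8.8.8.8,c2.example.net,sinkhole
"""

# Constructed sample traffic log: the follow-up connection, whose source is the
# real client and whose destination is the sinkhole address.
TRAFFIC_LOG = """\
time,src,dst,dport,action
2024-03-01 10:00:02,192.168.1.42,10.10.10.10,443,deny
2024-03-01 10:03:00,192.168.1.42,93.184.216.34,443,allow
2024-03-01 10:05:06,192.168.1.77,10.10.10.10,80,deny
2024-03-01 10:07:31,192.168.1.42,10.10.10.10,443,deny
"""


def _parse(log_text):
    """Read a CSV log into dicts with a parsed datetime in the 'time' field."""
    rows = list(csv.DictReader(io.StringIO(log_text)))
    for row in rows:
        row["time"] = datetime.strptime(row["time"], "%Y-%m-%d %H:%M:%S")
    return rows


def sinkhole_hits(traffic_text, sinkhole_ip=SINKHOLE_IP):
    """Traffic-log rows whose destination is the sinkhole: the authoritative infection signal."""
    return [row for row in _parse(traffic_text) if row["dst"] == sinkhole_ip]


def find_infected_clients(threat_text, traffic_text, sinkhole_ip=SINKHOLE_IP,
                          dns_servers=INTERNAL_DNS, window=timedelta(seconds=10)):
    """Map each infected client IP to the sorted list of sinkholed domains attributed to it."""
    hits = sinkhole_hits(traffic_text, sinkhole_ip)
    infected = defaultdict(set)
    for hit in hits:                       # every host that touched the sinkhole is infected
        infected[hit["src"]]
    for threat in _parse(threat_text):
        if threat["src"] not in dns_servers:
            # External-DNS case: the threat log already names the client.
            infected[threat["src"]].add(threat["domain"])
            continue
        # Internal-DNS case: the source is the resolver, so attribute the domain to
        # the client(s) that connected to the sinkhole shortly after the query.
        for hit in hits:
            if threat["time"] <= hit["time"] <= threat["time"] + window:
                infected[hit["src"]].add(threat["domain"])
    return {ip: sorted(domains) for ip, domains in infected.items()}


if __name__ == "__main__":
    for ip, domains in sorted(find_infected_clients(THREAT_LOG, TRAFFIC_LOG).items()):
        print(ip, domains)
```

The time-window attribution is a heuristic: on a busy internal resolver several clients can hit the sinkhole within the same few seconds, so the domain attached to a host is best effort, while the host's presence in the result (a connection to the sinkhole address) is not. That is why the example records every sinkhole hit as an infected client before it tries to attach a domain.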