Understanding DNS Sinkholes – A weapon against malware
A DNS sinkhole, also called a black-hole DNS, is used to spoof DNS answers so that the host names of specified domains cannot be resolved to their real addresses. This is achieved by configuring the DNS forwarder to return a false IP address for a specific domain. DNS sinkholing can be used to prevent access to malicious domains at the enterprise level. Malicious domains are blocked by adding a false entry in the DNS, which provides a second layer of protection; normally firewalls and proxies are used to block malicious traffic across the organization.
By using the DNS sinkhole technique it is also possible to deny access to any website. This can be used to restrict access to sites that violate corporate policy, such as social networking or abusive content. When a user tries to access a sinkholed domain, a customised webpage can be shown; this page can explain the corporate policy restriction and can be hosted on a local server.
A DNS sinkhole can be used to control C&C traffic and other malicious traffic across the enterprise. By entering a fake entry in the DNS, the sinkhole changes where traffic destined for malicious domains flows. These malicious domains can be gathered from already known C&C servers, from the malware analysis process, from open source sites that publish malicious IP details, and so on.
DNS sinkholing deliberately provides wrong DNS resolution and redirects users to a different resource instead of the malicious or non-accessible content. A sinkhole is basically a way of redirecting malicious Internet traffic so that it can be captured and analysed by security analysts. Sinkholes are most often used to seize control of botnets by taking over the DNS names that the malware uses to find the botnet.
DNS is a protocol within the set of standards for how computers exchange data on the Internet and on many private networks, known as the TCP/IP protocol suite. A DNS service maps the domain name of a site to its IP address. A DNS server or name server manages a massive database that maps domain names to IP addresses.
Almost every application relies on this protocol, which makes it an interface through which traffic can be intercepted. DNS is a hierarchical distributed database that contains information mapping Internet hostnames to IP addresses and vice versa. Users look up information in the DNS by referencing a resolver library, which sends queries to one or more name servers and handles their responses.
The data stored in the DNS is identified by domain names that are organized as a tree according to organizational or administrative boundaries. The domain name of a node is the concatenation of all the labels on the path from the node to the root node, written as a string of labels listed from right to left and separated by dots, with the root at the right-hand end.
A client uses the DNS mechanism to match a domain name with its IP address. Because the namespace is hierarchical, a query that one server cannot answer is passed on until a server that holds the data resolves it. This also means DNS can be used to steer traffic: a diverted request can be sent to a different server, and because resolution is handled on the client's behalf by its configured resolver, the client simply follows whatever answer it receives for each ongoing request.
The figure illustrates the DNS flows that occur when an attacker compromises a user and this infected user tries to contact a botnet.
The DNS sinkhole intercepts the DNS request and provides the response that the sinkhole administrator has configured. It does not allow the domain to be resolved by the domain's authoritative owner; instead, the DNS sinkhole answers with an authoritative response configured by the organization.
With the basic sinkhole functionality, the malware on the infected machine attempts to initiate a connection to a system hosted at a known malicious domain that is configured in the DNS sinkhole. The request is not passed on to the malicious domain; instead it is answered by the sinkhole, which responds with the IP of the local host, forcing the client to connect to itself instead of the malicious IP. The client is unable to contact the malicious site and the command and control connection with the botnet is never established. The bot master will be unaware that the compromise has occurred.
After this step, the preparation, detection and partial containment is finished. Containment is partial because the compromised computer may still attempt to attack internal computers. Therefore, additional analysis and eradication steps should be carried out by the corresponding teams.
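The following is an added example, not code from the article: a minimal model of the sinkhole decision described above, together with a builder for the spoofed, authoritative A-record answer the sinkhole would return. It goes slightly beyond the paragraph by honouring an allowlist (so a legitimate domain that slipped into a threat feed is not sinkholed) and by stamping a short TTL on the answer. The sinkhole address 127.0.0.1, the TTL of 60 seconds, and every domain name used are assumptions.

```python
"""Added example (not from the article): DNS sinkhole decision + spoofed A answer.
All names, the sinkhole address and the TTL are assumptions for illustration."""
import ipaddress
import struct

SINKHOLE_IP = "127.0.0.1"  # assumed: point the client at itself, as the article describes
SINKHOLE_TTL = 60          # assumed short TTL so clients do not cache a sinkholed answer for long


def normalize(name: str) -> str:
    """Lower-case and strip the trailing dot so 'Evil.EXAMPLE.' matches 'evil.example'."""
    return name.strip().lower().rstrip(".")


def is_sinkholed(qname: str, blocklist, allowlist=()) -> bool:
    """True if qname or any parent domain is on the blocklist and not on the allowlist.
    The allowlist wins, so a false positive from a threat feed is never sinkholed."""
    labels = normalize(qname).split(".")
    # candidate suffixes: 'a.b.c' -> ['a.b.c', 'b.c', 'c']
    suffixes = [".".join(labels[i:]) for i in range(len(labels))]
    allow = {normalize(a) for a in allowlist}
    block = {normalize(b) for b in blocklist}
    if any(s in allow for s in suffixes):
        return False
    return any(s in block for s in suffixes)


def encode_name(name: str) -> bytes:
    """Wire-format DNS name: length-prefixed labels terminated by a zero byte."""
    out = b""
    for label in normalize(name).split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_a_response(txid: int, qname: str, ip: str = SINKHOLE_IP, ttl: int = SINKHOLE_TTL) -> bytes:
    """Build a wire-format DNS response with QR=1 and AA=1 (the sinkhole answers
    authoritatively, as the article describes), one question and one A answer."""
    flags = 0x8400  # QR=1, opcode 0, AA=1, RCODE 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN
    # answer: compression pointer to offset 12 (the question name), TYPE A, CLASS IN, TTL, RDLENGTH 4
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + ipaddress.IPv4Address(ip).packed
    return header + question + answer


def parse_answer_ip_and_ttl(msg: bytes):
    """Read the A record back out of a response built above (used for checking)."""
    pos = 12                      # skip the fixed 12-byte header
    while msg[pos] != 0:          # walk the question name's labels
        pos += 1 + msg[pos]
    pos += 1 + 4                  # terminating zero + QTYPE/QCLASS
    pos += 2                      # answer name (compression pointer)
    _rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
    pos += 10
    return str(ipaddress.IPv4Address(msg[pos:pos + rdlen])), ttl


def resolve(txid: int, qname: str, blocklist, allowlist=()):
    """Sinkhole decision: either a spoofed answer, or 'forward' to the real resolver."""
    if is_sinkholed(qname, blocklist, allowlist):
        return ("sinkhole", build_a_response(txid, qname))
    return ("forward", None)


if __name__ == "__main__":
    action, msg = resolve(0x1234, "cnc.bad-example.test", ["bad-example.test"])
    print(action, parse_answer_ip_and_ttl(msg))
```

The suffix match means a single blocklist entry covers every subdomain, which is how a sinkhole zone behaves; the response builder sets the AA bit so the client treats the answer as authoritative, exactly the property the text attributes to the sinkhole.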
A DNS sinkhole provides a set of functionalities with multiple use cases:
- Blocking Drive-by Downloads
A DNS sinkhole can redirect a user's access away from a hidden malicious link that an attacker has secretly inserted into a legitimate website; such a link would otherwise force the client to download and execute malicious code without the user's knowledge.
- Blocking C&C Channels
When a user's machine tries to connect to a C&C server, the Referer of the request can be examined; a direct connection to the domain, with no referring page, is a good indicator that the machine has been compromised and the bot is attempting to contact the controller for further malicious commands.
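As an added example (not part of the article), the two use cases above can be told apart from the sinkhole's own hit log: a hit that arrives with a Referer came from a page that embedded the link (the drive-by pattern), while repeated direct hits to one domain at a steady interval look like a bot beaconing to its controller. The log format, hosts, domains and thresholds below are all constructed assumptions.

```python
"""Added example (not from the article): triage of constructed sinkhole hit logs.
Each line: timestamp, client IP, requested domain, HTTP Referer ('-' = none)."""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample log; hosts and domains are assumptions.
SAMPLE_LOG = """\
2024-05-01T10:00:00 10.0.0.5 cnc.bad-example.test -
2024-05-01T10:05:00 10.0.0.5 cnc.bad-example.test -
2024-05-01T10:10:01 10.0.0.5 cnc.bad-example.test -
2024-05-01T10:15:00 10.0.0.5 cnc.bad-example.test -
2024-05-01T11:02:13 10.0.0.9 payload.bad-example.test http://news.legit.example/article
2024-05-01T11:40:00 10.0.0.12 cnc.bad-example.test -
"""


def parse_log(text: str):
    """Parse the assumed four-field format into (timestamp, client, domain, referer)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, domain, referer = line.split()
        events.append((datetime.fromisoformat(ts), client, domain, referer))
    return events


def triage(events, min_hits: int = 3, max_jitter_s: int = 120):
    """Return {client: verdict}.
    'beaconing' - at least min_hits direct hits to one domain at a regular interval
    'direct'    - direct hit(s) to a sinkholed domain, too few to show a period
    'drive-by'  - hit arrived with a Referer (the user followed an injected link)"""
    per_pair = defaultdict(list)
    for ts, client, domain, referer in events:
        per_pair[(client, domain)].append((ts, referer))

    verdicts = {}
    for (client, _domain), hits in per_pair.items():
        hits.sort()
        direct = [ts for ts, ref in hits if ref == "-"]
        if len(direct) >= min_hits:
            gaps = [(b - a).total_seconds() for a, b in zip(direct, direct[1:])]
            med = median(gaps)
            # all gaps close to the median => periodic => beaconing (strongest verdict, overrides)
            if all(abs(g - med) <= max_jitter_s for g in gaps):
                verdicts[client] = "beaconing"
                continue
        if direct:
            verdicts.setdefault(client, "direct")
        else:
            verdicts.setdefault(client, "drive-by")
    return verdicts


if __name__ == "__main__":
    for client, verdict in sorted(triage(parse_log(SAMPLE_LOG)).items()):
        print(client, verdict)
```

The jitter threshold is what separates a beacon from a user who happened to visit a sinkholed page twice; in practice it would be tuned to the sinkhole's observed traffic rather than fixed at two minutes.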
There are a number of limitations associated with DNS sinkholing.
In order to block malware or its traffic with a DNS sinkhole, the malware must use the organization's own DNS servers. Malware with its own hardcoded DNS server IP address cannot be detected by the DNS sinkholing mechanism. This drawback can be mitigated by configuring perimeter firewalls to block all outbound DNS queries except those from the organization's DNS servers.
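The perimeter rule the paragraph suggests can be modelled and then used to spot the hosts it would catch. The following is an added example, not from the article: it encodes an egress policy in which only the organisation's resolvers may send DNS outward, and runs constructed flow records through it to list hosts talking DNS to some other server, which is the hardcoded-resolver case a sinkhole alone misses. The addresses, networks and flow lines are assumptions.

```python
"""Added example (not from the article): DNS egress policy check over constructed flows."""
import ipaddress

# Assumed organisation layout.
ORG_RESOLVERS = {ipaddress.ip_address(a) for a in ("10.0.0.53", "10.0.1.53")}
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
DNS_PORTS = {53}


def dns_egress_allowed(src: str, dst: str, dport: int) -> bool:
    """Policy for DNS leaving an internal host:
    - the organisation's resolvers may query anywhere (their upstream forwarding);
    - every other internal host may only talk DNS to the organisation's resolvers;
    - non-DNS traffic and traffic from outside the internal net are out of scope (allowed here)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if dport not in DNS_PORTS or s not in INTERNAL_NET:
        return True
    if s in ORG_RESOLVERS:
        return True
    return d in ORG_RESOLVERS


# Constructed flow records: "src dst dport".
SAMPLE_FLOWS = """\
10.0.0.5 10.0.0.53 53
10.0.0.53 198.51.100.1 53
10.0.0.7 203.0.113.8 53
10.0.0.7 203.0.113.8 53
10.0.0.9 198.51.100.22 443
"""


def find_bypass_attempts(flow_text: str):
    """Return sorted unique (src, dst) pairs the policy denies: internal hosts sending DNS
    to a resolver that is not the organisation's, i.e. candidates for malware with a
    hardcoded DNS server that never touches the sinkhole."""
    denied = set()
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        src, dst, dport = line.split()
        if not dns_egress_allowed(src, dst, int(dport)):
            denied.add((src, dst))
    return sorted(denied)


if __name__ == "__main__":
    for src, dst in find_bypass_attempts(SAMPLE_FLOWS):
        print(f"DNS bypass attempt: {src} -> {dst}")
```

Enforcing this at the firewall forces every DNS query through the sinkhole-aware resolvers; logging the denied flows turns the same rule into a detection for hosts that try to go around it.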
A DNS sinkhole cannot prevent malware from being executed or from spreading to other computers. Nor can a DNS sinkhole remove malware from an infected machine.
A DNS sinkhole is fed with the indicators of the malware, and these indicators should be analysed beforehand. Malicious IP information gathered from open sources and loaded into the DNS sinkhole may contain false positives: a source may list a domain that is not malicious in nature, which would result in an unwanted restriction on a legitimate website.
A DNS sinkhole should be isolated from the external network, so that the attacker cannot learn that their C&C traffic has been mitigated. Otherwise the effect can be reversed: attackers may manipulate the entries in the DNS sinkhole and use it for malicious purposes.
DNS records returned by the sinkhole should carry short time-to-live (TTL) values; otherwise users may cache the old data for a long period.
DNS sinkholes have been used in several cases to mitigate different malware campaigns. They can be a major tool for limiting the spread of malware infection vectors and can also be used to break the C&C connection.
One scenario in which a DNS sinkhole was used was when the infamous CryptoLocker malware was spreading in the wild. CryptoLocker is ransomware that works by encrypting the user's files with a randomly generated key. It then sends the decryption key to a C&C server; normally a C&C server with a fixed IP or name would soon be shut down by the authorities. To overcome this, CryptoLocker's C&C registers random-looking domain names at a rather high rate. The domain names are generated with a pseudo-random algorithm that the malware knows. When CryptoLocker executes on a victim's computer, it connects to one of these domain names in order to contact the C&C.
Because the malware carries the domain-generation algorithm, reverse-engineering its code made it possible to predict the domain names in advance. Kaspersky "sinkholed" three of these domain names for a three-day period. With those three domain names, about 1/1000th of the CryptoLocker victims were saved, and Kaspersky was also able to gather statistics on the infection from across the world.