SinkHoling
udurrani
A DNS sinkhole can be used to control C&C traffic and other malicious traffic across the enterprise. It is an easy way to identify infected hosts. The process deliberately hands out a wrong DNS answer for known-malicious domains, so the user (or the malware) is steered to a machine the defender controls instead of to the malicious content. Please NOTE: this only works if the malware uses the organization's DNS server to resolve its domains. Malware that carries hard-coded IP addresses, or that talks to an external resolver directly, never asks the sinkholed DNS server; in those cases the firewall can redirect the traffic to the sinkhole machine instead.
For a basic idea of DNS and how traffic moves from one node to another, take a look at the following video.
Once the DNS server or the firewall is configured to forward traffic for malicious domains to the sinkhole machine, the sinkhole is ready for use. When an infected machine tries to contact a malicious domain, the traffic is sent to the sinkhole IP address on whatever port the malware uses. Since that port is not open on the sinkhole, the sinkhole machine answers the TCP connection attempt with a RST; the attempt is still logged, which is all that is needed to spot the infected host.
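To make the resolution step concrete, here is an added example (not code from the original post or from udurrani's sinkhole) of the DNS side of sinkholing: a minimal UDP resolver that parses an incoming A query, answers it with the sinkhole address when the name is on the blocklist, and otherwise hands the packet to the real upstream resolver. The sinkhole address `10.0.0.5`, the blocklist entries, the upstream resolver `192.0.2.53` and the sample query are all assumptions made for the example.

```python
import socket
import struct

SINKHOLE_IP = "10.0.0.5"                                  # assumption: the sinkhole machine
BLOCKLIST = {"evil.example", "c2.bad-domain.example"}     # assumption: known C&C domains
UPSTREAM = ("192.0.2.53", 53)                             # assumption: the real resolver


def parse_qname(packet, offset=12):
    """Read a DNS name starting at offset; return (name, offset after the name)."""
    labels = []
    while True:
        length = packet[offset]
        if length == 0:
            offset += 1
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question section")
        labels.append(packet[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels).lower(), offset


def parse_query(packet):
    """Parse a single-question DNS query; reject responses and malformed packets."""
    if len(packet) < 12:
        raise ValueError("short packet")
    txid, flags, qdcount = struct.unpack("!HHH", packet[:6])
    if flags & 0x8000 or qdcount != 1:
        raise ValueError("not a single-question query")
    qname, end = parse_qname(packet)
    qtype, qclass = struct.unpack("!HH", packet[end:end + 4])
    return {"id": txid, "qname": qname, "qtype": qtype, "qclass": qclass,
            "question": packet[12:end + 4]}


def is_sinkholed(qname):
    """Match the blocklisted domain and every subdomain of it."""
    parts = qname.split(".")
    return any(".".join(parts[i:]) in BLOCKLIST for i in range(len(parts)))


def build_sinkhole_response(packet):
    """Return a sinkhole answer for blocked names, or None to forward upstream."""
    q = parse_query(packet)
    if not is_sinkholed(q["qname"]):
        return None
    # Only A/IN queries get the sinkhole address; other types get an empty (NODATA) answer
    ancount = 1 if (q["qtype"] == 1 and q["qclass"] == 1) else 0
    # flags 0x8180: response, recursion desired, recursion available
    header = struct.pack("!HHHHHH", q["id"], 0x8180, 1, ancount, 0, 0)
    if ancount == 0:
        return header + q["question"]
    # answer: pointer to the question name (0xC00C), type A, class IN, TTL 60, 4-byte rdata
    answer = struct.pack("!HHHIH", 0xC00C, 1, 1, 60, 4) + socket.inet_aton(SINKHOLE_IP)
    return header + q["question"] + answer


def build_query(name, txid=0x1234):
    """Construct a standard recursive A query, as a client would send it (constructed input)."""
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)


def answer_ip(response):
    """Extract the A record address from a response built by build_sinkhole_response."""
    _, end = parse_qname(response)
    ans = end + 4                     # skip qtype/qclass; answer RR starts here
    return socket.inet_ntoa(response[ans + 12:ans + 16])   # name(2) type(2) class(2) ttl(4) rdlen(2)


def serve(listen=("0.0.0.0", 53)):
    """Run the sinkhole resolver: answer blocked names locally, forward everything else."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(listen)
    while True:
        packet, client = sock.recvfrom(4096)
        try:
            reply = build_sinkhole_response(packet)
            if reply is None:
                with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as up:
                    up.settimeout(3)
                    up.sendto(packet, UPSTREAM)
                    reply, _ = up.recvfrom(4096)
        except (ValueError, socket.timeout):
            continue
        sock.sendto(reply, client)


if __name__ == "__main__":
    serve()
```

Every query for `evil.example` or any name under it now resolves to the sinkhole, while `www.good.example` is passed through untouched, so normal users are unaffected and only hosts that ask for the bad names end up knocking on the sinkhole's closed port.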
At this point all the traffic is black-holed. We can tell that a machine is probably infected, but we don't know what it is doing. To analyze the malicious traffic, the sinkhole machine provides a web interface.
Infected IPs hitting the sinkhole machine: the source IP (the destination should always be the sinkhole IP), the port contacted, and the number of times the infected machine tried to connect.
Another view shows an overall picture with more than an hour of history.
An admin can search for a specific IP and its stats as well.
Other stats, history and graphs can be stored.
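The views described above are just aggregations over the sinkhole's connection log. As an added example (not the original post's web interface), the following builds those same summaries from a constructed log: hits per source IP with the ports contacted and first/last seen, a last-hour window, a lookup for one IP, and a check that every hit really was addressed to the sinkhole IP. The log format, the sinkhole address `10.0.0.5` and the sample lines are all assumptions made for the example.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

SINKHOLE_IP = "10.0.0.5"   # assumption: the sinkhole machine

# Constructed sample log: timestamp, source -> destination:port, TCP flag seen
SAMPLE_LOG = """\
2024-05-01T10:00:05Z 10.1.4.22 -> 10.0.0.5:8080 SYN
2024-05-01T10:00:35Z 10.1.4.22 -> 10.0.0.5:8080 SYN
2024-05-01T10:01:05Z 10.1.4.22 -> 10.0.0.5:8080 SYN
2024-05-01T10:01:10Z 10.1.7.9 -> 10.0.0.5:443 SYN
2024-05-01T12:30:00Z 10.1.4.22 -> 10.0.0.5:80 SYN
2024-05-01T12:31:00Z 10.1.9.3 -> 10.0.0.9:80 SYN
"""

LINE_RE = re.compile(
    r"^(\S+) (\d+\.\d+\.\d+\.\d+) -> (\d+\.\d+\.\d+\.\d+):(\d+) (\w+)$")


def parse_ts(text):
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


def parse_hits(log_text):
    """Turn log lines into hit records; lines that do not match are skipped."""
    hits = []
    for line in log_text.strip().splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        hits.append({"ts": parse_ts(m.group(1)), "src": m.group(2),
                     "dst": m.group(3), "port": int(m.group(4)), "flag": m.group(5)})
    return hits


def summarize(hits):
    """Per-source stats, plus any hit whose destination was not the sinkhole (a config error)."""
    hosts, misrouted = {}, []
    for h in hits:
        if h["dst"] != SINKHOLE_IP:
            misrouted.append(h)          # should never happen; the redirect is wrong
            continue
        s = hosts.setdefault(h["src"], {"count": 0, "ports": Counter(),
                                        "first": h["ts"], "last": h["ts"]})
        s["count"] += 1
        s["ports"][h["port"]] += 1
        s["first"] = min(s["first"], h["ts"])
        s["last"] = max(s["last"], h["ts"])
    return {"hosts": hosts, "misrouted": misrouted}


def recent_sources(hits, now_iso, hours=1):
    """Source IPs that hit the sinkhole within the last `hours` before `now_iso`."""
    cutoff = parse_ts(now_iso) - timedelta(hours=hours)
    return sorted({h["src"] for h in hits if h["dst"] == SINKHOLE_IP and h["ts"] >= cutoff})


def host_stats(hits, ip):
    """The 'search for a specific IP' view: stats for one source, or None if never seen."""
    return summarize(hits)["hosts"].get(ip)


if __name__ == "__main__":
    hits = parse_hits(SAMPLE_LOG)
    report = summarize(hits)
    for ip, s in sorted(report["hosts"].items(), key=lambda kv: -kv[1]["count"]):
        print(f"{ip:15} hits={s['count']:3} ports={dict(s['ports'])} "
              f"first={s['first'].isoformat()} last={s['last'].isoformat()}")
    for h in report["misrouted"]:
        print(f"WARNING: {h['src']} was sent to {h['dst']}, not the sinkhole")
    print("last hour:", recent_sources(hits, "2024-05-01T12:45:00Z"))
```

A host that retries the same port every 30 seconds, as 10.1.4.22 does here, is the typical beaconing pattern; the misrouted entry for 10.0.0.9 is the kind of thing the "destination should always be the sinkhole IP" check is meant to catch.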
To analyze further, the admin can open the port to see what the infected machine is trying to do. The sinkhole should only listen and record; it must never relay anything onward to the real C&C.
After the port is opened, the infected machine interacts with the sinkhole, believing it is the C&C server. In the following screenshot the infected machine is trying to exfiltrate keystrokes.
All port 80 traffic is captured as well (in text format).
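What "opening the port" amounts to is a listener that accepts the connection, reads whatever the malware sends, and never answers. As an added example (not the sinkhole's own capture code), the following opens a port, records each connection's source and payload as text, and includes a constructed beacon resembling a keylogger's POST so the capture can be exercised against localhost. The beacon contents, the `/gate.php` path and the listen port are assumptions made for the example.

```python
import socket
import threading

CAPTURE_LIMIT = 64 * 1024   # bytes kept per connection; enough for a beacon, bounded for safety

# Constructed sample of what an infected host might send once the port is open.
BEACON = (b"POST /gate.php HTTP/1.1\r\n"
          b"Host: evil.example\r\n"
          b"Content-Type: application/x-www-form-urlencoded\r\n"
          b"Content-Length: 41\r\n\r\n"
          b"id=WORKSTATION-07&keys=password123%0Aenter")


def open_port(host="0.0.0.0", port=80):
    """Open the formerly closed port; port=0 lets the OS pick one (used when testing)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(16)
    return srv


def capture_one(srv, timeout=5.0):
    """Accept one connection and read until EOF, limit or timeout. Nothing is ever sent back."""
    conn, (src_ip, src_port) = srv.accept()
    with conn:
        conn.settimeout(timeout)
        data = b""
        try:
            while len(data) < CAPTURE_LIMIT:
                chunk = conn.recv(4096)
                if not chunk:
                    break
                data += chunk
        except socket.timeout:
            pass   # the client is waiting for a reply it will never get; keep what we have
    return {"src": src_ip, "src_port": src_port, "dst_port": srv.getsockname()[1],
            "text": data.decode("utf-8", errors="replace")}


def request_line(record):
    """First line of the captured text, e.g. the HTTP request line."""
    return record["text"].split("\r\n", 1)[0]


def capture_in_background(srv):
    """Run one capture on a thread; returns (thread, list that will receive the record)."""
    results = []
    t = threading.Thread(target=lambda: results.append(capture_one(srv)), daemon=True)
    t.start()
    return t, results


def simulate_infected_host(port, payload=BEACON):
    """Stand-in for the infected machine: connect to the sinkhole and send the beacon."""
    with socket.create_connection(("127.0.0.1", port)) as c:
        c.sendall(payload)
        c.shutdown(socket.SHUT_WR)


if __name__ == "__main__":
    srv = open_port()
    print(f"listening on {srv.getsockname()[1]}; captured requests follow")
    while True:
        rec = capture_one(srv)
        print(f"--- {rec['src']}:{rec['src_port']} -> :{rec['dst_port']}\n{rec['text']}")
```

Because the listener only reads, the malware gets the connection it wanted but no instructions, so the analyst sees the exfiltration attempt (here the `keys=` field) without the sinkhole ever acting as a working C&C.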