Why You Need to Block Access to Sinkhole Domains

Using our new sinkhole blocking category, prevent intelligence gathering and surveillance on your compromised users and infected endpoints.

What is a DNS Sinkhole?

A DNS sinkhole is a security technique that redirects malicious network traffic away from its intended destination. Sinkholes steer connections by changing the IP address that a domain resolves to. For example, when a Securd customer attempts to resolve a malicious domain, the client is handed a Securd IP address that hosts the customer’s block page. Instead of the domain’s A record resolving in external DNS and the client connecting to the attacker’s intended IP address, the connection is redirected to Securd.

[Figure: DNS resolution flow with Securd protection]

There Are Different Types of Sinkholes

There are different ways a domain can be sinkholed with DNS. Each technique has the same outcome: the connection is sent to a destination other than the domain’s original target IP address. However, where the domain is sinkholed, and by whom, has serious implications for your organization’s security and privacy.

Sinkhole by Recursive DNS

Recursive DNS speeds up resolution for endpoints and reduces authoritative DNS lookups by caching the most frequently accessed domains. In a recursive DNS sinkhole, the recursor answers the query itself with a spoofed response, so the authoritative DNS server for the domain never sees the query. Endpoints using that recursive DNS service are directed to the new destination: the client does not learn the requested hostname’s real IP address, only the one the recursive DNS server provided.
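
The mechanism above, as an added example that is not Securd’s code: a minimal model of a recursive resolver that applies a sinkhole policy before it ever forwards a query. The upstream resolver stands in for the authoritative path and records what it was asked, which makes visible that sinkholed names (and their subdomains) never reach it. The zone data, the domain list and the block-page address (192.0.2.10, an RFC 5737 documentation address) are constructed for illustration.

```python
from dataclasses import dataclass, field

# Added example: a minimal model of a recursive resolver applying a sinkhole policy.
# This is not Securd's code; the zone data below is constructed for illustration.
# 192.0.2.10 is an RFC 5737 documentation address standing in for a block-page host.
BLOCK_PAGE_IP = "192.0.2.10"


def normalize(qname):
    """Lower-case a query name and drop the trailing root dot."""
    return qname.lower().rstrip(".")


@dataclass
class UpstreamResolver:
    """Stand-in for the authoritative/upstream lookup path. It records every name
    it is asked about, so the example can show that sinkholed names never reach it."""
    zone_data: dict
    queried: list = field(default_factory=list)

    def resolve_a(self, qname):
        self.queried.append(qname)
        return self.zone_data.get(qname)


class SinkholingRecursor:
    def __init__(self, upstream, sinkholed_domains, block_page_ip=BLOCK_PAGE_IP):
        self.upstream = upstream
        self.sinkholed = {normalize(d) for d in sinkholed_domains}
        self.block_page_ip = block_page_ip

    def is_sinkholed(self, qname):
        # A listed domain covers itself and every label beneath it
        # (officemtr.com also catches cdn.officemtr.com).
        labels = normalize(qname).split(".")
        return any(".".join(labels[i:]) in self.sinkholed for i in range(len(labels)))

    def resolve_a(self, qname):
        name = normalize(qname)
        if self.is_sinkholed(name):
            # Spoofed answer with a short TTL; the upstream path is never consulted,
            # so the domain's authoritative server never learns of the query.
            return {"qname": name, "rdata": self.block_page_ip, "ttl": 60, "sinkholed": True}
        rdata = self.upstream.resolve_a(name)
        return {"qname": name, "rdata": rdata, "ttl": 3600, "sinkholed": False}


def demo():
    """Constructed zone data: one benign name, one name that is on the sinkhole list."""
    upstream = UpstreamResolver({"example.com": "198.51.100.7", "officemtr.com": "168.62.217.117"})
    recursor = SinkholingRecursor(upstream, ["officemtr.com"])
    answers = [recursor.resolve_a(q) for q in ("officemtr.com", "cdn.officemtr.com.", "example.com")]
    return answers, upstream.queried


if __name__ == "__main__":
    answers, queried = demo()
    for a in answers:
        print(a)
    print("names that reached upstream:", queried)
```

Running the block shows the two officemtr.com queries answered with the block-page address and only example.com appearing in the upstream’s query list, which is the privacy property the paragraph describes: a recursive sinkhole keeps the query inside your resolver.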

Sinkhole by Authoritative DNS

In an authoritative DNS sinkhole, the authoritative DNS service takes control of the destination information. For example, if a domain registrar deems a domain abusive, it will either pull all of the DNS records for the domain or redirect the host records to a parked destination. In this situation, both the recursive DNS service and the authoritative DNS provider can become aware of the client’s DNS query for the target hostname.

Sinkhole by Seized Domain

In a seized domain DNS sinkhole, an organization obtains a court order to seize a domain, which ultimately leads to a change in authoritative DNS. In July 2020, Microsoft secretly seized domains involved in Covid-19 cyber attacks. As the case file details, Microsoft asked a federal court to allow it to take control of and “sinkhole” the attacker’s domains. By gaining control of these domains, Microsoft was able to take down the domains involved in the cybercrime operation. In this situation, the recursive DNS service and the authoritative DNS provider are both aware of the client’s DNS query.

[Figure: court filing, Case 1-20-cv-00730-LO-JFA]

Microsoft was able to get the domains in the figure below seized. These domains now all point to Microsoft’s MICROSOFTINTERNETSAFETY.NET name servers and resolve to Microsoft-owned IP space.

[Figure: domains seized in Case 1-20-cv-00730-LO-JFA]

While the seizure of the domains disrupts the criminals behind the cyber attack and protects customers from phishing attacks, there are new issues that are not so obvious. When we look up the WHOIS record for one of the seized domains, we see that the domain is now under Microsoft’s control.

Domain Name: officemtr.com
Domain Status: clientUpdateProhibited (https://www.icann.org/epp#clientUpdateProhibited)
Domain Status: clientTransferProhibited (https://www.icann.org/epp#clientTransferProhibited)
Domain Status: clientDeleteProhibited (https://www.icann.org/epp#clientDeleteProhibited)
Registrant Name: Domain Administrator
Registrant Organization: Microsoft Corporation
Registrant Street: One Microsoft Way,
Registrant City: Redmond
Registrant State/Province: WA
Registrant Postal Code: 98052
Registrant Country: US
Registrant Phone: +1.4258828080
Registrant Fax: +1.4259367329
Registrant Email: [email protected]
Name Server: nsc19a.microsoftinternetsafety.net
Name Server: nsc19b.microsoftinternetsafety.net
>>> Last update of WHOIS database: 2021-04-14T06:24:05-0700 <<<

While the domains in this seizure are no longer a risk to Microsoft and its customers, there is an unanswered question: why does the domain above still need to resolve to an IP address?

; <<>> DiG 9.10.6 <<>> officemtr.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2049
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 8192
;; QUESTION SECTION:
;officemtr.com. IN A
;; ANSWER SECTION:
officemtr.com. 3600 IN A 168.62.217.117
;; Query time: 184 msec
;; SERVER: 4.2.2.1#53(4.2.2.1)
;; WHEN: Wed Apr 14 10:20:39 EDT 2021
;; MSG SIZE rcvd: 58

Our open source intelligence tools show that this IP address has numerous ports listening and accepting traffic. It is fair to assume that the target IP address is a honeypot being used to collect threat intelligence, which means that anyone who visits this domain is now interacting with this web server. First, what is done with this connection information is unknown; we don’t know what details are being logged, retained, and used. Second, nothing displayed to a visiting end user indicates that Microsoft has seized this domain. If you visit officemtr[.]com, the only thing shown is a blank web page. A blank page is a missed opportunity for Microsoft to tell victims and IT pros that this domain was involved in criminal activity.

Sinkhole by Registered Domain

In a registered domain DNS sinkhole, a security company or organization registers known malicious domains. By taking control of these domains, security organizations intercept the domains’ traffic for a variety of purposes. When used for good, well-intentioned researchers use this data to research and dismantle botnets and criminal infrastructure. When used for profit, organizations acquire control of these domains to monetize the data as “compromise intelligence.” In some cases, this information is sold back to the compromised organizations; organizations also sell this data to governments, insurance providers, and third-party risk management firms. Sinkhole data is valuable enough that BitSight acquired Anubis Networks for $13 million, and that network alone currently hosts thousands of domains on known sinkhole IP space. A small concentration of security companies and organizations sinkhole domains. More than 250,000 domains online are used as honeypots, collecting petabytes of network traffic and aggregating very dangerous datasets.

Reduce Your Privacy, Cyber and Financial Risk

Securd protects your endpoints and end-users from resolving and connecting to 250,000+ sinkhole domains with the Sinkhole category.

If you’re using a “free DNS service” such as Quad9, please be aware that we’ve observed this and other categories of concerning domains resolve. The domains we are using in this blog do resolve to the Microsoft sinkhole IP address. You can perform this test yourself with a simple command of the form dig @{DNS SERVER IP} {domain}:

dig @9.9.9.9 officemtr.com

; <<>> DiG 9.10.6 <<>> @9.9.9.9 officemtr.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61112
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;officemtr.com. IN A
;; ANSWER SECTION:
officemtr.com. 3600 IN A 168.62.217.117
;; Query time: 89 msec
;; SERVER: 9.9.9.9#53(9.9.9.9)
;; WHEN: Thu Apr 15 07:10:31 EDT 2021
;; MSG SIZE rcvd: 58

Unless you have a protective DNS service where you can observe and review answer data in real-time, it’s wise not to assume your security and privacy are being protected. There is no valid reason why your network or endpoints should be able to resolve or connect to a domain being used for intelligence gathering.
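
Reviewing answer data for sinkhole hits is something you can also do offline against your own resolver logs. The following is an added example, not Securd’s code or its Sinkhole category: it parses answer records in the dig-style “name TTL IN A address” form shown above and flags any answer whose address falls inside a table of sinkhole address space. The only real address in the table is 168.62.217.117 from the dig output on this page; the other two ranges are RFC 5737 documentation networks standing in for third-party sinkhole operators, and the log lines are constructed. It handles both A and AAAA answers, which the page’s dig output does not show.

```python
import ipaddress
import re

# Constructed table of "known sinkhole / honeypot" address space for this example.
# 168.62.217.117 is the answer shown in the dig output on the page; the other two
# entries are RFC 5737 documentation ranges standing in for third-party operators.
SINKHOLE_NETWORKS = {
    "microsoft-seizure (page example)": ["168.62.217.117/32"],
    "sinkhole-operator-A (placeholder)": ["198.51.100.0/24"],
    "sinkhole-operator-B (placeholder)": ["203.0.113.0/24"],
}

# Constructed resolver answer lines in dig-style "name TTL IN type rdata" format.
SAMPLE_ANSWERS = """\
officemtr.com.      3600 IN A 168.62.217.117
www.example.com.    300  IN A 192.0.2.80
login.example.net.  60   IN A 203.0.113.44
mail.example.org.   3600 IN AAAA 2001:db8::1
bad.example.        30   IN A 198.51.100.9
"""

# Only A and AAAA answers carry an address to check; other lines are skipped.
ANSWER_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(A|AAAA)\s+(\S+)\s*$")


def load_networks(table):
    """Flatten the label -> [cidr, ...] table into (label, ip_network) pairs."""
    return [(label, ipaddress.ip_network(cidr)) for label, cidrs in table.items() for cidr in cidrs]


def classify_answer(line, networks):
    """Parse one answer line. Returns None for non-address lines, otherwise a record
    whose 'sinkhole' field names the matching operator or is None."""
    m = ANSWER_RE.match(line.strip())
    if not m:
        return None
    name, ttl, _rtype, rdata = m.groups()
    addr = ipaddress.ip_address(rdata)
    record = {"qname": name.rstrip("."), "rdata": rdata, "ttl": int(ttl), "sinkhole": None}
    for label, net in networks:
        # Compare only within the same address family; v4 and v6 never overlap.
        if addr.version == net.version and addr in net:
            record["sinkhole"] = label
            break
    return record


def find_sinkhole_hits(log_text, table=SINKHOLE_NETWORKS):
    """Return every answer in log_text whose address lands in sinkhole space."""
    networks = load_networks(table)
    hits = []
    for line in log_text.splitlines():
        rec = classify_answer(line, networks)
        if rec and rec["sinkhole"]:
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for hit in find_sinkhole_hits(SAMPLE_ANSWERS):
        print(f"{hit['qname']} -> {hit['rdata']} (TTL {hit['ttl']}) is in {hit['sinkhole']}")
```

Each hit is worth two follow-ups: the endpoint that asked for the name was trying to reach a domain someone considered malicious enough to sinkhole, and the connection that followed handed that fact to whoever operates the sinkhole. Feeding the same table into your resolver’s block policy turns the audit into prevention.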

Start Protecting Your Privacy Now with Securd Protective DNS

This security category is available to all protective DNS customers. It increases your organizational privacy by reducing the intelligence gathered about your networks and endpoints, and by reducing the cybersecurity and posture information that is sold or shared with third parties without your control. Your source -> destination DNS traffic logs are 100% private and will never be shared with or sold to anyone.

Other than setting up your DNS, no effort is required of active subscribers to detect Sinkhole traffic. If we detect a connection to a Sinkhole domain with our real-time logging capability, you will automatically see a /Sinkhole category in your dashboard and traffic logs. To block this traffic, edit your active security policies, check the block Sinkhole category, and apply your policy. Blocking for the category takes effect immediately.

[Figure: /Sinkhole category hits in the Securd dashboard]

Securd Protective DNS is a recursive DNS solution that prevents your endpoints from resolving and connecting to high-risk domains. Start protecting your end users wherever they are in less than 5 minutes. Our plans fit any size of organization, and you can create a free business account to get started. The first 500,000 DNS queries a month are free!