DNS Sinkholing: Pinpointing Infected Devices With PAN-OS 6.0

DNS sinkholing? What’s that?

Images of cars, telephone poles, and intersections being swallowed by large, random holes in the earth come to mind. Pretty terrifying, especially if you’re the owner of that brand new Corvette that’s now 30 feet below ground. But how do you sinkhole domain names and why would you want to?

If someone attempted to rob your house, even if they didn’t actually steal anything, you’d want to know. Similarly, if your computer were infected with malicious files, regardless of how they got there, you’d want to know, even if nothing bad resulted from it. This is exactly what DNS sinkholing does: it allows you to identify infected devices on your network immediately, even if they were infected via a system or application vulnerability that hasn’t been publicly discovered yet. But how does this actually work?

The Internet is full of bandits

The number of domain names on the Internet is mind boggling. This interesting site estimates that there were 759 million web sites as of 2013, an increase of 103 million from 2012… and it’s been 9 months since those numbers were released, so you can only guess how big the Internet is today: VERY big, and it’s not all good. There are thousands of malicious domains with evil-intentioned attackers behind them… and those are only the domains that have been identified as malicious — the best way for a bad guy to continue his bad ways is to make people think he’s good.

The Domain Name System, referred to simply as DNS, is a service used by devices to map between domain names and their corresponding IP addresses, which is fundamental to the way we use the Internet and the ease with which we do so. Imagine having to remember your news site is located at, or as a business having to update all your users whenever you migrate to a new server. No thank you. DNS allows you to use a name for your website that is both descriptive of the content and persistent, regardless of how many times its IP address changes.

But bad guys around the world leverage DNS as a way to avoid detection and the subsequent failure of their efforts to take over devices. Attackers will set up command-and-control centers to connect to computers and mobile devices that are already hosting their malicious files, or botnets, and the device owner usually has no clue that something evil is taking place. The bot is programmed to connect back to the command center at some interval (usually irregularly so as to avoid detection) to upload data it’s stolen or receive instructions for its next move. This is what’s known as a command-and-control attack, abbreviated as CnC or C2. The result is the user is now compromised and completely unaware of that fact, their device subject to the whim of the attacker.

Don’t be the guy whose device leaks data

But DNS sinkholing prevents users from being totally owned. By setting up a sinkhole, instead of sending outbound traffic to malicious domains, I can send it to one of my own unused IPs, effectively stopping the bot’s attempts to contact its command center, and capturing useful data about the attack. Every beacon attempt caught in the sinkhole is logged, including user ID, which means I can look at my logs each day and immediately identify whose device I need to scrub — much easier than digging through mountains of DNS server logs. Setting up a sinkhole makes it easy to figure out whose device is infected.

DNS sinkholing is especially useful for enterprises that don’t log all DNS requests because the load of billions of requests would crash their DNS servers. Trying to catch outbound CnC traffic that beacons at irregular intervals to avoid detection (like once every month or two at 2am) is particularly difficult if you’re only able to turn on logging for an hour or two to avoid flooding those servers. Sinkholing bypasses this problem by capturing only the traffic that is redirected to your chosen sinkhole IP, whenever that traffic occurs. In fact, one of our customers said they migrated their Palo Alto Networks platform to PAN-OS 6.0 just to take advantage of this feature because this was exactly the situation within their organization.

Be more intelligent about attack patterns

Palo Alto Networks gives you the option to sinkhole DNS traffic as part of the Threat Prevention subscription in PAN-OS version 6.0, and it can be enabled within the Anti-Spyware profiles. The logs from this feature yield some pretty interesting CnC traffic patterns, such as when beacons occur and for how long. I might find that some bots will try to phone home a few hundred times in a row before going dark for a few months, or that phone-home attempts only occur at 2am when my security staff isn’t around. Threat intelligence like this, combined with the ease of identifying infected devices, makes this feature a particularly powerful incident response and threat intelligence tool, while still preventing successful CnC attacks.
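To make the mechanism concrete, here is an added illustration (my own code, not PAN-OS or any Palo Alto Networks tooling) of the two halves described above: rewriting the DNS answer for a listed domain to a sinkhole address, and then mining connection logs for hosts that talk to that address and the hour of day they do it. The sinkhole IP, the domain list, the log format and every log line are constructed placeholders.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sinkhole address and a constructed stand-in for the domains an
# Anti-Spyware profile would treat as malicious. Neither is real threat data.
SINKHOLE_IP = "10.255.255.254"
MALICIOUS_DOMAINS = {"evil-c2.example", "beacon.bad.example"}


def sinkhole_resolve(qname, real_answer):
    """Mimic the sinkhole rewrite: a listed name gets the sinkhole IP in its
    DNS reply instead of the real address, so the bot connects to us."""
    if qname.rstrip(".").lower() in MALICIOUS_DOMAINS:
        return SINKHOLE_IP
    return real_answer


# Constructed traffic log, "timestamp,src_ip,user,dst_ip,dst_port" per line.
# This is an invented export format, not the PAN-OS log format.
SAMPLE_LOG = """\
2014-03-10 02:00:13,192.168.1.22,alice,10.255.255.254,443
2014-03-10 02:00:15,192.168.1.22,alice,10.255.255.254,443
2014-03-10 09:12:40,192.168.1.40,bob,93.184.216.34,80
2014-03-11 02:01:02,192.168.1.22,alice,10.255.255.254,443
2014-03-11 14:30:00,192.168.1.77,carol,10.255.255.254,8080
"""


def sinkhole_hits(log_text):
    """Map (src_ip, user) -> list of hours at which that host hit the sinkhole.
    Any key in the result is a device that needs to be scrubbed."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        ts, src, user, dst, _port = line.split(",")
        if dst == SINKHOLE_IP:
            hour = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").hour
            hits[(src, user)].append(hour)
    return dict(hits)


def beacon_hours(hits):
    """Hour-of-day histogram of all beacons, to spot patterns like '2am only'."""
    return Counter(h for hours in hits.values() for h in hours)


if __name__ == "__main__":
    found = sinkhole_hits(SAMPLE_LOG)
    for (src, user), hours in found.items():
        print(f"{src} ({user}) beaconed {len(hours)}x at hours {sorted(set(hours))}")
    print("beacons per hour:", dict(beacon_hours(found)))
```

Legitimate traffic (bob to 93.184.216.34) never appears in the result, which is the whole point: you only read the hits, not the full DNS log.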

To learn more about enabling DNS Sinkhole on your Palo Alto Networks platform, take a look at this nifty video created by one of our partners, Nebula Solutions.

