--> A DNS sinkhole, also known as a sinkhole server, Internet sinkhole, or BlackholeDNS is a DNS server that gives out false information to prevent accessing a domain name.
--> The DNS sinkhole action enables the firewall to forge a response to a DNS query for a known malicious domain, causing the malicious domain name to resolve to an IP address that you define.
--> This feature can be used to identify infected hosts on the protected network using DNS traffic in situations where the firewall cannot see the infected client's DNS query.
--> In a typical deployment where the firewall is north of the local DNS server, the threat log will identify the local DNS resolver as the source of the traffic rather than the actually infected host.
--> Sinkholing malware DNS queries solve this visibility problem by forging responses to the client host queries directed at malicious domains so that clients attempting to connect to malicious domains (for command-and-control, for example) will instead attempt to connect to a sinkhole IP address that you define.
--> Infected hosts can then be easily identified in the traffic logs because any hosts that attempt to connect to the sinkhole IP address are most likely infected with malware.
--> The DNS sinkhole action enables the firewall to forge a response to a DNS query for a known malicious domain, causing the malicious domain name to resolve to an IP address that you define.
--> This feature can be used to identify infected hosts on the protected network using DNS traffic in situations where the firewall cannot see the infected client's DNS query.
--> In a typical deployment where the firewall is north of the local DNS server, the threat log will identify the local DNS resolver as the source of the traffic rather than the actually infected host.
--> Sinkholing malware DNS queries solve this visibility problem by forging responses to the client host queries directed at malicious domains so that clients attempting to connect to malicious domains (for command-and-control, for example) will instead attempt to connect to a sinkhole IP address that you define.
--> Infected hosts can then be easily identified in the traffic logs because any hosts that attempt to connect to the sinkhole IP address are most likely infected with malware.
0 Comments