SANS ISC: IPv6 and DNS Sinkhole SANS ISC InfoSec Forums

IPv6 and DNS Sinkhole

In January 2010, I posted a diary on how to configure zone files to set up a DNS sinkhole using IPv4 addresses. This updated diary shows how to add IPv6 support to your zone file to sinkhole both IPv4 and IPv6.

Single Hostname (/var/named/sinkhole/client.nowhere)

 client.nowhere

Wildcard Domain (/var/named/sinkhole/domain.nowhere)

 domain.nowhere

Note: If you are not currently using IPv6 in your network, change the example fec0:0:0:bebb::5 to ::1 (localhost) to prevent 6to4, Teredo, etc. traffic from leaving the network.
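As an added illustration (not the author's original zone files), here is a minimal pair of BIND zone files that answer with both an A and an AAAA record, using the sinkhole addresses 192.168.25.6 and fec0:0:0:bebb::5 from this diary. The SOA/NS names, serial and timer values are assumptions.

```dns
; ---- Added example: /var/named/sinkhole/client.nowhere (single hostname) ----
; SOA/NS names, serial and timers are assumed values; adjust for your server.
$TTL 600
@       IN  SOA   localhost. root.localhost. (
                  2011090901 ; serial (constructed)
                  3H         ; refresh
                  15M        ; retry
                  1W         ; expire
                  10M )      ; negative-cache TTL
        IN  NS    localhost.
        IN  A     192.168.25.6        ; IPv4 sinkhole address
        IN  AAAA  fec0:0:0:bebb::5    ; IPv6 sinkhole address
;       IN  AAAA  ::1                 ; use instead when IPv6 is not deployed

; ---- Added example: /var/named/sinkhole/domain.nowhere (wildcard domain) ----
$TTL 600
@       IN  SOA   localhost. root.localhost. (
                  2011090901 ; serial (constructed)
                  3H         ; refresh
                  15M        ; retry
                  1W         ; expire
                  10M )      ; negative-cache TTL
        IN  NS    localhost.
        IN  A     192.168.25.6        ; answers for the domain itself
        IN  AAAA  fec0:0:0:bebb::5
*       IN  A     192.168.25.6        ; answers for every name under the domain
*       IN  AAAA  fec0:0:0:bebb::5
;*      IN  AAAA  ::1                 ; use instead when IPv6 is not deployed
```

Because every record is written relative to `@`, the same file can back each sinkholed zone that references it. Without the AAAA lines, a dual-stack client's AAAA query for a sinkholed name gets no sinkhole address.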

To verify that your zone files are correctly configured, use nslookup to query a hostname or a domain loaded in your sinkhole.

With Windows 7 (note that it shows both IPv4 and IPv6):

C:\>nslookup zz87lhfda88.com
Server: seeker.someserver.com
Address: 192.168.25.5

Name: zz87lhfda88.com
Addresses: fec0:0:0:bebb::5
           192.168.25.6

With Linux, you need to query for the AAAA record explicitly:

guy@seeker:~$ nslookup -q=aaaa zz87lhfda88.com
Server: 192.168.25.5
Address: 192.168.25.5#53

zz87lhfda88.com has AAAA address fec0:0:0:bebb::5

[1] http://isc.sans.edu/diary.html?storyid=7930
[2] http://www.whitehats.ca/main/members/Seeker/seeker_sinkhole/Seeker_DNS_Sinkhole.html
[3] http://www.whitehats.ca/downloads/sinkhole/sinkhole.iso
[4] http://www.whitehats.ca/downloads/sinkhole/sinkhole64-bit.iso

-----------

Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu

 Community SANS SEC 503 coming to Ottawa Sep 2011

Guy

ISC Handler
Sep 9th 2011
