How can someone sinkhole domains?
In the article referenced by the Wikipedia page, things are clearer. Here is the story:
The CryptoLocker malware encrypts the user files with a randomly generated key. In order to enact the ransoming, the malware must send the decryption key to a command-and-control centre operated by the bad guys. A single, fixed C&C server IP or name would soon be shut down by authorities. To avoid this issue, the CryptoLocker authors used the following scheme: the C&C registers random-looking domain names at a rather high rate (1000 per day !). The domain names are generated with a deterministic pseudo-random algorithm, that the malware knows too. Therefore, when CryptoLocker executes on a victim's computer, it tries to use one of the domain names du jour in order to talk to the C&C. The attacker's hope is that law enforcement agencies will have to go through heavy administrative bureaucracy to force the shut down of a domain name, and won't be able to do that 1000 times per day.
Since the malware knows the domain-generation algorithm, a researcher (Dimiter Andonov) reverse-engineered the code, and thus became able to predict the domain names in advance. Kaspersky "sinkholed" three domain names out of the 3000 for three consecutive days; this means that they simply... registered these domains. Which prevented the bad guys from doing the same, but also gives some data to Kaspersky. Kaspersky wanted to make measures, not to contain the infection. With their three domain names, the saved about 1/1000th of the CryptoLocker victims during three days (not a high achievement, generally speaking), but they also obtained statistics on the worldwide distribution of victims: 1/1000th of the CryptoLocker-infected machines, during these three days, talked not to the C&C, but to Kaspersky's systems, who of course told them not to encrypt the data, but also noted who talked to them.
To really block CryptoLocker at the DNS level, all 1000 domains each day would have to be blocked (e.g. by root DNS), which could imply some collateral damage (normal, honest domains may be, out of bad luck, part of the randomly generated names).
The term "sinkhole" is somewhat abusive here. A real DNS sinkhole implies something more forceful: the sinkhole is a DNS server which "somehow" gets inserted in the chain of DNS servers who will get asked for their opinion on the resolution of a given name. A local version is easy: put some explicit host-to-IP information in /etc/hosts
(or its Windows equivalent), which will override anything that external DNS system may say about the name. For a more global effect, this has to be done either at the OS level (e.g. Microsoft may push an OS patch which alters name resolution) or on a root DNS (or a "sub-root" like the ones for "co.uk
").
In that sense, the difference between a DNS sinkhole and DNS spoofing is that in the former case, it is performed by "good" people. Formally, it is a kind of attack... which reminds us that the vendor of the OS and browser you use (e.g. Microsoft) and the root DNS operators are "trusted": if they are hostile to you, you are doomed.
How does this work? Who can sinkhole domains?
Anyone can sinkhole domains. The key is that it only affects the systems that are using that particular sinkhole for DNS resolution. Obviously, root DNS servers or DNS servers controlled by ISPs will affect a larger number of machines.
Have a look at the article the wikipedia page linked to.
Dimiter Andonov from ThreatTrack Security reverse- engineered the algorithm and Kaspersky Lab sinkholed three domains to measure the number of worldwide victims. In total, we've had 2764 unique victim IP's contacting the sinkholed domains.
Kaspersky is using a DNS sinkhole to measure the number of worldwide victims. The article doesn't state who or which DNS servers Kaspersky is using to accomplish this, but it's presumably one owned by them.
And is there a way to notice that a domain is sinkholed? Maybe a flag or something? Or is the only way to consult an additional, alternative DNS server and compare the resolved IPs?
I don't think there is any quick and easy way to do this. I have noticed this tool called dnsyo on GitHub that might be helpful is doing this but you will have to investigate this further yourself.