To better understand how a computer resolves a domain name to a public IP address, the following steps walk through the process.
1) User enters a domain name in the browser to the site he/she desires to navigate to.
2) The user's device will send a DNS request to a public DNS server such as Google.
3) The Google DNS server will respond back with an IP address that correlates to the domain name.
4) The user's device will then route packets to the IP address provided by Google.
5) The user sees on his/her screen the requested domain webpage.
This process lets a device communicate over the Internet while the user only needs to remember domain names instead of strings of numerical IP addresses, which would be difficult for a human to keep track of accurately.
Malicious Software & DNS
Now that we understand how a user's device resolves a domain to an IP address, we can describe how malicious software uses this same process to communicate with an attacker's command and control (C2) infrastructure. The process below happens behind the scenes, without the user's knowledge.
1) A user unknowingly clicks a link or opens an attachment which installs malicious software onto the device.
2) The software attempts to contact the attacker's C2 infrastructure by sending a DNS request to Google for a predetermined malicious domain.
3) The Google DNS server responds back with the appropriate IP address of the domain.
4) The software establishes contact with the C2 network and awaits further guidance from the attacker.
Coordinated "Domain Sinkholing"
Currently, some public DNS servers will return an incorrect IP address for a DNS request if the domain in question has been flagged as malicious. The incorrect IP address is sent back to the device, which prevents it from connecting to the attacker's C2 infrastructure (Sancho & Link, 2012). This process is commonly referred to as "sinkholing the domain."
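The sinkhole behaviour described above, as an added example that is not from this paper or from Sancho & Link: a small Python resolver that answers queries for flagged domains (and their subdomains) with a sinkhole address and records which clients asked, since those recorded hits are how defenders identify infected hosts. The blocklist, domain names, addresses and the SINKHOLE_IP value are constructed assumptions.

```python
"""Resolver-side sinkholing: queries for flagged domains (or their
subdomains) get a sinkhole address; hits are recorded per client so
defenders can find infected hosts. All names and IPs are constructed."""
from collections import defaultdict

SINKHOLE_IP = "192.0.2.1"  # assumed sinkhole target (RFC 5737 doc range)

# Constructed stand-in for recursive resolution of the "real" answer.
UPSTREAM = {
    "www.example.com": "93.184.216.34",
    "c2.bad-example.net": "198.51.100.7",
    "update.bad-example.net": "198.51.100.8",
}

def normalize(name):
    """Lower-case and drop the trailing dot so 'C2.Bad-Example.NET.' matches."""
    return name.strip().rstrip(".").lower()

def is_flagged(name, blocklist):
    """True if name equals a flagged domain or is a subdomain of one.
    The leading '.' avoids matching look-alikes such as notbad-example.net."""
    name = normalize(name)
    return any(name == d or name.endswith("." + d) for d in blocklist)

class SinkholingResolver:
    def __init__(self, blocklist):
        self.blocklist = {normalize(d) for d in blocklist}
        self.hits = defaultdict(list)  # client -> flagged names it asked for

    def resolve(self, client, name):
        """Answer one A query: (ip, sinkholed). ip is None if the name is unknown."""
        if is_flagged(name, self.blocklist):
            self.hits[client].append(normalize(name))
            return SINKHOLE_IP, True
        return UPSTREAM.get(normalize(name)), False

    def infected_clients(self):
        """Clients that queried a flagged domain: candidates for incident response."""
        return sorted(self.hits)

def run_sample():
    resolver = SinkholingResolver(["bad-example.net"])
    queries = [("10.0.0.5", "www.example.com"),
               ("10.0.0.9", "c2.bad-example.net"),
               ("10.0.0.9", "UPDATE.bad-example.net."),
               ("10.0.0.5", "notbad-example.net")]
    answers = {(c, n): resolver.resolve(c, n) for c, n in queries}
    return resolver, answers
```

The sinkholed client list is the defender's payoff: a resolver that only blocks, without recording who asked, gives no lead for cleaning up the infected device.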
There is currently no process in place to globally share malicious domain names and coordinate a consolidated effort to sinkhole them across the majority of the most common DNS servers. Establishing a global coordination center that helped public DNS providers track, identify, and sinkhole these malicious domains would help reduce malicious cyber activity.