The question states that the attack is happening. A DNS sinkhole is a disruption technique that can be used to disrupt malware transmission at the very point of connection. Moreover, it can route suspect traffic to a different network, such as a honeynet, where it can be analyzed. See the following link: https://resources.infosecinstitute.com/topic/dns-sinkhole-can-protect-malware/
A DNS (Domain Name System) sinkhole is a technique used to redirect malicious or unwanted traffic to a non-existent or controlled destination. By redirecting the traffic to a sinkhole, organizations can effectively contain the spread of the attack by preventing the malicious traffic from reaching its intended targets.
When an attack is rapidly spreading and affecting multiple organizations, a DNS sinkhole can be deployed at a network level to block access to malicious domains or IP addresses associated with the attack. This prevents infected systems from establishing connections with the attacker's infrastructure, effectively containing the attack and limiting its impact on other organizations.
A DNS sinkhole is a DNS server that gives incorrect results for one or
more domain names. If you enter a domain name into your web browser
during normal operation, the web browser queries DNS for the website and
takes you to the site. However, if the DNS server has a sinkhole for the
domain name, you won’t be able to reach the site.
Investigative authorities have used sinkholes to disrupt botnets and
malware. Infected computers frequently check in with command and
control servers, and the malware includes the domain names of these
servers. Authorities reverse engineer the malware to discover these domain
names, and then they coordinate with DNS owners to redirect traffic
destined for these domain names. This effectively prevents infected
computers from contacting the command and control servers for
instructions.
The question states: "is affecting a large number of organizations" - not necessarily the organization you're working under is being targeted. Having a blocklist based on the IoC from other organizations would best prevent an attack.
A DNS sinkhole, also known as a DNS blackhole, is a security measure that involves redirecting traffic from malicious domains to a predetermined location, such as a "blackhole" server that is not connected to the internet. DNS sinkholing can be an effective way to contain a rapidly spreading attack that is affecting a large number of organizations. By redirecting traffic away from the malicious domains, it is possible to prevent the attack from spreading and mitigate the impact on the affected organizations.
A DNS sinkhole would be the most effective option to contain a rapidly spreading attack that is affecting a large number of organizations. A DNS sinkhole is a type of security measure that involves redirecting traffic from malicious domains to a controlled environment, such as a "sinkhole" server. This can help to prevent the spread of the attack by blocking access to the malicious domains and preventing users from inadvertently accessing them.
That’s B.
Quote from Ian Neil’s book:
“DNS Sinkhole: A DNS Blacklist can be created on a firewall so that it can identify malicious traffic trying to gain access to your network. A DNS sinkhole can be created so that it either returns false information to the attacker or forwards the malicious traffic to a honeypot or honeynet, thereby protecting your network against an attack.”
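The following is an added example, not part of the discussion above or any commenter's post: a small Python sketch of the sinkhole behaviour the comments describe, where a resolver answers blocklisted names (and their subdomains) with a controlled address and the resulting hits identify which internal clients tried to reach them. The domain names, addresses, query log and function names are all constructed assumptions.

```python
from collections import defaultdict

# Assumption: documentation-range address standing in for the sinkhole/honeypot host.
SINKHOLE_IP = "192.0.2.53"

# Constructed blocklist; in practice these are IoC domains shared by other organizations.
BLOCKLIST = {"evil-c2.example", "cdn.botnet.test"}

# Constructed stand-in for normal upstream resolution.
UPSTREAM = {"www.example.com": "198.51.100.10"}

# Constructed query log: (client IP, queried name).
QUERY_LOG = [
    ("10.0.0.7", "beacon.evil-c2.example."),
    ("10.0.0.7", "www.example.com"),
    ("10.0.0.9", "CDN.Botnet.Test"),
    ("10.0.0.12", "notevil-c2.example"),
]

def normalize(qname):
    """DNS names are case-insensitive and may carry a trailing root dot."""
    return qname.rstrip(".").lower()

def is_sinkholed(qname, blocklist=BLOCKLIST):
    """True if the name or any parent domain is blocklisted.
    Matching is done on whole labels, so 'notevil-c2.example' does not
    match 'evil-c2.example' the way a plain string suffix test would."""
    labels = normalize(qname).split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))

def resolve(qname, upstream=UPSTREAM):
    """Return (answer, sinkholed): the false answer for blocklisted names,
    the normal upstream answer (or None) for everything else."""
    if is_sinkholed(qname):
        return SINKHOLE_IP, True
    return upstream.get(normalize(qname)), False

def infected_clients(query_log):
    """Map each client to the sinkholed names it asked for (triage list)."""
    hits = defaultdict(set)
    for client, qname in query_log:
        if resolve(qname)[1]:
            hits[client].add(normalize(qname))
    return dict(hits)

if __name__ == "__main__":
    for client, names in sorted(infected_clients(QUERY_LOG).items()):
        print(client, sorted(names))
```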
Lv2023 (Highly Voted, 2 years, 7 months ago)
ApplebeesWaiter1122 (Highly Voted, 1 year, 12 months ago)
LordJaraxxus (Most Recent, 1 year, 4 months ago)
CS3000 (1 year, 10 months ago)
Alizadeh (2 years, 6 months ago)
FMMIR (2 years, 6 months ago)
GetBuckets (2 years, 6 months ago)
[Removed] (2 years, 6 months ago)