DNS Sinkhole Logs

network, DNS Analysis, Network Capture, SIEM / Log Aggregator

Location

DNS sinkhole server logs (Response Policy Zones, Pi-hole block logs, Infoblox RPZ)

Description

Logs from DNS sinkholes or Response Policy Zones (RPZ) recording queries that were intercepted and redirected to a sinkhole IP instead of the actual malicious destination.

Forensic Value

Sinkhole logs provide a definitive list of internal hosts attempting to contact known-malicious domains. Unlike general DNS logs, every sinkholed query represents a blocked threat: the host is confirmed infected, but the C2 communication was prevented. Recurring sinkhole hits from the same host after remediation indicate incomplete cleanup. Time-series analysis of sinkhole hits (queries and distinct hosts per interval) quantifies the scope of an infection across the environment.
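The three analyses named above (hosts hitting the sinkhole, repeat hits after remediation, and a time series of the outbreak) as an added worked example; this is not code from the original page or from any sinkhole product. The log lines are constructed samples loosely modelled on BIND RPZ rewrite messages; the `RPZ_LINE` pattern, the `parse_ts` format and the remediation timestamps are assumptions to adjust for a real resolver's output.

```python
"""Triage of DNS sinkhole / RPZ rewrite logs (added example, not from the original page)."""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample log, loosely modelled on BIND RPZ "rewrite" messages.
# Real deployments differ (Pi-hole, Infoblox, newer BIND add fields); adjust RPZ_LINE to match.
SAMPLE_LOG = """\
12-Mar-2024 09:05:11.201 client 10.0.1.15#52110 (c2-a.example): rpz QNAME CNAME rewrite c2-a.example via c2-a.example.rpz.local
12-Mar-2024 09:05:41.377 client 10.0.1.15#52111 (c2-a.example): rpz QNAME CNAME rewrite c2-a.example via c2-a.example.rpz.local
12-Mar-2024 09:20:02.004 client 10.0.1.22#40011 (c2-b.example): rpz QNAME CNAME rewrite c2-b.example via c2-b.example.rpz.local
12-Mar-2024 10:01:55.810 client 10.0.1.22#40012 (c2-b.example): rpz QNAME CNAME rewrite c2-b.example via c2-b.example.rpz.local
12-Mar-2024 10:30:17.555 client 10.0.1.15#52112 (c2-a.example): rpz QNAME CNAME rewrite c2-a.example via c2-a.example.rpz.local
12-Mar-2024 11:12:09.000 client 10.0.1.40#61000 (c2-a.example): rpz QNAME CNAME rewrite c2-a.example via c2-a.example.rpz.local
12-Mar-2024 11:12:09.001 this line is not an rpz rewrite and must be ignored
"""

# Assumed line layout: timestamp, client IP#port, (qname), "rpz <trigger> <action> rewrite <name> via <rpz zone>".
RPZ_LINE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ "
    r"client (?P<client>\d{1,3}(?:\.\d{1,3}){3})#\d+ "
    r"\((?P<qname>[^)]+)\): rpz (?P<trigger>\S+) (?P<action>\S+) rewrite \S+ via (?P<rpz>\S+)$"
)

TS_FORMAT = "%d-%b-%Y %H:%M:%S"


def parse_ts(text):
    """Parse a timestamp in the (assumed) log format, e.g. '12-Mar-2024 10:00:00'."""
    return datetime.strptime(text, TS_FORMAT)


def parse_rpz_log(text):
    """Return one dict per RPZ rewrite line; lines that are not rewrites are skipped."""
    hits = []
    for line in text.splitlines():
        m = RPZ_LINE.match(line)
        if not m:
            continue
        hits.append({
            "ts": parse_ts(m["ts"]),
            "client": m["client"],
            "qname": m["qname"].rstrip(".").lower(),
            "rpz": m["rpz"],
        })
    return hits


def hits_per_host(hits):
    """Sinkholed queries per source IP, most active first: the triage list of infected hosts."""
    return Counter(h["client"] for h in hits).most_common()


def recurring_after_remediation(hits, remediated_at):
    """Hosts that hit the sinkhole again after they were declared clean (incomplete cleanup).

    remediated_at maps client IP -> datetime at which remediation was recorded as complete.
    Returns {client: [(timestamp, qname), ...]} for relapsed hosts only.
    """
    relapsed = defaultdict(list)
    for h in hits:
        cleaned = remediated_at.get(h["client"])
        if cleaned is not None and h["ts"] > cleaned:
            relapsed[h["client"]].append((h["ts"], h["qname"]))
    return dict(relapsed)


def hourly_series(hits):
    """Per-hour (query count, distinct hosts), in time order: the scope of the infection over time."""
    counts = Counter()
    hosts = defaultdict(set)
    for h in hits:
        hour = h["ts"].replace(minute=0, second=0, microsecond=0)
        counts[hour] += 1
        hosts[hour].add(h["client"])
    return {hour: (counts[hour], len(hosts[hour])) for hour in sorted(counts)}


if __name__ == "__main__":
    hits = parse_rpz_log(SAMPLE_LOG)
    print("hosts:", hits_per_host(hits))
    # Constructed remediation record: 10.0.1.15 was declared clean at 10:00, 10.0.1.22 at 12:00.
    cleaned = {"10.0.1.15": parse_ts("12-Mar-2024 10:00:00"),
               "10.0.1.22": parse_ts("12-Mar-2024 12:00:00")}
    print("relapsed:", recurring_after_remediation(hits, cleaned))
    for hour, (n, distinct) in hourly_series(hits).items():
        print(f"{hour:%H:%M} queries={n} hosts={distinct}")
```

In the constructed sample, 10.0.1.15 queries the sinkholed domain again half an hour after its recorded cleanup, which is exactly the "incomplete cleanup" signal; 10.0.1.22 does not. The hourly series shows the infection reaching a third host by 11:00. In a SIEM the same three questions become a `count by client`, a join against the remediation ticket timestamps, and a timechart of distinct clients.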

Tools Required

SIEM (Splunk, Elastic), DNS server logs, grep, RPZ configuration tools