DNS Sinkhole Logs

Network, DNS Analysis, Network Capture, SIEM / Log Aggregator

Location

DNS sinkhole server logs (Response Policy Zones, Pi-hole block logs, Infoblox RPZ)

Description

Logs from DNS sinkholes or Response Policy Zones (RPZ) recording queries that were intercepted and redirected to a sinkhole IP instead of the actual malicious destination.

Forensic Value

Sinkhole logs provide a definitive list of internal hosts attempting to contact known-malicious domains. Unlike general DNS logs, every sinkholed query represents a blocked threat -- the host is confirmed infected but the C2 communication was prevented. Recurring sinkhole hits from the same host after remediation indicate incomplete cleanup. Time-series analysis of sinkhole hits quantifies the scope of an infection across the environment.
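The two analyses above (hits per host over time, and hits that recur after a host was remediated) as an added example, not part of the original reference. It parses constructed sample lines shaped like BIND RPZ rewrite entries; the exact line layout is an assumption, so adjust the regex to your resolver's log format.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample lines shaped like BIND RPZ rewrite entries (assumed format;
# adjust LINE_RE to match your resolver's actual log layout).
SAMPLE_LOG = """\
01-Mar-2024 09:12:01.123 rpz: info: client @0x7f 10.0.0.5#51234 (evil.example): rpz QNAME CNAME rewrite evil.example via evil.example.rpz.local
01-Mar-2024 09:13:44.567 rpz: info: client @0x7f 10.0.0.5#51235 (evil.example): rpz QNAME CNAME rewrite evil.example via evil.example.rpz.local
01-Mar-2024 11:02:10.001 rpz: info: client @0x7f 10.0.0.9#40001 (bad.example): rpz QNAME NXDOMAIN rewrite bad.example via bad.example.rpz.local
02-Mar-2024 08:00:00.000 rpz: info: client @0x7f 10.0.0.5#51236 (evil.example): rpz QNAME CNAME rewrite evil.example via evil.example.rpz.local
03-Mar-2024 14:30:00.000 rpz: info: client @0x7f 10.0.0.9#40002 (bad.example): rpz QNAME NXDOMAIN rewrite bad.example via bad.example.rpz.local
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) .*?"
    r"client \S+ (?P<client>\d+\.\d+\.\d+\.\d+)#\d+ \((?P<qname>[^)]+)\): "
    r"rpz QNAME (?P<policy>\w+) rewrite"
)

def parse_sinkhole_log(text):
    """Return one dict per sinkholed query: timestamp, client, qname, policy."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip unrelated log lines instead of failing on them
        events.append({
            "ts": datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S.%f"),
            "client": m["client"], "qname": m["qname"], "policy": m["policy"],
        })
    return events

def hits_per_host(events):
    """Scope of infection: number of blocked queries each internal host produced."""
    return Counter(e["client"] for e in events)

def daily_timeseries(events):
    """Blocked queries per calendar day, for trend review or plotting."""
    return dict(sorted(Counter(e["ts"].date().isoformat() for e in events).items()))

def hits_after_remediation(events, remediated):
    """Hosts still hitting the sinkhole after their recorded remediation time.

    remediated maps client IP -> datetime of cleanup; any later hit is a sign
    of incomplete cleanup and is returned with its timestamp and domain."""
    stale = {}
    for e in events:
        done = remediated.get(e["client"])
        if done is not None and e["ts"] > done:
            stale.setdefault(e["client"], []).append((e["ts"].isoformat(), e["qname"]))
    return stale
```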

Tools Required

SIEM (Splunk, Elastic), DNS server logs, grep, RPZ configuration tools

Collection Commands

Pi-hole

pihole -t | tee pihole_live_log.txt

(Streams live queries until interrupted; run it separately from the export below, because a command chained after it with && would only start once the tail is stopped.)

sqlite3 -csv -header /etc/pihole/pihole-FTL.db "SELECT timestamp,domain,client FROM queries WHERE status IN (1,4,5,6,7,8,9,10,11) ORDER BY timestamp DESC LIMIT 5000;" > sinkholed_queries.csv

BIND RPZ

grep "QNAME redirect" /var/log/named/rpz.log | awk '{print $1, $2, $NF}' > rpz_redirects.txt

Splunk

index=dns sourcetype=sinkhole earliest=-30d | stats count by src_ip, query | sort -count | head 100

MITRE ATT&CK Techniques

T1071.004, T1568.002, T1568, T1583.001, T1048.003