In January 2010, I posted a diary on how to configure zone files to setup a DNS sinkhole using IPv4 addresses. This updated diary shows how to add IPv6 support to your zone file to sinkhole both IPv4 and IPv6.

Single Hostname (/var/named/sinkhole/client.nowhere)

Wildcard Domain (/var/named/sinkhole/domain.nowhere)

Note: If you are not currently using IPv6 in your network, change the example fec0:0:0:bebb::5 to ::1 (localhost) to prevent 6to4, Toredo, etc from leaving the network.

To verify your zone files are correctly configured, you can use nslookup to query a hostname or a domain loaded in your sinkhole.

With Windows 7 (note that it shows both IPv4 and IPv6):

C:>nslookup zz87lhfda88.com
Server: seeker.someserver.com
Address: 192.168.25.5

Name: zz87lhfda88.com
Addresses:fec0:0:0:bebb::5
192.168.25.6

With Linux, you need to specify query AAAA record:

guy@seeker:~$ nslookup -q=aaaa zz87lhfda88.com
Server: 192.168.25.5
Address: 192.168.25.5#53

zz87lhfda88.com has AAAA address fec0:0:0:bebb::5

[1] http://isc.sans.edu/diary.html?storyid=7930
[2] http://www.whitehats.ca/main/members/Seeker/seeker_sinkhole/Seeker_DNS_Sinkhole.html
[3] http://www.whitehats.ca/downloads/sinkhole/sinkhole.iso
[4] http://www.whitehats.ca/downloads/sinkhole/sinkhole64-bit.iso

-----------

Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu

 Community SANS SEC 503 coming to Ottawa Sep 2011