ITM is an open framework - Submit your contributions now.

Preventions

No Ready System-Level Mitigation

Restrict Access to Administrative Privileges

Enforce an Acceptable Use Policy

Enforce a Social Media Policy

Install an Anti-Virus Solution

Install a Web Proxy Solution

Restrict Access to Registry Editor

Enforce File Permissions

Prohibition of Devices On-site

Physical Access Controls

End-User Security Awareness Training

Pre-Employment Background Checks

Disable Printing, Windows

Application Whitelisting

Enforce a Data Classification Policy

Prohibit Email Auto-Forwarding to External Domains, Exchange

Network Intrusion Prevention Systems

Data Loss Prevention Solution

DNS Filtering

Internal Whistleblowing

Access Reviews

Employee Off-boarding Process

Full Disk Encryption

Restrict Mobile Clipboard via Intune App Protection Policies

Financial Approval Process

Corporate Card Spending Limits

Enterprise-Managed Web Browsers

Bootloader Password

Next-Generation Firewalls

Native Anti-Tampering Protections

Protocol Allow Listing

Restrict Disc Media Mounting, Group Policy

Restrict Floppy Drive Mounting, Group Policy

Restrict Removable Disk Mounting, Group Policy

Insider Threat Awareness Training

Employee Mental Health & Support Program

Network Access Control (NAC)

Mobile Device Management (MDM)

Employee Vulnerability Support Program

Restrict Windows System Time Modification

Windows Time Service Synchronization

Exchange Restrict Outbound Emails via Recipient Domain

Regulation Awareness Training

Implement MIP Sensitivity Labels

Privileged Access Management (PAM)

Managerial Approval

Social Media Screening

Employment Reference Checks

Criminal Background Checks

Government-Issued ID Verification

Human Resources Collaboration for Early Threat Detection

Enforce Multi-Factor Authentication (MFA)

Azure Conditional Access Policies

Structured Request Channels for Operational Needs

Consistent Enforcement of Minor Violations

Insider-Focused Threat Intelligence

Disable Proxy Configuration on Windows Systems

Disable Snipping Tool, Group Policy

Static Code Analysis via CI/CD Pipelines

Local DNS Sinkhole, Windows

Local DNS Sinkhole, Linux

ID: PV063
Created: 30th July 2025
Updated: 31st July 2025
Platform: Windows
Contributor: The ITM Team

Local DNS Sinkhole, Windows

On Windows, the “hosts” file is a text file used by the operating system as a local DNS resolver. It is located at C:\Windows\System32\drivers\etc\hosts.

An entry can be created in this file on a new line in the format “X.X.X.X domain.com”. To sinkhole a domain so that it doesn't resolve, the hosts entry could look like: 127.0.0.1 drive.google.com. If a user account attempted to reach this domain in a browser, Windows would first check the hosts file, and resolve drive.google.com as 127.0.0.1 (localhost), preventing a valid DNS resolution. This prevention can be deployed through Group Policy by overwriting the existing hosts file.

Such modifications can prevent requests from reaching DNS infrastructure or network-based logging points (proxy, NGFW), creating a forensic blind spot for investigators. An EDR solution should still detect a network connection being initiated from a process and provide visibility.