Preventions
- ID: PV064
- Created: 31st July 2025
- Updated: 31st July 2025
- Platform: Linux
- Contributor: The ITM Team
Local DNS Sinkhole, Linux
On Linux, the "hosts" file is a plain-text file that the system resolver consults before it sends any DNS query (the lookup order is set by the "hosts:" line in /etc/nsswitch.conf, normally "files dns"). It is located at /etc/hosts and is owned by root, so editing it requires administrative privileges.
An entry is a new line in the format "X.X.X.X domain.com": an address, whitespace, then one or more hostnames. To sinkhole a domain so that it no longer resolves to its real address, the hosts entry could look like: 127.0.0.1 drive.google.com
. If a user then attempted to reach this domain in a browser, the resolver would find the hosts entry first and return 127.0.0.1 (localhost) for drive.google.com, so no DNS query is sent and the genuine address is never obtained. Two practical points: matching is on the exact hostname, with no wildcard support, so docs.google.com is not covered by an entry for drive.google.com and needs its own line; and because 127.0.0.1 still causes a connection attempt to loopback, 0.0.0.0 is often used instead so the connection fails immediately rather than reaching a service that happens to listen locally.
Such modifications prevent requests from reaching DNS infrastructure or network-based logging points (proxy, NGFW), which creates a forensic blind spot: those systems never see the attempt. The control also only covers lookups made through the system resolver; an application that performs its own name resolution rather than calling the system resolver can bypass the hosts file. An EDR solution should still detect a network connection being initiated from a process and provide visibility.
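The following shell functions are an added example for this entry, not code from the ITM project: they add, check and remove hosts-file sinkhole entries in an idempotent way. The HOSTS_FILE variable, the "# sinkhole:PV064" marker comment and the function names are assumptions made for the example; pointing HOSTS_FILE at a scratch copy lets the functions be exercised without root before the real /etc/hosts is touched.

```shell
#!/bin/sh
# Added example (not part of the ITM page): manage hosts-file sinkhole entries.
# HOSTS_FILE is overridable so the functions can be tried on a scratch copy;
# the real /etc/hosts is root-owned, so run as root to change it.
HOSTS_FILE="${HOSTS_FILE:-/etc/hosts}"
SINKHOLE_TAG="# sinkhole:PV064"   # assumed marker so entries are easy to find/remove

# Print the address the hosts file gives for NAME, or nothing if it is not listed.
# First match wins, as the resolver does. Matching is exact: no wildcards, so an
# entry for drive.google.com does not cover docs.google.com.
hosts_lookup() {
  awk -v n="$1" '
    { sub(/#.*/, "") }                  # strip comments, re-split fields
    NF >= 2 {
      for (i = 2; i <= NF; i++)         # a line may carry several hostnames
        if ($i == n) { print $1; exit }
    }' "$HOSTS_FILE"
}

# Add a sinkhole entry for NAME unless the file already resolves it.
# Default address is 0.0.0.0 so the connection fails at once instead of
# reaching something that happens to listen on loopback; pass 127.0.0.1
# as the second argument to use the page's form.
sinkhole_add() {
  name="$1"
  addr="${2:-0.0.0.0}"
  existing=$(hosts_lookup "$name")
  if [ -n "$existing" ]; then
    echo "already present: $name -> $existing" >&2
    return 1
  fi
  printf '%s %s %s\n' "$addr" "$name" "$SINKHOLE_TAG" >> "$HOSTS_FILE"
}

# Return 0 if NAME currently resolves, via the hosts file, to a sinkhole address.
sinkhole_check() {
  case "$(hosts_lookup "$1")" in
    0.0.0.0|127.0.0.1|::1|::) return 0 ;;
    *) return 1 ;;
  esac
}

# Remove only the tagged sinkhole line(s) for NAME, leaving other entries alone.
# The rewritten content is copied back into the existing file rather than
# replacing it with mv, so ownership and permissions of /etc/hosts are kept.
sinkhole_remove() {
  tmp="$HOSTS_FILE.tmp.$$"
  awk -v n="$1" -v tag="$SINKHOLE_TAG" '
    index($0, tag) && $2 == n { next }
    { print }' "$HOSTS_FILE" > "$tmp" \
    && cat "$tmp" > "$HOSTS_FILE"
  rm -f "$tmp"
}
```

After editing the real file, "getent hosts drive.google.com" shows what the system resolver now returns for the name, which is the check that the NSS order in /etc/nsswitch.conf actually honours the entry. Note that this verifies the resolver only; a process that resolves names without the system resolver is not affected, which is why the EDR visibility mentioned above still matters.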