Insider Threat Matrix™

  • ID: PV064
  • Created: 31st July 2025
  • Updated: 31st July 2025
  • Platform: Linux
  • Contributor: The ITM Team

Local DNS Sinkhole, Linux

On Linux, the hosts file is a plain-text file that the operating system's resolver consults before it sends a DNS query. It is located at /etc/hosts.

An entry is a single line in the format “X.X.X.X domain.com”. To sinkhole a domain so that it does not resolve, the entry could look like: 127.0.0.1 drive.google.com. If a user account attempted to reach this domain in a browser, the operating system would check the hosts file first and resolve drive.google.com to 127.0.0.1 (localhost), preventing a valid DNS resolution.

Such modifications can prevent requests from reaching DNS infrastructure or network-based logging points (proxy, NGFW), creating a forensic blind spot for investigators. An EDR solution should still detect a network connection being initiated from a process and provide visibility.
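An audit script for the blind spot just described, added here as an example rather than ITM's own tooling: it parses hosts-file text and reports every dotted name pinned to a loopback or unspecified address. HOSTS_SAMPLE is a constructed file, not taken from a real system.

```python
"""Find sinkhole entries in a Linux hosts file (added example, not ITM's code).

Note: the hosts file only affects lookups made through the system resolver;
software doing its own DNS (e.g. a browser with DNS-over-HTTPS) bypasses it.
"""
import ipaddress

# Dotted loopback names that stock distributions ship; not sinkholes.
STOCK_LOOPBACK_NAMES = {"localhost.localdomain", "localhost6.localdomain6"}

def parse_hosts(text: str) -> list[tuple[str, list[str]]]:
    """Return (address, [names]) per data line; comments and junk are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        fields = line.split()
        if len(fields) < 2:
            continue                              # blank, or address with no names
        try:
            addr = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue                              # first field is not an IP address
        entries.append((addr, fields[1:]))
    return entries

def find_sinkholes(text: str) -> dict[str, str]:
    """Map each dotted, non-stock name pinned to 127.0.0.0/8, ::1, 0.0.0.0
    or :: onto that address. Bare short names (localhost, the machine's own
    hostname, ip6-*) are ignored as normal loopback entries."""
    found = {}
    for addr, names in parse_hosts(text):
        ip = ipaddress.ip_address(addr)
        if not (ip.is_loopback or ip.is_unspecified):
            continue
        for name in names:
            if "." in name and name.lower() not in STOCK_LOOPBACK_NAMES:
                found[name.lower()] = addr
    return found

HOSTS_SAMPLE = """\
# constructed sample hosts file
127.0.0.1   localhost
127.0.1.1   workstation
::1         localhost ip6-localhost ip6-loopback
10.0.0.5    fileserver.example.internal   # ordinary static mapping
127.0.0.1   drive.google.com              # the sinkhole from the text above
0.0.0.0     telemetry.example.test        # same effect via the unspecified address
"""

if __name__ == "__main__":
    for name, addr in sorted(find_sinkholes(HOSTS_SAMPLE).items()):
        print(f"sinkholed: {name} -> {addr}")
```

Run against the live file with `find_sinkholes(open("/etc/hosts").read())` to surface entries that would never reach DNS or proxy logs.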