<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic DNS Sinkhole and Honeypot to Record URLs accessed in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/dns-sinkhole-and-honeypot-to-record-urls-accessed/m-p/158982#M52052</link>
    <description>&lt;P&gt;We've set up a DNS sinkhole and it works as expected. We're able to find out which IP addresses tried to access malicious sites. However, we won't be able to see the URLs these IPs were trying to access. We're thinking of building a honeypot (or maybe something else) to accept access requests from these IPs and set the sinkhole IP address to this machine. That way we will be able to record the URLs these IPs try to access. Does anyone know what software we can use to achieve this goal? All we need is to finish the three-way handshake and record the URL requested.&lt;/P&gt;</description>
    <pubDate>Thu, 01 Jun 2017 19:13:06 GMT</pubDate>
    <dc:creator>Yang_Chen</dc:creator>
    <dc:date>2017-06-01T19:13:06Z</dc:date>
    <item>
      <title>DNS Sinkhole and Honeypot to Record URLs accessed</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/dns-sinkhole-and-honeypot-to-record-urls-accessed/m-p/158982#M52052</link>
      <description>&lt;P&gt;We've set up a DNS sinkhole and it works as expected. We're able to find out which IP addresses tried to access malicious sites. However, we won't be able to see the URLs these IPs were trying to access. We're thinking of building a honeypot (or maybe something else) to accept access requests from these IPs and set the sinkhole IP address to this machine. That way we will be able to record the URLs these IPs try to access. Does anyone know what software we can use to achieve this goal? All we need is to finish the three-way handshake and record the URL requested.&lt;/P&gt;</description>
      <pubDate>Thu, 01 Jun 2017 19:13:06 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/dns-sinkhole-and-honeypot-to-record-urls-accessed/m-p/158982#M52052</guid>
      <dc:creator>Yang_Chen</dc:creator>
      <dc:date>2017-06-01T19:13:06Z</dc:date>
    </item>
    <item>
      <title>Re: DNS Sinkhole and Honeypot to Record URLs accessed</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/dns-sinkhole-and-honeypot-to-record-urls-accessed/m-p/158996#M52054</link>
      <description>&lt;P&gt;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/19948"&gt;@Yang_Chen&lt;/a&gt;,&lt;/P&gt;&lt;P&gt;So you don't really need a 'honeypot' in the sense that you are thinking. Any type of Application Delivery Controller would do this for you, as it would generate an error in its logs that you wouldn't have a rule allocated to tell it where to send that traffic. I would set up one of these types of devices and set that as your sinkhole. The logs would show the requested URL and indicate that it didn't know where to send it, but it would give you something to actually look at.&lt;/P&gt;&lt;P&gt;As far as an actual 'honeypot' for this type of thing I'm sure they are out there, but I can't seem to find any with a quick Google search easily.&lt;/P&gt;</description>
      <pubDate>Thu, 01 Jun 2017 19:21:47 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/dns-sinkhole-and-honeypot-to-record-urls-accessed/m-p/158996#M52054</guid>
      <dc:creator>BPry</dc:creator>
      <dc:date>2017-06-01T19:21:47Z</dc:date>
    </item>
  </channel>
</rss>

