DNS Sinkhole

A DNS sinkhole is a [[dns-zone|DNS zone]] or [[recursive-dns|resolver]] configuration that returns a non-routable or controlled IP address for domains associated with malware, botnet command-and-control servers, phishing sites, or other malicious infrastructure. Security teams and ISPs deploy sinkholes to neutralize threats by redirecting malicious traffic to a controlled endpoint rather than letting it reach its intended destination. Sinkholes also enable traffic analysis: every connection attempt to the sinkhole IP reveals an infected host. Commercial services like Cloudflare Gateway, Quad9, and enterprise DNS security platforms implement sinkholing as a core feature.

Example

When Quad9 (9.9.9.9) receives a query for a known malware C2 domain, it returns a sinkhole IP instead of the real address, preventing the infected host from communicating with the attacker's server.
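The following Python block is an added illustration, not code from the original page or from any of the services it names. It models the two functions described above in one small policy engine: a resolver that answers queries for blocklisted domains (and their subdomains) with a controlled sinkhole address instead of forwarding them upstream, and a hit log that turns those sinkholed queries into a list of clients that tried to reach blocked infrastructure. The blocklist entries, the sinkhole address, the upstream stub and the client addresses are all constructed placeholders, not real indicators.

```python
"""Minimal DNS sinkhole policy engine (added illustration, not the page's own code)."""
from collections import defaultdict

# Constructed values: a non-routable RFC 1918 address assumed to be unused on this
# network, and example-domain blocklist entries that are not real indicators.
SINKHOLE_IP = "10.255.255.1"
BLOCKLIST = {"c2.example.net", "phish.example.org"}


def normalize(name: str) -> str:
    """Lower-case a query name and strip the trailing root dot so lookups are consistent."""
    return name.strip().rstrip(".").lower()


def is_blocked(qname: str, blocklist=BLOCKLIST) -> bool:
    """True if qname or any parent domain is on the blocklist.

    Matching walks label boundaries, so 'update.c2.example.net' is caught by the
    entry 'c2.example.net', while 'notc2.example.net' is not.
    """
    labels = normalize(qname).split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


class Sinkhole:
    """Resolver front-end that sinkholes blocked names and records every hit."""

    def __init__(self, blocklist=BLOCKLIST, sinkhole_ip=SINKHOLE_IP):
        self.blocklist = {normalize(d) for d in blocklist}
        self.sinkhole_ip = sinkhole_ip
        self.hits = []  # (client_ip, normalized qname) for each sinkholed query

    def resolve(self, client_ip: str, qname: str, upstream) -> str:
        """Answer a query: sinkhole IP for blocked names, otherwise the upstream answer.

        `upstream` is any callable taking a query name and returning an address;
        a real deployment would forward to a recursive resolver here.
        """
        if is_blocked(qname, self.blocklist):
            self.hits.append((client_ip, normalize(qname)))
            return self.sinkhole_ip
        return upstream(qname)

    def infected_hosts(self) -> dict:
        """Map each client that queried a sinkholed domain to the domains it asked for.

        This is the analysis side of sinkholing: every hit points at a host that
        needs investigation, regardless of whether the redirected connection
        ever completed.
        """
        report = defaultdict(set)
        for client_ip, qname in self.hits:
            report[client_ip].add(qname)
        return {client: sorted(domains) for client, domains in report.items()}


def fake_upstream(qname: str) -> str:
    """Stand-in for a recursive resolver; answers come from TEST-NET-2 (constructed)."""
    table = {"www.example.com": "198.51.100.10"}
    return table.get(normalize(qname), "0.0.0.0")


if __name__ == "__main__":
    sh = Sinkhole()
    # Constructed sample traffic from two clients in the TEST-NET-1 range.
    for client, name in [("192.0.2.7", "c2.example.net"),
                         ("192.0.2.7", "www.example.com"),
                         ("192.0.2.9", "api.phish.example.org")]:
        print(f"{client} asked {name} -> {sh.resolve(client, name, fake_upstream)}")
    print("hosts to investigate:", sh.infected_hosts())
```

The `is_blocked` check matters in practice: a sinkhole entry for a C2 apex domain should also catch subdomains the malware rotates through, but a naive substring match would wrongly sinkhole unrelated names that merely end in the same characters. The hit log is deliberately kept separate from the answer path so that the same records can be exported to a SIEM for correlation with host telemetry.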