A DNS server configured to return false or null responses to queries, redirecting traffic away from a target domain or IP address. Typically used by ISPs, corporate networks, and law enforcement to block access to malware distribution sites, phishing pages, or content deemed illegal in their jurisdiction.
How it works: When a client queries a listed domain name, the sinkhole resolver answers the request itself and returns a dummy IP (often the sinkhole server's own address or 0.0.0.0) instead of the legitimate nameserver response. The user's browser hits a dead end.
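The mechanism described above, as an added example that is not part of the original entry: a minimal in-memory DNS sinkhole that parses a raw A query, forges a NOERROR answer pointing at the sinkhole address for names on a constructed blocklist, and hands everything else back as "not ours" (a real deployment would forward those upstream). The blocklist entries, the 0.0.0.0 sinkhole address, the 60-second TTL and the function names are all assumptions chosen for the example; the domain-owner check at the end simply compares the answered address against the addresses the owner expects to be serving.

```python
import socket
import struct

# Constructed blocklist for the example: names (and their subdomains) the
# sinkhole answers for itself. Everything else is forwarded upstream in a
# real deployment.
BLOCKLIST = {"malware-drop.example", "phish.example"}
SINKHOLE_IP = "0.0.0.0"   # null route; operators often point at their own logging host instead
SINKHOLE_TTL = 60         # short TTL so a delisting propagates quickly through caches

QTYPE_A = 1
QCLASS_IN = 1


def encode_name(name: str) -> bytes:
    """Encode a dotted name into DNS label format (length-prefixed, NUL-terminated)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += struct.pack("B", len(raw)) + raw
    return out + b"\x00"


def decode_name(packet: bytes, offset: int):
    """Decode one uncompressed name starting at offset; return (name, next_offset)."""
    labels = []
    while True:
        length = packet[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointers are not expected in a question")
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels).lower(), offset


def build_query(name: str, tx_id: int = 0x1234, qtype: int = QTYPE_A) -> bytes:
    """Build a standard recursion-desired query, as a stub resolver would send it."""
    header = struct.pack("!HHHHHH", tx_id, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def parse_query(packet: bytes):
    """Return (tx_id, flags, qname, qtype, question_bytes) from a single-question packet."""
    tx_id, flags, qdcount = struct.unpack("!HHH", packet[:6])
    if qdcount != 1:
        raise ValueError("only single-question packets are handled")
    qname, off = decode_name(packet, 12)
    qtype, _qclass = struct.unpack("!HH", packet[off:off + 4])
    return tx_id, flags, qname, qtype, packet[12:off + 4]


def is_blocked(qname: str, blocklist=BLOCKLIST) -> bool:
    """Match the exact name or any parent zone against the blocklist."""
    parts = qname.split(".")
    return any(".".join(parts[i:]) in blocklist for i in range(len(parts)))


def sinkhole_response(packet: bytes, sinkhole_ip: str = SINKHOLE_IP):
    """Return a forged A answer if the queried name is blocked, otherwise None.

    None means the query is not ours; a real sinkhole forwards it upstream.
    """
    tx_id, flags, qname, qtype, question = parse_query(packet)
    if qtype != QTYPE_A or not is_blocked(qname):
        return None
    # QR=1 (response), keep the client's RD bit, RA=1, RCODE=0 (NOERROR)
    resp_flags = 0x8000 | (flags & 0x0100) | 0x0080
    header = struct.pack("!HHHHHH", tx_id, resp_flags, 1, 1, 0, 0)
    # Answer RR: 0xC00C is a pointer back to the question name at offset 12
    rr = struct.pack("!HHHIH", 0xC00C, QTYPE_A, QCLASS_IN, SINKHOLE_TTL, 4)
    return header + question + rr + socket.inet_aton(sinkhole_ip)


def answered_address(response: bytes) -> str:
    """Extract the A record address from a single-answer response."""
    _, _, _, _, question = parse_query(response)  # header and question share the query layout
    rr_start = 12 + len(question)
    rdlength = struct.unpack("!H", response[rr_start + 10:rr_start + 12])[0]
    if rdlength != 4:
        raise ValueError("expected a 4-byte A record")
    return socket.inet_ntoa(response[rr_start + 12:rr_start + 16])


def looks_sinkholed(response: bytes, expected_ips: set) -> bool:
    """Domain-owner check: an answer outside the addresses you actually serve is suspect."""
    return answered_address(response) not in expected_ips


if __name__ == "__main__":
    forged = sinkhole_response(build_query("cdn.malware-drop.example"))
    print("blocked name resolves to", answered_address(forged))
    print("unlisted name handled by sinkhole?", sinkhole_response(build_query("legit.example")) is not None)
    print("owner expecting 203.0.113.10 sees a sinkhole?", looks_sinkholed(forged, {"203.0.113.10"}))
```

Two design points worth noticing: the answer carries the client's own transaction ID and question, so a stub resolver accepts it as a normal reply and caches it for the TTL; and when the sinkhole address is the operator's own host rather than 0.0.0.0, every connection attempt that follows identifies a client still trying to reach the listed domain, which is how sinkholes double as a census of infected machines.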
Why it matters: Sinkholes are the DNS equivalent of a firewall block — cheaper and faster than BGP hijacking, but less transparent. They're used legitimately (malware cleanup, botnet disruption) and less legitimately (censorship, surveillance). Law enforcement agencies worldwide run sinkholes to contain infected machines; authoritarian regimes use them to block dissent.
For domain owners: If your domain lands on a sinkhole list (UDRP seizure, court order, abuse report escalation), legitimate users see nothing. No warning, no redirect — just failure. Recovery requires legal action or registry intervention. Bulletproof registrars can't prevent a sinkhole, but they can help you fight the underlying takedown notice with a counter-notice.