A DNS sinkhole redirects a malicious domain away from the attacker's server and toward a controlled, harmless one — typically by changing the domain's authoritative DNS so it resolves to a benign address that serves a warning page or simply nothing.
Sinkholing is a disruption mechanism in takedowns: when a registrar or registry acts on an impersonation or malware domain, redirecting it to a sinkhole neutralizes the live threat immediately, even before the domain is formally cancelled or transferred. Traffic that would have reached a phishing page is captured and defused.
Sinkholes are also used to study and measure malicious campaigns, since the controlled server can observe the victim traffic that was destined for the attacker. It is one of several outcomes — alongside suspension, content removal, and transfer — that a takedown can produce.