Easy DNS BIND Sinkhole Setup
ISC handlers have written several reports this past week dealing with malware that redirects a client to download suspicious files from sites we often want to block. Malware commonly uses evasion techniques such as fast flux to avoid being blocked by constantly changing its IP address(es). However, the website name remains static, and this is where a DNS sinkhole comes into play.
A way to deal with this is to answer the name lookup locally, before the query leaves your site, instead of letting the domain owner's DNS respond. Several lists already exist on the Internet that can be used to populate a sinkhole.
The first step is to add an include for the sinkhole configuration file to /etc/named.conf. For example, add:
include "/var/named/sink_local.conf";
Run the command "named-checkconf" to make sure you have no errors in your named.conf file.
The second step is to edit (or create, if not already present) the sink_local.conf file in the /var/named directory and add the malicious site to the sinkhole. For example, we are going to use the site published in Patrick's diary http://isc.sans.org/diary.html?storyid=7918, our.org.molendf.co.kr. Add the following line to sink_local.conf:
zone "our.org.molendf.co.kr" IN { type master; file "/var/named/sinkhole/redirect.nowhere"; };
Third, you need to create the master file in the new sinkhole directory /var/named/sinkhole/redirect.nowhere that will redirect the client to the sinkhole address. This file never changes and remains static. I have called my file redirect.nowhere which I think is only fitting. Here is an example of this file:
$TTL 600
@       1D IN SOA localhost root (
                42      ; serial
                3H      ; refresh
                15M     ; retry
                1W      ; expiry
                1D )    ; minimum
        1D IN NS @                  ; indented: record belongs to the zone apex "@"
        5  IN A  192.168.25.5       ; sinkhole address, 5 second TTL so a de-listed name clears quickly
The IP address I have assigned here is one you can alert on. For example, this IP can host a website that shows a policy page; that will only work if the client is attempting to contact a website. Add this IP (192.168.25.5) to your IDS/IPS to alert every time a PC connects to it (on any port). The security team can then check the PC for signs of compromise.
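Since every connection to the sinkhole address is worth a look, the access log of the web server serving the policy page is a ready-made hit list. The script below is an added example, not part of the diary: it reads Apache combined-format lines with the Host header appended as an extra quoted field (an assumed log format) and prints, per internal client, which sinkholed name it asked for and how often. SINK_IP is the diary's address; the log lines in SINK_LOG are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the diary): triage the access log of the web server
# that answers on the sinkhole address, listing each internal client and the
# sinkholed name it asked for. Assumes Apache's combined format with the Host
# header appended as one more quoted field; SINK_IP is the diary's address and
# SINK_LOG below is constructed.
SINK_IP="192.168.25.5"

SINK_LOG='10.1.2.33 - - [11/Jan/2010:09:14:02 -0500] "GET /update.exe HTTP/1.1" 200 512 "-" "Mozilla/4.0" "our.org.molendf.co.kr"
10.1.2.33 - - [11/Jan/2010:09:14:05 -0500] "GET /update.exe HTTP/1.1" 200 512 "-" "Mozilla/4.0" "our.org.molendf.co.kr"
10.1.7.8 - - [11/Jan/2010:10:01:44 -0500] "POST /gate.php HTTP/1.1" 200 34 "-" "-" "malware.example"
10.1.7.8 - - [11/Jan/2010:10:02:10 -0500] "GET / HTTP/1.1" 200 1024 "-" "Mozilla/5.0" "192.168.25.5"
'

# Read log lines on stdin; print "client sinkholed-name count", one per pair.
# Requests whose Host header is the sinkhole IP itself are someone opening
# the policy page directly, not a sinkholed lookup, and are skipped.
sinkhole_hits() {
    awk -F'"' -v sink="$SINK_IP" '
        NF >= 8 {
            split($1, a, " ")                # client IP is the first token
            host = $(NF - 1)                 # last quoted field: the Host header
            if (host == "" || host == "-" || host == sink) next
            n[a[1] " " host]++
        }
        END { for (k in n) print k, n[k] }' |
    sort
}

# Run the triage over the constructed log; returns two lines, one per
# client/name pair, the direct visit to the policy page excluded.
demo_sinkhole_hits() {
    printf '%s' "$SINK_LOG" | sinkhole_hits
}

demo_sinkhole_hits
```

On a real host, replace the demo with `sinkhole_hits < /var/log/httpd/access_log` and feed the output to the ticketing or alerting system; non-HTTP connections to the address still only show up in the IDS/IPS alerts the diary recommends.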
Last, reload your configuration for the new list to take effect by executing "rndc reconfig".
Make sure the clients are now using the name server that has been configured with the sinkhole. The final step is to test the configuration to ensure the clients are resolving the malicious sites using our sinkhole address:
C:\Users\guy>nslookup our.org.molendf.co.kr
Server: somename.sinkhole.com
Address: 192.168.25.25
Name: our.org.molendf.co.kr
Address: 192.168.25.5
This can be expanded using other trusted lists. For example, you could use the SRI "Most Observed Malware-Related DNS Names" list: add a new include option in named.conf pointing at a file such as sri.conf in the /var/named directory and populate that file with the list. This could be scripted to update daily to keep the list current. This adds another layer of defense you can control.
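As an added example of how that daily update could look (this is not the diary's own script), the shell below turns a plain domain list into the zone statements used in step two, drops anything that is not a plain hostname so a stray line in a downloaded feed cannot alter named.conf syntax, honours an allowlist of domains that must never be sinkholed, and, in install_sinkhole_list, validates the result with named-checkconf before loading it with rndc reconfig. The file paths are the diary's; SAMPLE_LIST, the allowlist contents and the function names are constructed for this example.

```shell
#!/bin/sh
# Added example (not the diary's own script): build the sinkhole include file
# from a plain domain list, the way the daily update mentioned above might.
# Paths are the diary's; SAMPLE_LIST and the allowlist contents are constructed.

SINK_ZONEFILE="/var/named/sinkhole/redirect.nowhere"   # master file from the diary
SINK_CONF="/var/named/sink_local.conf"                  # include file from the diary

# Read a list on stdin (one domain per line, or hosts-file style "IP domain";
# the domain is taken as the last field) and print one zone statement per
# entry. Comments, blank lines, duplicates and anything that is not a plain
# hostname are dropped, so a stray line in a downloaded feed cannot inject
# named.conf syntax. $1 is an optional allowlist file: domains that must never
# be sinkholed (your own zones), a guard against a bad blacklist entry.
gen_sinkhole_conf() {
    allow_file="${1:-/dev/null}"
    sed 's/#.*//' |
    awk 'NF { print tolower($NF) }' |
    grep -E '^([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$' |
    grep -vxF -f "$allow_file" |
    sort -u |
    while IFS= read -r d; do
        printf 'zone "%s" IN { type master; file "%s"; };\n' "$d" "$SINK_ZONEFILE"
    done
}

# Regenerate the include file from a list file ($1, allowlist $2), validate it
# with named-checkconf and load it with rndc reconfig, as in the diary's steps.
# Meant to run on the BIND host; nothing below calls it.
install_sinkhole_list() {
    gen_sinkhole_conf "${2:-/dev/null}" < "$1" > "$SINK_CONF.new" &&
    named-checkconf "$SINK_CONF.new" &&
    mv "$SINK_CONF.new" "$SINK_CONF" &&
    rndc reconfig
}

# Constructed sample feed: mixed formats, a comment, a duplicate in upper
# case, a line that is not a hostname, and our own domain.
SAMPLE_LIST='# sample feed
our.org.molendf.co.kr
127.0.0.1 malware.example   # hosts-file style
OUR.ORG.MOLENDF.CO.KR
not a domain ; drop me
corp.example
'

# Run the generator over the sample with corp.example allowlisted; returns
# the two zone statements for malware.example and our.org.molendf.co.kr.
demo_sinkhole_conf() {
    allow_tmp=$(mktemp)
    printf 'corp.example\n' > "$allow_tmp"
    printf '%s' "$SAMPLE_LIST" | gen_sinkhole_conf "$allow_tmp"
    rm -f "$allow_tmp"
}

demo_sinkhole_conf
```

Writing to a .new file and checking it first means a malformed feed leaves the running configuration untouched; the allowlist is the cheap answer to a bona fide domain turning up on a blacklist, which is the main risk of automating this.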
If you know of other lists that could populate a sinkhole, I will add them later to this diary.
Update: The Malware Domain List provides a list of websites currently serving malware as well as a description (i.e. Trojan, PDF exploit, etc.).
-----------
Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot org
Comments
http://pgl.yoyo.org/adservers/hosts2bind.php
sbleven
Jan 11th 2010
https://zeustracker.abuse.ch/blocklist.php
Not sure if the terms of service would allow Malware URL text file to be automated, but I believe you could download it once every week/month -
http://www.malwareurl.com/index.php
Great article Guy =)
SecurityFr3ak
Jan 11th 2010
192.168.25.25 our.org.molendf.co.kr
Guy
Jan 11th 2010
a) What is the provenance of the data source?
b) Do we trust that every domain on the blacklist should be there?
c) What happens when a domain gets de-listed from the blacklist (how soon will this propagate)?
d) What if bona-fide domain(s) gets onto the blacklist either by accident or as a deliberate malevolent action?
See also: http://www.malwaredomains.com/wordpress/?page_id=6
It is also useful to configure a webserver (I use Apache) at the re-directed IP address (of the "sink hole") because this will provide additional information in the Apache logs.
HTH.
--
Paul Blackburn GCIH
Paul Blackburn
Jan 11th 2010
http://dns-bh.sagadc.org/
http://www.malwaredomains.com/bhdns.html
TomU
Jan 11th 2010
adaviel
Jan 12th 2010