3

I am looking at configuring our Windows DNS Servers for some type of DNS based blackhole operation. Ideally, we would be able to use feeds from MalwareDomains.com or the like. I was curious how one could go about setting up and implementing such a setup. The workflow would look something like the following:

  1. Script to pull down and parse the feed list
  2. Script to publish feed list into Windows DNS
  3. Bad connections stopped due to new DNS entries

The challenge that I am having deals with step 2. I am not sure how to publish a large list of DNS entries into the Windows DNS server. Ideally this would work for Server 2008 or newer.

John
  • Is the Windows DNS server even capable of this? Many blackhole lists use specialized DNS servers such as nsd or PowerDNS for this purpose. – Michael Hampton Apr 01 '13 at 16:28

3 Answers

5

To attack #2, "Script to publish feed list into Windows DNS", you'll most likely be using dnscmd in some capacity. You'll need to use some PowerShell cmdlets (like get-content and write-host for possible examples) to cut up the feed list into the bits of information that are pertinent to the creation of an A or CNAME record in your own DNS server. Then stick the pertinent information into variables for dnscmd to work with.

To attack #3, you would create records that misdirect people. So either A records that point to an IP address under your control (perhaps a web server you control that says "You've been blocked! Expect a call from HR lol!!1") or simply send people to 0.0.0.0. Another option is to CNAME the domains to a web server that you control.

Instead of building this out yourself, consider standing on the back of someone who has done much of this work for you: Windows DNS Server Sinkhole Domains Tool. That is a SANS Institute-backed PowerShell script that manages DNS blacklists on a Windows DNS server. There is a sister project called Windows HOSTS File Script To Block Bad Domains which, predictably, uses hosts files on local machines, which sounds icky but perhaps a GPO to push it out to your Windows clients could be used (as long as user permissions disallow any hosts file tampering and also assuming that your Active Directory controls all PCs that you want to use the blacklist for).

As for reporting on the blockages, that's a little tougher since Windows DNS doesn't really have response-per-domain reports that I've found. What might be to your advantage would be to CNAME the blacklisted domains, and then use the faculties of the web server that you CNAME the blacklisted domains to as a means of checking up on who's doing what. You could theoretically deconstruct the incoming HTTP requests based on referring domain and source IP address and make quite the set of nifty reports. AWStats might even be of some out-of-the-box help.

Wesley
1

A while back I published a PowerShell module DnsBlockList available on GitHub and PowerShell Gallery.

It will natively ingest lists from SANS, ZeusTracker, and Malware Domains with the capability to add lists, create your own, etc. The trick is parsing these lists as that process may require additional logic depending on the format it comes in. However there's room for that too!

A Query Resolution Policy is created for each domain to be blocked. This avoids creating DNS records for loopback addresses.

There are a lot more features documented in the README. I encourage you to check it out.

Since it's published to PowerShell Gallery, installing the module is easy:

    Install-Module DnsBlockList

phbits
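The three-step workflow from the question, with both publishing approaches from the answers (dnscmd sinkhole zones as in Wesley's answer, and query resolution policies as in phbits' answer), as an added example. This is not code from any answer, from the SANS tool or from the DnsBlockList module. It assumes a DNS server named dns01.corp.example, a sinkhole address of 10.0.0.5 (use 0.0.0.0 if you only want to break the connection), and a constructed sample feed embedded in place of a download. The policy path needs Windows Server 2016 or later, where DNS policies were introduced; on 2008/2012 only the dnscmd path applies.

```powershell
# Added example (not from the question, any answer, or the DnsBlockList module):
# pull a domain feed, normalise it, and publish it to Windows DNS either as
# sinkhole zones via dnscmd (Server 2008+) or as query resolution policies
# (Server 2016+). Server name, sinkhole IP and feed URL are placeholders.
param(
    [string]$DnsServer  = 'dns01.corp.example',   # assumed DNS server name
    [string]$SinkholeIP = '10.0.0.5',             # assumed sinkhole web server, or 0.0.0.0
    [switch]$StandaloneServer,                    # file-backed zones instead of AD-integrated
    [switch]$DryRun                               # print the commands instead of running them
)

# Step 1: turn a raw feed into a clean, de-duplicated list of domains. Handles the
# three layouts blocklist feeds commonly use: one domain per line, hosts-file style
# ("127.0.0.1 bad.example"), and BIND/BOOT style ("primary bad.example file").
function ConvertFrom-DomainFeed {
    param([Parameter(Mandatory)][string[]]$Lines)
    $domainRx = '^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$'
    $seen = @{}
    foreach ($raw in $Lines) {
        $line = ($raw -replace '[#;].*$', '').Trim()          # strip comments
        if (-not $line) { continue }
        $fields = $line -split '\s+'
        # hosts and BOOT layouts both carry the name in the second field
        $candidate = if ($fields.Count -eq 1) { $fields[0] } else { $fields[1] }
        $candidate = $candidate.ToLowerInvariant().TrimEnd('.')
        # the regex rejects bare IPs, single labels such as "localhost", and junk
        if ($candidate -match $domainRx -and -not $seen.ContainsKey($candidate)) {
            $seen[$candidate] = $true
            $candidate
        }
    }
}

# Step 2, method 1 (Server 2008+): one primary zone per blocked domain with apex and
# wildcard A records pointing at the sinkhole. Because this server is now
# authoritative for the domain, every name under it resolves to the sinkhole.
function Publish-SinkholeZone {
    param([Parameter(Mandatory)][string[]]$Domains)
    $zoneType = if ($StandaloneServer) { @('/Primary', '/file') } else { @('/DsPrimary') }
    foreach ($d in $Domains) {
        $zoneArgs = @($DnsServer, '/ZoneAdd', $d) + $zoneType
        if ($StandaloneServer) { $zoneArgs += "$d.dns" }
        $recordArgs = @(
            @($DnsServer, '/RecordAdd', $d, '@', 'A', $SinkholeIP),
            @($DnsServer, '/RecordAdd', $d, '*', 'A', $SinkholeIP)
        )
        if ($DryRun) {
            "dnscmd $($zoneArgs -join ' ')"
            foreach ($a in $recordArgs) { "dnscmd $($a -join ' ')" }
            continue
        }
        & dnscmd.exe @zoneArgs | Out-Null
        # non-zero here usually means the zone already exists (already sinkholed)
        if ($LASTEXITCODE -ne 0) { Write-Verbose "zone $d exists or failed; skipping"; continue }
        foreach ($a in $recordArgs) {
            & dnscmd.exe @a | Out-Null
            if ($LASTEXITCODE -ne 0) { Write-Warning "RecordAdd failed for $d ($($a[3]))" }
        }
    }
}

# Step 2, method 2 (Server 2016+): a query resolution policy per domain. No zone or
# record is created; matching queries are dropped (IGNORE) or refused (DENY).
function Publish-BlockPolicy {
    param(
        [Parameter(Mandatory)][string[]]$Domains,
        [ValidateSet('IGNORE', 'DENY')][string]$Action = 'IGNORE'
    )
    foreach ($d in $Domains) {
        $policyName = 'Block-' + ($d -replace '[^a-z0-9]', '-')   # policy names must be unique
        $fqdn = "EQ,$d,*.$d"                                       # apex and every subdomain
        if ($DryRun) { "Add-DnsServerQueryResolutionPolicy -Name $policyName -Action $Action -Fqdn '$fqdn'"; continue }
        if (Get-DnsServerQueryResolutionPolicy -ComputerName $DnsServer -Name $policyName -ErrorAction SilentlyContinue) { continue }
        Add-DnsServerQueryResolutionPolicy -ComputerName $DnsServer -Name $policyName -Action $Action -Fqdn $fqdn
    }
}

# Constructed sample feed standing in for the downloaded file. For a real run use e.g.
#   $feed = (Invoke-WebRequest -Uri $FeedUrl -UseBasicParsing).Content -split "`r?`n"
$sampleFeed = @'
# justdomains-style entries
bad.example
Evil.Example.
127.0.0.1 phish.example      # hosts-file style
primary tracker.example blockeddomain.hosts
localhost
bad.example
'@ -split "`r?`n"

$domains = @(ConvertFrom-DomainFeed -Lines $sampleFeed)
$domains | ForEach-Object { "blocked: $_" }

# Step 3 happens on its own once the records or policies exist; pick one method.
Publish-SinkholeZone -Domains $domains
# Publish-BlockPolicy -Domains $domains
```

Run it with `-DryRun` first to see the exact dnscmd or policy commands for the parsed list without touching the server. The parser drops duplicates, comments and single-label names such as `localhost`, so a hosts-format feed will not produce a bogus zone. Only the sinkhole-zone path gives you the HTTP-side reporting Wesley describes, since a policy with IGNORE or DENY never sends the client anywhere.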
0

There are instructions for this on the site that you mention: http://www.malwaredomains.com/?page_id=6#MS and a special file format for these instructions: http://mirror1.malwaredomains.com/files/BOOT

dsznajder
  • Thanks for the links. However, those sites reference Windows Server 2000 and are a little dated for what we are wanting to do with Windows Server 2008 or newer and have it work with AD DNS. – John Apr 01 '13 at 19:10