]> Blocking malware domain names in BIND. 🌐:aligrant.com

Blocking malware domain names in BIND.

Alastair Grant | Wednesday 7 June 2017

A lot of malware, including ransomware, make extensive use of the domain-name-system. Connecting to servers to report in or get latest scripts etc. This is probably due to the flexibility DNS provides over a direct IP. If an IP address is blocked or changed, then the malware can no longer phone-home. With DNS, an attacker can just update their domain to point towards another server without having to re-distribute anything.

As a result, a number of organisations are publishing lists of "bad" domains, which can be blocked, or "sinkholed" to provide a degree of protection against malware.

Projects like OpenDNS provide some of this functionality baked-in, but if you run your own resolving server then you will need to look elsewhere. I've gone with Malware Domains because for one, they provide a BIND configuration file directly, so no need to script your own.

You do though, need to script automatic updating to keep it effective. These instructions will vary depending on the flavour of Linux you're using. I'm using openSUSE.

First off, you need to create a zone file that will act as the sinkhole, this has to match the location provided in the malware list: /etc/namedb/blockeddomain.hosts

$TTL 4w
@               IN SOA          myserver.mydomain.      root.mydomain. (
                                2017060700      ; serial
                                6h              ; refresh
                                1d              ; retry
                                4w              ; expiry
                                1m )            ; minimum

                IN NS           myserver.mydomain.


By using the @ sign, the zone will be valid for any zone entry BIND loads against, which saves you creating thousands of zone files.

The next step is to create a script to update:

wget -N http://www.malware-domains.com/files/malwaredomains.zones.zip
unzip -u malwaredomains.zones.zip
chown named:named malwaredomains.zones
chmod 664 malwaredomains.zones
cp malwaredomains.zones /etc/named.d/
mv malwaredomains.zones /var/lib/named/etc/named.d/
rndc reload


This will download the zip, decompress it, prep permissions and place it into my configuration directory as well as the chroot directory of named. You need both directories unless you plan to restart the BIND server, which would be overkill as "rndc reload" takes care of changes to zone definitions.

You can then schedule this to run at whatever frequency you desire - I don't believe the list is published more than daily. If you have multiple resolvers, be sure to set them all up - but maybe only download the file once to keep bandwidth costs down.

The final step to piece it all together is to include the output of the script in your named.conf:

 

include "/etc/named.d/malwaredomains.zones";

Of course, if you find the service useful, then you may wish to consider donating to them.

Breaking from the voyeuristic norms of the Internet, any comments can be made in private by contacting me.