
DNS Domain Blacklisting and Sinkhole for Microsoft Server

Summary

You can import a list of malicious or undesired domains that you need to block, redirect, monitor, and/or report on into your current DNS servers, whether your DNS server is an Active Directory-integrated DNS server, a standalone Microsoft DNS Server, or a Unix BIND server.

You can also create a custom response for the domains you want to control access to, so that you can identify the devices that are trying to communicate with those domains and URLs. In addition, you can make use of your existing network security solutions such as an IPS, IDS, honeypot, next-generation firewall, or SIEM, or simply log the traffic with syslog or packet capture tools.

In brief: when a computer requests a URL or access to one of these undesired domains by sending a DNS query, which may even be triggered by malware or spyware, your DNS server sends a customized response, thereby controlling access to the listed domains.

This feature is also commonly known as RPZ (Response Policy Zone).

Introduction

One of the essential techniques for identifying, mitigating, and preventing malware and spyware among users is the use of DNS, which can be configured with custom (synthesized) responses for redirection, blocking, and reporting.

Most commonly this is achieved by importing the blacklisted or undesired domains into an internal DNS server. It can even be implemented on a DNS caching server, which will act as authoritative DNS only for the undesired or blacklisted domains and zones. However, using a DNS caching server in this case will prevent you from identifying the source IP addresses and devices sending the DNS queries.

The DNS Server, which will be used, could also be configured as a “primary” or “master” resolver for domains associated with malicious malware, spyware, botnets, or any other domains that you need to control.

The DNS server will be “authoritative” for these zones, so it will answer the queries itself instead of forwarding them or recursing to other DNS servers.


Once the domains that you need to control are added to your DNS server, the requesting clients will start receiving the custom response that you have specified.

These custom responses can resolve to an IP address that belongs to one of the following:

1) A loopback address (127.0.0.1) or 0.0.0.0

2) An internal web portal or walled garden configured to “redirect” all web requests to a warning web page.

3) An existing security device such as an IPS, IDS, next-generation firewall, honeypot, etc.

4) A reporting solution such as a logging system, packet analyzer, SIEM, etc., so that the device trying to access the listed domains can be identified.

The last two options have the added advantage of logging the requesting device for inspection, and of enabling an IPS, NG-FW, or IDS system to continue monitoring suspicious traffic.

 

 

Configuring your Microsoft DNS server:

If you are running Microsoft’s DNS, please consider switching to a DNS server which recognizes “bind” formatted files.

If you insist on keeping Microsoft’s DNS server, there is a simple workaround: configure DNS to use a text file instead of the registry to load, at startup, the zones that you want to blacklist and sinkhole. This has the added advantage of making Microsoft DNS more compatible with the BIND format, as well as making it easier to migrate DNS to other machines. The boot file’s default name in Windows 2000 is boot (without any extension), and it is located in the %SystemRoot%\System32\DNS folder (usually c:\windows\system32\DNS; it may be different in Win2003 Server or for sites running Active Directory. If this is the case, please let us know so we can update this document.)

After some experimentation, one approach is to create a blackhole zone file that can be used for multiple zones, as follows:

1) create a single blackhole zone via the MS DNS console;

2) reconfigure the MS DNS server to load its zones via a boot file (instead of the registry)

3) add additional malware zones to the boot file.

1. Create a single blackhole zone file
From within the MS DNS Console, select “Forward Lookup Zones” and select action –> New Zone. Create a “Standard Primary” zone, and call the zone something like “blockeddomains.com” or whatever, and press Next twice. This will create a file called “blockeddomains.com.dns”.

Double-click on the new entry, which should be listed under “Forward Lookup Zones”. Add a single host called “www” to the file with an IP address of 127.0.0.1 (or, as discussed earlier, 0.0.0.0 or an internal server). Then under “Actions”, select “Update Server Data File.”

The Microsoft blockeddomains.com.dns zone file will look something like this:

blockeddomains.com.dns file:

; 
;  Database file blockeddomains.com.dns for blockeddomains.com zone. 
;      Zone version:  4 
@                       IN  SOA nameserver.blockeddomains.com.  admin.blockeddomains.com. (

4            ; serial number                            
900          ; refresh                                   
600          ; retry                                     
86400        ; expire                                    
3600       ) ; minimum TTL  
; 
;  Zone NS records 
@                       NS        nameserver.blockeddomains.com.  
; 
;  Zone records 
www                     A           127.0.0.1
 

The lines referring to the domain (blockeddomains.com) and nameserver (nameserver.blockeddomains.com) will be specific to your domain.

Open the file in Notepad or another text editor, and add these lines to the bottom of the file:

Additional Lines:

; wildcard dns 
*                      A       127.0.0.1 
;

If you are using Notepad, then please remember to save files without the “.txt” extension. The file should now be configured for “Wildcard DNS”.

2. Configure the DNS server to load its zones via the boot file instead of the registry

To create a boot file, all you need to do is reconfigure the MS DNS server to load its zones from the boot file instead of the registry. That will automagically create the boot file for all of the existing zones. (This is roughly equivalent to the named.conf file.)
From the MS DNS console, right-click the local DNS server, select “Properties”, select the “Advanced” tab, and change the “Load zone data on startup:” setting to “From File”.
This will create (or update) the existing sample boot file.

According to this source, if you are using Active Directory, you may need to check the properties of each zone, change zones of type “Active Directory-integrated” to “Standard…”, and then repeat the steps above.

You can still manage zones from Microsoft’s DNS Manager even when you start from the boot file, and the registry is still used for parameters which cannot be specified in the boot file.
The “boot” file should look something like this:

Microsoft boot file:

; Boot file generated from registry at 2/20/2000 11:36:22 AM 

PRIMARY    blockeddomains.com  blockeddomains.com.dns

There will be lines in this file referring to your specific domain(s).

As you can see, the syntax in the Microsoft boot file is not 100% compatible with the bind named.conf file.

In the file above, the line PRIMARY blockeddomains.com blockeddomains.com.dns refers to the new domain for which the DNS server will answer queries as a “master” or “primary”.

3. Add additional malware zones to the boot file.

Since the zones are loaded via the boot file, you can now add additional “Black-Hole” malware zones to that file.

Open the file in Notepad or another text editor, and add these lines to the bottom of the file:

Additional Lines:

PRIMARY    badsite.com   blockeddomains.com.dns 

PRIMARY    gator.com   blockeddomains.com.dns

If you are using Notepad, then please remember to save files without the “.txt” extension. The file should now be configured to be a “master” for the “badsite.com” and “gator.com” domains. Any queries for a host in those domains will be “answered” by your local DNS server with “127.0.0.1” or whatever IP address you assigned.

Blockeddomains.zone.dns is the file containing information about the hosts in the “badsite.com” and “gator.com” domains. Of course, in our case, this file will not contain the information published by the owners of those domains. Rather, it contains the information you placed there.

Instead of querying an upstream DNS server for the answer, your local DNS server believes it is the “master” and “authoritative” for the “badsite.com” and “gator.com” domains. It will therefore “answer” any queries for a host within that domain with 127.0.0.1 or whatever IP address you placed in the zone file and will not query to see if it can find a record on an upstream DNS server with better credentials.
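Building the additional boot-file lines from a longer domain list, as an added example (not part of the original page or of any Microsoft tool). The function names, the sample list and the protected domain corp.example are hypothetical; the output format follows the PRIMARY lines shown above.

```python
import re

# One DNS label: letters, digits, hyphens; no leading or trailing hyphen.
LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")

def normalize(entry):
    """Return a lower-case domain from one blocklist line, or None if unusable."""
    name = entry.split("#", 1)[0].strip().lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]              # the shared zone file already has a wildcard
    labels = name.split(".")
    if len(labels) < 2 or len(name) > 253:
        return None
    return name if all(LABEL.match(lab) for lab in labels) else None

def is_within(name, zone):
    """True if name equals zone or is a subdomain of it."""
    return name == zone or name.endswith("." + zone)

def boot_lines(entries, protected, zone_file="blockeddomains.com.dns"):
    """Return (PRIMARY lines, skipped) where skipped is a list of (name, reason)."""
    skipped = [(e.strip(), "invalid") for e in entries
               if e.split("#", 1)[0].strip() and normalize(e) is None]
    names = {n for n in map(normalize, entries) if n}
    zones = []
    # Shortest names first, so a parent zone is accepted before its children.
    for name in sorted(names, key=lambda n: (n.count("."), n)):
        if any(is_within(p, name) or is_within(name, p) for p in protected):
            skipped.append((name, "protected"))      # would override our own names
        elif any(is_within(name, z) for z in zones):
            skipped.append((name, "covered by parent zone"))
        else:
            zones.append(name)
    return ["PRIMARY    %s   %s" % (z, zone_file) for z in sorted(zones)], skipped

# Constructed sample blocklist and a hypothetical internal domain to protect.
SAMPLE = ["# constructed sample", "badsite.com", "GATOR.COM.", "cdn.badsite.com",
          "*.tracker.example", "bad domain!.com", "intranet.corp.example"]

if __name__ == "__main__":
    lines, skipped = boot_lines(SAMPLE, protected=["corp.example"])
    print("\n".join(lines))
    for name, reason in skipped:
        print("; skipped %s (%s)" % (name, reason))
```

Review the skipped entries before appending the generated lines to the boot file; a blocklist entry that overlaps one of your own domains would make the server authoritative for names your users depend on.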

Testing the new zone

Start (or stop/restart) the DNS server. Once DNS is running, change a desktop’s DNS settings to use this server.
If DNS is configured correctly, then, due to the wildcard entry (*) above, any and all queries to the “badsite.com” domain (such as www1.badsite.com, xyz.badsite.com, etc.) will resolve back to 127.0.0.1 or whatever you changed it to.

You can test this with tools such as “ping”, “dig”, or “nslookup” (from the command line):

Testing the new zone:

ping www.badsite.com    
ping anyrandomstring.badsite.com    
ping hsdsdshgdhsgd.badsite.com    
nslookup www.badsite.com    
nslookup ihatebrowserhijackers.badsite.com

All of the above should reply with 127.0.0.1, or whatever address you placed in the blockeddomains.zone.dns file. You can also attempt to reach the sites through a web browser (with sufficient precautions, such as making sure the sites you are testing are in your restricted zone, or using Firefox with all scripting disabled via the Web Developer Extension).
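Which query names the shared zone file answers, as an added example (not from the original page). It models the standard wildcard rules of RFC 1034 section 4.3.3 and RFC 4592 applied to the zone file shown earlier, not Microsoft DNS internals; the function and constant names are hypothetical, and it assumes all owner names in the file are single labels.

```python
# Owner names from the shared zone file: "@" is the zone apex (SOA and NS only),
# "www" and "*" carry the A records.
ZONE_A = {"www": "127.0.0.1", "*": "127.0.0.1"}
EXISTING = {"@", "www", "*"}

def lookup_a(qname, zone, a_records=ZONE_A, existing=EXISTING):
    """Answer an A query for qname as a standards-following server hosting zone."""
    qname, zone = qname.lower().rstrip("."), zone.lower().rstrip(".")
    if qname == zone:
        rel = []
    elif qname.endswith("." + zone):
        rel = qname[: -len(zone) - 1].split(".")
    else:
        return "NOT-AUTHORITATIVE"
    owner = ".".join(rel) or "@"
    if owner in existing:                  # exact match: the wildcard never applies
        return a_records.get(owner, "NODATA")
    # Walk up to the closest existing ancestor (the "closest encloser").
    for i in range(1, len(rel) + 1):
        encloser = ".".join(rel[i:]) or "@"
        if encloser in existing:
            star = "*" if encloser == "@" else "*." + encloser
            if star in existing:           # wildcard directly below the encloser
                return a_records.get(star, "NODATA")
            return "NXDOMAIN"
    return "NXDOMAIN"

# Constructed test names for a zone loaded as badsite.com.
NAMES = ["www.badsite.com", "xyz.badsite.com", "a.b.badsite.com",
         "badsite.com", "mail.www.badsite.com"]

if __name__ == "__main__":
    for name in NAMES:
        print("%-24s %s" % (name, lookup_a(name, "badsite.com")))
```

Under these rules the bare zone name and names below www are not answered with the sinkhole address, so include both in your nslookup checks against your own server.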

 




Target Audience

1- DNS Administrators 

2- Systems Security Team

3- IT 

Prerequisites

1- Microsoft DNS Server 

2- List of Domains that you need to block, monitor, redirect, and control

3- Optional attributes
