Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: DNS Sinkhole ISO Available for Download - SANS Internet Storm Center SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
DNS Sinkhole ISO Available for Download

In January, I posted a diary on how to configure a basic DNS Sinkhole using BIND. Last week, during the SANSFire conference, I did a talk on DNS Sinkhole and made an ISO available for download. It is a ready to install DNS Sinkhole server for those who would like to test and/or deploy one in their network as an internal forwarder. I also indicated that inserting a DNS sinkhole in a network is like putting a NIDS/NIPS inline with potentially several thousand signatures (DNS domains). After you loaded your DNS sinkhole list, it hijacks the client’s DNS requests to known malicious sites responding with an IP address you control instead of its true address. It could also be used to enforce corporate policies (hacking, adults, gaming, social, etc) with the creation of separate sinkhole lists.

However, for maximum efficiency, it is important to only allow the DNS Sinkhole server to forward outbound requests (block all other outbound DNS request form internal servers/clients) otherwise, there are known cases where malware has been coded with its own DNS server/changer to evaded detection. Handler Bojan Zdrnja posted a diary here regarding this type of evasion.

The installation document is located in the rel_note directory of the CD and is available online here. This document provides all the information needed to install and configure the server. There are two ISO available for download:

- a 32-bit version can be downloaded here
- a 64-bit version can be downloaded here

The script to load the sinkhole list is located in the /root/scripts directory and is called sinkhole_parser.sh. This script contains a menu to download from 3 lists (Malware Domain Blocklist, ZeuS tracker and Malware Threat Center SRI). Any of these lists can be commented out in the script. They are merged, parsed and duplicates are removed to create a single list of 20,000+ sites. The sites are saved in a file in /var/named/site_specific_sinkhole.conf which can be loaded via the script in the DNS Sinkhole (server support either Bind or PowerDNS, see the release notes for configuration). I may add to the script other lists later.

Warning: If you are using any of the above lists, there is always the possibility that a site that you do business with may have been added to the sinkhole list because it has been detected serving malware.

There are various ways to capture the sinkhole data such as setting up a web server, IDS alerts, netflow, etc to find which clients were redirected to the sinkhole for signs of system compromise.
 

-----------

Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot org

Guy

411 Posts
ISC Handler
good stuff here...I want to give this a spin!
Ron

29 Posts Posts
Thanks for posting. I set it up on a virtual machine and have been using it for the past couple days. It works great.
If anyone is interested in the virtual machine let me know and I could post if for download.
Cheers
Anonymous

Posts
Hi guys, thank you for this post.
Please update the download link, as there is a new version in the web server path, which is not reflected in the original post.

All the best,
Pedro Caetano


EDIT: Seems there is an even newer version here -> http://handlers.dshield.org/gbruneau/sinkhole.htm
Pedro Caetano

1 Posts Posts
Perhaps this script could have been automated rather than fetching the stuff manually. Does any one have automated script for the same.
Anonymous

Posts

Sign Up for Free or Log In to start participating in the conversation!