Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: DNS Sinkhole Parser Script Update - SANS Internet Storm Center SANS ISC InfoSec Forums

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
DNS Sinkhole Parser Script Update

Those using the DNS Sinkhole ISO that I have made available on the site can now download the most current version of script between new ISO releases. The script contains new lists that were not part of the 7 July 2011 release. The script is available on the handler's server here with the MD5 here.

DNS Sinkhole using your own BIND Server

I have posted all the necessary scripts use in the ISO if you want to use your own BIND setup. The tarball is available here with the MD5 here. Follow the instructions posted on this page to get started.



Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu


417 Posts
ISC Handler
Can you give me document to install and configure DNS Sinkhole for BIND in Redhat Linux 32 Bit server.

Kindly help if you have any.

I indicated in that all you need is to download the tarball, untar the file and copy the files from the bind_sinkhole directory to the Linux root (/) filesystem.

After the files have been copied to the filesystem, run /root/scripts/ select D, T and B to populate your DNS Sinkhole.

Check this documentation as well…

417 Posts Posts
ISC Handler
Is the document provided in website applicable for Redhat Linux where already BIND is running?

Only section 1.2.1 applies. To complete the setup, do:

- Edit /etc/named.conf (Note: // is a comment in this file)

- If needed, change the allow transfer
- If needed, change the allow recursion
- Change the list of forwarder to your site list

- Ensure your list of include domains matches your site custom lists. This is important when the script test the zones for errors and duplicate. Any custom lists you wish to add to your sinkhole (i.e. guy_blacklist.conf) must be included in the named.conf file to be loaded in the sinkhole. The default list is:

- site_specific_sinkhole.conf (single = match specific domain)
- entire_domain_sinkhole.conf (wildcard = match entire domain)

- Save the changes

DNS Sinkhole - Hijack domains

- Edit the /var/named/sinkhole/client.nowhere and change the IP address to your site sinkhole IP address and save the change.

- Edit the /var/named/sinkhole/domain.nowhere which is used to wildcard an entire domain and change the IP address to your site sinkhole IP address (this maybe the same as client.nowhere) and save the change. (wildcard = *

By default, the script populates the site_specific_sinkhole.conf and all domains included in this file are putting in the sinkhole just the listed sites.

417 Posts Posts
ISC Handler
To those of us wondering what this is for, and unwilling to read the PDF,
Dear Sir,

When i executed and selected option A to load individual domain into sinkhole. when i load the zone file using "B" option, i am getting below output but the newly added zone is not showing in /var/named/site_specific_sinkhole.conf file

Reloading Bind updated zones...

Before the update there was records and after the update there are 3 records

server reload successful
/bin/rm: cannot remove `final.sorted': No such file or directory
/bin/rm: cannot remove `malwaredomains': No such file or directory
/bin/rm: cannot remove `/tmp/site_specific_sinkhole.conf': No such file or directory
Done DNS Malware list zone updates...

number of zones: 3
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is OFF
recursive clients: 0/1000
tcp clients: 0/100
server is up and running

Done reloading Bind zones...
Press ENTER to exit ...

NEED your advice

Hi Badu,

These are custom sinkhole additions and will be added either custom_single_sinkhole.conf (domain name such as or custom_wildcard_sinkhole.conf (wilcard domain such as *

The site_specific_sinkhole.conf file only get populated when you select "D" to download the web lists.

As for the errors, the script is getting its count from when the list is downloaded from the web and can be ignored. My guess from your count you did not have anything in your sinkhole before and just added 3. Run a nslookup against the added records and it should show they are in your DNS sinkhole.

417 Posts Posts
ISC Handler
Dear Sir,

Thanks for your response. From your update, i have following queries, please let me know

1. As per update, newly added is not added in either custoer_wildcard_sinkhole.conf or custom_sinkhole.conf file either. Below is the output

[root@test named]# pwd
[root@test named]# ls -trl *.conf
-rw-r--r-- 1 root named 183 Oct 23 10:45 site_specific_sinkhole.conf
-rw-r--r-- 1 root named 94 Oct 23 10:45 entire_domain_sinkhole.conf
-rw-r--r-- 1 root named 0 Oct 23 10:45 custom_wildcard_sinkhole.conf
-rw-r--r-- 1 root named 0 Oct 23 10:45 custom_single_sinkhole.conf

2. Is it possible to implement BIND Sinkhole in secondary DNS servers wherein all zones are maintained in zonefilename.db format?.. meaning is it possible to sink sinkhole files from primary to secondary DNS server automatically

3. As per your documentation, you have updated that it maintain 20,000 malware domain entries. Will the dns name resoltion will be delayed becuase of these many entries maintained in configuraiton file

Sign Up for Free or Log In to start participating in the conversation!