Threat Level: green Handler on Duty: Xavier Mertens

SANS ISC: Easy DNS BIND Sinkhole Setup - SANS Internet Storm Center SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Easy DNS BIND Sinkhole Setup

ISC handlers have written several reports this past week dealing with malware that redirect a client to download suspicious files from sites that we often want to block. It is common for malware to use evading techniques such as fast flux to avoid being blocked by constantly changing the IP(s). However, the website name remains static and this is where DNS sinkhole comes in to play.

A way to deal with this is to resolve the address before it leaves your site to get a response from the DNS site owner. Several lists already exist on the Internet that can be used to populate a sinkhole.

The first step is to add a configuration file to the /etc/named.conf. For example, add:

include "/var/named/sink_local.conf";

Run the command "named-checkconf" to make sure you have no errors in your named.conf file.

The second step is to edit (or create it of not already done) the sink_local.conf file in the /var/named directory and add to the sinkhole the malicious site. For example, we are going to use the site published in Patrick's Diary http://isc.sans.org/diary.html?storyid=7918 our.org.molendf.co.kr. Add in sink_local.conf the following line:

zone "our.org.molendf.co.kr" IN { type master; file "/var/named/sinkhole/redirect.nowhere"; };

Third, you need to create the master file in the new sinkhole directory /var/named/sinkhole/redirect.nowhere that will redirect the client to the sinkhole address. This file never changes and remains static. I have called my file redirect.nowhere which I think is only fitting. Here is an example of this file:

$TTL    600
@                       1D IN SOA       localhost root (
                                        42              ; serial
                                        3H              ; refresh
                                        15M             ; retry
                                        1W              ; expiry
                                        1D )            ; minimum

                        1D IN NS        @
                        5 IN A          192.168.25.5

The IP address I have assigned here is an IP that can be used to alert on. For example, this IP can be a website to show a policy page. This will only work if the client is attempting to contact a website. Add  this IP (192.168.25.5) to your IDS/IPS to alert every time a PC connects to it (on any ports). The security team can verify the PC for signs of system compromise.

Last, reload your zone for your new list to take effect by executing "rndc reconfig"

Make sure the clients are now using the name server that has been configured with the sinkhole. The final step is to test the configuration to ensure the clients are resolving the malicious sites using our sinkhole address:

C:Users:guy>nslookup our.org.molendf.co.kr
Server: somename.sinkhole.com
Address: 192.168.25.25

Name: our.org.molendf.co.kr
Address: 192.168.25.5

This can be expended using other trusted list. For example, you could use the SRI "Most Observed Malware-Related DNS Names" list and add a new include option in the named.conf like sri.conf in the /var/named directory and populate with the list. This could be scripted to update daily to keep the list up-to-date. This adds another layer of defense you can control.

If you know of other lists that could populate a sinkhole, I will add them later to this diary.

Update: The Malware Domain List provides a list of website currently serving malware as well as a description (i.e. Trojan, PDF exploit, etc).

-----------

Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot org

Guy

427 Posts
ISC Handler
Just curious if anyone has any expertise to see if what is going on here is the same thing or different from the sinkhole description:
http://pgl.yoyo.org/adservers/hosts2bind.php
Anonymous
I would recommend using the current Zeus Domain Blocklist -
https://zeustracker.abuse.ch/blocklist.php
Not sure if the terms of service would allow Malware URL text file to be automated, but I believe you could download it once every week/month -
http://www.malwareurl.com/index.php
Great article Guy =)
SecurityFr3ak

5 Posts
I wasn't aware of this web form but it could be used to create the zone list as long as you follow the format they have listed:

192.168.25.25 our.org.molendf.co.kr
Guy

427 Posts
ISC Handler
There are some issues to consider before blacklisting whole domains.
a) What is the provenance of the data source?
b) Do we trust that every domain on the blacklist should be there?
c) What happens when a domain gets de-listed from the blacklist (how soon will this propagate)?
d) What if bona-fide domain(s) gets onto the blacklist either by accident or as a deliberate malevolent action?

See also: http://www.malwaredomains.com/wordpress/?page_id=6

It is also useful to configure a webserver (I use Apache) at the re-directed IP address (of the "sink hole") becausze this will provide additional information in the Apache logs.

HTH.
--
Paul Blackburn GCIH
Guy
7 Posts
Some more links about DNS blackholing that might be worth checking out.
http://dns-bh.sagadc.org/
http://www.malwaredomains.com/bhdns.html
TomU

7 Posts
yoyo.org offers a list of adservers in multiple formats, one of which is a bind zone file. So yes, it's the same thing except that the localhost address in their zone file can't be used for logging or IDS.
advaxtriumf.ca

7 Posts

Sign Up for Free or Log In to start participating in the conversation!