[RI-DISCUSS] Is it possible to block or modify DNS' resolution of a malware address?

Stewart Dean sdean at bard.edu
Fri Apr 1 15:41:50 UTC 2011


Came up with this as a simple straight-forward quick answer
http://www.malwaredomains.com/bhdns.html

My thanks to everyone who responded so quickly!

Our phishing email looked like this
> You have exceeded the storage capacity of your designated mail box and
> is thus required to revalidate immediately.
> you may not receive/send mails until your mailbox is revalidated,
> revalidation increases your mailbox storage capacity and is fast and easy.
> Please click here
> <http://www.update.10001mb.com/revalidate.php?webmail=form> to
> revalidate your mailbox.
> - Admin

Note that even though my internal DNS server is now authoritative for 10001mb.com, 
anyone who's swallowed the bait (before I set up the dummy domain) gets a cookie 
set in the browser that keeps them going to that malign webpage even after the 
address resolution call times out :(

On 4/1/2011 10:36 AM, Jose Nazario wrote:
> On Apr 1, 2011, at 10:22 AM, Stewart Dean wrote:
>
>> That is, if we know that a symbolic address is malign, is there some way to refuse to resolve it or change its resolution when an internal user asks for its resolution from the internal DNS server?
>>
>> All my Google searching turns up DNSBLs and blocking incoming mail from BLed addresses, but this is another matter...
>
>
> hrm .. I may have misread this. I was thinking you didn't want to do the standard DNSBL approach (have your local DNS servers become authoritative for the zone and control its resolution). I was thinking you wanted to do this off the DNS servers, hence the network-centric approach (read the DNS traffic and rewrite it as needed).
>
> _____________________________
> jose nazario, ph.d. jose at arbor.net
> sr. manager of security research, arbor networks
> http://asert.arbor.net/
>

-- 
"One must think like a hero to behave like a merely decent human being." - May Sarton
"Having overcome your worst fear, the thing you are most vulnerable to, that is 
the definition of heroic.
Also, it's such a worthwhile human activity. The most." -Fran Liebowitz

Funny how it's women who see the real heroism (that of going on, of being true) 
so clearly.
Stewart Dean, Unix System Admin, Bard College, New York 12504 sdean at bard.edu
voice: 845-758-7475, fax: 845-758-7035
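As an added example (not from the thread or from the malwaredomains.com page): a POSIX shell script that emits the BIND "blackhole" zone stanzas and the shared sinkhole zone file for a list of known-bad domains, which is the "become authoritative for the zone" approach discussed above. The zone-file path, the sinkhole address and the sample domain list are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: build BIND blackhole zones so the
# local resolver answers for known-bad domains itself and clients are sent to
# a sinkhole address instead of the real host. Path and address are assumed.
ZONE_FILE="/etc/bind/blockeddomain.hosts"   # assumed location of the shared zone file
SINKHOLE_IP="127.0.0.1"                     # assumed sinkhole / "black hole" address

# Read domains from stdin, one per line, and print one zone stanza per domain.
# Comments and blank lines are skipped; whitespace, trailing dots and
# uppercase are normalised so duplicates line up in named.conf.
gen_blackhole_zones() {
    while IFS= read -r line; do
        domain=$(printf '%s' "$line" | sed 's/#.*//; s/[[:space:]]//g; s/\.$//' | tr 'A-Z' 'a-z')
        [ -n "$domain" ] || continue
        printf 'zone "%s" { type master; file "%s"; };\n' "$domain" "$ZONE_FILE"
    done
}

# Print the shared zone file: the apex and every name below it (the wildcard
# also covers deeper names such as www.update.<zone>) resolve to the sinkhole.
gen_zone_file() {
    cat <<EOF
\$TTL 300
@   IN SOA  localhost. root.localhost. ( 1 3600 900 604800 300 )
    IN NS   localhost.
    IN A    $SINKHOLE_IP
*   IN A    $SINKHOLE_IP
EOF
}

# Constructed sample list: the domain from the phishing mail plus a placeholder.
printf '10001mb.com\n# comment line\nBAD.Example.\n\n' | gen_blackhole_zones
gen_zone_file
```

After adding the stanzas to named.conf and running `rndc reload`, `dig @127.0.0.1 www.update.10001mb.com` should return the sinkhole address rather than the real one.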



More information about the bind-users mailing list