DNS Sinkhole in BIND

Phil Mayers p.mayers at imperial.ac.uk
Mon Oct 17 20:27:49 UTC 2011

On 10/17/2011 09:05 PM, Lightner, Jeff wrote:
> I’m confused – does the OP want to block or does he want to redirect.
> “block/redirect” are two different things. What I wrote will block. If

It'll block IPs, and whole IPs at that. If the server is shared, you 
block all traffic to it, not just the domain name you want to block 
(this is more a theoretical than practical concern - how often do 
malware nodes share an IP with legit nodes?)

Malware queries names, and those names are often updates frequently, or 
are random names inside a well-known domain.

> he wants to redirect that’s fine but I don’t think he’d want to redirect
> to his real webserver – why send bogus traffic there and also take the
> risk that being so directed the bad user will be able to hack? Dropping

I can't parse that last sentence, but the idea behind directing to a 
webserver you control is logging; it can be easier to correlate hits on 
a (relatively quiet) logging webserver than an (possibly very busy) DNS 

> the packet in DNS stops it cold. (Not saying they can’t get to web
> server’s via legitimate paths but it appears the OP has know
> malefactors.) Is the OP building a honeypot?

No. He's directing (wanting to direct) malware control / download / 
self-update DNS queries away from the real zones and to a logging 
webserver under his control, as far as I can see.

More information about the bind-users mailing list