<html><body><div style="color:#000; background-color:#fff; font-family:times new roman, new york, times, serif;font-size:12pt"><div style="margin: 0in 0in 0pt; background: none repeat scroll 0% 0% white;" class="MsoNormal"><span style="color: black;"><a href="http://www.sans.org/reading_room/whitepapers/dns/dns-sinkhole_33523"><font face="Times New Roman" size="3" color="#0000ff">http://www.sans.org/reading_room/whitepapers/dns/dns-sinkhole_33523</font></a></span></div><div style="MARGIN: 0in 0in 0pt; BACKGROUND: white" class="MsoNormal"><br><span style="COLOR: black"></span></div><div>Perhaps the above link target may help.<br></div><div>Thanks.</div><div><br><blockquote style="border-left: 2px solid rgb(16, 16, 255); margin-left: 5px; padding-left: 5px;"><div style="font-family: times new roman, new york, times, serif; font-size: 12pt;"><div style="font-family: times new roman, new york, times, serif; font-size: 12pt;"><font face="Arial" size="2"><hr
size="1"><b><span style="font-weight:bold;">From:</span></b> "Lightner, Jeff" <JLightner@water.com><br><b><span style="font-weight: bold;">To:</span></b> Ryan Novosielski <novosirj@umdnj.edu>; babu dheen <babudheen@yahoo.co.in>; Bind Users Mailing List <bind-users@lists.isc.org>; "cet1@cam.ac.uk" <cet1@cam.ac.uk><br><b><span style="font-weight: bold;">Sent:</span></b> Monday, October 17, 2011 4:05 PM<br><b><span style="font-weight: bold;">Subject:</span></b> RE: DNS Sinkhole in BIND<br></font><br>
<meta http-equiv="x-dns-prefetch-control" content="off"><div id="yiv271659810">
<div>
<div class="yiv271659810Section1">
<div class="yiv271659810MsoNormal"><font face="Arial" size="2" color="navy"><span style="
font-size:10.0pt;font-family:Arial;color:navy;">I’m confused – does the OP want to block or does he want to redirect? “Block/redirect” are two different things. What I wrote will
block. If he wants to redirect that’s fine, but I don’t think he’d want to redirect to his real webserver – why send bogus traffic there and also take the risk that, being so directed, the bad user will be able to hack? Dropping the packet in DNS stops it
cold. (Not saying they can’t get to web servers via legitimate paths, but it appears the OP has known malefactors.) Is the OP building a honeypot?</span></font></div>
<div class="yiv271659810MsoNormal"><font face="Arial" size="2" color="navy"><span style="
font-size:10.0pt;font-family:Arial;color:navy;"> </span></font></div>
<div>
<div class="yiv271659810MsoNormal" style="text-align:center;" align="center"><font face="Times New Roman" size="3"><span style="font-size:12.0pt;"></span></font></div>
</div>
</div>
<div class="yiv2716598102d8b867a-877d-4abf-9f71-702c0dd4ea36"> </div>
<div class="yiv2716598102d8b867a-877d-4abf-9f71-702c0dd4ea36"> </div>
<div class="yiv271659810Section1">
<div>
<div class="yiv271659810MsoNormal" style="text-align:center;" align="center"><font face="Times New Roman" size="3"><span style="font-size:12.0pt;">
<hr tabindex="-1" size="2" width="100%" align="center">
</span></font></div>
<div class="yiv271659810MsoNormal"><b><font face="Tahoma" size="2"><span style="font-size:10.0pt;
font-family:Tahoma;font-weight:bold;">From:</span></font></b><font face="Tahoma" size="2"><span style="font-size:10.0pt;font-family:Tahoma;"> bind-users-bounces+jlightner=water.com@lists.isc.org
[mailto:bind-users-bounces+jlightner=water.com@lists.isc.org] <b><span style="font-weight:bold;">On Behalf Of
</span></b>Ryan Novosielski<br>
<b><span style="font-weight:bold;">Sent:</span></b> Monday, October 17, 2011 3:52 PM<br>
<b><span style="font-weight:bold;">To:</span></b> babu dheen; Bind Users Mailing List; cet1@cam.ac.uk<br>
<b><span style="font-weight:bold;">Subject:</span></b> Re: DNS Sinkhole in BIND</span></font></div>
</div>
<div class="yiv271659810MsoNormal"><font face="Times New Roman" size="3"><span style="
font-size:12.0pt;"> </span></font></div>
<div class="yiv271659810MsoNormal"><font face="Times New Roman" size="3"><span style="
font-size:12.0pt;">I do this. There may now be a smarter way, but I have a small number so this is manageable for me: configure zones for each of the evil zones. Your server will appear
authoritative and you can direct clients wherever you like. I direct some of mine to a virtualhost handing out 503 errors.<br>
</span></font><font face="Verdana"><span style="font-family:Verdana;"><br>
<br>
</span></font></div>
<span id="yiv271659810signature">
<div>
<div class="yiv271659810MsoNormal"><font face="Arial" size="1" color="#999999"><span style="font-size:8.0pt;font-family:Arial;color:#999999;">-- Sent from my Palm Pre</span></font></div>
</div>
<div class="yiv271659810MsoNormal"><font face="Times New Roman" size="3"><span style="
font-size:12.0pt;"><br>
<br>
</span></font><font face="Verdana" color="navy"><span style="font-family:Verdana;
color:navy;"></span></font></div>
<div class="yiv271659810MsoNormal"><font face="Verdana" size="3" color="navy"><span style="font-size:12.0pt;font-family:Verdana;color:navy;">
<hr size="2" width="75%" align="left">
</span></font></div>
<div class="yiv271659810MsoNormal" style="margin-bottom:12.0pt;"><font face="Verdana" size="3" color="navy"><span style="font-size:12.0pt;font-family:Verdana;color:navy;">On Oct 17, 2011 13:46, babu dheen <babudheen@yahoo.co.in> wrote:
</span></font></div>
<table class="yiv271659810MsoNormalTable" border="0" cellpadding="0" cellspacing="0">
<tbody>
<tr>
<td style="padding:0in 0in 0in 0in;" valign="top">
<div>
<div class="yiv271659810MsoNormal"><font face="Times New Roman" size="3"><span style="font-size:12.0pt;">You are absolutely correct, Chris. I want to block/redirect all malware domain requests initiated by clients by setting up a DNS sinkhole on a Red Hat BIND server.</span></font></div>
</div>
<div>
<div class="yiv271659810MsoNormal"><font face="Times New Roman" size="3"><span style="font-size:12.0pt;"> </span></font></div>
</div>
<div>
<div class="yiv271659810MsoNormal"><font face="Times New Roman" size="3"><span style="font-size:12.0pt;"><br>
<br>
--- On <b><span style="font-weight:bold;">Mon, 17/10/11,
Chris Thompson <i><span style="font-style:italic;"><cet1@cam.ac.uk></span></i></span></b> wrote:</span></font></div>
</div>
<blockquote style="border:none;border-left:solid #1010FF 1.5pt;padding:0in 0in 0in 3.0pt;
margin-left:3.4pt;margin-top:5.0pt;margin-bottom:5.0pt;">
<div class="yiv271659810MsoNormal" style="margin-bottom:12.0pt;"><font face="Times New Roman" size="3"><span style="font-size:12.0pt;"><br>
From: Chris Thompson <cet1@cam.ac.uk><br>
Subject: Re: DNS Sinkhole in BIND<br>
To: "Bind Users Mailing List" <bind-users@lists.isc.org><br>
Cc: "babu dheen" <babudheen@yahoo.co.in><br>
Date: Monday, 17 October, 2011, 8:19 PM</span></font></div>
<div>
<div class="yiv271659810MsoNormal" style="margin-bottom:12.0pt;"><font face="Times New Roman" size="3"><span style="font-size:12.0pt;">On Oct 16 2011, babu dheen wrote:<br>
<br>
> Can anyone help me how to setup DNS Sinkhole in BIND on Linux 32 bit edition.<br>
<br>
All the replies to this so far seem to assume that he wants to block evil<br>
entities from using his nameservers. But Google seems to suggest that<br>
"DNS Sinkhole" usually refers to redirecting names that are being used<br>
for evil purposes to e.g. a local monitoring station - not the same thing<br>
at all.<br>
<br>
-- Chris Thompson<br>
Email: cet1@cam.ac.uk<br>
<br>
</span></font></div>
</div>
</blockquote>
</td>
</tr>
</tbody>
</table>
<div class="yiv271659810MsoNormal"><font face="Times New Roman" size="3"><span style="
font-size:12.0pt;"> </span></font></div>
</span></div>
</div>
</div><meta http-equiv="x-dns-prefetch-control" content="on"><br>bind-users mailing list<br></div></div></blockquote></div></div></body></html>
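Ryan's approach above (one authoritative zone per "evil" domain, all answered with a local address) as an added example by the editor, not code from any poster on the thread. It goes slightly beyond his description by sharing a single zone file across every sinkholed domain and adding a wildcard record so subdomains land on the sinkhole too; the blocklist, the sinkhole address (192.0.2.10, TEST-NET-1) and the zone file path are constructed assumptions.

```shell
#!/bin/sh
# Generate BIND sinkhole configuration: a shared zone file plus one "zone"
# stanza per blocklisted domain. All names, paths and addresses are assumed.

SINKHOLE_IP="192.0.2.10"               # local sinkhole host (assumed; serves e.g. 503s)
ZONE_FILE="/etc/named/sinkhole.zone"   # one zone file reused by every sinkholed zone (assumed path)

# Constructed sample blocklist: one domain per line, '#' starts a comment.
BLOCKLIST='# constructed sample list
malware-example.test
c2-example.test   # trailing comment
'

# Shared zone file: relative origin (@) so it is valid for any zone that loads it,
# and a wildcard so www.evil.example etc. resolve to the sinkhole as well.
# The short TTL limits how long clients cache the answer once a domain is delisted.
sinkhole_zone_file() {
    cat <<EOF
\$TTL 300
@   IN SOA  localhost. hostmaster.localhost. ( 1 3600 900 604800 300 )
@   IN NS   localhost.
@   IN A    $SINKHOLE_IP
*   IN A    $SINKHOLE_IP
EOF
}

# One zone stanza per blocklist entry, ready to be included from named.conf.
# Comments and surrounding whitespace are stripped; blank lines are skipped.
sinkhole_named_conf() {
    printf '%s\n' "$BLOCKLIST" | sed 's/#.*//; s/^[[:space:]]*//; s/[[:space:]]*$//' |
    while read -r domain; do
        [ -n "$domain" ] || continue
        printf 'zone "%s" { type master; file "%s"; };\n' "$domain" "$ZONE_FILE"
    done
}

# Number of stanzas produced, as a sanity check against the blocklist.
sinkhole_zone_count() {
    sinkhole_named_conf | grep -c '^zone '
}
```

Validate the generated zone file with `named-checkzone <domain> <file>` before loading it, and keep the sinkhole host's access log: every hit there is a client that asked for a blocklisted name and is worth triaging.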