Blog: SANS Audit Advice & Resources

DNS Sinkhole for Malware Defense and Policy Enforcement

BIND is usually the go-to DNS solution if you're looking to set up a DNS sinkhole to contain and identify malware. While I love BIND as much as the next guy, I find that it's a real pain in the neck to get everything set up just right and the maintenance involved in adding a new authoritative zone is just more than I'm willing to do.
As a solution to this, I've revived a tool that I wrote more than a decade ago for Internet usage policy enforcement. As it turns out, it already was a DNS sinkhole; I just never called it one!

(The accompanying webcast that demonstrates the tool and technique discussed in this article can be found here. Source code for the DNS Sinkhole can be downloaded here.)

DNS Sinkholes

The idea of a DNS Sinkhole is that if you know about some bad domain names that malware might use or that users might try to visit, you can create authoritative "Zone" files on your DNS server. This lets you return whatever answer you like for any domain name or host you choose. The unfortunate downside is that you cannot create "wildcard" DNS zones to do substring matches. Also, the creation of a new zone, while not difficult, is definitely non-trivial.

About two years ago I taught the SANS 503 Advanced Intrusion Detection Immersion class for the first time in about 8 years. As I was reading through the section on DNS Sinkholes on the last day, I just kept thinking to myself, "Why are we creating new difficult solutions to problems that we solved years ago?" How is this a solved problem?

Controlling Internet Access

Back in the days before SurfControl, BlueCoat, SurfWatch and all of these other Internet filters were really mainstream and sorta worked, we had to come up with our own solutions to these types of problems. We weren't really concerned about C&C (Command and Control) servers at the time, we were just concerned about Internet abuse. While SurfControl and the like were busy creating lists of URLs that were "bad," I sat back and thought about the problem and came up with a different solution.

The idea of SEO isn't a new one. Even in those days, you could be pretty sure that something about the domain name would tip you off as to what was involved. I'm sure that this will be no surprise to you, but if you're trying to prevent employees from going to pornographic websites the word "girl" and the letters "xxx" come up pretty often in the domain name. Why not create a simple tool to find substrings in domain names and then just spoof the response?

The result is the DNS Block tool (which you can download here). It operates by watching the network for DNS queries. Any time it finds one, it compares the queried name against a list of known bad sites and then checks each part of the name against a list of substrings. If there's a match, the tool immediately spoofs an authoritative response. The reason that this works is that it's much faster for me to figure out it's bad and spoof a response than it is for your real DNS server to recurse out to the Internet to find the real site. This means that since the spoofed response arrives first, it's the response that gets accepted. When the real response arrives, it's discarded since the port is no longer listening for a response.
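The decision logic described above, and the authoritative answer it produces, can be shown in a few dozen lines. The following is an added example written for this article, not the DNS Block tool's own code: it parses a DNS query in wire format, checks the queried name first against an exact-domain list (matching the domain and anything beneath it, which is what an authoritative zone gives you) and then each label against a substring list, and builds an authoritative A response pointing at a sinkhole address. The list contents, the sinkhole IP `10.0.0.1`, the 60-second TTL and the choice to answer only A queries are assumptions for illustration; the packet-capture and on-the-wire injection that the real tool performs are left out, so the functions here can just as well sit behind a plain UDP listener used as a resolver.

```python
import struct

SINKHOLE_IP = "10.0.0.1"   # constructed: where sinkholed names are pointed
SINKHOLE_TTL = 60          # constructed: short TTL so clients re-ask soon after unblocking

# Constructed sample lists standing in for the tool's "known bad sites" and
# "blocked_strings" files (the real file formats are not shown on the page).
BLOCKED_DOMAINS = {"evil-c2.example", "badsite.example"}
BLOCKED_SUBSTRINGS = ["girl", "xxx"]


def build_query(txid, qname, qtype=1):
    """Build a standard recursive DNS query (used here to construct test input)."""
    name = b"".join(bytes([len(l)]) + l.encode("ascii") for l in qname.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    return header + name + struct.pack("!HH", qtype, 1)


def parse_query(packet):
    """Return (txid, lower-cased qname, qtype, qclass, raw question section)."""
    if len(packet) < 12:
        raise ValueError("packet shorter than a DNS header")
    txid, flags, qdcount = struct.unpack("!HHH", packet[:6])
    if flags & 0x8000:
        raise ValueError("QR bit set: this is a response, not a query")
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    labels, pos = [], 12
    while True:
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer not allowed in a question name")
        labels.append(packet[pos:pos + length].decode("ascii").lower())
        pos += length
    qtype, qclass = struct.unpack("!HH", packet[pos:pos + 4])
    pos += 4
    return txid, ".".join(labels), qtype, qclass, packet[12:pos]


def is_blocked(qname):
    """Exact/parent-domain match first, then a per-label substring match.

    Returns a short reason string, or None when the name is not blocked.
    """
    labels = qname.split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in BLOCKED_DOMAINS:   # covers the zone and its subdomains
            return "domain"
    for label in labels:
        for s in BLOCKED_SUBSTRINGS:
            if s in label:
                return "substring:" + s
    return None


def build_sinkhole_response(txid, question, ip=SINKHOLE_IP, ttl=SINKHOLE_TTL):
    """Build an authoritative A answer for the question, pointing at the sinkhole IP."""
    # flags 0x8580: QR=1 (response), AA=1 (authoritative), RD=1, RA=1, RCODE=0
    header = struct.pack("!HHHHHH", txid, 0x8580, 1, 1, 0, 0)
    rdata = bytes(int(octet) for octet in ip.split("."))
    # 0xC00C is a compression pointer back to the name at offset 12 (the question)
    answer = struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + rdata
    return header + question + answer


def handle(packet):
    """Decide on one query. Returns (response_bytes_or_None, qname, reason)."""
    txid, qname, qtype, qclass, question = parse_query(packet)
    reason = is_blocked(qname)
    # assumption: only A/IN queries are answered; everything else passes through
    if reason is None or qtype != 1 or qclass != 1:
        return None, qname, reason
    return build_sinkhole_response(txid, question), qname, reason


if __name__ == "__main__":
    for name in ("www.evil-c2.example", "hotgirlsxxx.example", "www.sans.org"):
        resp, qname, reason = handle(build_query(0x1234, name))
        print(f"{qname:28} blocked={reason!s:16} response={'yes' if resp else 'no'}")
```

The lower-casing in `parse_query` matters: DNS names are case-insensitive, so a list that only matched exact case would be trivially skipped. Whatever returns `None` from `handle` should be passed on to the real resolver untouched, which keeps the sinkhole from becoming an outage for every name it has no opinion on.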

There are other ways to use this tool for evil, of course. I'll discuss a few of those in some upcoming AuditCasts episodes.

David Hoelzer teaches several full week courses ranging from basic security through to advanced exploitation and penetration testing. For a thorough treatment of this specific issue and a discussion of controls to mitigate this and similar issues, consider attending the full week course on Advanced System & Network Auditing. More information can be found here: AUD 507 course. AUD 507 gives both auditors and security professionals powerful tools to automate and manage security over time.


Posted November 03, 2011 at 8:10 AM | Permalink | Reply

jerry shenk

I don't see the DNS block tool on the SANS - IT Audit community downloads page.

Posted November 03, 2011 at 8:13 AM | Permalink | Reply

David Hoelzer

There seems to be some delay on the SANS side getting the code posted. If it's not posted by the end of today, I'll make alternate arrangements.


Posted December 26, 2011 at 3:33 AM | Permalink | Reply



Thanks for such a great post. One question:

Can this tool be used to block IP addresses by entering them in the "blocked_strings" file?

Posted December 26, 2011 at 6:39 AM | Permalink | Reply

David Hoelzer

Good morning, Lambert!

Unfortunately, the answer is no. The reason is that if someone were to directly type an IP address, there will be no DNS lookup issued. Even if there were, the browser or other utility already knows where to go.

Posted May 15, 2012 at 11:10 AM | Permalink | Reply

Dan Dickey

Hi David,

I am just having a hard time compiling dns_block. The first error I got was
dns_block.c:63: warning: conflicting types for
