Forum Discussion
MW1
Sep 27, 2011 Cirrus
GTM - anyway to add include file command in the bind config?
All,
I was looking into dual purposing our GTMs to also act as a DNS sinkhole for my company. To do this I want to maintain another file on the GTMs which contains the list of malware domains...
MW1
Nov 17, 2011 Cirrus
In the /config/namedb/malwaredomains.zones file the domain entries are like the example below:
zone "zyvwh.ru" {type master; file "/etc/namedb/blockeddomain.hosts"; };
The /etc/namedb/blockeddomain.hosts file is the same for each blackholed domain. It is this that then contains the IP etc. it will resolve to. Here is the content of mine (anonymised) - the 1.16.209.141 is where all blackholed requests get resolved to:
; This zone will redirect all requests back to the blackhole itself.
$TTL 3600 ; one hour
@ IN SOA at1gtm.domain.com. hostmaster.at1gtm.domain.com. (
        1       ; serial
        3600    ; refresh 1 hour
        3600    ; retry 1 hour
        3600    ; expire 1 hour
        3600 )  ; min ttl 1 hour
        NS ph1gtm.domain.com.
        NS AT1PROGTM1.domain.net.
        A 1.16.209.141
* IN A 1.16.209.141
I recommend checking out:
http://www.pintumbler.org/Code/dnsbl
and the SANS/dshield
http://www.whitehats.ca/main/members/Seeker/seeker_sinkhole/Seeker_DNS_Sinkhole.html
http://isc.sans.edu/diary.html?storyid=9037
To be honest I had meant to extract the SANS script for pulling the list into the right format for BIND, as my multiple uses of sed are very painful. If you use wget to pull the list from the sites you may need to spoof the user agent, as some of the sites block wget/curl.
Hope the above helps
Matt
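The conversion step the post describes doing with chained sed calls, as an added example that is not part of the original post and is not the SANS script: it turns a downloaded domain list into zone statements in the malwaredomains.zones format shown above, rejecting any entry that is not a plain host name so feed content cannot break out of the quoted zone name. The feed layout (one domain per line, or hosts-file style), the function names and the allowlist parameter are assumptions, and the sample feed is constructed.

```python
import re

# Zone data file shared by every sinkholed domain (path taken from the post).
ZONE_FILE = "/etc/namedb/blockeddomain.hosts"

# One DNS label: letters, digits and hyphens, no leading or trailing hyphen.
LABEL = re.compile(r"(?!-)[a-z0-9-]{1,63}(?<!-)")
IPV4 = re.compile(r"\d{1,3}(\.\d{1,3}){3}")

# Constructed sample feed (not real indicators); the layout is an assumption.
SAMPLE_FEED = """\
# comment line
zyvwh.ru
127.0.0.1  Bad-Host.example.   # hosts-file style, trailing dot
zyvwh.ru
intranet.example
192.0.2.10
broken".example
two words.example
"""

def valid_domain(name):
    """True only for plain host names, so a feed entry cannot carry quotes,
    braces, semicolons or spaces into the quoted zone name in named.conf."""
    labels = name.split(".")
    if len(name) > 253 or len(labels) < 2 or labels[-1].isdigit():
        return False
    return all(LABEL.fullmatch(label) for label in labels)

def build_zones(lines, allowlist=()):
    """Return (zone statements, rejected entries) for an iterable of feed lines."""
    skip = {d.lower().rstrip(".") for d in allowlist}  # never sinkhole these
    zones, rejected = [], []
    for raw in lines:
        fields = raw.split("#", 1)[0].split()
        if len(fields) == 2 and IPV4.fullmatch(fields[0]):
            fields = fields[1:]  # drop the address column of a hosts-style line
        if not fields:
            continue
        name = fields[0].lower().rstrip(".")
        if len(fields) != 1 or not valid_domain(name):
            rejected.append(raw.strip())
        elif name not in skip:
            skip.add(name)  # also de-duplicates repeated entries
            zones.append('zone "%s" {type master; file "%s"; };' % (name, ZONE_FILE))
    return zones, rejected

if __name__ == "__main__":
    print(build_zones(SAMPLE_FEED.splitlines(), allowlist=["intranet.example"]))
```

Write the returned statements to a temporary file and run named-checkconf against the resulting configuration before swapping it in; the rejected list is worth logging, since a sudden jump in rejects usually means the feed format changed.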