InfoSec News

In January, I posted a diary on how to configure a basic DNS Sinkhole using BIND. Last week, during the SANSFire conference, I did a talk on DNS Sinkhole and made an ISO available for download. It is a ready to install DNS Sinkhole server for those who would like to test and/or deploy one in their network as an internal forwarder. I also indicated that inserting a DNS sinkhole in a network is like putting a NIDS/NIPS inline with potentially several thousand signatures (DNS domains). After you loaded your DNS sinkhole list, it hijacks the clients DNS requests to known malicious sites responding with an IP address you control instead of its true address. It could also be used to enforce corporate policies (hacking, adults, gaming, social, etc) with the creation of separate sinkhole lists.
However, for maximum efficiency, it is important to only allow the DNS Sinkhole server to forward outbound requests (block all other outbound DNS request form internal servers/clients) otherwise, there are known cases where malware has been coded with its own DNS server/changer to evaded detection. Handler Bojan Zdrnja posted a diary here regarding this type of evasion.
The installation document is located in the rel_note directory of the CD and is available online here. This document provides all the information needed to install and configure the server. There are two ISO available for download:
- a 32-bit version can be downloaded here

- a 64-bit version can be downloaded here
The script to load the sinkhole list is located in the /root/scripts directory and is called sinkhole_parser.sh. This script contains a menu to download from 3 lists (Malware Domain Blocklist, ZeuS tracker and Malware Threat Center SRI). Any of these lists can be commented out in the script. They are merged, parsed and duplicates are removed to create a single list of 20,000+ sites. The sites are saved in a file in /var/named/site_specific_sinkhole.conf which can be loaded via the script in the DNS Sinkhole (server support either Bind or PowerDNS, see the release notes for configuration). I may add to the script other lists later.
Warning: If you are using any of the above lists, there is always the possibility that a site that you do business with may have been added to the sinkhole list because it has been detected serving malware.
There are various ways to capture the sinkhole data such as setting up a web server, IDS alerts, netflow, etc to find which clients were redirected to the sinkhole for signs of system compromise.


-----------
Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot org (c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
 
The broadband industry and some politicians have reacted strongly to an FCC effort to have an open dialogue. In response to a Thursday vote by the FCC to open a Notice of Inquiry (NOI) period to consider the options for reclassifying how broadband service is governed, some broadband providers have responded with undue hyperbole that leads one to question their motives.
 
Scammers, spammers, purveyors of porn, hate mongers, and cyber predators -- it's no wonder parents are paranoid about what their kids are doing online.
 
A tiny start-up in Paris has started a service called Pearltrees that gives you a new way to organize your stuff online, writes columnist Mike Elgan.
 
With Microsoft and its hardware partners preparing for the back-to-school buying season, we offer a look at the latest Windows 7 machines for work and play -- from slim netbooks to big honkin' gaming laptops.
 

Internet Storm Center Infocon Status