Apr 29, 2011

Building a DNS Blackhole with FreeBSD

If you want full article, please go to the Source.

This document will outline how to set up FreeBSD to act as a DNS Blackhole (DNSBH).

What is a DNS Blackhole and why would I want one?
A DNS blackhole (DNSBH) in its simplest form is just a box running BIND that maintains a listing of malicious domains. When clients request a 'flagged' domain they will be redirected either to themselves (localhost) or to a safe local location that explains to the user why they just ended up where they did.

How to configure BIND

1) Edit /etc/rc.conf and set the address of this server on its interface (bge0 in this example):
*** The IP address of this server will be
ifconfig_bge0="inet netmask"

Save and exit the file.

2) Edit /etc/hosts so the blackhole's own name resolves locally (the loopback entries first, then this server's address):
::1 localhost localhost.my.domain bhdns
localhost localhost.my.domain bhdns
bhdns.mydomain.ca bhdns

Save and exit the file.

3) Edit /etc/resolv.conf and add the local domain and the upstream resolver:
domain mydomain.ca
nameserver <upstream provider>

Save and exit the file.

4) Now take a look at /etc/namedb/named.conf. The file is well documented. These are the changes/additions that you should make:

In the options section you need to add an entry to allow clients access. This fictitious install is on a 10 network so it would look like:
allow-query {; };

Next you want to set the address that the service will listen on. Use the same address you set in rc.conf:

listen-on {; };

Now you can set up a forwarder, in my case the same one used in /etc/resolv.conf:

forwarders { <upstream provider>; };

This isn't a requirement, but by using a forwarder you will take advantage of a more local cache, which will increase performance.

Finally, outside the options block, include the blackhole zone list (the file is created in the next step):
include "/etc/namedb/blackhole/spywaredomains.zones";

5) Create a folder called blackhole (same location you specified above) and fetch the zonefile:
~# mkdir /etc/namedb/blackhole
~# cd /etc/namedb/blackhole
~# fetch http://www.malwaredomains.com/files/spywaredomains.zones

This file contains entries that look like:
zone "razdrochi.ru" {type master; file "/etc/namedb/blockeddomain.hosts";};

With this loaded, any client request for razdrochi.ru will be redirected to whatever we have set up in /etc/namedb/blockeddomain.hosts. Essentially, all we are doing is mapping all of the domains listed in that file to the same DNS (A) record.

Let's create this record now.

6) Edit /etc/namedb/blockeddomain.hosts. Every blocked domain is served from this one zone file, and the wildcard A record sends every name under it to the blackhole itself:
; This zone will redirect all requests back to the blackhole itself.

$TTL 86400 ; one day

@ IN SOA bhdns.mydomain.ca. bhdns.mydomain.ca. (
        2011042901 ; serial (constructed placeholder, YYYYMMDDnn; bump it whenever this file changes)
        28800 ; refresh 8 hours
        7200 ; retry 2 hours
        864000 ; expire 10 days
        86400 ) ; min ttl 1 day

; BIND refuses to load a zone without an NS record, so name this server as its nameserver.
@ IN NS bhdns.mydomain.ca.

; Wildcard: every name in every blocked zone resolves to this server's address (the one set in rc.conf).
* IN A

Note: You can redirect the request to anywhere you wish but it is worthwhile to send the user to a place that explains what just happened. If not, the user might get confused and open a vague "The Interweb is broken" helpdesk ticket.
Now start the service:
~# /etc/rc.d/named start

For debugging (or other) reasons it might be worth it to separate named logs from the syslog catchall. To do this, edit /etc/syslog.conf and add a program-specific section for named:
!named
*.* /var/log/named.log

Save and exit the file and then:
~# touch /var/log/named.log
~# /etc/rc.d/syslogd restart

How to automate the update process

The getzones.sh script does the following:

1) Fetches the zonefile.
2) Compares it with the current file; if there are no changes, it exits.
3) Otherwise, makes note of the additions/removals.
4) Puts the new zonefile in place.
5) Restarts the service.
6) Emails the changes to an admin.

If you want to get the script, please go to the Source.

1) Download getzones.sh:
~# cd /etc/namedb/blackhole
~# fetch http://www.pintumbler.org/getzones.sh
~# chmod +x /etc/namedb/blackhole/getzones.sh

2) Create the temp directory:
~# mkdir /etc/namedb/blackhole/work

3) Add an entry to root's crontab to run the script daily:

~# crontab -e

Once the editor comes up, input the following line:
0 0 * * * /etc/namedb/blackhole/getzones.sh > /dev/null 2>&1

This will update the file every day at midnight.

My bash is pretty shoddy so you might want to test it out first :)
~# /etc/namedb/blackhole/getzones.sh
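The following is an added example of the update script described above; it is not the getzones.sh from pintumbler.org. It follows the same six steps, with one addition worth having: the downloaded file is include'd straight into named.conf, so named parses it as configuration. The script therefore refuses to install a download unless every non-comment line is exactly one zone "..." { type master; file "/etc/namedb/blockeddomain.hosts"; }; statement, and refuses an empty download, which would otherwise silently wipe the block list. Paths follow the article; the FETCH_CMD, RESTART_CMD and MAIL_CMD variables and the function names are assumptions made here so the logic can be exercised without network access or a running named.

```shell
#!/bin/sh
# Added example (not the article's getzones.sh): fetch the malwaredomains zone list,
# reject anything that is not a plain list of zone statements, and only install,
# restart and mail when the set of blocked domains actually changed.
# FETCH_CMD, RESTART_CMD and MAIL_CMD are hypothetical overrides for testing.

ZONEDIR=${ZONEDIR:-/etc/namedb/blackhole}
WORKDIR=${WORKDIR:-$ZONEDIR/work}
ZONEFILE=${ZONEFILE:-spywaredomains.zones}
ZONEURL=${ZONEURL:-http://www.malwaredomains.com/files/spywaredomains.zones}
ADMIN=${ADMIN:-root}
FETCH_CMD=${FETCH_CMD:-fetch -q -o}                  # FreeBSD fetch(1): fetch -q -o <dest> <url>
RESTART_CMD=${RESTART_CMD:-/etc/rc.d/named restart}
MAIL_CMD=${MAIL_CMD:-mail -s DNSBH-zone-update $ADMIN}

# The only line shape we are willing to hand to named as configuration.
ZONE_RE='^zone "[A-Za-z0-9._-]+" \{[[:space:]]*type master;[[:space:]]*file "/etc/namedb/blockeddomain.hosts";[[:space:]]*\};$'

# Exit 0 if the file is non-empty and every non-blank, non-comment line matches ZONE_RE.
# Anything else (an options block, a different file path, a stray character) is rejected.
zonefile_is_clean() {
    grep -q '^zone "' "$1" || return 1                 # empty or truncated download
    if grep -Ev '^[[:space:]]*(//.*|#.*)?$' "$1" | grep -Evq "$ZONE_RE"; then
        return 1                                       # at least one unexpected line
    fi
    return 0
}

# List the domains in a zone file, one per line, sorted (comm needs sorted input).
# A missing file (first run) simply lists nothing.
zone_domains() {
    [ -f "$1" ] || return 0
    sed -n 's/^zone "\([^"]*\)".*/\1/p' "$1" | sort -u
}

# Print additions as +domain and removals as -domain.
# Returns 0 when both files list the same domains, 1 when they differ.
zone_changes() {
    old=$(mktemp) || return 2
    new=$(mktemp) || return 2
    zone_domains "$1" > "$old"
    zone_domains "$2" > "$new"
    comm -13 "$old" "$new" | sed 's/^/+/'              # only in new: added
    comm -23 "$old" "$new" | sed 's/^/-/'              # only in old: removed
    if cmp -s "$old" "$new"; then rc=0; else rc=1; fi
    rm -f "$old" "$new"
    return $rc
}

update_zones() {
    mkdir -p "$WORKDIR" || return 2
    if ! $FETCH_CMD "$WORKDIR/$ZONEFILE" "$ZONEURL"; then
        echo "getzones: download failed, keeping the current list" >&2
        return 2
    fi
    if ! zonefile_is_clean "$WORKDIR/$ZONEFILE"; then
        echo "getzones: downloaded file is not a plain zone list, refusing to install it" >&2
        return 3
    fi
    if changes=$(zone_changes "$ZONEDIR/$ZONEFILE" "$WORKDIR/$ZONEFILE"); then
        return 0                                       # nothing changed: no restart, no mail
    fi
    cp "$WORKDIR/$ZONEFILE" "$ZONEDIR/$ZONEFILE" || return 2
    $RESTART_CMD
    printf 'Blackhole zone list updated (%s)\n%s\n' "$(date)" "$changes" | eval "$MAIL_CMD"
}

# Only run when invoked as the script itself (e.g. from cron), so the functions
# can also be sourced and exercised on their own.
case "${0##*/}" in
    getzones.sh) update_zones ;;
esac
```

Save it as /etc/namedb/blackhole/getzones.sh and use the same crontab line as above. A rejected download leaves the previous list and the running named untouched, and the non-zero exit status shows up in cron's mail if you drop the redirection to /dev/null.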

How to set up Apache to provide an information page

As I mentioned earlier, to avoid confusion it is a good idea to send the users to an information page. You can use any web server here; Apache is way overkill, but it's what I know.

1) Install Apache. You can do this however you wish, I will just use the ports tree:

~# cd /usr/ports/www/apache22; make install clean

2) Edit /usr/local/etc/apache22/httpd.conf and make the following changes (in order of appearance):
Listen
ServerAdmin atech@mydomain.ca
DocumentRoot "/usr/local/www/dnsbh"
ErrorDocument 500 /404.html
ErrorDocument 404 /404.html
ErrorDocument 402 /404.html

3) Create the web directory:
~# mkdir /usr/local/www/dnsbh
4) Create /usr/local/www/dnsbh/index.html. This will be the main landing page when folks are redirected:
<!DOCTYPE html>
<title>Your Org Name - IT services</title>
<script type="text/javascript">url = parent.window.location.href;</script>
<h3>Security Notice...</h3>

<p>You have been redirected to this page because the website that you tried to visit has been known to harbor
or distribute Spyware, Viruses or other forms of malicious software.</p>

<p>As part of our Information Security Policy we maintain a listing of potentially harmful sites to assist in the protection and stability of our computing resources. This is also done to protect users from divulging personal information to third parties where it could be used for illicit purposes such as Spam or Fraud.</p>

<p>If you feel your access to this web site is a requirement, contact your local Information Technology Services department for assistance.</p>

5) Create /usr/local/www/dnsbh/warn.png. This image should be around 127 x 57 pixels and contain something that identifies your organization along with something that conveys 'warning', either through words or images.

6) Create /usr/local/www/dnsbh/404.html. This should look something like:
<!DOCTYPE html>
<a href="/index.html" target="_new"><img border="0" src="/warn.png"></a>

Monitoring examples and ideas
The examples below are simply trending connections to port 80.

The shortcomings of this solution aside, that second image is quite compelling. You don't even need an analyst to interpret it. This is the kind of stuff that can be easily offloaded because the message is so poignant.

This example shows a typical day of activity:

This shows an infection:

A nice summary table like the one below is very useful. It is important to not just focus on hits but on just how much data a client is trying to send out. Large payloads repeatedly sent to this device should be an instant alarm.

Keep in mind too that this is a web server people are connecting to. Which means: LOGS! Aside from the fact that we can use these to clarify events, the data is screaming to be mined. I am not quite there yet, but soon.
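As an added example of mining those logs (not part of the original article), the script below builds the per-client summary described above: hits, total bytes the client sent us, the largest single request, and an ALARM marker when either exceeds a threshold. One caveat drives the design: Apache's default common/combined formats log the bytes the server sent, not what the client sent, so measuring "how much data a client is trying to send out" needs mod_logio's %I. The LogFormat, the log path, the thresholds and the function names are assumptions made here; the log lines in sample_report are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the article: summarise blackhole web-server hits per client.
# Assumes Apache's mod_logio is loaded and this (hypothetical) log format in httpd.conf:
#   LogFormat "%h %t \"%r\" %>s %I %O" dnsbh
#   CustomLog /var/log/httpd-dnsbh.log dnsbh
# %I = bytes received from the client (request line, headers and body), %O = bytes sent.
# A client that merely followed a blocked link sends tiny GETs; repeated large POSTs
# to a sinkhole are a machine talking to what it thinks is its controller.

# Read log lines on stdin; print "client hits total_in largest_in ok|ALARM", sorted by client.
# $1 = largest single request tolerated in bytes, $2 = total per client tolerated in bytes.
summarize() {
    max_one=${1:-4096} max_total=${2:-65536}
    awk -v max_one="$max_one" -v max_total="$max_total" '
        {
            client = $1
            # %t contains a space ("[date tz]") and %r is quoted and may contain spaces,
            # so pick the byte counters from the end of the line rather than by column.
            inbytes = $(NF-1) + 0
            hits[client]++
            total[client] += inbytes
            if (inbytes > big[client]) big[client] = inbytes
        }
        END {
            for (c in hits) {
                flag = (big[c] > max_one || total[c] > max_total) ? "ALARM" : "ok"
                printf "%s %d %d %d %s\n", c, hits[c], total[c], big[c], flag
            }
        }' | sort
}

# Constructed sample: two clients that hit the landing page once, and one that keeps
# POSTing ~50 KB bodies at the sinkhole every five minutes.
sample_report() {
    summarize 4096 65536 <<'EOF'
10.0.5.17 [29/Apr/2011:09:12:01 -0400] "GET / HTTP/1.1" 200 389 1530
10.0.5.17 [29/Apr/2011:09:12:01 -0400] "GET /warn.png HTTP/1.1" 200 412 6288
10.0.9.44 [29/Apr/2011:09:15:33 -0400] "POST / HTTP/1.1" 200 51244 1530
10.0.9.44 [29/Apr/2011:09:20:33 -0400] "POST / HTTP/1.1" 200 51300 1530
10.0.9.44 [29/Apr/2011:09:25:33 -0400] "POST / HTTP/1.1" 200 51198 1530
10.0.7.8 [29/Apr/2011:11:02:10 -0400] "GET / HTTP/1.1" 200 401 1530
EOF
}

# Run against the real log only when invoked as the report script itself.
case "${0##*/}" in
    dnsbh-report.sh) summarize 4096 65536 < /var/log/httpd-dnsbh.log ;;
esac
```

On the sample, 10.0.9.44 is flagged on both counts (a 51 KB single request and 153 KB total) while the two one-off visitors are reported as ok; run it from cron against the day's log and the ALARM lines are the tickets worth opening.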


Being a little short-handed at work, this was one of the first security solutions that I gravitated towards. The passiveness (and price) just made sense. A DNSBH can dramatically improve an organization's overall security posture for next to nothing. Yes, understand that it is NOT going to help you deal with intelligent threats, but you know what? That doesn't really matter, because most aren't.
The sludge, the unworthy... that is where this solution shines. If you are short on time, and short on resources, this is a gift.

Source: http://www.pintumbler.org/Code/dnsbl
