I am looking at configuring our Windows DNS Servers for some type of DNS based blackhole operation. Ideally, we would be able to use feeds from MalwareDomains.com or the like. I was curious how one could go about setting up and implementing such a setup. The workflow would look something like the following:
- Script to pull down and parse the feed list
- Script to publish feed list into Windows DNS
- Bad connections stopped due to new DNS entries
The challenge that I am having deals with step 2. I am not sure how to publish a large list of DNS entries into the Windows DNS server. Ideally this would work for Server 2008 or newer.
To attack #2, "Script to publish feed list into Windows DNS", you'll most likely be using dnscmd in some capacity. You'll need to use some PowerShell cmdlets (like get-content and write-host for possible examples) to cut up the feed list into the bits of information that are pertinent to the creation of an A or CNAME record in your own DNS server. Then stick the pertinent information into variables for dnscmd to work with.
To attack #3, you would create records that misdirect people. So either A records that point to an IP address under your control (perhaps a web server you control that says "You've been blocked! Expect a call from HR lol!!1") or simply send people to 0.0.0.0. Another option is to CNAME the domains to a web server that you control.
Instead of building this out yourself, consider standing on the back of someone who has done much of this work for you: Windows DNS Server Sinkhole Domains Tool. That is a SANS Institute backed PowerShell script that manages DNS blacklists on a Windows DNS server. There is a sister project called Windows HOSTS File Script To Block Bad Domains which, predictably, uses hosts files on local machines, which sounds icky, but perhaps a GPO to push it out to your Windows clients could be used (as long as user permissions disallow any hosts file tampering and also assuming that your Active Directory controls all PCs that you want to use the blacklist for).
As for reporting on the blockages, that's a little tougher since Windows DNS doesn't really have response-per-domain reports that I've found. What might be to your advantage would be to CNAME the blacklisted domains, and then use the faculties of the web server that you CNAME the blacklisted domains to as a means of checking up on who's doing what. You could theoretically deconstruct the incoming HTTP requests based on referring domain and source IP address and make quite the set of nifty reports. AWStats might even be of some out-of-the-box help.
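A worked example of the dnscmd approach described in this answer, added here and not code from the answer, the question, or the SANS tool. The feed sample is constructed in the malwaredomains.com style; the one-primary-zone-per-blocked-domain layout and the parameter names are assumptions. Run it with -DryRun on a test server first to review the commands it would issue.

```powershell
# Added example: parse a feed of bad domains and sinkhole each one on a
# Windows DNS server with dnscmd (works on Server 2008+, no DnsServer module needed).
param(
    [string]$FeedPath   = '.\domains.txt',
    [string]$DnsServer  = '.',         # '.' = the local DNS server
    [string]$SinkholeIp = '0.0.0.0',   # or the address of a web server you control
    [switch]$DryRun                    # print the dnscmd calls instead of running them
)

# Constructed sample feed (not a real list): '#' lines are comments, data lines
# are tab-separated with the domain in the first non-empty field.
$sampleFeed = @"
## constructed sample feed, malwaredomains.com style
`t`tbad-example.test`tphishing`tconstructed
`t`tmalware.example`texploit`tconstructed
`t`tbad-example.test`tphishing`tconstructed
`t`tnot a domain`tjunk`tconstructed
"@
if (-not (Test-Path $FeedPath)) { $sampleFeed | Set-Content $FeedPath }

# Parse: drop comments, take the first non-empty field, keep only syntactically
# valid hostnames (so a malformed feed line cannot become an odd zone name),
# and de-duplicate so repeated entries do not produce repeated zones.
$hostPattern = '^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$'
$domains = @(Get-Content $FeedPath |
    Where-Object { $_ -and $_ -notmatch '^\s*#' } |
    ForEach-Object { ($_ -split "`t" | Where-Object { $_ }) | Select-Object -First 1 } |
    ForEach-Object { $_.Trim().ToLowerInvariant() } |
    Where-Object { $_ -match $hostPattern } |
    Sort-Object -Unique)

foreach ($d in $domains) {
    # One primary zone per blocked name; apex and wildcard both answer with the sinkhole
    # address, so subdomains of the blocked name are caught as well.
    $ops = @(
        @('/ZoneAdd',   $d, '/Primary', '/file', "$d.dns"),
        @('/RecordAdd', $d, '@', 'A', $SinkholeIp),
        @('/RecordAdd', $d, '*', 'A', $SinkholeIp)
    )
    foreach ($op in $ops) {
        # Arguments are passed as an array, never built into a command string,
        # so feed contents cannot inject extra commands.
        if ($DryRun) { Write-Host ("dnscmd {0} {1}" -f $DnsServer, ($op -join ' ')) }
        else         { & dnscmd $DnsServer @op }
    }
}
Write-Host ("{0} unique domains processed from {1}" -f $domains.Count, $FeedPath)
```

With the constructed sample the script yields two zones (the duplicate and the malformed line are dropped); swap the sample for a downloaded feed file to use it for real.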
A while back I published a PowerShell module, DnsBlockList, available on GitHub and PowerShell Gallery. It will natively ingest lists from SANS, ZeusTracker, and Malware Domains with the capability to add lists, create your own, etc. The trick is parsing these lists as that process may require additional logic depending on the format it comes in. However there's room for that too!
A Query Resolution Policy is created for each domain to be blocked. This avoids creating DNS records for loopback addresses.
There are a lot more features documented in the README. I encourage you to check it out.
Since it's published to PowerShell Gallery, installing the module is easy:
There are instructions for this on the site that you mention: http://www.malwaredomains.com/?page_id=6#MS and a special file format for these instructions: http://mirror1.malwaredomains.com/files/BOOT