Blocking Malware with DNS Sinkhole

The DNS sinkhole method can be used to block communication between malware and its command-and-control (C2) server, or to detect systems infected with malware. It can also be used to identify or neutralise the impact of botnets. This article focuses on how DNS sinkhole can be implemented in corporate networks to block malware.

The idea behind the method is to answer DNS queries for known-malicious domains with a fake response, so malware on a client that uses the sinkhole as its resolver never learns the real IP address of the domain it is trying to reach. An example configuration can be set up by following these steps:

On a Linux system (Ubuntu in this example), install the Bind DNS server with:

apt-get install bind9

Then create the required directory and zone file:

mkdir /etc/bind/zones
nano /etc/bind/zones/malware.db

Inside the newly created malware.db file, add records like these:

$TTL    3600
@        IN    SOA    ns1.malware.com. root.malware.com. (2012041615 10800 3600 604800 86400)
         IN    NS     ns1.malware.com.
         IN    NS     ns2.malware.com.
         IN    A      192.168.41.1
*        IN    A      192.168.41.1

Depending on your setup, replace 192.168.41.1 in the last two lines with the address you want the malicious traffic redirected to. Also make sure the zone directory and file are readable by the bind user (the example grants the bind user read, write and execute on the directory; a static master zone only needs read access, but write is harmless here):

chown bind /etc/bind/zones
chmod u+rwx /etc/bind/zones

You can verify the syntax of your zone file with:

named-checkzone malware.com /etc/bind/zones/malware.db

Next, add the domains you want to sinkhole into /etc/bind/named.conf.local in this format:

zone "malware.com" {
    type master;
    file "/etc/bind/zones/malware.db";
};

zone "malicious.com" {
    type master;
    file "/etc/bind/zones/malware.db";
};

Finally, restart the Bind service to apply the changes:

service bind9 restart
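The steps above are easy to get wrong when the blacklist grows to hundreds of domains (a typo in one stanza stops Bind from loading). The script below, an added example and not part of the original article, generates the shared zone file and the named.conf.local stanzas from a plain domain list, de-duplicating and normalising entries, and runs named-checkzone on the result when it is installed. The paths, the SINKHOLE_IP default and the function names are assumptions; the record layout is the same as the zone file above.

```shell
#!/bin/sh
# Generate a BIND sinkhole zone file and named.conf.local stanzas
# from a plain list of domains. Added example; paths are assumptions.

SINKHOLE_IP="${SINKHOLE_IP:-192.168.41.1}"           # address queries resolve to
ZONE_FILE="${ZONE_FILE:-/etc/bind/zones/malware.db}" # shared zone file

# Write the shared zone file. Every sinkholed zone uses this one file,
# so the SOA and NS names must be fully qualified (trailing dot) and the
# A records must be relative to the zone apex.
write_zone_file() {
  out="$1"; ip="$2"
  cat > "$out" <<EOF
\$TTL    3600
@        IN    SOA    ns1.malware.com. root.malware.com. (2012041615 10800 3600 604800 86400)
         IN    NS     ns1.malware.com.
         IN    NS     ns2.malware.com.
         IN    A      $ip
*        IN    A      $ip
EOF
}

# Emit one "type master" stanza per domain from the list file.
# Skips blank lines and '#' comments, lower-cases names, strips a
# trailing dot and drops duplicates (a duplicate zone stops BIND loading).
gen_zone_stanzas() {
  list="$1"; zonefile="$2"
  grep -v '^[[:space:]]*#' "$list" | tr 'A-Z' 'a-z' | sed 's/\.$//' |
    awk -v f="$zonefile" 'NF && !seen[$1]++ {
      printf "zone \"%s\" {\n    type master;\n    file \"%s\";\n};\n\n", $1, f
    }'
}

# Number of zone stanzas in a generated fragment (used as a sanity check).
count_zones() { grep -c '^zone "' "$1"; }

# Validate the zone file for one origin; skipped if BIND tools are absent.
validate_zone() {
  origin="$1"; zonefile="$2"
  if ! command -v named-checkzone >/dev/null 2>&1; then
    echo "named-checkzone not installed, skipping validation of $origin" >&2
    return 0
  fi
  named-checkzone "$origin" "$zonefile"
}

# Usage: sh sinkhole-gen.sh domains.txt > /etc/bind/named.conf.local
# (then review the output and run "service bind9 restart").
main() {
  list="$1"
  write_zone_file "$ZONE_FILE" "$SINKHOLE_IP"
  gen_zone_stanzas "$list" "$ZONE_FILE"
  # check the zone once against the first listed origin
  first=$(grep -v '^[[:space:]]*#' "$list" | tr 'A-Z' 'a-z' | sed 's/\.$//' | awk 'NF {print $1; exit}')
  [ -n "$first" ] && validate_zone "$first" "$ZONE_FILE" >&2
}

if [ "$#" -gt 0 ]; then main "$@"; fi
```

Keep the generated stanzas in a separate file included from named.conf.local if you regenerate often; the zone file itself never changes, only the list of zones pointing at it.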

The steps above only make Bind authoritative for the sinkholed zones. Because an authoritative answer always takes precedence over recursion, those zones are sinkholed no matter what else the server does, but for every other name Bind must also be allowed to recurse for your clients (allow-recursion in /etc/bind/named.conf.options) or to forward to your upstream resolvers, and the clients must be configured to use it as their DNS server.

To test whether the DNS server is working correctly, use a Linux system with the dnsutils package installed:

dig malware.com @192.168.41.142

Here, malware.com should be a domain on your blacklist, and 192.168.41.142 is your DNS server’s IP address.

In the example configuration, the output will look like this:

;; ANSWER SECTION:
malware.com.    3600    IN    A    192.168.41.1

This shows that DNS requests for malware.com are being resolved to 192.168.41.1.

You can also test it from a Windows machine by setting its DNS server to 192.168.41.142 in the network settings and trying to access a blacklisted domain.

These domains can be mapped to a non-routable address (such as 0.0.0.0) to simply block access, or, as in the example above, redirected to a local machine where the traffic can be monitored: every connection that arrives at the sinkhole address, and with query logging enabled on Bind (rndc querylog) every lookup of a sinkholed name, carries the source address of an infected system.
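Identifying infected systems from the query log, as an added example that is not part of the original article: the functions below read a Bind query log and the domain blacklist, report every lookup whose name is, or sits under, a sinkholed zone, and summarise the requesting client addresses. The log lines are constructed in the shape of Bind's querylog output (older versions omit the @0x... handle after "client"; both forms are handled); the function names and file paths are assumptions.

```shell
#!/bin/sh
# Find infected hosts from BIND query-log lines that hit sinkholed zones.
# Added example; the log lines below are constructed, not captured.

# Constructed sample log in BIND querylog format (two clients hit the
# sinkhole, one queries a legitimate name).
sample_log() {
  cat <<'EOF'
14-Apr-2012 10:15:01.123 client 192.168.41.50#51234 (malware.com): query: malware.com IN A + (192.168.41.142)
14-Apr-2012 10:15:02.456 client 192.168.41.77#40001 (www.example.org): query: www.example.org IN A + (192.168.41.142)
14-Apr-2012 10:15:03.789 client @0x7f1c2c0a1b60 192.168.41.50#51240 (cnc.malicious.com): query: cnc.malicious.com IN A + (192.168.41.142)
14-Apr-2012 10:16:10.001 client 192.168.41.90#33333 (malicious.com): query: malicious.com IN TXT + (192.168.41.142)
EOF
}

# sinkhole_hits ZONELIST LOGFILE
# Prints "client_ip queried_name" for each query whose name equals a
# sinkholed zone or is a subdomain of one (the wildcard A record means
# every subdomain is sinkholed too). ZONELIST is one domain per line,
# '#' comments allowed.
sinkhole_hits() {
  zonelist="$1"; logfile="$2"
  awk '
    # first file: load the zone list
    FNR == NR { if (NF && $1 !~ /^#/) { z[++n] = tolower($1); sub(/\.$/, "", z[n]) } ; next }
    # second file: only query-log lines
    / query: / {
      c = ""; q = ""
      for (i = 1; i <= NF; i++) if ($i == "client") {
        c = $(i+1); if (c ~ /^@/) c = $(i+2)   # skip the @0x... handle if present
        break
      }
      sub(/#.*/, "", c)                         # drop the source port
      for (i = 1; i <= NF; i++) if ($i == "query:") { q = $(i+1); break }
      q = tolower(q); sub(/\.$/, "", q)
      for (k = 1; k <= n; k++) {
        if (q == z[k] || substr(q, length(q) - length(z[k])) == "." z[k]) { print c, q; break }
      }
    }' "$zonelist" "$logfile"
}

# infected_hosts ZONELIST LOGFILE
# Client addresses that looked up sinkholed names, most active first.
infected_hosts() {
  sinkhole_hits "$1" "$2" | awk '{print $1}' | sort | uniq -c | sort -rn
}

# Usage: infected_hosts /etc/bind/blacklist.txt /var/log/named/query.log
```

Run it against the live query log on a schedule and feed the client list to your incident-response process; a host that keeps appearing after remediation is either reinfected or still running the original sample.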
