DNS Sinkhole Parser Script Update
Those using the DNS Sinkhole ISO that I have made available on the Whitehats.ca site can now download the most current version of sinkhole_parser.sh script between new ISO releases. The script contains new lists that were not part of the 7 July 2011 release. The script is available on the handler's server here with the MD5 here.
DNS Sinkhole using your own BIND Server
I have posted all the necessary scripts used in the ISO if you want to use your own BIND setup. The tarball is available here with the MD5 here. Follow the instructions posted on this page to get started.
[1] http://handlers.dshield.org/gbruneau/
-----------
Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu
Comments
Kindly help if you have any.
babu
Oct 16th 2011
1 decade ago
I indicated in http://handlers.dshield.org/gbruneau/ that all you need is to download the tarball, untar the file and copy the files from the bind_sinkhole directory to the Linux root (/) filesystem.
After the files have been copied to the filesystem, run /root/scripts/sinkhole_parser.sh and select D, T and B to populate your DNS Sinkhole.
Check this documentation as well http://www.whitehats.ca/main/members/Seeker/seeker_sinkhole/Seeker_DNS_Sinkhole.html
Guy
Oct 16th 2011
1 decade ago
Is the document provided on the http://www.whitehats.ca/main/members/Seker/seeker_sinkhole/Seeker_DNS_Sinkhole.html website applicable to Red Hat Linux where BIND is already running?
Regards
Babu
babu
Oct 17th 2011
1 decade ago
- Edit /etc/named.conf (Note: // is a comment in this file)
- If needed, change the allow transfer
- If needed, change the allow recursion
- Change the list of forwarders to your site list
- Ensure your list of include domains matches your site custom lists. This is important when the sinkhole_parser.sh script tests the zones for errors and duplicates. Any custom lists you wish to add to your sinkhole (i.e. guy_blacklist.conf) must be included in the named.conf file to be loaded in the sinkhole. The default list is:
  - site_specific_sinkhole.conf (single = match specific domain)
  - entire_domain_sinkhole.conf (wildcard = match entire domain)
- Save the changes
DNS Sinkhole - Hijack domains
- Edit /var/named/sinkhole/client.nowhere, change the 192.168.1.5 IP address to your site sinkhole IP address and save the change.
- Edit /var/named/sinkhole/domain.nowhere, which is used to wildcard an entire domain, change the 192.168.1.5 IP address to your site sinkhole IP address (this may be the same as client.nowhere) and save the change. (wildcard = *.domain.ca)
By default, the sinkhole_parser.sh script populates site_specific_sinkhole.conf, and all domains included in this file put just the listed sites in the sinkhole.
Guy
Oct 17th 2011
1 decade ago
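The steps above describe how named.conf pulls in include files (site_specific_sinkhole.conf for single names, entire_domain_sinkhole.conf for whole domains) whose zone statements point at the client.nowhere and domain.nowhere zone files. The script below is an added illustration, not code from this diary or from the sinkhole_parser.sh script: it builds those two include files from plain domain lists using a standard BIND master-zone statement, and checks the single and wildcard lists for names that appear in both, the kind of duplicate that makes named refuse a reload. The zone file paths are the ones given above; the domain lists are constructed sample data, and the exact output format of the real sinkhole_parser.sh is not shown on the page, so treat the statement layout as an assumption.

```shell
#!/bin/sh
# Added example, not code from the ISC diary or from sinkhole_parser.sh:
# build BIND sinkhole include files from plain domain lists and report
# names that occur in both the single-domain and the wildcard list.
# Zone file paths follow the diary; the sample lists are constructed.
export LC_ALL=C

SINGLE_ZONE_FILE="/var/named/sinkhole/client.nowhere"   # one host name -> sinkhole IP
WILDCARD_ZONE_FILE="/var/named/sinkhole/domain.nowhere" # whole domain (*.domain) -> sinkhole IP

# Normalize a raw list read from stdin: lower-case, drop comments and blank
# lines, strip whitespace and a trailing dot, de-duplicate. Output is sorted.
normalize_list() {
    tr 'A-Z' 'a-z' | sed -e 's/#.*//' -e 's/[[:space:]]//g' -e 's/\.$//' \
        | grep -v '^$' | sort -u
}

# Turn a normalized list on stdin into zone statements that make named
# authoritative for each name, answering from the given sinkhole zone file.
make_zone_statements() {
    zonefile="$1"
    while IFS= read -r domain; do
        printf 'zone "%s" { type master; file "%s"; };\n' "$domain" "$zonefile"
    done
}

# Names present in both normalized (sorted) lists. named will not load the
# same zone twice, so these must be removed from one list before reloading.
find_duplicates() {
    comm -12 "$1" "$2"
}

# Number of zone statements in a generated include file (0 if none).
count_zones() {
    grep -c '^zone "' "$1" || true
}

# Build site_specific_sinkhole.conf and entire_domain_sinkhole.conf in $1
# from the single list $2 and the wildcard list $3; print the duplicate count.
build_sinkhole_includes() {
    outdir="$1"
    normalize_list < "$2" > "$outdir/single.sorted"
    normalize_list < "$3" > "$outdir/wildcard.sorted"
    make_zone_statements "$SINGLE_ZONE_FILE" < "$outdir/single.sorted" \
        > "$outdir/site_specific_sinkhole.conf"
    make_zone_statements "$WILDCARD_ZONE_FILE" < "$outdir/wildcard.sorted" \
        > "$outdir/entire_domain_sinkhole.conf"
    find_duplicates "$outdir/single.sorted" "$outdir/wildcard.sorted" > "$outdir/duplicates"
    grep -c . "$outdir/duplicates" || true
}

# Stand-alone run on constructed sample lists (not real malware domains),
# written to a temporary directory rather than /var/named.
demo() {
    work=$(mktemp -d)
    printf 'www.example.com\nEvil.Example.net.\n# comment\nwww.example.com\nmalware.example.org\n' > "$work/single.txt"
    printf 'example.org\nbad.example.net\nmalware.example.org\n' > "$work/wildcard.txt"
    dups=$(build_sinkhole_includes "$work" "$work/single.txt" "$work/wildcard.txt")
    echo "--- site_specific_sinkhole.conf"; cat "$work/site_specific_sinkhole.conf"
    echo "--- entire_domain_sinkhole.conf"; cat "$work/entire_domain_sinkhole.conf"
    echo "--- duplicates ($dups):"; cat "$work/duplicates"
    rm -rf "$work"
}
demo
```

Anything reported under duplicates should be dropped from one of the two lists before the generated files are included from named.conf and the server is reloaded; once the reload succeeds, an nslookup of a listed name against the server should return the sinkhole IP configured in client.nowhere or domain.nowhere.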
https://isc.sans.edu/diary.html?storyid=7930
BJ
Oct 17th 2011
1 decade ago
When I executed sinkhole_parser.sh and selected option A to load an individual domain into the sinkhole, and then loaded the zone file using the "B" option, I got the output below, but the newly added zone is not showing in the /var/named/site_specific_sinkhole.conf file:
Reloading Bind updated zones...
Before the update there was records and after the update there are 3 records
server reload successful
/bin/rm: cannot remove `final.sorted': No such file or directory
/bin/rm: cannot remove `malwaredomains': No such file or directory
/bin/rm: cannot remove `/tmp/site_specific_sinkhole.conf': No such file or directory
Done DNS Malware list zone updates...
number of zones: 3
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is OFF
recursive clients: 0/1000
tcp clients: 0/100
server is up and running
Done reloading Bind zones...
Press ENTER to exit ...
NEED your advice
babu
Oct 23rd 2011
1 decade ago
These are custom sinkhole additions and will be added to either custom_single_sinkhole.conf (domain name such as www.google.com) or custom_wildcard_sinkhole.conf (wildcard domain such as *.google.com).
The site_specific_sinkhole.conf file only gets populated when you select "D" to download the web lists.
As for the errors, the script gets its count from when the list is downloaded from the web, and they can be ignored. My guess from your count is that you did not have anything in your sinkhole before and just added 3. Run an nslookup against the added records and it should show they are in your DNS sinkhole.
Guy
Oct 23rd 2011
1 decade ago
Thanks for your response. From your update, I have the following queries; please let me know:
1. As per the update, the newly added test.com is not added to either custom_wildcard_sinkhole.conf or custom_sinkhole.conf. Below is the output:
[root@test named]# pwd
/var/named
[root@test named]# ls -trl *.conf
-rw-r--r-- 1 root named 183 Oct 23 10:45 site_specific_sinkhole.conf
-rw-r--r-- 1 root named 94 Oct 23 10:45 entire_domain_sinkhole.conf
-rw-r--r-- 1 root named 0 Oct 23 10:45 custom_wildcard_sinkhole.conf
-rw-r--r-- 1 root named 0 Oct 23 10:45 custom_single_sinkhole.conf
2. Is it possible to implement the BIND sinkhole on secondary DNS servers where all zones are maintained in zonefilename.db format? Meaning, is it possible to sync sinkhole files from the primary to the secondary DNS server automatically?
3. As per your documentation, you have noted that it maintains 20,000 malware domain entries. Will DNS name resolution be delayed because of this many entries maintained in the configuration file?
babu
Oct 24th 2011
1 decade ago