DNS Sinkhole Parser Script Update

Published: 2011-10-15
Last Updated: 2011-10-15 22:32:48 UTC
by Guy Bruneau (Version: 1)
8 comment(s)

Those using the DNS Sinkhole ISO that I have made available on the Whitehats.ca site can now download the most current version of sinkhole_parser.sh script between new ISO releases. The script contains new lists that were not part of the 7 July 2011 release. The script is available on the handler's server here with the MD5 here.

DNS Sinkhole using your own BIND Server

I have posted all the necessary scripts use in the ISO if you want to use your own BIND setup. The tarball is available here with the MD5 here. Follow the instructions posted on this page to get started.


[1] http://handlers.dshield.org/gbruneau/
 

-----------

Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu

Keywords: DNS Sinkhole
8 comment(s)

Comments

Can you give me document to install and configure DNS Sinkhole for BIND in Redhat Linux 32 Bit server.

Kindly help if you have any.
Badu,

I indicated in http://handlers.dshield.org/gbruneau/ that all you need is to download the tarball, untar the file and copy the files from the bind_sinkhole directory to the Linux root (/) filesystem.

After the files have been copied to the filesystem, run /root/scripts/sinkhole_parser.sh select D, T and B to populate your DNS Sinkhole.

Check this documentation as well http://www.whitehats.ca/main/members/Seeker/seeker_sinkhole/Seeker_DNS_Sinkhole.html
Sir,
Is the document provided in http://www.whitehats.ca/main/members/Seker/seeker_sinkhole/Seeker_DNS_Sinkhole.html website applicable for Redhat Linux where already BIND is running?

Regads
Babu
Only section 1.2.1 applies. To complete the setup, do:

- Edit /etc/named.conf (Note: // is a comment in this file)

- If needed, change the allow transfer
- If needed, change the allow recursion
- Change the list of forwarder to your site list

- Ensure your list of include domains matches your site custom lists. This is important when the sinkhole_parser.sh script test the zones for errors and duplicate. Any custom lists you wish to add to your sinkhole (i.e. guy_blacklist.conf) must be included in the named.conf file to be loaded in the sinkhole. The default list is:

- site_specific_sinkhole.conf (single = match specific domain)
- entire_domain_sinkhole.conf (wildcard = match entire domain)

- Save the changes

DNS Sinkhole - Hijack domains

- Edit the /var/named/sinkhole/client.nowhere and change the 192.168.1.5 IP address to your site sinkhole IP address and save the change.

- Edit the /var/named/sinkhole/domain.nowhere which is used to wildcard an entire domain and change the 192.168.1.5 IP address to your site sinkhole IP address (this maybe the same as client.nowhere) and save the change. (wildcard = *.domain.ca)

By default, the sinkhole_parser.sh script populates the site_specific_sinkhole.conf and all domains included in this file are putting in the sinkhole just the listed sites.
To those of us wondering what this is for, and unwilling to read the PDF,
https://isc.sans.edu/diary.html?storyid=7930
Dear Sir,

When i executed sinkhole_parser.sh and selected option A to load individual domain into sinkhole. when i load the zone file using "B" option, i am getting below output but the newly added zone is not showing in /var/named/site_specific_sinkhole.conf file

Reloading Bind updated zones...

Before the update there was records and after the update there are 3 records

server reload successful
/bin/rm: cannot remove `final.sorted': No such file or directory
/bin/rm: cannot remove `malwaredomains': No such file or directory
/bin/rm: cannot remove `/tmp/site_specific_sinkhole.conf': No such file or directory
Done DNS Malware list zone updates...

number of zones: 3
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is OFF
recursive clients: 0/1000
tcp clients: 0/100
server is up and running

Done reloading Bind zones...
Press ENTER to exit ...



NEED your advice

Hi Badu,

These are custom sinkhole additions and will be added either custom_single_sinkhole.conf (domain name such as www.google.com) or custom_wildcard_sinkhole.conf (wilcard domain such as *.google.com)

The site_specific_sinkhole.conf file only get populated when you select "D" to download the web lists.

As for the errors, the script is getting its count from when the list is downloaded from the web and can be ignored. My guess from your count you did not have anything in your sinkhole before and just added 3. Run a nslookup against the added records and it should show they are in your DNS sinkhole.
Dear Sir,

Thanks for your response. From your update, i have following queries, please let me know

1. As per update, newly added test.com is not added in either custoer_wildcard_sinkhole.conf or custom_sinkhole.conf file either. Below is the output

[root@test named]# pwd
/var/named
[root@test named]# ls -trl *.conf
-rw-r--r-- 1 root named 183 Oct 23 10:45 site_specific_sinkhole.conf
-rw-r--r-- 1 root named 94 Oct 23 10:45 entire_domain_sinkhole.conf
-rw-r--r-- 1 root named 0 Oct 23 10:45 custom_wildcard_sinkhole.conf
-rw-r--r-- 1 root named 0 Oct 23 10:45 custom_single_sinkhole.conf


2. Is it possible to implement BIND Sinkhole in secondary DNS servers wherein all zones are maintained in zonefilename.db format?.. meaning is it possible to sink sinkhole files from primary to secondary DNS server automatically

3. As per your documentation, you have updated that it maintain 20,000 malware domain entries. Will the dns name resoltion will be delayed becuase of these many entries maintained in configuraiton file

Diary Archives