Windows – Black Hole DNS on Windows DNS Server

Tags: blackhole, blacklist, domain-name-system, windows

I am looking at configuring our Windows DNS Servers for some type of DNS based blackhole operation. Ideally, we would be able to use feeds from MalwareDomains.com or the like. I was curious how one could go about setting up and implementing such a setup. The workflow would look something like the following:

  1. Script to pull down and parse the feed list
  2. Script to publish feed list into Windows DNS
  3. Bad connections stopped due to new DNS entries

The challenge that I am having deals with step 2. I am not sure how to publish a large list of DNS entries into the Windows DNS server. Ideally this would work for Server 2008 or newer.

Best Answer

To attack #2, "Script to publish feed list into Windows DNS", you'll most likely be using dnscmd in some capacity. You'll need to use some PowerShell cmdlets (like get-content and write-host for possible examples) to cut up the feed list into the bits of information that are pertinent to the creation of an A or CNAME record in your own DNS server. Then stick the pertinent information into variables for dnscmd to work with.

To attack #3, you would create records that misdirect people. So either A records that point to an IP address under your control (perhaps a web server you control that says "You've been blocked! Expect a call from HR lol!!1") or simply send people to 0.0.0.0. Another option is to CNAME the domains to a web server that you control.

Instead of building this out yourself, consider standing on the back of someone who has done much of this work for you: Windows DNS Server Sinkhole Domains Tool. That is a SANS Institute backed PowerShell script that managed DNS blacklists on a Windows DNS server. There is a sister project called Windows HOSTS File Script To Block Bad Domains which, predictably, uses hosts files on local machines, which sounds icky but perhaps a GPO to push it out to your Windows clients could be used (as long as user permissions disallow any hosts file tampering and also assuming that your Active Directory controls all PCs that you want to use the blacklist for).

As for reporting on the blockages, that's a little tougher since Windows DNS doesn't really have response-per-domain reports that I've found. What might be to your advantage would be to CNAME the blacklisted domains, and then use the faculties of the web server that you CNAME the blacklisted domains to as a means of checking up on who's doing what. You could theoretically deconstruct the incoming HTTP requests based on referring domain and source IP address and make quite the set of nifty reports. AWStats might even be of some out-of-the-box help.
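The feed-parsing and dnscmd steps described above (steps 1 and 2 of the question), as an added PowerShell example that is not part of the original answer and is not the SANS tool it mentions. It assumes it runs as an administrator on the DNS server itself, that `dnscmd /ZoneInfo` exits non-zero for a zone that does not exist (so re-runs do not fail on existing zones), and that `$FeedUrl`, `$SinkholeIP` and `$AllowList` are placeholders you replace. The embedded sample feed is constructed for offline testing; every candidate is checked against a strict hostname pattern and an allow-list of your own domains before anything is handed to dnscmd.

```powershell
# Added example (not from the original answer): parse a domain feed and publish
# one sinkhole zone per domain with dnscmd. Run elevated on the DNS server.
param(
    [string]$FeedUrl     = 'https://FEED-URL-PLACEHOLDER/justdomains',  # placeholder
    [string]$SinkholeIP  = '0.0.0.0',                                   # or your sinkhole web server
    [string[]]$AllowList = @('example.com'),   # placeholder: your own domains, never sinkholed
    [switch]$UseSample                          # parse the constructed sample feed below instead
)

# Constructed sample feed covering the two common layouts: one domain per line
# and hosts-file style "127.0.0.1 domain". Comments and blank lines are skipped.
$SampleFeed = @"
## constructed sample feed, not real data
bad-example.test
127.0.0.1 phish-example.test
0.0.0.0  another-bad.example.test
example.com
not a domain!!
"@

# Strict hostname pattern: labels of letters, digits and hyphens, at least two
# labels. Anything that fails this is dropped, so nothing odd reaches dnscmd.
$HostnamePattern = '^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9-]{2,63}$'

function ConvertFrom-FeedList {
    param([string[]]$Lines, [string[]]$Allow)
    $domains = foreach ($line in $Lines) {
        $line = $line.Trim()
        if ($line -eq '' -or $line.StartsWith('#')) { continue }
        # hosts-file layout: the domain is the last whitespace-separated field
        $candidate = ($line -split '\s+')[-1].ToLowerInvariant().TrimEnd('.')
        if ($candidate -notmatch $HostnamePattern) { continue }
        # never sinkhole an allow-listed domain or any subdomain of it
        $protected = $Allow | Where-Object { $candidate -eq $_ -or $candidate.EndsWith(".$_") }
        if ($protected) { continue }
        $candidate
    }
    $domains | Sort-Object -Unique
}

function Publish-SinkholeZone {
    param([string]$Domain, [string]$Ip)
    # Assumed behaviour: /ZoneInfo exits non-zero when the zone is absent, so the
    # zone is only created once and the script can be re-run after each feed pull.
    $null = & dnscmd /ZoneInfo $Domain 2>&1
    if ($LASTEXITCODE -ne 0) {
        $null = & dnscmd /ZoneAdd $Domain /Primary /file "$Domain.dns"
    }
    # "@" answers for the apex, "*" for every subdomain; both point at the sinkhole
    $null = & dnscmd /RecordAdd $Domain '@' A $Ip
    $null = & dnscmd /RecordAdd $Domain '*' A $Ip
}

# Step 1: pull (or, for testing, use the constructed sample) and parse the feed.
# WebClient is used rather than Invoke-WebRequest so this also runs on PowerShell 2.0.
$lines = if ($UseSample) { $SampleFeed -split "`r?`n" }
         else { (New-Object Net.WebClient).DownloadString($FeedUrl) -split "`r?`n" }
$domains = ConvertFrom-FeedList -Lines $lines -Allow $AllowList

# Step 2: publish one sinkhole zone per domain.
Write-Host "Publishing $(@($domains).Count) sinkhole zones pointing at $SinkholeIP"
foreach ($d in $domains) { Publish-SinkholeZone -Domain $d -Ip $SinkholeIP }
```

Running it with `-UseSample` parses only the three well-formed, non-allow-listed test domains (`example.com` is skipped by the allow-list, `not a domain!!` by the hostname check). Pointing the sinkhole at a web server you control, as the answer suggests, keeps the option of reporting from that server's access logs; domains that drop out of the feed are not removed by this script, so pair it with `dnscmd /ZoneDelete <zone> /f` for zones no longer listed.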
