Came up with this as a simple, straightforward quick answer:
http://www.malwaredomains.com/bhdns.html

My thanks to everyone who responded so quickly!

Our phishing email looked like this:
You have exceeded the storage capacity of your designated mail box and
is thus required to revalidate immediately.
you may not receive/send mails until your mailbox is revalidated,
revalidation increases your mailbox storage capacity and is fast and easy.
Please click here
<http://www.update.10001mb.com/revalidate.php?webmail=form> to
revalidate your mailbox.
- Admin

Note that even though my internal DNS server is now authoritative for 10001mb.com, anyone who's swallowed the bait (before I set up the dummy domain) gets a cookie set in the browser that keeps them going to that malign webpage even after the address resolution call times out :(

On 4/1/2011 10:36 AM, Jose Nazario wrote:
On Apr 1, 2011, at 10:22 AM, Stewart Dean wrote:

That is, if we know that a symbolic address is malign, is there some way to 
refuse to resolve it or change its resolution when an internal user asks for 
its resolution from the internal DNS server?

All my Google searching turns up DNSBLs and blocking incoming mail from BLed 
addresses, but this is another matter...


hrm .. i may have mis-read this. i was thinking you didn't want to do the 
standard DNSBL approach (have your local DNS servers become authoritative for 
the zone and control its resolution). i was thinking you wanted to do this off 
the DNS servers, hence the network-centric approach (read the DNS traffic and 
rewrite it as needed).

_____________________________
jose nazario, ph.d. j...@arbor.net
sr. manager of security research, arbor networks
http://asert.arbor.net/


--
"One must think like a hero to behave like a merely decent human being." - May Sarton
"Having overcome your worst fear, the thing you are most vulnerable to, that is the definition of heroic.
Also, it's such a worthwhile human activity. The most." -Fran Liebowitz

Funny how it's women who see the real heroism (that of going on, of being true) so clearly.
Stewart Dean, Unix System Admin, Bard College, New York 12504 sd...@bard.edu
voice: 845-758-7475, fax: 845-758-7035
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
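
The approach discussed in this thread (making the internal BIND server authoritative for known-bad zones), as an added example that is not part of the original messages: it turns a blocklist into `named.conf` zone stanzas, skipping malformed names, duplicates (a zone defined twice makes named reject the configuration) and subdomains already covered by a listed parent. The zone file path, the sinkhole address 192.0.2.1, the sample list and all function names are assumptions.

```python
import re

# Constructed sample blocklist: the domain from the phishing URL in this thread,
# plus made-up entries that exercise the edge cases.
SAMPLE = """
# comment line
10001mb.com
www.update.10001mb.com
Example.INVALID.
bad_domain!.test
example.invalid
"""

# Shared zone file served for every blocked zone (assumed sinkhole: 192.0.2.1).
# The wildcard record answers for every name below the zone apex.
ZONE_FILE = """$TTL 3600
@ IN SOA ns.localhost. hostmaster.localhost. (1 3600 600 86400 3600)
@ IN NS ns.localhost.
@ IN A 192.0.2.1
* IN A 192.0.2.1
"""

LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")

def parse_domains(text):
    """Return valid, lower-cased, de-duplicated domains in input order."""
    seen = []
    for raw in text.splitlines():
        name = raw.split("#", 1)[0].strip().lower().rstrip(".")
        labels = name.split(".")
        if not name or len(name) > 253 or len(labels) < 2:
            continue
        if all(LABEL.match(l) for l in labels) and name not in seen:
            seen.append(name)
    return seen

def collapse(domains):
    """Drop names already answered by a listed parent zone's wildcard."""
    zones, keep = set(domains), []
    for d in domains:
        parts = d.split(".")
        parents = {".".join(parts[i:]) for i in range(1, len(parts) - 1)}
        if not parents & zones:
            keep.append(d)
    return keep

def named_conf(text, zone_path="/etc/namedb/blockeddomains.zone"):
    """Emit one master-zone stanza per blocked domain (zone_path is assumed)."""
    return "".join('zone "%s" { type master; file "%s"; };\n' % (d, zone_path)
                   for d in collapse(parse_domains(text)))

if __name__ == "__main__":
    print(named_conf(SAMPLE), end="")
```

Write `ZONE_FILE` to the path given in the stanzas and run `named-checkconf -z` on the result before reloading the server.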