> > When the Conficker worm phones home to one of the 50,000 potential
> > domain names it computes each day, there are a lot of IT folks out
> > there that wish their local resolver would simply reject those DNS
> > requests so that infected machines in their network fail to phone
> > home.
>
> That's an extremely bad idea: many of the domains generated by the
> Conficker algorithm are already registered by a legitimate registrant
> (in .FR: the national railways, a national TV, etc).
It's an idea that needs to be used *with caution*. We did something similar as part of testing a new DNS product, and found that any such list of domain names needed to be *manually* vetted before being used as input to a DNS-based blackhole system. We also found that we had to explicitly whitelist a number of domains (generated by Conficker but registered many years ago and pretty clearly legit).

Steinar Haug, Nethelp consulting, sth...@nethelp.no
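The vetting step described above, as an added example that is not part of the thread and not Nethelp's code: a candidate list is normalised, checked against an explicit allowlist (matching the domain and any parent domain), and only turned into blackhole records once a human has marked the list as vetted. The candidate names, the allowlist entries and the BIND RPZ-style output format are assumptions; no DGA is implemented here.

```python
"""Turn a vetted list of candidate DGA domains into DNS blackhole records,
honouring a manual allowlist.  Added example with constructed data."""

# Constructed sample feed: mixed case, trailing dots, duplicates, blanks.
# Placeholders shaped like DGA names, not real Conficker output.
CANDIDATES = [
    "qwzjklm.example.net", "QWZJKLM.example.net.", "www.railway-example.fr",
    "tv-example.fr.", "hjkfgda.example.org", "",
]

# Constructed allowlist: names that turned out to be long-registered,
# legitimate sites (placeholders for the .FR registrants in the thread).
ALLOWLIST = {"railway-example.fr", "tv-example.fr"}


def normalize(name):
    """Lower-case and strip the trailing dot so comparisons are exact."""
    return name.strip().rstrip(".").lower()


def is_allowlisted(name, allowlist):
    """True if the name itself or any parent domain (not the bare TLD) is allowlisted."""
    labels = name.split(".")
    return any(".".join(labels[i:]) in allowlist for i in range(len(labels) - 1))


def build_blackhole(candidates, allowlist, vetted=False):
    """Return (blocked, skipped); refuse to run on a list nobody has reviewed."""
    if not vetted:
        raise ValueError("candidate list must be manually vetted before use")
    blocked, skipped, seen = [], [], set()
    for raw in candidates:
        name = normalize(raw)
        if not name or name in seen:
            continue
        seen.add(name)
        (skipped if is_allowlisted(name, allowlist) else blocked).append(name)
    return sorted(blocked), sorted(skipped)


def rpz_records(blocked):
    """RPZ-style records: CNAME to '.' answers NXDOMAIN; the wildcard covers subdomains."""
    lines = []
    for name in blocked:
        lines.append(f"{name} CNAME .")
        lines.append(f"*.{name} CNAME .")
    return lines


if __name__ == "__main__":
    blocked, skipped = build_blackhole(CANDIDATES, ALLOWLIST, vetted=True)
    print("\n".join(rpz_records(blocked)))
    print("allowlisted, not blocked:", skipped)
```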