DNS Sinkhole in BIND

Phil Mayers p.mayers at imperial.ac.uk
Mon Oct 17 18:19:39 UTC 2011


On 10/17/2011 06:38 PM, babu dheen wrote:
> You are absolutely correct Chris.. I want to block/redirect all malware
> domain requests initiated by clients by setting up a DNS sinkhole in a Redhat
> BIND server.

In older versions of bind, you needed to create a local zone per malware 
domain (or hostname). There's no special config - just a really big, 
long, list of zones. One problem - there can be hundreds or thousands, 
even tens of thousands of zones - and this makes bind slow to start, and 
use more RAM.

Example:

zone "www.badstuff.com" {
   type master;
   file "data/malware-common";
};

...and in data/malware-common:

$TTL 3H
@       IN SOA  @ rname.invalid. (
                                         0       ; serial
                                         1D      ; refresh
                                         1H      ; retry
                                         1W      ; expire
                                         3H )    ; minimum
         NS      @               ; the zone is its own nameserver
         A       127.0.0.1       ; IPv4 sinkhole address
         AAAA    ::1             ; IPv6 sinkhole address

...adjust the A/AAAA records if you want to redirect.

In newer versions of bind, there is RPZ - response policy zone - where 
you create a zone e.g. "malware-list.example.com" and put policy records 
in it e.g. "www.badstuff.com.malware-list.example.com". Bind honours the 
RPZ when clients make a query.

Example - see section 6.2.16.20 of the Bind 9.8 ARM:

http://ftp.isc.org/isc/bind9/cur/9.8/doc/arm/Bv9ARM.pdf
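As an added illustration (not part of Phil's post or of BIND's own documentation), here is a small POSIX shell script that turns a plain blocklist into both forms he describes: the older one-zone-per-domain named.conf stanzas, and a single RPZ zone file plus the response-policy stanza that enables it. The sample domains, the RPZ zone name "malware-list.example.com" and the file paths are constructed/assumed values; the RPZ record syntax ("CNAME ." for NXDOMAIN, an A/AAAA record to redirect, "*.domain" owners for wildcards) is the one documented in the BIND ARM section linked above.

```shell
#!/bin/sh
# Added example: generate BIND sinkhole configuration from a plain domain list.
#   gen_legacy_zones   - one "zone" stanza per domain (older-BIND approach)
#   gen_rpz_zone       - one RPZ zone file with a policy record per domain
#   gen_rpz_named_conf - the named.conf pieces that switch RPZ on
# Domain names, zone name and paths below are constructed for illustration.

# Constructed sample blocklist: one entry per line, '#' comments and blank
# lines allowed, "*.domain" blocks everything under a domain (RPZ only).
SAMPLE_LIST='# constructed sample list
www.badstuff.com
evil.example.net

*.dropzone.example.org
'

# Normalise the list: strip comments, whitespace and trailing dots, lower-case.
clean_list() {
    printf '%s\n' "$1" \
      | sed -e 's/#.*//' -e 's/[[:space:]]//g' -e 's/\.$//' \
      | tr 'A-Z' 'a-z' \
      | grep -v '^$'
}

# Older style: one master zone per domain, all pointing at the shared
# data/malware-common file shown in the post. A wildcard cannot be a zone
# name, so such entries are reported on stderr and skipped.
gen_legacy_zones() {
    clean_list "$1" | while IFS= read -r d; do
        case "$d" in
            \*.*) echo "skipping wildcard $d: needs RPZ" >&2; continue ;;
        esac
        printf 'zone "%s" {\n   type master;\n   file "data/malware-common";\n};\n' "$d"
    done
}

# RPZ style: one zone file. Each owner name is the blocked domain with the
# RPZ zone name appended. The default action "CNAME ." returns NXDOMAIN;
# pass e.g. "A 127.0.0.1" as the third argument to redirect instead.
gen_rpz_zone() {
    rpz_zone=${2:-malware-list.example.com}
    action=${3:-CNAME .}
    printf '$TTL 1H\n'
    printf '@ IN SOA localhost. rname.invalid. ( 1 1D 1H 1W 1H )\n'
    printf '  NS localhost.\n'
    clean_list "$1" | while IFS= read -r d; do
        printf '%s.%s. %s\n' "$d" "$rpz_zone" "$action"
    done
}

# named.conf fragments: merge the response-policy line into your existing
# "options" block and add the zone declaration alongside your other zones.
gen_rpz_named_conf() {
    rpz_zone=${1:-malware-list.example.com}
    printf 'options {\n    response-policy { zone "%s"; };\n};\n' "$rpz_zone"
    printf 'zone "%s" {\n    type master;\n    file "data/%s.rpz";\n};\n' \
        "$rpz_zone" "$rpz_zone"
}

# Demo when run directly: print the RPZ config and zone for the sample list.
gen_rpz_named_conf
gen_rpz_zone "$SAMPLE_LIST"
```

Run it, redirect the output of gen_rpz_zone into data/malware-list.example.com.rpz, reload named, and verify with "dig @127.0.0.1 www.badstuff.com" that the answer is NXDOMAIN (or the sinkhole address, if you chose the A-record action).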
