Blocking malware URL lookup using BIND

Matthew Seaman m.seaman at infracaninophile.co.uk
Tue Oct 25 09:17:29 UTC 2011


On 25/10/2011 10:03, babu dheen wrote:
>  We are seeing a huge number of malware requests going to malware domains, performed by some malware-infected clients. 
>  
>  All malware-infected clients are trying to reach the URLs below. We would like to know how we can block this: if any DNS query comes for the *****.-0-0-0-0-0-0-0-0-0-0.info domain, it should be redirected to 127.0.01.
>  
>  Sample malware domains
>  
>  2-4-z-g-0-9-4-3-4-8-p-5-r-i-f-3-0-b-3-y-5-a-8-e-0-y-z-s-0-7-q-.0-0-0-0-0-0-0-0-0-0-0-0-0-21-0-0-0-0-0-0-0-0-0-0-0-0-0.info
>  
> u-r-k-w-5-b-s-7-m-2-p-s-n-j-2-7-3-3-1-q-2-0-i-5-g-9-1-i-0-p-7-.0-0-0-0-0-0-0-0-0-0-0-0-0-41-0-0-0-0-0-0-0-0-0-0-0-0-0.info
>  
> 9-9-e-d-p-b-2-e-r-c-7-1-3-p-v-5-0-b-3-1-1-n-3-h-4-9-i-6-1-r-7-.0-0-0-0-0-0-0-0-0-0-0-0-0-6-0-0-0-0-0-0-0-0-0-0-0-0-0.info

This is exactly what RPZ was designed for:

http://www.isc.org/files/TakingBackTheDNSrpz2.pdf

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
JID: matthew at infracaninophile.co.uk               Kent, CT11 9PW
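
Added example (not part of the original message, and not ISC's code): DNS wildcards, RPZ triggers included, only match in the leftmost label, so the varying second-level label in the samples above cannot be covered by one record. This sketch derives the domain to block from each logged query name and emits RPZ records that answer with 127.0.0.1. The zone name "rpz.local", the SOA/NS values and the name pattern (inferred from the three samples) are assumptions.

```python
import re

# Assumption: the policy zone is called "rpz.local" (hypothetical) and is
# enabled in named.conf with:  response-policy { zone "rpz.local"; };
SINKHOLE = "127.0.0.1"  # redirect target asked for in the question

# Query names quoted in the question above.
SAMPLES = [
    "2-4-z-g-0-9-4-3-4-8-p-5-r-i-f-3-0-b-3-y-5-a-8-e-0-y-z-s-0-7-q-"
    ".0-0-0-0-0-0-0-0-0-0-0-0-0-21-0-0-0-0-0-0-0-0-0-0-0-0-0.info",
    "u-r-k-w-5-b-s-7-m-2-p-s-n-j-2-7-3-3-1-q-2-0-i-5-g-9-1-i-0-p-7-"
    ".0-0-0-0-0-0-0-0-0-0-0-0-0-41-0-0-0-0-0-0-0-0-0-0-0-0-0.info",
    "9-9-e-d-p-b-2-e-r-c-7-1-3-p-v-5-0-b-3-1-1-n-3-h-4-9-i-6-1-r-7-"
    ".0-0-0-0-0-0-0-0-0-0-0-0-0-6-0-0-0-0-0-0-0-0-0-0-0-0-0.info",
]

# Assumed shape: single characters each followed by "-", then a second-level
# label of hyphen-separated numbers, then "info".
SUSPECT = re.compile(r"^(?:[a-z0-9]-)+\.((?:\d+-)+\d+\.info)\.?$")

def trigger_domain(qname):
    """Return the second-level domain to block, or None if qname does not match."""
    m = SUSPECT.match(qname.strip().lower())
    return m.group(1) if m else None

def rpz_records(qnames):
    """One record for each matched domain and one wildcard for its subdomains."""
    domains = sorted({d for d in map(trigger_domain, qnames) if d})
    lines = []
    for d in domains:
        # Owner names are relative to the policy zone, so no trailing dot.
        lines.append(f"{d}\tIN A {SINKHOLE}")
        lines.append(f"*.{d}\tIN A {SINKHOLE}")
    return lines

def rpz_zone(qnames, serial=1):
    """Full zone-file text for the policy zone (SOA and NS values are placeholders)."""
    header = [
        "$TTL 300",
        f"@\tIN SOA localhost. root.localhost. {serial} 3600 600 86400 300",
        "@\tIN NS localhost.",
    ]
    return "\n".join(header + rpz_records(qnames)) + "\n"

if __name__ == "__main__":
    print(rpz_zone(SAMPLES), end="")
```

Feed it the query names from the resolver's query log and bump the serial on each regeneration so the policy zone reloads.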



More information about the bind-users mailing list