Threat Level: green Handler on Duty: Manuel Pelaez

SANS ISC InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

DNS Sinkhole Scripts Fixes/Update

Published: 2012-01-21
Last Updated: 2012-01-21 22:29:28 UTC
by Guy Bruneau (Version: 1)
4 comment(s)

In October 2011 [1], I released an update for the main parser script used to generate the BIND/PowerDNS configuration files. This release of the sinkhole_parser.sh script contains some important fixes, including a rewrite of the section that parses the multiple sites into 2 separate lists: site_specific_sinkhole.conf (host web list) and entire_domain_sinkhole.conf (domain wildcard web list). The script contains new lists that were not part of the 7 July 2011 release.

The script contains a fix for parsing and loading records into PowerDNS database where sometimes it would fail indicating that a record was already loaded. It has been fixed in both the sinkhole_parser.sh and powerdns_sinkhole_logs.sh (located in /usr/local/sbin) used in Webmin to load records from the GUI.

A new script, search.sh (/root/scripts) has been added to provide a search capability in Webmin (two files copied to /etc/webmin/dns-sinkhole) of the BIND DNS Sinkhole lists to verify if a particular host or domain is listed in the sinkhole.

The script is available on the handler's server here with the MD5 here. You can either untar the tarball in / or move the scripts in the location indicated in this diary.

[1] http://isc.sans.edu/diary.html?storyid=11818
[2] http://handlers.dshield.org/gbruneau/
[3] http://handlers.dshield.org/gbruneau/dns-sinkhole/dns-sinkhole-scripts.tgz

-----------

Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu

Keywords: DNS Sinkhole
4 comment(s)
Diary Archives