DNS Sinkhole Parser Script Update

DNS Sinkhole Parser Script Update
Those using the DNS Sinkhole ISO that I have made available on the Whitehats.ca site can now download the most current version of sinkhole_parser.sh script between new ISO releases. The script contains new lists that were not part of the 7 July 2011 release. The script is available on the handler's server here with the MD5 here. DNS Sinkhole using your own BIND Server I have posted all the necessary scripts use in the ISO if you want to use your own BIND setup. The tarball is available here with the MD5 here. Follow the instructions posted on this page to get started. [1] http://handlers.dshield.org/gbruneau/ ----------- Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu	Guy 499 Posts ISC Handler Oct 15th 2011
Thread locked Subscribe	Oct 15th 2011 9 years ago
Can you give me document to install and configure DNS Sinkhole for BIND in Redhat Linux 32 Bit server. Kindly help if you have any.	Anonymous
Quote	Oct 16th 2011 9 years ago
Badu, I indicated in handlers.dshield.org/gbruneau/ that all you need is to download the tarball, untar the file and copy the files from the bind_sinkhole directory to the Linux root (/) filesystem. After the files have been copied to the filesystem, run /root/scripts/sinkhole_parser.sh select D, T and B to populate your DNS Sinkhole. Check this documentation as well whitehats.ca/main/members/Seeker/seeker_sinkhole/…	Guy 499 Posts ISC Handler
Quote	Oct 16th 2011 9 years ago
Sir, Is the document provided in http://www.whitehats.ca/main/members/Seker/seeker_sinkhole/Seeker_DNS_Sinkhole.html website applicable for Redhat Linux where already BIND is running? Regads Babu	Guy 4 Posts
Quote	Oct 17th 2011 9 years ago
Only section 1.2.1 applies. To complete the setup, do: - Edit /etc/named.conf (Note: // is a comment in this file) - If needed, change the allow transfer - If needed, change the allow recursion - Change the list of forwarder to your site list - Ensure your list of include domains matches your site custom lists. This is important when the sinkhole_parser.sh script test the zones for errors and duplicate. Any custom lists you wish to add to your sinkhole (i.e. guy_blacklist.conf) must be included in the named.conf file to be loaded in the sinkhole. The default list is: - site_specific_sinkhole.conf (single = match specific domain) - entire_domain_sinkhole.conf (wildcard = match entire domain) - Save the changes DNS Sinkhole - Hijack domains - Edit the /var/named/sinkhole/client.nowhere and change the 192.168.1.5 IP address to your site sinkhole IP address and save the change. - Edit the /var/named/sinkhole/domain.nowhere which is used to wildcard an entire domain and change the 192.168.1.5 IP address to your site sinkhole IP address (this maybe the same as client.nowhere) and save the change. (wildcard = *.domain.ca) By default, the sinkhole_parser.sh script populates the site_specific_sinkhole.conf and all domains included in this file are putting in the sinkhole just the listed sites.	Guy 499 Posts ISC Handler
Quote	Oct 17th 2011 9 years ago
To those of us wondering what this is for, and unwilling to read the PDF, https://isc.sans.edu/diary.html?storyid=7930	Guy 28 Posts
Quote	Oct 17th 2011 9 years ago
Dear Sir, When i executed sinkhole_parser.sh and selected option A to load individual domain into sinkhole. when i load the zone file using "B" option, i am getting below output but the newly added zone is not showing in /var/named/site_specific_sinkhole.conf file Reloading Bind updated zones... Before the update there was records and after the update there are 3 records server reload successful /bin/rm: cannot remove `final.sorted': No such file or directory /bin/rm: cannot remove `malwaredomains': No such file or directory /bin/rm: cannot remove `/tmp/site_specific_sinkhole.conf': No such file or directory Done DNS Malware list zone updates... number of zones: 3 debug level: 0 xfers running: 0 xfers deferred: 0 soa queries in progress: 0 query logging is OFF recursive clients: 0/1000 tcp clients: 0/100 server is up and running Done reloading Bind zones... Press ENTER to exit ... NEED your advice	Guy 4 Posts
Quote	Oct 23rd 2011 9 years ago
Hi Badu, These are custom sinkhole additions and will be added either custom_single_sinkhole.conf (domain name such as google.com) or custom_wildcard_sinkhole.conf (wilcard domain such as *.google.com) The site_specific_sinkhole.conf file only get populated when you select "D" to download the web lists. As for the errors, the script is getting its count from when the list is downloaded from the web and can be ignored. My guess from your count you did not have anything in your sinkhole before and just added 3. Run a nslookup against the added records and it should show they are in your DNS sinkhole.	Guy 499 Posts ISC Handler
Quote	Oct 23rd 2011 9 years ago
Dear Sir, Thanks for your response. From your update, i have following queries, please let me know 1. As per update, newly added test.com is not added in either custoer_wildcard_sinkhole.conf or custom_sinkhole.conf file either. Below is the output [root@test named]# pwd /var/named [root@test named]# ls -trl *.conf -rw-r--r-- 1 root named 183 Oct 23 10:45 site_specific_sinkhole.conf -rw-r--r-- 1 root named 94 Oct 23 10:45 entire_domain_sinkhole.conf -rw-r--r-- 1 root named 0 Oct 23 10:45 custom_wildcard_sinkhole.conf -rw-r--r-- 1 root named 0 Oct 23 10:45 custom_single_sinkhole.conf 2. Is it possible to implement BIND Sinkhole in secondary DNS servers wherein all zones are maintained in zonefilename.db format?.. meaning is it possible to sink sinkhole files from primary to secondary DNS server automatically 3. As per your documentation, you have updated that it maintain 20,000 malware domain entries. Will the dns name resoltion will be delayed becuase of these many entries maintained in configuraiton file	Guy 4 Posts
Quote	Oct 24th 2011 9 years ago