[unisog] spyware control through black-hole DNS

John Kristoff jtk at northwestern.edu
Wed Feb 1 21:21:50 GMT 2006


On Wed, Feb 01, 2006 at 11:03:50AM +1300, Russell Fulton wrote:
> The URL below describes one approach to dealing with spyware.
> http://www.bleedingsnort.com/blackhole-dns/
> 
> We are thinking of trialling this on our campus DNS servers.  Has anyone
> else done this? Any gotchas that you can think of?

There have been reports, though I don't recall seeing this recently,
where malware will not use the locally configured recursive server(s).
In that case, if you are allowing DNS queries to the outside world,
then it will bypass that solution.

Sometimes depending on the answer you give back, you get varying
results.  In my experience, Windows machines tend to react best
when they get either 127.0.0.0 or 127.255.255.255 as compared to
127.0.0.1 for example.  Do some experiments yourself and you'll
see why.  In a nutshell, you don't want the client system to
generate any more traffic than necessary.  Actually, I think there
was a reason 127.0.0.0 was preferred over 127.255.255.255. I think
the former is basically an error for Windows and the latter
just doesn't solicit a response.

Note, if a different group manages DNS and the people watching
network traffic want to see when this sort of thing occurs, you
might want to point it at something that will reach the router.

John
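An added example, not part of John's post or of the bleedingsnort project, covering the two gotchas raised above: spotting hosts that bypass the campus resolvers by sending DNS straight to outside servers, and counting how often each host still gets the black-hole answer. The resolver addresses, the sinkhole answer and the log format are assumptions chosen for the example.

```python
"""Analyse constructed flow/DNS log lines for (1) hosts talking DNS to
non-campus resolvers (the bypass John describes) and (2) per-host counts of
queries answered with the black-hole address (hosts still looking up
sinkholed names)."""
from collections import Counter, defaultdict

# Assumed values (hypothetical, not from the post): the campus recursive
# resolvers and the address the black-hole zones answer with.
CAMPUS_RESOLVERS = {"10.0.0.53", "10.0.1.53"}
SINKHOLE_ANSWER = "127.0.0.0"

# Constructed sample log: "<src> <dst> <proto>/<dport> <qname> <answer>"
SAMPLE_LOG = """\
10.0.5.20 10.0.0.53 udp/53 www.example.edu 192.0.2.10
10.0.5.20 10.0.0.53 udp/53 bad.example.net 127.0.0.0
10.0.7.9 198.51.100.1 udp/53 bad.example.net 198.51.100.99
10.0.7.9 198.51.100.1 udp/53 evil.example.org 198.51.100.98
10.0.5.20 10.0.0.53 udp/53 evil.example.org 127.0.0.0
10.0.9.3 10.0.1.53 udp/53 www.example.edu 192.0.2.10
10.0.7.9 10.0.0.53 tcp/53 bad.example.net 127.0.0.0
"""


def parse_line(line):
    """Split one constructed log line into its fields."""
    src, dst, proto_port, qname, answer = line.split()
    proto, port = proto_port.split("/")
    return {"src": src, "dst": dst, "proto": proto,
            "port": int(port), "qname": qname, "answer": answer}


def analyse(log_text):
    """Return (bypassers, sinkhole_hits).

    bypassers: host -> sorted list of non-campus DNS servers it queried.
    sinkhole_hits: host -> number of queries answered with SINKHOLE_ANSWER.
    """
    bypassers = defaultdict(set)
    sinkhole_hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec["port"] != 53:          # only DNS traffic is of interest
            continue
        if rec["dst"] not in CAMPUS_RESOLVERS:
            bypassers[rec["src"]].add(rec["dst"])
        elif rec["answer"] == SINKHOLE_ANSWER:
            sinkhole_hits[rec["src"]] += 1
    return {h: sorted(d) for h, d in bypassers.items()}, dict(sinkhole_hits)


if __name__ == "__main__":
    bypass, hits = analyse(SAMPLE_LOG)
    print("hosts bypassing campus resolvers:", bypass)
    print("sinkhole answers per host:", hits)
```

The bypass list is what a firewall rule restricting outbound port 53 to the campus resolvers would block; the hit counts show which hosts keep asking for sinkholed names and deserve a look.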

