Source: Here.

Stop Malware with DNS.....

Imagine trying to add every primary zone you can find that is a source of spyware/malware into your DNS servers so that those bad domains resolve to, (or anywhere other than the actual site). It would just be too much work. As the article above describes, there is a nice easy way to do it; it works so nicely and takes less than 30 minutes.

The article discusses doing this on your primary DNS servers. We all know that the primary DNS servers in a Windows AD domain are the AD controllers themselves and that the DNS is held within the registry. The author suggests that you can do this with AD, but that you need to change your domain DNS from "AD Integrated" to "Standard Primary" to make it work, since the zones need to be loaded from file. If you are a Win200X admin like me, the thought of messing with the domain DNS is a lot like looking for a gas leak with a match... But all is not lost.

Properly managed DNS in an AD domain should be what is known as split (or double) DNS. The AD servers should be entirely internal, with access to them from the internet blocked. These servers hold both the public and the private records for your domain. They should be configured to use forwarders, and those forwarders should be your public DNS servers in the DMZ. The AD servers should be the only internal machines allowed to make outbound DNS requests, and they should only be allowed to send those requests to the public servers in the DMZ, which keeps their existence hidden. The public DNS servers should hold only your public records and no information about internal hosts. They should accept requests from anywhere on the internet and resolve your public domain resources to wherever on the internet those resources live.

With that system in place you can quite happily implement the suggestions in the article. It works very nicely and kills access to some 2470 domains (not just web pages but entire domains and all their subdomains). Be aware that if the malware has the IP address hard-coded rather than the domain name, the host will still be contacted. Domain names are the common case, though, precisely because blocking IPs at the firewall can be rendered ineffective by changing the IP, and DNS would still resolve the name to the new address; that is exactly where blocking the name instead catches it.

Note of warning: the DNS boot file currently available for download contains two errors that prevent the DNS service from starting. Both are lines where the domain name begins with a " (double quote); just search for them and remove them.
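Since a hand-edited boot file with a couple of thousand zones is easy to get wrong, here is a small script that turns a blocklist into the `primary` lines for the boot file, writes the shared sinkhole zone file, and flags exactly the fault described above (a zone name starting with a double quote). This is an added example written for this post, not code from the linked article or its download. It assumes the BIND-style boot file syntax `primary <zone> <file>` (the format the Windows DNS file-loaded mode reads), a shared zone file named `sinkhole.dns`, and `0.0.0.0` as a placeholder sink address; the blocklist entries are constructed samples.

```python
"""Build and sanity-check a BIND-style DNS boot file that sinkholes a malware
domain list.  Added example for this post, not code from the linked article.
Assumptions (labelled): the boot file uses `primary <zone> <file>` lines, every
sinkholed zone shares one zone file, and 0.0.0.0 stands in for whatever
unroutable address you choose as the sink."""
import re

SINK_IP = "0.0.0.0"          # constructed placeholder; pick your own sink address
ZONE_FILE = "sinkhole.dns"   # assumed name of the shared zone file

# Constructed sample list: two usable entries, one name with the stray leading
# double quote the post warns about, one garbage name, and one subdomain that a
# parent zone already covers (a zone sinkholes all of its subdomains).
SAMPLE_BLOCKLIST = [
    "bad-example.test",
    '"quoted-example.test',
    "Tracker.Example.",
    "sub.bad-example.test",
    "not a domain!",
]

# One DNS label: 1-63 chars of letters, digits or hyphen, no leading/trailing hyphen.
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def is_valid_domain(name: str) -> bool:
    """RFC 1035-style hostname check on an already-normalised (lower-case) name."""
    return 0 < len(name) <= 253 and all(LABEL_RE.match(l) for l in name.split("."))


def clean_domains(raw_names):
    """Normalise, validate and de-duplicate a blocklist.
    Returns (zones, rejected) where rejected is a list of (raw_entry, reason)."""
    kept, rejected = set(), []
    # Names with fewer labels first, so a parent zone is accepted before its subdomains.
    for raw in sorted(raw_names, key=lambda n: n.count(".")):
        name = raw.strip().rstrip(".").lower()
        if name.startswith('"'):
            rejected.append((raw, "leading double quote breaks service start-up"))
            continue
        if not is_valid_domain(name):
            rejected.append((raw, "not a valid domain name"))
            continue
        if any(name.endswith("." + z) for z in kept):
            rejected.append((raw, "already covered by a parent zone"))
            continue
        kept.add(name)
    return sorted(kept), rejected


def boot_file_lines(zones, zone_file=ZONE_FILE):
    """One `primary` directive per sinkholed zone, all backed by the same file."""
    return [f"primary {z} {zone_file}" for z in zones]


def sinkhole_zone_file(sink_ip=SINK_IP):
    """Minimal zone file: SOA, NS, and A records for the apex and a wildcard,
    so the zone and every name under it resolve to the sink address."""
    return "\n".join([
        "$TTL 3600",
        "@  IN SOA  localhost. hostmaster.localhost. ( 1 3600 900 604800 3600 )",
        "@  IN NS   localhost.",
        f"@  IN A    {sink_ip}",
        f"*  IN A    {sink_ip}",
    ]) + "\n"


def find_bad_boot_lines(boot_text):
    """Return (line_no, line) for `primary` directives whose zone name begins
    with a double quote: the fault the post describes in the downloaded file."""
    bad = []
    for no, line in enumerate(boot_text.splitlines(), 1):
        parts = line.split()
        if len(parts) >= 2 and parts[0].lower() == "primary" and parts[1].startswith('"'):
            bad.append((no, line))
    return bad


if __name__ == "__main__":
    zones, rejected = clean_domains(SAMPLE_BLOCKLIST)
    print("\n".join(boot_file_lines(zones)))
    for raw, why in rejected:
        print(f"dropped {raw!r}: {why}")
    print(sinkhole_zone_file())
    # Constructed boot fragment with one broken line, to show the checker in use.
    print(find_bad_boot_lines('primary "evil.test sinkhole.dns\nprimary ok.test sinkhole.dns'))
```

Run the checker over the downloaded boot file before restarting the service; fix or drop every line it reports. The generator deliberately drops subdomains whose parent is already listed, because one `primary` zone already answers for everything beneath it, which keeps the boot file short and avoids duplicate-zone load errors.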

I really like this.... nicely creative.....