
Thread: This is _too_ Beautiful to ignore

  1. #11
    Senior Member
    Join Date
    Aug 2003
    Posts
    224
    Thanks a lot Tigershark.... Now I have something to do ..
    I looked on my 2003 Domain Controller and found the Boot file under winnt\system32\dns\samples ....
    This looks real promising.... Trying to determine if I should do it on the primary or backup DC......
    There are many rewarding opportunities awaiting composure from like minds and great ideas. It is my objective to interconnect great things.

  2. #12
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    I'm figuring that I will have to do it manually unless this chap updates his list.

    Matt Jonkman at Bleeding Snort implied that he was going to make rules for all the domains in there. My guess is that at some point Bleeding Snort's list will match this one. Then, after that, whatever Bleeding Snort adds would be a candidate for the DNS.
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  3. #13
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,325
    Originally posted here by fraggin
    Thanks a lot Tigershark.... Now I have something to do ..
    I looked on my 2003 Domain Controller and found the Boot file under winnt\system32\dns\samples ....
    This looks real promising.... Trying to determine if I should do it on the primary or backup DC......
    Make sure to read the DOCs before you do this. The winnt\system32\dns\samples is not the boot file you want. You have to change over from registry to file and a new boot file will be created and put in winnt\system32\dns\

    I didn't have the problem that TS had with the " before 2 entries... so maybe it's already updated?
    I'll grab a copy and check it from time to time to see if it has changed.

    It was actually a pretty easy setup.

    One thing I'm wondering... at the end of the page, it says
    "If you are using a proxy server, then be careful about using 127.0.0.1, which may overload the proxy."

    Why would it overload the proxy?

    If a source queries a dns server which points them to 127.0.0.1, it will simply try to connect to itself.

    Unless... the proxy is handling the web requests first and then the proxy will query the dns servers and resolve to localhost on itself. In this case using 0.0.0.0 would be better than using 127.0.0.1.
    Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you've saved, how much you haven't smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.

  4. #14
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,325
    The article discusses doing this on your primary DNS servers. We all know that the primary DNS servers in a Windows AD domain are the AD controllers themselves and that the DNS is held within the registry. He suggests that you can do this with AD but that you need to change your domain DNS from "AD Integrated" to "Standard Primary" in order to make this work since the zones need to be loaded from file. If you are a Win200X admin like me the thought of messing with the domain DNS is a lot like looking for a gas leak with a match...... But all is not lost.
    I was wondering if one can just create a DNS server that is not an AD Integrated DNS server but just a standard primary, and then forward the AD Integrated DNS servers to the DNS server(s) you set up just for the spyware lookups. Then the forwarders can go out to your public DNS servers.

    Or... would that just be more overhead and a waste of resources than is needed?

  5. #15
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Phish: That's _effectively_ what I did. I used my public servers that are only standard primaries and secondaries for my public domain resources. My internal services use those as forwarders and are not allowed to contact the root servers themselves. Thus, if a domain is requested internally the AD servers ask the public DNS servers for resolution. If you were silly enough to use my public DNS servers to resolve coolwebsearch.com then you will get 127.0.0.1.... Frankly, if you are silly enough to use my DNS servers rather than the servers the root servers point to for those domains then it's your silly fault if you can't get to your spyware....

    So your thought of an additional DNS server is good. Put it in the DMZ and only allow it to house public records for your domain and you would have a nice split DNS setup like mine which, in the long run, is more secure. It can't be conned into giving up information about my internal zones because it has no idea of the structure.

  6. #16
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,325
    Yeah, I thought it would be a better setup. However, I have no public servers on my network, so there is no need to put them in the DMZ?

    One thing that I'm worried about though...

    From my previous post...

    One thing I'm wondering... at the end of the page, it says
    "If you are using a proxy server, then be careful about using 127.0.0.1, which may overload the proxy."

    Why would it overload the proxy?

    If a source queries a dns server which points them to 127.0.0.1, it will simply try to connect to itself.

    Unless... the proxy is handling the web requests first and then the proxy will query the dns servers and resolve to localhost on itself. In this case using 0.0.0.0 would be better than using 127.0.0.1.
    I guess the only way to find out who is contacting the DNS servers is to sniff it.
    Or... I can just check out the logs. I'm not responsible for the DNS servers or the proxy... so I really had no reason to think about it before.

    I never really paid attention to find out if it is the clients who are resolving via dns and the proxy grabs the page, or if the proxy is resolving and grabbing the pages.

    I surely don't want to overload the proxy servers by constantly referring them to localhost.

    Any insight?

    My instinct tells me that the clients are resolving and then the proxy is serving the pages. I say this because there is a different set of DNS addresses in my proxy and is not pointed to the test server. If I just try to pull up any spyware page/domain, it rejects because it is pointing back to my machine which has no HTTP servers running.

  7. #17
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Dunno... never used a proxy... But yeah, on a large network with a "healthy" infestation it could cause an issue I suppose.

    OTOH, I have 650 workstations and while I have done some cleanup and prevention stuff my Bleeding Snort malware logs were only showing 30-40 detections a day. So, let's assume I'm only detecting 1/10th of all the malware.... That's 400/day at worst... What <10/hour? So, if you have done some prior cleanup and prevention I would suggest that the load wouldn't be that high with 650 workstations on the network.

    I'd be inclined to warn the owners of the proxy server(s) that you are going to try it and then have them monitor. If it causes an issue it's pretty easy to reverse - just remove all the pointers to the domains from the Boot file.

  8. #18
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,325
    TS: One you may want to add that is part of that DNS cache poisoning.

    From http://isc.sans.org/diary.php?date=2005-03-04

    7sir7.com

    7sir.com is already in there along with the other two they reference... 123xxl.com and abx4.com

  9. #19
    This is GREAT! We have put this up at work and it rocks...works as advertised.

    I also threw together a quick Perl script which pulls down a spyware hosts file from MVPS.org, parses it and creates a zone file with the domains contained in the file. It also checks for and throws away duplicates comparing against the existing zones in the BleedingSnort file. It's very basic and I'm not an experienced Perl scripter at all...so you have permission to laugh at some of the code inefficiencies...lol. Hey, it works at least. Also, very very little documentation since it was thrown together quickly.

    One enhancement could be to simply add the MVPS.org domains to the existing BleedingSnort zones file rather than creating a new one as this script does.

    Enjoy.

  10. #20
    Junior Member
    Join Date
    Mar 2005
    Posts
    6
    I'm reading this thread with great interest since I'm one of the people who originally put the DNS Black-Hole file together.

    A few comments:
    - Someone told me that a proxy server will connect back to itself if everything resolves to 127.0.0.1, and may overload itself.
    - If anyone can write up special instructions or comments about running this in Active Directory, I'd be happy to post it on the Bleeding Snort web site.
    - I purposely left out the MVPS list (and others) since it contains many *ad servers*, which most corporations may not want to block.
    - I'm adding about 1500 CoolWebSearch domains within the next day or two.
    - I just noticed the problem with the space on the first line; I'll fix this as soon as I can.
    - I believe you can use something like "wget" (http://www.interlog.com/~tcharron/wgetwin.html) to download the file as a scheduled task ("wget http://www.bleedingsnort.com/blackhole-dns/files/BOOT").

    The files are in something called CVS, so there should be a CVS app which downloads only the modifications and then changes the main file (to avoid a big download). Personally, I always download these things manually (after making a few backup copies) since if there's a mistake in the file then you've hosed your DNS server...

    Thanks for testing the zone file. If you get a chance, please post comments to the bleedingsnort malware forum!
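The hosts-file-to-zone conversion described in post #19 and the "check the file before it hits your DNS server" habit from post #20, written up as an added Python example. This is not the poster's Perl script and not a Bleeding Snort file. It assumes the BOOT file uses BIND-4-style `primary <domain> <zonefile>` lines (the syntax the Windows DNS file-based boot file accepts) with one shared zone file whose wildcard record points at the sinkhole address, so a zone for a parent domain already covers its subdomains. The hosts and BOOT contents embedded below are constructed samples, and the function names are my own.

```python
"""
Turn a hosts-format block list into black-hole boot-file entries, skipping
anything an existing BOOT file already covers, and flag BOOT lines that would
not load cleanly (a leading space, a stray quote) before the file is deployed.

Assumptions (not from the thread): BIND-4-style "primary <domain> <zonefile>"
lines, one shared sinkhole zone file with a wildcard record. Sample data below
is constructed for this demonstration.
"""
import re

# Names every hosts file carries that must never be black-holed.
NEVER_BLOCK = {"localhost", "localhost.localdomain", "broadcasthost", "local"}

BOOT_LINE = re.compile(r"^primary\s+(\S+)\s+(\S+)\s*$")
HOSTNAME = re.compile(
    r"^(?=.{1,253}$)[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
    r"(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)+$"
)
OTHER_DIRECTIVES = ("directory", "cache", "forwarders", "secondary", "slave", "options")


def parse_hosts(text):
    """Return the set of hostnames in a hosts-format file: an address, then one
    or more names; '#' starts a comment. Invalid names are dropped."""
    names = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        for name in line.split()[1:]:          # field 0 is the address
            name = name.lower().rstrip(".")
            if name not in NEVER_BLOCK and HOSTNAME.match(name):
                names.add(name)
    return names


def parse_boot(text):
    """Return (zones, problems). zones: domains declared by 'primary' lines.
    problems: (line_no, reason) for lines the server would choke on."""
    zones, problems = set(), []
    for no, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith((";", "#")):
            continue
        if raw != raw.lstrip():
            problems.append((no, "leading whitespace"))   # still counted below
        if '"' in raw:
            problems.append((no, "stray quote character"))
            continue
        m = BOOT_LINE.match(raw.strip())
        if m:
            zones.add(m.group(1).lower().rstrip("."))
        elif not raw.strip().startswith(OTHER_DIRECTIVES):
            problems.append((no, "unrecognised directive"))
    return zones, problems


def covered(name, zones):
    """True if the host, or any parent domain of it, is already a zone."""
    labels = name.split(".")
    return any(".".join(labels[i:]) in zones for i in range(len(labels)))


def new_boot_lines(hosts_text, boot_text, zonefile="blockeddomain.hosts"):
    """Boot-file lines for hosts the existing BOOT file does not cover yet."""
    existing, _ = parse_boot(boot_text)
    candidates = {n for n in parse_hosts(hosts_text) if not covered(n, existing)}
    # A new zone for a parent domain makes entries for its subdomains redundant.
    fresh = sorted(n for n in candidates if not covered(n, candidates - {n}))
    return [f"primary {n} {zonefile}" for n in fresh]


# Constructed sample inputs (not real block lists).
SAMPLE_HOSTS = """\
# MVPS-style hosts file (constructed sample)
127.0.0.1 localhost
0.0.0.0 www.example-spyware.test
0.0.0.0 ads.example-tracker.test  # comment after entry
0.0.0.0 example-spyware.test
0.0.0.0 cdn.already-listed.test
0.0.0.0 not_a_valid_host
"""

SAMPLE_BOOT = """\
; constructed sample BOOT file
directory c:\\winnt\\system32\\dns
cache . cache.dns
primary already-listed.test blockeddomain.hosts
 primary whitespace-problem.test blockeddomain.hosts
primary "quoted-problem.test" blockeddomain.hosts
"""

if __name__ == "__main__":
    for no, reason in parse_boot(SAMPLE_BOOT)[1]:
        print(f"BOOT line {no}: {reason}")
    print("\n".join(new_boot_lines(SAMPLE_HOSTS, SAMPLE_BOOT)))
```

Run the problem check against the freshly downloaded BOOT file before copying it over the live one; it would have caught both the leading-space line and the stray `"` entries mentioned earlier in the thread. The dedup step is what keeps a combined MVPS plus Bleeding Snort file from carrying duplicate or redundant `primary` lines.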
