Saturday, March 15, 2008

DNS-redirection techniques

We talked previously about malwares fighting and containment techniques, today I’ll talk about an interesting way to prevent internal hosts from reaching malicious websites.

Malwares today are more sophisticated, and depend on multi-staged infection, which means that the current code is always updated and replaced by another to add more functions or to use new evasion techniques.

To use DNS-redirection we need to know the original problem first. Malware writer’s aim is to infect as much as possible of machines using many ways, such as Spams, Malicious web pages, or P2P infected shares. Spams and malicious web pages use domain names mostly, and obfuscated or numeric URLs. And we know that to reach any web page in the Internet, the browser needs to translate the domain name to IP.

To imagine an example, Joe received an e-mail about love cards and he as usual (we need user awareness here folks!) will follow the instructions and open the URL ( and visit it to download some lovely cards to send them to his girlfriend … but our friend didn’t realized that it’s not a legitimate cards website, but it’s a fake one that provides malicious malwares instead of cards. And at the moment he downloaded an executable faked card Boom! His computer got infected.

What we can do here to prevent the infection as early as possible? We can use the DNS server to send back “fake and not reachable” replies to the client. Such as the IP of is ( This is called the “Loopback Redirection”. With such reply, there is no way to reach this malicious site and this will give “Web site unavailable” error to the user. Good, let it be, we don’t want the user to access any malicious pages from now on.

You can implement such technique using two ways, while getting the same result. Either using the HOSTFILE, by inserting as many entries as you can with fake answers. Or use your internal DNS server (MS DNS or BIND) to create a “Malware Domains Blacklist Zone”. The latest is the best, because you have a centralized place to control name resolutions.

This is a cheap way to prevent users from accessing such domains. It’s different from Web sites filtering solutions which depend on a database contains millions of URLs and provide policy-based filtering. Here we use the DNS server, which serves every host in the network.

If you want a starting point, visit and download their free blacklists of malicious domains and import them and start prevention.