Saturday, April 14, 2007

DNS Blackhole for Spyware/malware/adware

Everybody should be familiar with DNS blackholes for spam. Many organizations, such as Spamhaus (http://www.spamhaus.com), provide feeds of spammer IP addresses. The listed addresses are not only suspected SMTP source addresses but also the IP addresses of URL domains found inside e-mail bodies.

But not many people are familiar with DNS blackholes for spyware/malware/adware. The way it works is a bit different from the above: it uses a list of domains instead of IP addresses. Using domains is very effective because if the spyware site changes its IP address, it is still caught. In BIND, the configuration looks like this:

zone "coolwebsearch.com" { type master; file "/etc/namedb/blockeddomain.hosts"; };

where coolwebsearch.com is a spyware domain and the blockeddomain.hosts zone file points everything to 127.0.0.1.

A more detailed explanation and the feed of listed spyware/malware domains can be found here:
http://doc.bleedingthreats.net/bin/view/Main/BlackHoleDNS#Configuring_your_DNS_server_Bind
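As an added example (not from the original post or the feed linked above), a POSIX shell script that produces the zone file the post describes and generates one BIND zone statement per domain from a feed; the sample feed, its format and the serial value are assumptions, while the zone file path is the one quoted above.

```shell
#!/bin/sh
# Added example, not from the original post: build the BIND blackhole pieces
# the post describes. Sample feed is constructed; zone path is from the post.
# Zone file shared by every blackholed domain: the apex and every name under
# it (the wildcard) resolve to 127.0.0.1.
write_blackhole_zone() {
    cat <<'EOF'
$TTL 86400
@   IN  SOA localhost. root.localhost. (
            2007041401 ; serial (assumed value)
            3600       ; refresh
            900        ; retry
            604800     ; expire
            86400 )    ; minimum
    IN  NS  localhost.
    IN  A   127.0.0.1
*   IN  A   127.0.0.1
EOF
}

# Reads domains from stdin (one per line, '#' comments allowed) and emits one
# zone statement per domain for named.conf. Entries are lowercased, trailing
# dots dropped, and anything with characters that do not belong in a zone
# name is skipped so a malformed feed line cannot corrupt named.conf.
gen_zone_stanzas() {
    zonefile="$1"
    while IFS= read -r line; do
        d=$(printf '%s' "$line" | tr 'A-Z' 'a-z' \
            | sed 's/^[[:space:]]*//; s/[[:space:]]*$//; s/\.$//')
        case "$d" in
            '' | '#'*) continue ;;
            *[!a-z0-9.-]*) echo "skipping malformed entry: $line" >&2; continue ;;
        esac
        printf 'zone "%s" { type master; file "%s"; };\n' "$d" "$zonefile"
    done
}

# Constructed sample feed, not real indicators.
SAMPLE_FEED='coolwebsearch.com
# comment lines are ignored
Spy.Example.Test.
bad entry with spaces
'

main() {
    write_blackhole_zone
    printf '%s' "$SAMPLE_FEED" | gen_zone_stanzas /etc/namedb/blockeddomain.hosts
}
main
```

Run named-checkconf on the resulting named.conf fragment before reloading, since a single bad stanza stops the whole server from loading.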

If an ISP implements this feature on its DNS servers, unnecessary traffic to spyware/malware websites is reduced and its customers are protected as well.



Note
Spam is e-mail that is both unsolicited by the recipient and sent in substantively identical form to many recipients. Thus, a common synonym for spam is unsolicited bulk e-mail (UBE).
Spyware is computer software that collects personal information about users without their informed consent.
Malware is software designed to infiltrate or damage a computer system without the owner's informed consent.
Adware or advertising-supported software is any software package which automatically plays, displays, or downloads advertising material to a computer after the software is installed on it or while the application is being used.



2 comments:

rendo said...

DNS blackholes are really great.

Indonesian ISPs should set up one dedicated domain to block spam as well as to serve as ad-aware. But for ad-aware, the blackhole seems more like a lame server :D

I once set up rbl.itb.ac.id as an RBL and RHSBL; it already had a lot of entries, but unfortunately the database was lost when the server's HD suddenly died.

Ibrahim / Ibam said...

What a shame, so the RBL was local content? Too bad ID-SIRTI doesn't handle that. Or would you like to work with IM2 to build it again :-)