# A script to build a Response Policy Zone from malwaredomains.com data.
## Background and rationale

The lovely people at RiskAnalytics provide lists of domains known to serve malware at http://www.malwaredomains.com/. They make these available in several formats, including DNS zone files. They don't even charge for the service which is, frankly, awesome!
Many people configure their DNS servers to spoof the zone for each of these domains so that traffic is redirected to 127.0.0.1 (i.e. your own machine). This effectively stops hosts on that network from connecting to those domains and downloading unpleasant stuff. However, if you're running a local webserver, say for development purposes, things can get confusing very quickly!
An alternative is a DNS Response Policy Zone (RPZ). This requires BIND version 9.8 or greater (or another DNS server that supports RPZ). RPZs are much more flexible than the approach above because they give us finer control over what the DNS server tells the client. I have taken the approach that NXDOMAIN is the cleanest way of blocking traffic to these domains, because a web browser will immediately give up on receiving that response. There's no need to worry that a local webserver might interfere with domain blocking.
## What the script does

This script builds an RPZ by including a local set of records (which might be blank), then one line per malware domain. It then reloads BIND to bring the new RPZ into play.
It's a naive little hack that might need some tweaking, in particular:
- `MY_RPZ_RECORDS` should contain your local RPZ stuff. I have records in here to stop my television phoning home and to curtail Windows 10's telemetry.
- `MY_RPZ_ZONE` is the output zone file. This will need both `zone` and `response-policy` stanzas in your BIND configuration.
- `MY_RPZ_ZONE_NAME` is the name of your RPZ zone.
- `MALWARE_URL` is where to get the list of bad domains from. You could be nice and use a local mirror.
- `MALWARE_MIN_LINES` is the minimum number of lines that the script will accept in the bad domains list before it will go any further. This is to stop empty RPZs being generated if the list is empty or very short.
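As an added example (not the project's own script), here is a minimal POSIX shell version of the procedure described above: it takes a local records file and a one-domain-per-line list, refuses to continue when the list has fewer than a minimum number of usable lines, writes a zone file in which every listed domain (and its subdomains) gets an RPZ `CNAME .` record so BIND answers NXDOMAIN rather than 127.0.0.1, and prints the two named.conf stanzas the zone needs. The function names (`count_domains`, `build_rpz_zone`, `reload_rpz`, `named_conf_fragment`), the sample list and the sample local records are all constructed for this example; the list layout (one domain per line, `#` comments) is an assumption about the input format.

```shell
#!/bin/sh
# Added example, not the project's own script. Builds a BIND Response Policy
# Zone in the style the README describes: local records first, then every
# domain from a malwaredomains.com-style list mapped to NXDOMAIN, with a
# minimum-line sanity check before anything is written.
# Assumptions: the list is one domain per line and '#' starts a comment.
# Function names and all sample data below are constructed.

# Constructed sample list (NOT real malwaredomains.com data): mixed case,
# blank and comment lines, to show what the filter has to cope with.
SAMPLE_LIST="$(mktemp)"
cat > "$SAMPLE_LIST" <<'EOF'
# constructed sample list
bad-example.test
malware.invalid

EVIL.EXAMPLE
EOF

# Constructed local records (the README's "stop my television phoning home").
SAMPLE_LOCAL="$(mktemp)"
cat > "$SAMPLE_LOCAL" <<'EOF'
tv-telemetry.example   CNAME .
*.tv-telemetry.example CNAME .
EOF

# Usable lines in a list: drop blank lines and '#' comments.
count_domains() {
    grep -Ev '^[[:space:]]*(#|$)' "$1" | wc -l | tr -d ' '
}

# build_rpz_zone LIST LOCAL_RECORDS OUTPUT ZONE_NAME MIN_LINES
# Writes a complete RPZ zone file. Returns 1 without touching OUTPUT when the
# list is shorter than MIN_LINES, so a failed or truncated download can never
# replace a good zone with an empty one (the MALWARE_MIN_LINES idea).
build_rpz_zone() {
    list="$1"; local_records="$2"; out="$3"; zone_name="$4"; min_lines="$5"
    n="$(count_domains "$list")"
    if [ "$n" -lt "$min_lines" ]; then
        echo "refusing to build $zone_name: $n domains, minimum is $min_lines" >&2
        return 1
    fi
    serial="$(date -u +%Y%m%d%H)"   # hourly serial; bump further for intra-hour reloads
    tmp="$out.tmp"
    {
        printf '$TTL 300\n'
        printf '@ IN SOA localhost. hostmaster.%s. ( %s 3600 600 86400 300 )\n' "$zone_name" "$serial"
        printf '@ IN NS localhost.\n'
        printf '; local policy records\n'
        cat "$local_records"
        printf '; %s domains from the malware list\n' "$n"
        # RPZ "CNAME ." means answer NXDOMAIN. Pointing the name at an A record
        # for 127.0.0.1 instead would hand the request to any local webserver,
        # which is exactly the confusion the README wants to avoid.
        grep -Ev '^[[:space:]]*(#|$)' "$list" \
            | tr '[:upper:]' '[:lower:]' \
            | sort -u \
            | awk '{ printf "%s CNAME .\n*.%s CNAME .\n", $1, $1 }'
    } > "$tmp"
    mv "$tmp" "$out"   # atomic replace: BIND never reads a half-written zone
}

# Tell the running BIND to pick up the new zone (the README's reload step).
# Not run in the demonstration below; needs rndc configured for the local server.
reload_rpz() {
    rndc reload "$1"
}

# The two named.conf stanzas the zone file needs: one to load it as an
# ordinary master zone, one to enable it as a response policy.
named_conf_fragment() {
    cat <<EOF
options {
    response-policy { zone "$1"; };
};
zone "$1" {
    type master;
    file "$2";
    allow-query { localhost; };
};
EOF
}

# Stand-alone demonstration: build the sample zone into a temp file and print it.
DEMO_OUT="$(mktemp)"
build_rpz_zone "$SAMPLE_LIST" "$SAMPLE_LOCAL" "$DEMO_OUT" "rpz.local" 2 && cat "$DEMO_OUT"
```

Two design points worth keeping in any real version: the zone is written to a temporary file and renamed into place, so a reload can never pick up a half-written file, and the minimum-line check runs before anything is written, so a short or empty download leaves the previous zone untouched.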
## What the script doesn't do

- Many things.
## Are patches and issues welcome?

Of course! I don't turn down free help!
25th January 2018