When maintaining a DNS RPZ, how do I put infected users into a walled garden?
Reference Number: AA-00520 | Views: 11031 | Created: 2011-11-01 06:18 | Last Updated: 2017-08-09 20:37

These Techniques Can Be Applied to a Variety of Malware Threats

Although this article was originally written about a specific piece of malware that is no longer a current threat, the techniques discussed can still be useful for blocking the command and control apparatus of current malware.

The well-known computer virus Conficker uses a domain generation algorithm (DGA) to choose up to fifty thousand (50,000) command and control domains per day, so you might hesitate to create an RPZ that contains so many domain names and that changes so much from day to day. In that case you might instead trigger your RPZ rule on the well-known name server names that serve these command and control domains, rather than on each of the 50,000 different (daily) query names. Since the well-known name server names for Conficker's domains are never used by non-malicious domains, it is safe to poison all lookups that depend on these name servers. Here is an example that achieves this result:


The * at the beginning of these CNAME target names is special, and it causes the original query name to be prepended to the CNAME target. So if one of your users tries to visit the Conficker command and control domain (which is a valid Conficker command and control domain name for 19-October-2011), your RPZ-connected recursive name server will send back this answer:     CNAME     A

This example presumes that you've also created the following DNS content, which is not part of the RPZ zone itself but is in one of your other domains.

*     A

Assuming that you're running a web server listening on that always displays a warning message no matter what URI is used, the above RPZ configuration will instruct the web browser of any infected end user to connect to a "server name" consisting of their original lookup name ( prepended to the walled garden domain name ( This is the name which will appear in the web server's log file, and having the full name in that log file will facilitate your analysis as to which users are infected with what virus.
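The following shell session is an added example, not ISC's configuration and not the zone data shown in the original article; all names in it are assumed for illustration: a hypothetical malicious name server `ns1.bad-ns.example` (standing in for the Conficker name server names), a policy zone `rpz.example.net`, a walled-garden domain `garden.example.net`, and a warning web server at 192.0.2.10. It writes the three pieces described above (the `response-policy` stanza, the RPZ zone with an NSDNAME trigger whose CNAME target begins with `*.`, and the ordinary walled-garden zone with a wildcard A record) and then defines a small awk function that reads the warning server's access log and reports which client asked for which original name, which is the analysis the last paragraph describes. The log lines are constructed, and the assumed log format puts the Host header in the last field.

```shell
#!/bin/sh
# Added example with assumed names (ns1.bad-ns.example, rpz.example.net,
# garden.example.net, 192.0.2.10). None of these come from the original article.

WORK="${WORK:-$(mktemp -d)}"

# 1. named.conf fragment: attach the policy zone to the recursive server.
#    allow-query { none; } keeps clients from reading the policy zone directly.
cat > "$WORK/named.conf.rpz" <<'EOF'
zone "rpz.example.net" { type master; file "rpz.example.net.zone"; allow-query { none; }; };
options { response-policy { zone "rpz.example.net"; }; };
EOF

# 2. The RPZ zone. The rpz-nsdname trigger fires for any query whose answer
#    depends on the name server ns1.bad-ns.example, whatever the query name is.
#    The "*." at the start of the CNAME target makes BIND prepend the original
#    query name, so a lookup of c2.example is answered with
#    c2.example CNAME c2.example.garden.example.net.
cat > "$WORK/rpz.example.net.zone" <<'EOF'
$TTL 300
@   IN SOA ns.rpz.example.net. hostmaster.example.net. ( 1 3600 900 604800 300 )
    IN NS  ns.rpz.example.net.
ns1.bad-ns.example.rpz-nsdname  IN CNAME *.garden.example.net.
EOF

# 3. The walled-garden zone: an ordinary authoritative zone, not part of the
#    RPZ, in which every name resolves to the warning web server.
cat > "$WORK/garden.example.net.zone" <<'EOF'
$TTL 300
@   IN SOA ns.example.net. hostmaster.example.net. ( 1 3600 900 604800 300 )
    IN NS  ns.example.net.
*   IN A   192.0.2.10
EOF

# 4. Attribution. The browser sends the rewritten name as its Host header, so
#    the warning server's log carries the original query name. Given an access
#    log whose last field is the quoted Host header (assumed log format), print
#    deduplicated "client original-name" pairs, sorted.
infected_hosts() {
    awk -v suffix=".garden.example.net" '
        {
            host = $NF
            gsub(/"/, "", host)
            n = length(host) - length(suffix)
            if (n > 0 && substr(host, n + 1) == suffix)
                seen[$1 " " substr(host, 1, n)] = 1
        }
        END { for (k in seen) print k }
    ' "$1" | sort
}

# Constructed sample log: two redirected clients, one normal visit to the server.
cat > "$WORK/access.log" <<'EOF'
10.1.2.3 - - [19/Oct/2011:10:00:01 +0000] "GET /search?q=x HTTP/1.1" 200 512 "-" "Mozilla" "c2.example.garden.example.net"
10.1.2.3 - - [19/Oct/2011:10:00:02 +0000] "GET /search?q=y HTTP/1.1" 200 512 "-" "Mozilla" "c2.example.garden.example.net"
10.9.9.9 - - [19/Oct/2011:10:05:00 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla" "other-c2.example.garden.example.net"
10.5.5.5 - - [19/Oct/2011:10:06:00 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla" "www.example.net"
EOF

infected_hosts "$WORK/access.log"
```

Running this prints one line per client and original name (`10.1.2.3 c2.example` and `10.9.9.9 other-c2.example`); the visit to `www.example.net` is ignored because it did not arrive through the walled garden. Two caveats when adapting it: BIND releases differ in whether NSDNAME triggers are enabled by default, so check the `nsdname-enable` setting of your `response-policy` statement, and the walled-garden zone must be served by a name server your recursive server can reach, since the rewritten CNAME target still has to be resolved normally.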

See also: Building DNS Firewalls with Response Policy Zones (RPZ)
