The existing techniques that I've read about involve creating nameservers that are authoritative for a huge list of zones, either themselves resolving or forwarding to distinct resolvers. But as anybody that has run BIND configured with a large set of authoritative zones will know, the resource requirements for such a configuration are excessive: high memory usage, long pauses during cache cleanup, slow startup times...
So I derived an entirely different filtering technique that appears to work very well for blocking a set of over 100,000 domains, which has negligible resource requirements and which does not require reconfiguration of an existing resolver infrastructure.
The essential principle is that both UDP and TCP versions of the protocol for DNS queries are trivial to proxy in a robust manner at layer 4, i.e. using only simple NAT, without any application awareness. In fact, this is how many commodity broadband routers function - they perform NAT on DNS packets destined to their LAN-side IP address to redirect them to an ISP's resolvers and then relay the response back to the requester.
This allows for the creation of an extremely lightweight set of DNS proxy servers that can be placed between some network whose hosts you wish to contain and your existing resolver infrastructure. These proxy servers may then be configured to perform content-based filtering of DNS requests by performing string matching at a specific offset within the DNS packets. Such a proxy server requires nothing more than low-spec hardware (or a modest virtual machine) and uses only the built in features of a vanilla Linux 2.6 kernel - no nameserver software required.
What follows assumes a sound understanding Linux networking and iptables. The firewall snippets are in "iptables-restore" format. It is intended to provide comprehensive details of the approach I am using but does not consitute anything like a complete HOWTO.
The following configures a NAT that will rewrite DNS packets destined to the DNS_PROXY address to a set of DNS_RESOLVER_{1,2,3} addresses following a round-robin policy.
echo 1 > /proc/sys/net/ipv4/ip_forward
*mangle :PREROUTING ACCEPT [0:0] -A PREROUTING -d [DNS_PROXY]-p udp -m udp --dport 53 -m statistic --mode nth --every 3 --packet 0 -m state --state new -j CONNMARK --set-mark 1 -A PREROUTING -d [DNS_PROXY][DNS_PROXY] -p udp -m udp --dport 53 -m statistic --mode nth --every 3 --packet 1 -m state --state new -j CONNMARK --set-mark 2 -A PREROUTING -d -p udp -m udp --dport 53 -m statistic --mode nth --every 3 --packet 2 -m state --state new -j CONNMARK --set-mark 3 -A PREROUTING -d [DNS_PROXY] -p tcp -m tcp --dport 53 -m statistic --mode random --probability 0.333333 -m state --state new -j CONNMARK --set-mark 1 -A PREROUTING -d [DNS_PROXY] -p tcp -m tcp --dport 53 -m statistic --mode random --probability 0.5 -m state --state new -j CONNMARK --set-mark 2 -A PREROUTING -d [DNS_PROXY] [DNS_PROXY] -p tcp -m tcp --dport 53 -m state --state new -j CONNMARK --set-mark 3 COMMIT *nat :PREROUTING ACCEPT [0:0] :POSTROUTING ACCEPT [0:0] -A PREROUTING -m connmark --mark 1 -j DNAT --to-destination [DNS_RESOLVER_1] -A PREROUTING -m connmark --mark 2 -j DNAT --to-destination [DNS_RESOLVER_2] -A PREROUTING -m connmark --mark 3 -j DNAT --to-destination [DNS_RESOLVER_3] -A POSTROUTING -m connmark --mark 1 -j SNAT --to-source [DNS_PROXY] -A POSTROUTING -m connmark --mark 2 -j SNAT --to-source [DNS_PROXY] -A POSTROUTING -m connmark --mark 3 -j SNAT --to-source COMMIT
We want DNS packets that are queries, rather than responses, to be sent via the DNSCHECK chain. Other DNS packets are passed unchecked whilst non-DNS protocols are blocked. We only accept DNS packets from a trusted SRC_NET to avoid being an open resolver.
*filter :FORWARD ACCEPT [0:0] -A FORWARD -s SRC_NET -p udp --dport 53 -m u32 --u32 "0>>22&0x3C@8>>15&0x01=0" -j DNSCHECK -A FORWARD -s SRC_NET -p udp --dport 53 -j ACCEPT -A FORWARD -s SRC_NET -p tcp --dport 53 -j ACCEPT-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT -A FORWARD -j LOGDROP
To reduce the number of (expensive) "string" match tests applied to each DNS query we dispatch the packet to the relevant DNSCHECKxx chain based on the first two characters of the query data, using a (cheap) "u32" match on the correct offset of the packet.
:DNSCHECK - [0:0] -A DNSCHECK -m u32 --u32 "0>>22&0x3C@19&0xffff=0x6161" -j DNSCHECKaa -A DNSCHECK -m u32 --u32 "0>>22&0x3C@19&0xffff=0x6162" -j DNSCHECKab ... -A DNSCHECK -m u32 --u32 "0>>22&0x3C@19&0xffff=0x7a7a" -j DNSCHECKzz
In each DNSCHECKxx chain we perform the full string matches on the query data.
:DNSCHECKaa - [0:0] -A DNSCHECKaa -m string --from 40 --to 53 --hex-string "|08|aaadokfn|03|net|00|" --algo bm -j LOGDROP -A DNSCHECKaa -m string --from 40 --to 49 --hex-string "|05|aaakp|02|cc|00|" --algo bm -j LOGDROP -A DNSCHECKaa -m string --from 40 --to 55 --hex-string "|0b|aaapcxqiqgg|02|ws|00|" --algo bm -j LOGDROP ...
Log and drop matches, rate limiting to prevent flooding of logfiles.
:LOGDROP - [0:0] -A LOGDROP -m limit --limit 1/second --limit-burst 100 -j LOG -A LOGDROP -j DROP
The following sample scripts should be useful for generating and loading the daily iptables rulesets:
gen_domains.sh - http://pastebin.com/f240d06a1
Uses Downatool2 under Wine to create date-based files for a number of days that contain a sorted list of rendezvous domains for each Conficker variant. Could be invoked as an unprivileged user from cron once per week.
build_iptables.pl - http://pastebin.com/f2c085ac4
Builds a iptables firewall policy in iptables-restore format that implements the NAT-filter for DNS described above from a list of files containing blacklisted domains.
load_iptables.sh - http://pastebin.com/f158d3ffd
Uses build_iptables.pl to create a firewall policy to filter domains for the next couple of days and then executes it. Could be invoked as root from cron each night.
