When maintaining a DNS RPZ, how do I put infected users into a walled garden?

AA-00520

These Techniques Can Be Applied to a Variety of Malware Threats

Although this article was originally written about a specific piece of malware that is no longer a current threat, the techniques discussed can still be potentially useful in blocking the command and control apparatus of current malware.

If you know that the well-known computer virus Conficker uses a domain generation algorithm (DGA) to choose up to fifty thousand (50,000) command and control domains per day, you might hesitate to create an RPZ that contains so many domain names and whose contents change so much from day to day. In that case you might want to trigger your RPZ rule on the well-known name server names for these command and control domains (an NSDNAME trigger), rather than trying to trigger on each of the 50,000 different (daily) query names. Since the well-known name server names for Conficker's domain names are never used by nonmalicious domains, it is safe to poison all lookups that rely on these name servers. Here is an example that achieves this result:

$ORIGIN rpz.example.com.
ns.0xc0f1c3a5.com.rpz-nsdname  CNAME  *.walled-garden.example.com.
ns.0xc0f1c3a5.net.rpz-nsdname  CNAME  *.walled-garden.example.com.
ns.0xc0f1c3a5.org.rpz-nsdname  CNAME  *.walled-garden.example.com.

The * at the beginning of these CNAME target names is special, and it causes the original query name to be prepended to the CNAME target. So if one of your users tries to visit the Conficker command and control domain http://racaldftn.com.ai/ (which is a valid Conficker command and control domain name for 19-October-2011), your RPZ-connected recursive name server will send back this answer:

racaldftn.com.ai.     CNAME     racaldftn.com.ai.walled-garden.example.com.
racaldftn.com.ai.walled-garden.example.com.     A      192.168.50.3

This example presumes that you've also created the following DNS content, which is not part of the RPZ zone itself but is in one of your other domains.

$ORIGIN walled-garden.example.com.
*     A     192.168.50.3

Assuming that you're running a web server listening on 192.168.50.3 that always displays a warning message no matter what URI is used, the above RPZ configuration will cause the web browser of any infected end user to connect to a "server name" consisting of their original lookup name (racaldftn.com.ai) prepended to the walled garden domain name (walled-garden.example.com). That is the name that will appear in the web server's log file, and having the full name in that log file makes it much easier to work out which users are infected with which malware.
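The following is an added example, not ISC's code or part of the original article: it simulates how a resolver applies the NSDNAME triggers above (including the "*." prepending of the query name), and then recovers the original query name from the server name that the walled-garden web server logs, so infected clients can be tied back to the domain they looked up. The name server names, walled-garden domain and address are the article's; the log line format and client addresses are constructed.

```python
# Added example (not ISC's code): simulate a resolver applying the article's NSDNAME
# triggers, then recover the original qname from walled-garden web logs. Constructed values.
WALLED_GARDEN = "walled-garden.example.com."
WALLED_GARDEN_IP = "192.168.50.3"

# Triggers keyed by name server name (".rpz-nsdname" owner suffix stripped).
RPZ_NSDNAME_RULES = {
    "ns.0xc0f1c3a5.com.": "*." + WALLED_GARDEN,
    "ns.0xc0f1c3a5.net.": "*." + WALLED_GARDEN,
    "ns.0xc0f1c3a5.org.": "*." + WALLED_GARDEN,
}

def rpz_nsdname_rewrite(qname, ns_names, rules=RPZ_NSDNAME_RULES):
    """Return (owner, type, rdata) tuples when an authoritative name server
    for qname matches a trigger, else None. Names are fully qualified;
    matching is case-insensitive and exact (no subdomain/wildcard triggers)."""
    qname = qname.lower()
    for ns in ns_names:
        target = rules.get(ns.lower())
        if target is None:
            continue
        if target.startswith("*."):
            # Wildcard CNAME target: the original query name is prepended.
            target = qname + target[2:]
        answer = [(qname, "CNAME", target)]
        # The wildcard A record in the walled-garden zone resolves the target.
        if target.endswith("." + WALLED_GARDEN):
            answer.append((target, "A", WALLED_GARDEN_IP))
        return answer
    return None

def original_qname(server_name, garden=WALLED_GARDEN):
    """Recover the original query name from the host name the walled-garden
    web server sees (Host: header / access log); None if not a garden name."""
    name = server_name.lower().rstrip(".") + "."
    suffix = "." + garden
    if not name.endswith(suffix):
        return None
    return name[:-len(suffix)] + "."

def infected_clients(log_lines):
    """Map client IP -> original query names from constructed log lines of
    the form '<client_ip> <server_name> <request>'."""
    seen = {}
    for line in log_lines:
        client, server_name = line.split()[:2]
        name = original_qname(server_name)
        if name is not None:
            seen.setdefault(client, set()).add(name)
    return seen
```

A query whose delegation uses any listed name server is rewritten to the CNAME/A pair shown in the article, while names that reach the garden without a prepended qname (a direct visit to walled-garden.example.com) are ignored by the log summary.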

See also: Building DNS Firewalls with Response Policy Zones (RPZ)