[dns-operations] A DNS and network security forced marriage

Patrick, Robert Robert.Patrick at hq.doe.gov
Fri Mar 12 17:26:48 UTC 2010

Using a black list of malicious domains to block (e.g. return wildcard responses for all A records, or provide an IP of a target system within your own network to catch and log all traffic requests) is a practice in use within a growing number of organizations as a countermeasure against malware, adware, etc.

The concept is an extension of an RBL for use beyond just fighting spam.

Careful on blocking TLD (example: .cn) and second-level domains (example: foo.com) as this can quickly result in breaking legitimate traffic.  But, blocking against third-level and higher names should have relatively low impact for most enterprises.

I recommend implementing a white-list to ensure any submissions to your black list don't inadvertently break sites you _must_ access (said differently, any such block against white-list names should required special approval), which for U.S. government agencies may include ".gov", ".mil", off-site applications hosted with contractors, business partners, etc.


More information about the dns-operations mailing list