Introduction

This page outlines a proof of concept method for a network administrator to turn up a DNSChanger proxy DNS server. The goal of this server is to keep DNSChanger victims from going off-line when the FBI shuts down the ISC servers on July 9th 2012. Implementing such a stand-in server may not be a good idea for various reasons, but if keeping infected hosts online until they can be fixed is a priority, you may need such a stand-in server. This solution is just a proof of concept (POC). It is NOT guaranteed to work, work at scale, or be optimal for any environment. It is likely best to let infected hosts go off-line on July 9th so that they can be properly fixed. This POC is not meant for novices (it is not step by step), and it is not for experts (they probably have a better way of doing it). This POC is just one person's findings. NOTE: I added an iptables destination NAT as an alternate solution.
Setup Steps
Alternate Solution with iptables

Instead of creating 18,000+ loopback IP addresses to receive queries, it is also possible to add iptables rules for destination NAT. Just like the above solution, you route the IP addresses to the server and run a forwarding DNS server, but instead of setting up the many loopback addresses you set up one loopback address and destination NAT the queries (UDP and TCP port 53, addressed to the rogue resolver ranges) to that loopback.
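The following script is an added example of the destination-NAT variant; it is not the page's own rule set. It assumes the rogue resolver prefixes have already been routed to this host on interface eth0, that the forwarding DNS server listens on the single loopback address 127.0.0.2, and it uses RFC 5737 documentation ranges as constructed placeholders in place of the real DNSChanger prefixes. By default it only prints the commands it would run; set APPLY=1 to execute them as root.

```shell
#!/bin/sh
# Added example (not from the original page): build the destination-NAT rules that
# send DNS queries for the rogue resolver ranges to one local forwarding resolver.
# Run with APPLY=1 to execute the commands; by default they are only printed.

# Constructed placeholders (RFC 5737 documentation ranges): replace with the
# published DNSChanger resolver prefixes that you have routed to this host.
ROGUE_RANGES="192.0.2.0/24 198.51.100.0/24"
# Single loopback address where the forwarding DNS server listens (assumption).
PROXY_ADDR="127.0.0.2"
# Interface on which the routed query traffic arrives (assumption).
IN_IFACE="eth0"

# Print one iptables DNAT rule per (range, protocol) pair: UDP and TCP port 53
# destined for a rogue range are rewritten to the local proxy before routing.
dnat_rules() {
    for range in $ROGUE_RANGES; do
        for proto in udp tcp; do
            echo "iptables -t nat -A PREROUTING -i $IN_IFACE -d $range -p $proto --dport 53 -j DNAT --to-destination $PROXY_ADDR:53"
        done
    done
}

# Packets arriving on an external interface are normally not allowed to be routed
# into 127.0.0.0/8; route_localnet (Linux 3.6+) lifts that restriction on $IN_IFACE.
# Needed only because the DNAT target is a loopback address.
sysctl_rules() {
    echo "sysctl -w net.ipv4.conf.$IN_IFACE.route_localnet=1"
}

# Number of DNAT rules that would be installed (two per range: udp and tcp).
rule_count() {
    dnat_rules | wc -l | tr -d ' '
}

# Command that shows the installed rules with packet counters, so you can confirm
# queries are actually being redirected after the routes are in place.
verify_cmd() {
    echo "iptables -t nat -L PREROUTING -n -v"
}

run() {
    if [ "${APPLY:-0}" = "1" ]; then
        { sysctl_rules; dnat_rules; } | sh -e
        eval "$(verify_cmd)"
    else
        sysctl_rules
        dnat_rules
        verify_cmd
    fi
}

run
```

The DNAT happens in PREROUTING, so the host does not need to own the rogue addresses itself; it only needs the upstream routers to deliver the traffic and the forwarding resolver to be bound on 127.0.0.2. The packet counters from `iptables -t nat -L PREROUTING -n -v` are the quickest way to tell whether victims' queries are reaching the rules.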
More Information
Q: Do you have to listen on all those addresses?
Q: Is this the best way to solve this problem?
Q: How do infected hosts get fixed?