Using Malwaredomains.com DNS Black hole list with Windows 2012 DNS and Powershell

Malwaredomains.com is a project that constantly adds known malware domains to a giant list.
They have directions for adding their zone files to a Windows server, but they themselves describe it as a bit of a workaround, and they link to a PowerShell script that uses WMI. I hadn't worked with the Windows 2012 PowerShell DNS cmdlets before, so I threw together a quick little script that links the malwaredomains.com list into the DNS server using the native Windows 2012 commands.

The script pulls and parses the full .txt file that www.malwaredomains.com keeps. Each domain is created as a primary zone that is not Active Directory integrated, which keeps the list of zones out of Active Directory and its replication. If you choose to deploy this script, I recommend placing it only on the domain controllers your users are likely to query for DNS. For example, if you have two domain controllers handling an office's DNS and two holding the FSMO roles and serving the datacenter, run the script on the office domain controllers.

This script can be found on pastebin,
and all three of these scripts can be found on my GitHub.
Customize the variables at the top for your environment; the rest of the script should handle itself:

$tmp_file_holder = "current_list.bk"

$rollback_path = "C:\scripts\current_roll_back.list"
$rollback_date = get-date -format "M_dd_yyyy"
$rollback_backup_file = $rollback_path + "rollback_" + $rollback_date + ".bat"

# Archive the previous run's rollback list (on the very first run there is none yet, so do not fail)
move-item $rollback_path $rollback_backup_file -force -ErrorAction SilentlyContinue

# Pull the current list; tabs become ';' and the leading ';;' is dropped so the domain is field 0
$domain_list = invoke-webrequest http://mirror1.malwaredomains.com/files/domains.txt | select -expandproperty content
$domain_list -replace "`t", ";" -replace ";;" > $tmp_file_holder
$domain_content = get-content $tmp_file_holder

# Only file-backed (non-AD-integrated) zones are the ones this script manages
$zone_list = get-dnsserverzone | where {$_.IsDsIntegrated -eq $false} | select -expandproperty Zonename

foreach($line in $domain_content){
    # Lines containing ## are comments in the malwaredomains.com list
    if(-not($line | select-string "##")) {
        $line_tmp = $line -split ";"
        $line = $line_tmp[0]
        if($zone_list -notcontains $line) {
            # An empty file-backed primary zone: clients asking this server get no answer for the domain
            Add-DnsServerPrimaryZone "$line" -DynamicUpdate "none" -ZoneFile "$line.dns"
            # Record the zone so the rollback script can remove it later
            echo "$line" | Out-File -FilePath $rollback_path -Encoding ascii -append
            sleep 1
        }
    }
}

The Malwaredomains.com team often removes sites from the list that were added temporarily or by mistake, so I created a rollback script.
This script can be found on pastebin,
and all three of these scripts can be found on my GitHub.
Make sure to modify the variable at the top to fit your environment and match the original script:

$rollback_path = "C:\scripts\current_roll_back.list"

# The zones the update script added on its last run
$domain_content = get-content $rollback_path
$zone_list = get-dnsserverzone | where {$_.IsDsIntegrated -eq $false} | select -expandproperty Zonename

foreach($line in $domain_content) {
    if($zone_list -contains $line) {
        # -Force skips the confirmation prompt, which would otherwise stall a scheduled task
        Remove-DnsServerZone "$line" -Force
        sleep 1
    }
}
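The rollback script above drops every zone from the last run and relies on the next update to re-add the ones still listed. The following is an added example, not one of the post's scripts: it compares the server's file-backed zones against the current list and removes only those that have dropped off it, with a dry-run switch so you can review the result first. It assumes the same list URL and tab-separated format the post's scripts parse; $KeepZones is a hand-maintained list of your own file-backed zones that must never be touched.

```powershell
# Added example (not from the original post): reconcile blackhole zones against the
# current malwaredomains.com list instead of removing every zone from the last run.
$ListUrl   = "http://mirror1.malwaredomains.com/files/domains.txt"
$KeepZones = @("TrustAnchors")   # built-in DNSSEC trust-anchor zone; add your own file-backed zones here (assumed)
$DryRun    = $true               # set to $false to actually remove zones

# Parse the list: skip '##' comment lines, take the first non-empty tab-separated field (the domain)
$raw = (Invoke-WebRequest -Uri $ListUrl -UseBasicParsing).Content
$listed = @{}
foreach ($line in ($raw -split "`n")) {
    if ($line -match '^\s*##' -or $line.Trim() -eq "") { continue }
    $domain = ($line -split "`t" | Where-Object { $_.Trim() -ne "" } | Select-Object -First 1)
    if ($domain) { $listed[$domain.Trim().ToLower()] = $true }
}

# Candidates are file-backed forward primary zones that the DNS server did not create itself
$local = Get-DnsServerZone |
    Where-Object { -not $_.IsDsIntegrated -and $_.ZoneType -eq "Primary" -and
                   -not $_.IsAutoCreated -and -not $_.IsReverseLookupZone } |
    Select-Object -ExpandProperty ZoneName

# Stale = present on this server, absent from the list, and not on the keep list
$stale = @($local | Where-Object { -not $listed.ContainsKey($_.ToLower()) -and $KeepZones -notcontains $_ })

foreach ($zone in $stale) {
    if ($DryRun) {
        Write-Output "Would remove $zone (no longer on the list)"
    } else {
        Remove-DnsServerZone -Name $zone -Force   # -Force skips the interactive confirmation
        Write-Output "Removed $zone"
    }
}
Write-Output ("Listed: {0}  Local blackhole zones: {1}  Stale: {2}" -f $listed.Count, @($local).Count, $stale.Count)
```

Run it once with $DryRun left at $true and check that nothing you created by hand shows up as stale before letting it remove anything.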

I would suggest setting up two scheduled tasks.
One runs weekly to add new domains and keep the list up to date.
The second runs the rollback, clearing out wrongly marked domains and the like. How you choose to manage it is up to you.
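One way to register those two weekly tasks, as an added example rather than part of the original post: both run as SYSTEM so no stored credentials are needed, and the rollback is scheduled half an hour before the update so the zones are re-added the same night. The script paths and the Sunday 02:30/03:00 times are assumptions; change them to suit your environment.

```powershell
# Added example (not from the original post): register the update and rollback tasks.
# Assumed script locations; adjust to wherever you saved the two scripts.
$Tasks = @(
    @{ Name = "MalwareDomains-Rollback"; Script = "C:\scripts\rollback_blackhole.ps1"; Day = "Sunday"; At = "02:30" },
    @{ Name = "MalwareDomains-Update";   Script = "C:\scripts\update_blackhole.ps1";   Day = "Sunday"; At = "03:00" }
)

foreach ($t in $Tasks) {
    # -NonInteractive makes any unexpected prompt fail fast instead of hanging the task
    $action = New-ScheduledTaskAction -Execute "powershell.exe" `
        -Argument "-NoProfile -NonInteractive -ExecutionPolicy Bypass -File `"$($t.Script)`""
    $trigger = New-ScheduledTaskTrigger -Weekly -DaysOfWeek $t.Day -At $t.At
    # SYSTEM holds the rights needed to create and remove zones on the local DNS server
    $principal = New-ScheduledTaskPrincipal -UserId "SYSTEM" -LogonType ServiceAccount -RunLevel Highest
    # Cap the run time and catch up if the server was off at the scheduled time
    $settings = New-ScheduledTaskSettingsSet -ExecutionTimeLimit (New-TimeSpan -Hours 2) -StartWhenAvailable
    Register-ScheduledTask -TaskName $t.Name -Action $action -Trigger $trigger `
        -Principal $principal -Settings $settings -Force | Out-Null
    Write-Output "Registered $($t.Name): $($t.Day) at $($t.At)"
}
```

Keep the rollback run ahead of the update run; the other way round leaves the freshly added zones in place for only a few minutes before they are removed again.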

Since I was messing around with the files anyway, I also made a hosts file generator. Hosts files are not really the preferable method, as there have been reports of large hosts files slowing down browsing and the like. That said, I use a version of this script on my personal computers and haven't seen an issue. Malwaredomains.com doesn't offer hosts files, but it links to a list of some great ones. That limits the use of the script below, but I like adding my own hosts file entries to the top of the script and running it as a scheduled task once a week.
This can be found on pastebin,
and all of the code can be found on my GitHub.

Change the variables at the top to fit your needs. I even made it easy to set a reroute IP pointing to a branded warning page for businesses. Note that a hosts file entry only matches the exact name, so this doesn't protect against subdomains and the like.


$host_file_path = "C:\windows\system32\drivers\etc\hosts_tmp"
$final_loc = "C:\windows\system32\drivers\etc\hosts"
$tmp_file_holder = ".\current_list.bk"
$reroute = "127.0.0.1"   # or the address of a branded warning page

$Host_File_header = "# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

# localhost name resolution is handled within DNS itself.
# 127.0.0.1 localhost
# ::1 localhost"

# Write the file as ASCII: the '>' redirection in Windows PowerShell writes UTF-16, which is not what the hosts file expects
echo "$Host_File_header" | Out-File -FilePath $host_file_path -Encoding ascii

# Same list and parsing as the DNS script: tabs to ';', leading ';;' dropped, domain in field 0
$domain_list = invoke-webrequest http://mirror1.malwaredomains.com/files/domains.txt | select -expandproperty content
$domain_list -replace "`t", ";" -replace ";;" > $tmp_file_holder
$domain_content = get-content $tmp_file_holder
foreach($line in $domain_content){
    if(-not($line | select-string "##")) {
        $line_tmp = $line -split ";"
        $line = $line_tmp[0]
        echo "$reroute $line" | Out-File -FilePath $host_file_path -Encoding ascii -append
    }
}

# Swap the finished file into place in one move so the live hosts file is never left half-written
move-item $host_file_path $final_loc -force

All the code can be found on my GitHub.

Thanks for reading.
