Heh. This thread put me on a multi-hour tangent.

The malwaredomains.com people give you a BIND config file that you can
use with BIND on a *NIX box.

Similarly, you can find community-maintained HOSTS files which will
block ads and "bad" sites:

http://hosts-file.net/
http://www.mvps.org/winhelp2002/hosts.htm

As well as scripts to convert HOSTS files into BIND configuration snippets:

http://pgl.yoyo.org/as/hosts2bind.php
http://pgl.yoyo.org/as/software/nsblock.zip

Unfortunately, this doesn't help those of you who don't have BIND
daemons lying around, unless you happen to run BIND on Windows.

I'll leave it as an exercise for the reader to supply the zone file ;)

Richard Stovall wrote:
> Most excellent.  Thank you very much.  I'll give this a whirl at home
> and see how it goes.
> 
> Much obliged,
> RS
> 
> On Tue, Mar 9, 2010 at 4:41 PM, Tim Evans <[email protected]
> <mailto:[email protected]>> wrote:
> 
>     I run this batch file:
> 
>     ****** begin batch file *****
> 
>     @echo off
>     set server=mydnsserver
>     set /p delold=Delete old domains?
>     if /I "%delold%" NEQ "Y" goto getit
>     echo Deleting old domains...
>     pause
>     for /F %%f in (mal_list.txt) do dnscmd %server% /zonedelete %%f /dsdel /f
>     :getit
>     if exist domains.txt del domains.txt
>     wget http://www.malwaredomains.com/files/domains.txt || goto end
>     if exist mal_list.txt del mal_list.txt
>     rem ignore lines beginning with # & echo 1st word only
>     for /F "eol=# tokens=1 " %%i in (domains.txt) do @echo %%i >>mal_list.txt
>     for /F %%f in (mal_list.txt) do (dnscmd %server% /zoneadd %%f /DsPrimary /DP /forest && dnscmd %server% /recordadd %%f * A 192.168.0.6)
>     :end
> 
>     ****** end batch file *****
> 
>      
> 
>     This adds a wildcard zone for each domain which points to an
>     internal web server at 192.168.0.6. It displays a "web site blocked
>     due to malware" page whenever anyone hits it. I go thru the logs
>     regularly and investigate any host on that server. It's a bit crude
>     in that it just attempts to add all the domains each time it is run,
>     but it works for me. Occasionally, they delete a bunch of domains
>     and I couldn't figure out a better way to handle it, so if I answer
>     Y to the prompt, it deletes all domains and re-adds them from the
>     downloaded list.
> 
>      
> 
>     ...Tim
> 
>      
> 
>     *From:* Richard Stovall [mailto:[email protected]
>     <mailto:[email protected]>]
>     *Sent:* Tuesday, March 09, 2010 1:13 PM
> 
> 
>     *To:* NT System Admin Issues
>     *Subject:* Re: DNS Server service shuts down shortly after the DC boots
> 
>      
> 
>     Very intriguing.
> 
>      
> 
>     How do you accomplish the loading of the domain list?  Using a boot
>     file per the directions
>     here: http://www.malwaredomains.com/wordpress/?page_id=6#MS?  Do you
>     refresh the list manually every once in a while?
> 
>      
> 
>     Thanks,
>     RS
> 
>     On Tue, Mar 9, 2010 at 3:58 PM, Tim Evans <[email protected]
>     <mailto:[email protected]>> wrote:
> 
>     FWIW, I load the entire domain list from
>     http://www.malwaredomains.com/ into my AD integrated DNS without any
>     problems. Over 18000 domains are currently included. I've got a 2003
>     native domain/forest too. DCs include WS08R2, WS08, & WS03 SP2. I
>     have not seen anything like this here.
> 
>      
> 
>     ...Tim
> 
>      
> 
>     *From:* Carl Houseman [mailto:[email protected]
>     <mailto:[email protected]>]
>     *Sent:* Tuesday, March 09, 2010 11:53 AM
> 
> 
>     *To:* NT System Admin Issues
>     *Subject:* RE: DNS Server service shuts down shortly after the DC boots
> 
>      
> 
>     It appears that background zone loading is a feature of 2008 and
>     later... maybe I just need to hurry up the upgrade to 2008.
> 
>      
> 
>     Carl
> 
>      
> 
>     *From:* Michael B. Smith [mailto:[email protected]
>     <mailto:[email protected]>]
>     *Sent:* Tuesday, March 09, 2010 2:44 PM
>     *To:* NT System Admin Issues
>     *Subject:* RE: DNS Server service shuts down shortly after the DC boots
> 
>      
> 
>     Oh! Yes, now that you say that….
> 
>      
> 
>     I bet what’s happening is that it’s timing out.
> 
>      
> 
>     There is a flag (and I’m sorry that I don’t remember the details)
>     that says “do the initial zone load in the background”. You probably
>     need to set that. That should be enough to biggle with…
> 
>      
> 
>     Regards,
> 
>      
> 
>     Michael B. Smith
> 
>     Consultant and Exchange MVP
> 
>     http://TheEssentialExchange.com
> 
>      
> 
>     *From:* Carl Houseman [mailto:[email protected]
>     <mailto:[email protected]>]
>     *Sent:* Tuesday, March 09, 2010 2:40 PM
>     *To:* NT System Admin Issues
>     *Subject:* RE: DNS Server service shuts down shortly after the DC boots
> 
>      
> 
>     "Debug logging" will log DNS packets to a text file.  I guess the
>     last DNS packet received before the shutdown could tell me something
>     if it was shutting down randomly at any time.   But the fact that
>     the service stays running forever after restarting suggests that bad
>     DNS packets on the wire aren't likely causing this.  So if bad DNS
>     traffic is the problem, the only explanation would be a DNS query
>     from the DC to itself.   DC DOS's its own DNS server service?
> 
>      
> 
>     One thing I may have that is less common is a lot of DNS
>     authoritative zones for well known bad (malware hosting) domain
>     names.  There's over 1000 of 'em.
> 
>      
> 
>     I have to say I'm not up for an extended debugging journey on this
>     one, just wondering if this behavior triggered any memories for anyone.
> 
>      
> 
>     Carl
> 
>      
> 
>     *From:* Brian Desmond [mailto:[email protected]
>     <mailto:[email protected]>]
>     *Sent:* Tuesday, March 09, 2010 1:53 PM
>     *To:* NT System Admin Issues
>     *Subject:* RE: DNS Server service shuts down shortly after the DC boots
> 
>      
> 
>     It should be able to kick out more info to a text file.
> 
>     The scenario you mention of branch DCs not having connectivity is
>     completely normal.
> 
>     Thanks,
> 
>     Brian Desmond
> 
>     [email protected] <mailto:[email protected]>
> 
>     c – 312.731.3132
> 
>     *From:* Carl Houseman [mailto:[email protected]
>     <mailto:[email protected]>]
>     *Sent:* Tuesday, March 09, 2010 12:46 PM
>     *To:* NT System Admin Issues
>     *Subject:* RE: DNS Server service shuts down shortly after the DC boots
> 
>      
> 
>     Good idea, but the DNS Server's event logging option has been on
>     "all events" all this time.  That must be the default, I don't
>     recall ever changing it.
> 
>      
> 
>     Carl
> 
>      
> 
>     *From:* Michael B. Smith [mailto:[email protected]
>     <mailto:[email protected]>]
>     *Sent:* Tuesday, March 09, 2010 1:39 PM
>     *To:* NT System Admin Issues
>     *Subject:* RE: DNS Server service shuts down shortly after the DC boots
> 
>      
> 
>     This would seem to indicate to me that while the DNS Server service
>     was initiated, it never actually finished initializing.
> 
>      
> 
>     Aren’t there some logging options on the DNS server property tab?
>     I’d probably ratchet those up to max for a while and see if they
>     helped gather more info…
> 
>      
> 
>     Regards,
> 
>      
> 
>     Michael B. Smith
> 
>     Consultant and Exchange MVP
> 
>     http://TheEssentialExchange.com
> 
>      
> 
>     *From:* Carl Houseman [mailto:[email protected]
>     <mailto:[email protected]>]
>     *Sent:* Tuesday, March 09, 2010 1:22 PM
>     *To:* NT System Admin Issues
>     *Subject:* DNS Server service shuts down shortly after the DC boots
> 
>      
> 
>     Curious thing, started a few months ago after I moved the FSMO roles
>     from this DC to another one.  This DC frequently boots "in a vacuum"
>     – no other DCs can be contacted, so it takes a long time sniffing
>     around before it finally starts Active Directory and its own DNS
>     Server service.   A few minutes after that, the DNS Server service
>     shuts down.  There's nothing in the System or Application event log
>     to explain it, and the DNS Server event log records simply that
>     "The DNS server has shutdown." (event ID 3).
> 
>      
> 
>     The recovery options are set to restart the service, but that
>     doesn't happen because the service appears to have been shut down on
>     purpose.  But no human (for sure) and 99.9% sure no software is
>     issuing the command.
> 
>      
> 
>     Another interesting thing from the event logs, under System, when I
>     start the service there's an event 7036 logged "The DNS Server has
>     entered the running state".  But I see NO event 7036 for DNS at the
>     time of booting.  Obviously, it must be started, else the DNS event
>     log wouldn't record that it had shut down!   And I see no 7036
>     events for it stopping either.
> 
>      
> 
>     When this happens, I can manually start the DNS Server service and
>     all is well until the next boot, which may or may not have the
>     problem.  I think it's happening about 50% of the time.
> 
>      
> 
>     I've scripted a solution to recover from the problem, but I'm just
>     curious if anyone has noticed something similar.  I'm guessing the
>     instances of branch offices booting their DC without network
>     connectivity back to the FSMO holder at HQ is fairly rare, but not
>     unheard of.
> 
>      
> 
>     And this is Windows 2003 SP2, native 2003 domain/forest.  Almost
>     left that off, yikes!
> 
>      
> 
>     TIA,
> 
>     Carl
> 


-- 

Phil Brutsche
[email protected]
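Phil leaves the zone file as an exercise, and Tim says he could not find a better way to deal with domains that drop off the feed than deleting and re-adding all of them. The following is an added example, not code from the thread, from malwaredomains.com or from the mailing list: a small Python helper that parses a domains.txt style list, validates each name before it can reach a command line (the feed is untrusted input, and both the dnscmd lines and the named.conf stanzas are built from its tokens), refuses to sinkhole names under your own DNS suffix, diffs the list against the previous run so only changed zones are touched, and emits either the BIND stanzas plus one shared wildcard zone file or the same dnscmd invocations Tim's batch file uses. The sample feed, the server name mydnsserver, the zone file name db.sinkhole, the previous-run list and the protected suffix corp.example are constructed placeholders.

```python
"""
Added example, not code from the thread: feed-to-DNS-sinkhole helper.

Parses a malwaredomains.com style domains.txt (lines starting with '#' are
comments, the domain is the first whitespace-separated token), validates each
name, drops anything under a protected suffix, works out what changed since
the last run, and emits either BIND configuration (stanzas + the shared
wildcard zone file) or the dnscmd commands from Tim's batch file.
"""
from __future__ import annotations

import re

SINKHOLE_IP = "192.168.0.6"      # internal "site blocked" web server (from the thread)
DNS_SERVER = "mydnsserver"       # placeholder, as in the batch file
ZONE_FILE = "db.sinkhole"        # hypothetical file name for the shared wildcard zone

# Constructed sample of the feed. Columns after the domain vary and are ignored.
SAMPLE_FEED = """\
## Malware Domain Blocklist (constructed sample, not the real feed)
## domain  type  reference  date
example-bad.test\tattackpage\tsome-reference\t20100309
   another-bad.test   exploit   some-reference   20100301
# commented.test   would be skipped
Example-Bad.TEST   duplicate that differs only in case
bad_underscore.test   rejected: invalid hostname label
evil.corp.example    rejected: under a protected suffix
"""

# RFC 1123 hostname labels: alphanumerics and hyphens, no leading/trailing hyphen.
_LABEL = r"(?!-)[a-z0-9-]{1,63}(?<!-)"
_DOMAIN_RE = re.compile(rf"^{_LABEL}(?:\.{_LABEL})+$")


def parse_domain_list(text: str, protected: frozenset[str] = frozenset()) -> set[str]:
    """Return the set of sinkhole-able domains in a domains.txt style feed."""
    domains: set[str] = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name = line.split()[0].lower().rstrip(".")
        # Validate before the name reaches a shell command line or a zone file:
        # the feed is untrusted input, so a token containing '&', '$' or quotes
        # must never become part of a dnscmd or named.conf line.
        if not _DOMAIN_RE.match(name) or len(name) > 253:
            continue
        # Never sinkhole your own namespace (e.g. the AD domain).
        if any(name == p or name.endswith("." + p) for p in protected):
            continue
        domains.add(name)
    return domains


def plan_changes(previous: set[str], current: set[str]) -> tuple[list[str], list[str]]:
    """Zones to add and zones to delete so the server ends up matching `current`."""
    return sorted(current - previous), sorted(previous - current)


def bind_zone_stanzas(domains: set[str], zone_file: str = ZONE_FILE) -> str:
    """named.conf snippet: every sinkholed domain shares one wildcard zone file."""
    return "".join(
        f'zone "{d}" {{ type master; file "{zone_file}"; }};\n' for d in sorted(domains)
    )


def bind_wildcard_zone(sinkhole_ip: str = SINKHOLE_IP, serial: int = 2010030901) -> str:
    """The shared zone file: the apex and every name under it resolve to the sinkhole.
    Names are relative to the origin, so one file serves every zone stanza."""
    return (
        "$TTL 3600\n"
        "@   IN SOA ns hostmaster (\n"
        f"        {serial} ; serial\n"
        "        3600       ; refresh\n"
        "        900        ; retry\n"
        "        604800     ; expire\n"
        "        300 )      ; negative cache TTL\n"
        "    IN NS  ns\n"
        f"    IN A   {sinkhole_ip}\n"
        f"ns  IN A   {sinkhole_ip}\n"
        f"*   IN A   {sinkhole_ip}\n"
    )


def dnscmd_commands(to_add, to_delete, server=DNS_SERVER, sinkhole_ip=SINKHOLE_IP) -> list[str]:
    """Windows equivalent of Tim's loop, but only for zones that changed since the last run."""
    cmds = [f"dnscmd {server} /zonedelete {d} /dsdel /f" for d in to_delete]
    for d in to_add:
        cmds.append(f"dnscmd {server} /zoneadd {d} /DsPrimary /DP /forest")
        cmds.append(f"dnscmd {server} /recordadd {d} * A {sinkhole_ip}")
    return cmds


if __name__ == "__main__":
    protected = frozenset({"corp.example"})  # constructed stand-in for the AD domain
    wanted = parse_domain_list(SAMPLE_FEED, protected)
    already_loaded = {"another-bad.test", "retired-bad.test"}  # constructed previous run
    add, delete = plan_changes(already_loaded, wanted)
    print(bind_zone_stanzas(wanted))
    print(bind_wildcard_zone())
    print("\n".join(dnscmd_commands(add, delete)))
```

The previous-run set would normally be the mal_list.txt left behind by the last run (or the zone list reported by the server); persisting it is what turns Tim's delete-everything prompt into a plain diff. Keep the protected suffix list in step with every zone the server is already authoritative for, since a feed entry that collides with one of your own zones would otherwise sinkhole it.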