Botnet Domain List: Detection & Blocking

TL;DR

This guide shows you how to find lists of domain names used by botnets and block them to protect your network. We’ll cover where to get the lists, how to check them, and ways to use them in firewalls or DNS servers.

1. Finding Botnet Domain Lists

Several sources provide regularly updated lists of known malicious domains associated with botnets. Here are some reliable options:

These lists are often available in formats like TXT, CSV or JSON.

2. Checking the Lists

Before blocking domains, confirm that the listed entries are actually malicious. False positives can disrupt legitimate services. Here's how:

  • VirusTotal: https://www.virustotal.com/ – Upload the domain list (or individual domains) to VirusTotal to check if they’ve been reported as malicious by multiple security engines.
  • URLScan.io: https://urlscan.io/ – Scan the domains to see their behaviour and associated content.
  • Passive DNS Lookups: Use dig to query a domain's current records, and a passive DNS service (e.g., SecurityTrails) to review its historical records for suspicious activity. For example:
    dig domainname.example.com

3. Blocking Domains in Your Firewall

Most firewalls allow you to block domains based on DNS requests. The exact method varies depending on your firewall vendor.

  • pfSense: Go to Firewall > DNS Resolver > Host Aliases and create a new alias containing the list of malicious domains. Then, use this alias in your firewall rules to block access.
  • iptables (Linux): iptables and ipset match IP addresses, not names, so resolve each domain first and keep the results in a hash:ip set, then drop traffic whose destination is in that set (outbound from this host and forwarded through it, which is where infected machines reach the botnet). For example:
    ipset create botnet_domains hash:ip
    # resolve each domain (A records only) and add the addresses; re-run after every list update
    for d in domain1.example.com domain2.example.com; do
      dig +short A "$d" | grep -E '^[0-9.]+$' | xargs -r -n1 ipset -exist add botnet_domains
    done
    # match the destination address on traffic leaving or transiting this host
    iptables -A OUTPUT -m set --match-set botnet_domains dst -j DROP
    iptables -A FORWARD -m set --match-set botnet_domains dst -j DROP
  • Windows Firewall: While Windows Firewall doesn’t directly support blocking lists, you can use PowerShell scripts to add blocked domains.

4. Blocking Domains with DNS Servers

You can configure your DNS server (e.g., Pi-hole, Unbound) to resolve malicious domains to a sinkhole IP address.

  • Pi-hole: Add the list's URL under Group Management > Adlists in the web interface (individual domains can be added to the blacklist with pihole -b <domain>), then rebuild the gravity database so the new entries take effect:
    pihole -g
  • Unbound: Use Unbound’s local-zone feature to create a custom zone that resolves malicious domains to a specific IP address (e.g., 127.0.0.1).
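The checking step in section 2 and the DNS sinkhole in this section are usually done by the same script. The following Python is an added example, not code from the original post: it parses a feed in the TXT, hosts or CSV layouts mentioned in section 1, rejects malformed entries, drops anything covered by a local allowlist (the false-positive guard section 2 calls for), and writes the `local-zone`/`local-data` lines for an Unbound redirect to 127.0.0.1, plus a hosts-format copy that Pi-hole accepts as an adlist. The sample feed and the allowlist are constructed for the example; the domains in them are not real indicators.

```python
"""Normalize a botnet domain feed and emit Unbound sinkhole config.
Added example for this guide; the feed content and allowlist below are constructed."""
import re
from typing import Iterable, List, Optional, Set

# One DNS label: 1-63 letters, digits or hyphens, no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def normalize_domain(raw: str) -> Optional[str]:
    """Lowercase, strip surrounding whitespace and a trailing dot.
    Return None for anything that is not a plausible hostname."""
    d = raw.strip().lower().rstrip(".")
    if not d or len(d) > 253 or "." not in d:
        return None
    if not all(_LABEL.match(label) for label in d.split(".")):
        return None
    return d


def parse_feed(text: str) -> Set[str]:
    """Accept three common feed layouts, decided line by line:
    plain TXT (one domain per line), hosts format ('0.0.0.0 domain')
    and CSV with the domain in the first column. '#' starts a comment."""
    domains: Set[str] = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        if "," in line:
            field = line.split(",", 1)[0]
        else:
            parts = line.split()
            # hosts format: sinkhole address first, domain second
            if len(parts) == 2 and parts[0] in ("0.0.0.0", "127.0.0.1"):
                field = parts[1]
            else:
                field = parts[0]
        d = normalize_domain(field)
        if d is not None:
            domains.add(d)
    return domains


def is_allowlisted(domain: str, allowlist: Iterable[str]) -> bool:
    """True if the domain equals an allowlisted name or is a subdomain of one."""
    return any(domain == a or domain.endswith("." + a) for a in allowlist)


def build_blocklist(feed_text: str, allowlist: Iterable[str]) -> List[str]:
    """Parsed, deduplicated, allowlist-filtered domains in sorted order."""
    allow = set(allowlist)
    return sorted(d for d in parse_feed(feed_text) if not is_allowlisted(d, allow))


def unbound_sinkhole(domains: Iterable[str], sinkhole: str = "127.0.0.1") -> str:
    """Unbound config answering each listed name with the sinkhole A record.
    'redirect' makes the local-data apply to every subdomain as well."""
    out = []
    for d in sorted(domains):
        out.append(f'local-zone: "{d}." redirect')
        out.append(f'local-data: "{d}. A {sinkhole}"')
    return "\n".join(out) + "\n"


def hosts_format(domains: Iterable[str]) -> str:
    """Hosts-style list, the layout Pi-hole accepts as an adlist."""
    return "".join(f"0.0.0.0 {d}\n" for d in sorted(domains))


# Constructed sample feed mixing the layouts above; none of these are real indicators.
SAMPLE_FEED = """\
# constructed sample, not a real feed
c2-alpha.example
0.0.0.0 beacon.example.net
Loader.EXAMPLE.org.
c2-beta.example,2024-01-01,botnet-x
cdn.example.com   # legitimate CDN host that slipped into the feed
not a domain
-bad.example
"""
ALLOWLIST = {"example.com"}  # names you never want sinkholed, including subdomains

if __name__ == "__main__":
    blocked = build_blocklist(SAMPLE_FEED, ALLOWLIST)
    print(unbound_sinkhole(blocked))
    print(hosts_format(blocked))
```

Write the Unbound output to a file included from `unbound.conf` (for example via an `include:` line) rather than editing the main config, and keep the allowlist in version control so a removed false positive stays removed after the next feed refresh.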

5. Automating Updates

Botnet domain lists change frequently, so it’s crucial to automate the update process.

  • Cron Jobs (Linux): Use cron jobs to regularly download and parse updated lists from the sources mentioned in Step 1.
  • Scheduled Tasks (Windows): Create scheduled tasks to run PowerShell scripts that download and update your blocked domain lists.
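Automation is only safe if a bad download cannot wipe out the blocklist. The following Python is an added example, not code from the original post, of the guard logic a cron job or scheduled task should wrap around the download: it refuses an empty list or one that drops more than half of the current entries (the usual symptom of a truncated download or an HTML error page saved as a list), reports what changed, and replaces the file atomically so the DNS server never reloads a half-written file. `fetch_feed`, `FEED_URL` and `BLOCKLIST_PATH` are assumptions made for the example; the URL is a placeholder.

```python
"""Guard rails for automated blocklist refreshes.
Added example for this guide; FEED_URL and BLOCKLIST_PATH are placeholders."""
import os
import tempfile
import urllib.request
from typing import Set, Tuple

FEED_URL = "https://feed.example/botnet-domains.txt"  # placeholder, not a real feed
BLOCKLIST_PATH = "/etc/unbound/botnet-domains.txt"    # assumed location of the list


class UpdateRejected(Exception):
    """Raised when the fetched list looks broken and must not replace the current one."""


def parse_lines(text: str) -> Set[str]:
    """One domain per line, '#' comments, case-insensitive."""
    return {ln.strip().lower() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")}


def fetch_feed(url: str = FEED_URL, timeout: float = 30.0) -> Set[str]:
    """Download a plain-text feed. Network access is assumed; not used by the checks below."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return parse_lines(resp.read().decode("utf-8", "replace"))


def load_list(path: str) -> Set[str]:
    """Current on-disk list, or an empty set on first run."""
    if not os.path.exists(path):
        return set()
    with open(path, encoding="utf-8") as f:
        return parse_lines(f.read())


def plan_update(current: Set[str], fetched: Set[str],
                max_shrink: float = 0.5) -> Tuple[Set[str], Set[str]]:
    """Return (added, removed). Refuse an empty fetch, or one that would drop more
    than max_shrink of the current entries, instead of silently unblocking them."""
    if not fetched:
        raise UpdateRejected("fetched list is empty")
    if current:
        removed = current - fetched
        if len(removed) / len(current) > max_shrink:
            raise UpdateRejected(f"{len(removed)}/{len(current)} entries would be dropped")
    return fetched - current, current - fetched


def write_atomic(path: str, lines: Set[str]) -> None:
    """Write to a temp file in the same directory, fsync, then rename over the target,
    so a concurrent reload by the DNS server sees either the old or the new file."""
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".blocklist-")
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as f:
            f.write("\n".join(sorted(lines)) + "\n")
            f.flush()
            os.fsync(f.fileno())
        os.replace(tmp, path)
    except BaseException:
        try:
            os.unlink(tmp)
        except FileNotFoundError:
            pass
        raise


def apply_update(path: str, fetched: Set[str]) -> Tuple[Set[str], Set[str]]:
    """Validate the fetched list against the current one and install it if it changed."""
    current = load_list(path)
    added, removed = plan_update(current, fetched)
    if added or removed:
        write_atomic(path, fetched)
    return added, removed


if __name__ == "__main__":
    added, removed = apply_update(BLOCKLIST_PATH, fetch_feed())
    print(f"blocklist updated: +{len(added)} -{len(removed)}")
```

A cron entry such as `*/30 * * * * /usr/bin/python3 /usr/local/bin/update_botnet_list.py && unbound-control reload` (paths assumed) runs the refresh and only reloads the resolver when the script exits successfully; a rejected update leaves the previous list in place and surfaces in cron's mail or your log collector.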