Malware hosts protection.

Index.

 18-Feb-2014: initial release.

 

Introduction.

On the website malwaredomains you can find a regularly updated Malware Domain Blocklist. You can add this list to the name server that runs on your home server so that it blocks requests to hosts that serve malware. Strictly speaking it does not block these requests: the name server answers with a fake IP address instead of the real IP address of the requested site, for example 127.0.0.1. On the home server described on this site, dnsmasq is used as name server. It is set up to include any files dropped in the /etc/dnsmasq.d subdirectory in the main configuration.

 

The script.

I have written a shell script and installed it as /usr/local/sbin/malwaredomains. The script:

#!/bin/sh
#
# Update list of malware domains

DNSMASQPATH="/etc/dnsmasq.d"
DNSMASQFILE="80-malware-domains"
# Address handed out for blocked hosts. Point it at an empty web server on the
# home server so that attempts to reach a blocked site show up in its log.
SINKHOLE="10.126.151.231"

install_malwarezones() {

  rm -f "$DNSMASQFILE"

  echo "#" > "$DNSMASQFILE"
  echo "# $DNSMASQFILE generated $(date)" >> "$DNSMASQFILE"
  echo "# do not edit this file, your changes will get lost" >> "$DNSMASQFILE"
  echo "#" >> "$DNSMASQFILE"

  # Use " as separator to isolate the domain name: it is the second field of
  # a line such as   zone "example.com" {type master; file "..."};
  OLDIFS=$IFS
  IFS='"'
  grep -E '^zone' /var/malwaredomains/spywaredomains.zones | while read -r L ; do
    set -- $L
    echo "address=/$2/$SINKHOLE" >> "$DNSMASQFILE"
  done
  IFS=$OLDIFS

  # Install atomically: copy under a temporary name, then rename into place,
  # so dnsmasq never reads a half-written file.
  mkdir -p "$DNSMASQPATH"
  cp -p "$DNSMASQFILE" "$DNSMASQPATH/$DNSMASQFILE.new"
  mv "$DNSMASQPATH/$DNSMASQFILE.new" "$DNSMASQPATH/$DNSMASQFILE"
  [ -x /etc/rc.d/rc.dnsmasq ] && /etc/rc.d/rc.dnsmasq restart >/dev/null
}

cd /var/malwaredomains || exit 1
# -N only downloads the file when the mirror has a newer copy
wget -qN http://mirror2.malwaredomains.com/files/spywaredomains.zones
rc=$?

if [ $rc -eq 0 ]; then

  if [ -f spywaredomains.md5 ]; then

    # Compare the stored checksum with the checksum of the file on disk;
    # only regenerate the dnsmasq file when the list has actually changed.
    OLD=$(cat spywaredomains.md5)
    NEW=$(md5sum spywaredomains.zones)

    if [ "$OLD" != "$NEW" ]; then
      md5sum spywaredomains.zones > spywaredomains.md5
      install_malwarezones
    fi

  else
    # First run: no stored checksum yet
    md5sum spywaredomains.zones > spywaredomains.md5
    install_malwarezones
  fi
fi

 

This script should be called by cron; you can create a symlink in /etc/cron.daily or /etc/cron.weekly so that it runs every day or every week. The script fetches the spywaredomains.zones file from a mirror of the malware domains website. If it detects that this file has changed, by comparing the md5 checksum of the file against the previously stored checksum, a new file 80-malware-domains is generated and installed in /etc/dnsmasq.d. After that the dnsmasq server is restarted so that it loads the new file.
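The conversion step in the script takes the domain name from each zone line and writes it straight into the dnsmasq configuration. What follows is an added example, not the script from this page, that does the same conversion but accepts only syntactically valid domain names, so that a malformed line in the downloaded list cannot end up as a broken or unintended address= entry (dnsmasq reads a slash inside the name as the start of a second domain, and a hash sign as a comment). The sample zone lines are constructed, the functions zones_to_dnsmasq, is_valid_domain and convert_sample are assumptions made for this example, and the sinkhole address is the one used on this page.

```shell
#!/bin/sh
# Added example, not the script from the page: convert bind-style "zone" lines
# from a malwaredomains zones file into dnsmasq "address=/domain/ip" lines,
# keeping only syntactically valid domain names.

SINKHOLE_IP="10.126.151.231"   # the sinkhole address used on this page

# Constructed sample input in the layout of spywaredomains.zones (not real data).
# The third line carries a slash, which dnsmasq would read as a second domain.
SAMPLE_ZONES='// constructed sample, not a real blocklist
zone "example-bad.test" {type master; file "/etc/namedb/blockeddomain.hosts";};
zone "another.bad.example" {type master; file "/etc/namedb/blockeddomain.hosts";};
zone "bad/domain.example" {type master; file "/etc/namedb/blockeddomain.hosts";};
zone "UPPER.Case.Example" {type master; file "/etc/namedb/blockeddomain.hosts";};'

# is_valid_domain NAME: lower-case labels of letters, digits and hyphens, 1-63
# characters each, not starting or ending with a hyphen, at most 253 in total.
is_valid_domain() {
  d="$1"
  [ -n "$d" ] && [ "${#d}" -le 253 ] || return 1
  printf '%s\n' "$d" |
    grep -Eq '^([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)*[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$'
}

# zones_to_dnsmasq IP: read zone lines on stdin, print one dnsmasq address=
# line per valid domain on stdout; rejected lines are reported on stderr.
zones_to_dnsmasq() {
  ip="$1"
  grep -E '^zone' | while IFS= read -r line; do
    # The domain is the text between the first pair of double quotes;
    # DNS names are case-insensitive, so normalise to lower case.
    name=$(printf '%s\n' "$line" |
      sed -n 's/^zone[[:space:]]*"\([^"]*\)".*/\1/p' | tr 'A-Z' 'a-z')
    if is_valid_domain "$name"; then
      printf 'address=/%s/%s\n' "$name" "$ip"
    else
      printf 'rejected: %s\n' "$line" >&2
    fi
  done
}

# convert_sample: run the conversion over the constructed sample.
convert_sample() {
  printf '%s\n' "$SAMPLE_ZONES" | zones_to_dnsmasq "$SINKHOLE_IP"
}

convert_sample
```

Run against the real file with `zones_to_dnsmasq 10.126.151.231 < spywaredomains.zones > 80-malware-domains` and check stderr for rejected lines before installing the result.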

The script writes the file 80-malware-domains in the format that dnsmasq understands. The IP address used is the IP address of the web server on your home server. This should be a default, empty server. You can also use 127.0.0.1 or 0.0.0.0 as IP address. The advantage of using an empty default server on your home server is that you can check its log file to see whether any client computer tries to reach a blacklisted malware site, which could be caused by malware already installed on that client. Clients that use Firefox or Chrome (and possibly other browsers) are already protected because they use Google Safe Browsing. However, that can be disabled, or users may use unsafe browsers.
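To get anything out of the sinkhole server's log as described above, the hits have to be grouped by client and by the host name the client asked for. The following is an added example, not part of the original page. It assumes Apache's vhost_combined log format, in which the first field is the requested virtual host and port (%v:%p) and the second the client address (%h); the log lines are constructed for the example, and homesrv.lan as the name of the home server's own site and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the page: summarise hits on the sinkhole web server.
# Assumes Apache's "vhost_combined" log format, whose first field is the
# requested virtual host and port (%v:%p) and second field the client (%h).

# Constructed sample log lines (not a real log). Two requests from 192.0.2.10
# and one from 192.0.2.12 land on sinkholed names; one is a normal visit to
# the home server's own site, homesrv.lan.
SAMPLE_LOG='example-bad.test:80 192.0.2.10 - - [18/Feb/2014:10:00:01 +0100] "GET /a.php HTTP/1.1" 404 300 "-" "Mozilla/5.0"
homesrv.lan:80 192.0.2.11 - - [18/Feb/2014:10:00:05 +0100] "GET / HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
another.bad.example:80 192.0.2.10 - - [18/Feb/2014:10:01:11 +0100] "POST /gate.php HTTP/1.1" 404 300 "-" "-"
example-bad.test:80 192.0.2.12 - - [18/Feb/2014:10:02:00 +0100] "GET /x HTTP/1.1" 404 300 "-" "curl/7.0"'

# sinkhole_hits OWNHOST: print "client requested_host" for every request whose
# virtual host is not the server's own site, i.e. every request that only
# arrived because the name resolved to the sinkhole address.
sinkhole_hits() {
  awk -v own="$1" '{
    split($1, vh, ":")            # "host:port" -> host
    if (vh[1] != own) print $2, vh[1]
  }'
}

# sinkhole_clients OWNHOST: distinct client addresses that hit sinkholed
# names; these are the machines worth checking for an existing infection.
sinkhole_clients() {
  sinkhole_hits "$1" | awk '{print $1}' | sort -u
}

# sinkhole_report OWNHOST: per client and requested host, number of requests.
sinkhole_report() {
  sinkhole_hits "$1" | sort | uniq -c | sort -rn
}

printf '%s\n' "$SAMPLE_LOG" | sinkhole_report homesrv.lan
```

On the real server run `sinkhole_report homesrv.lan < /var/log/apache2/other_vhosts_access.log` (or whichever file the vhost_combined format is written to); a client that appears repeatedly, or with a User-Agent that is not a browser, is the one to look at first.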

The first time, run this script by hand. Then check your name server by querying a malware domain:

root@homsrv:~# host www.mixgrouptravel.cn
www.mixgrouptravel.cn has address 10.126.151.231
root@homsrv:~#

 

You should see that it returns the IP address that you have used in your script.

Note that the downloaded file is in bind format, so if you use bind instead of dnsmasq, you can use the downloaded file without any change. Just follow the instructions on the malware domains website.