Running your own DNSchanger proxies

On the other thread I read that some ISPs are running their own proxies
for infected hosts.

That sounded interesting, so I googled around to find out how to do
that and I could not find a HOWTO, so I imagined up a solution myself,
tested it in VirtualBox, and wrote it down in case anyone finds it
useful or has another approach.

I don't plan to use this solution, but it was interesting to think
about and may be a good starting point in the unlikely event that some
VP pushes the panic button on Monday.


As an intellectual exercise, I think this is interesting and worth the
effort. As an actual implementation, I think it's more effective to block
DNS traffic to the affected subnets. Let the breakage occur, and then let
the end users get their broken machines fixed rather than let them continue
hobbling along with this hack in place.


Agreed, fixing the problem > patching the problem.

Some other ideas -

  * Assuming you're running the nameserver under Linux, an iptables rule
    would remove the need to have all the IP addresses added (iptables
    -I PREROUTING -t nat -d $badblock/24 -s -j DNAT --to
  * BIND should by default accept connections on all interfaces if you
    don't tell it to bind to anything, unless behaviour has changed in
    versions more recent than my last BIND experience
  * Having whatever nameserver you use return a single IP address for
    everything you request, which points you to a single web page that
    explains how to fix the problem, can be good
  * That single IP address can also run a POP3/IMAP server that accepts
    any username/password and dumps the user into a read-only mailbox
    with a single message saying "fix your infected PC"
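A minimal walled-garden resolver of the kind the third point describes, as an added example that is not from this thread: it answers every A query with one fixed address (the page that explains the fix) and logs who asked. The sinkhole address 192.0.2.1 and port 5353 are assumed placeholders; non-A queries get an empty NOERROR reply so clients don't retry forever.

```python
import socket
import struct

# Assumed values: the walled-garden web server and the port this listens on.
SINKHOLE_IP = "192.0.2.1"        # placeholder (documentation range), not a real host
LISTEN_ADDR = ("0.0.0.0", 5353)  # use 53 in production, with DNAT pointing infected hosts here

def parse_question(data):
    """Return (offset just past the first question, qname) for a DNS packet."""
    off = 12                      # question section starts after the 12-byte header
    labels = []
    while True:
        length = data[off]
        off += 1
        if length == 0:
            break
        labels.append(data[off:off + length].decode("ascii"))
        off += length
    return off + 4, ".".join(labels)   # skip QTYPE and QCLASS

def build_sinkhole_response(query, ip=SINKHOLE_IP):
    """Build a reply to any standard query: one A record pointing at the sinkhole."""
    txid, flags, qdcount = struct.unpack("!HHH", query[:6])
    if qdcount != 1 or flags & 0x8000 or flags & 0x7800:   # not a standard query
        return None
    q_end, qname = parse_question(query)
    qtype = struct.unpack("!H", query[q_end - 4:q_end - 2])[0]
    resp_flags = 0x8480 | (flags & 0x0100)   # QR=1, AA=1, RA=1, RD copied, RCODE=0
    ancount = 1 if qtype == 1 else 0
    header = struct.pack("!HHHHHH", txid, resp_flags, 1, ancount, 0, 0)
    answer = b""
    if qtype == 1:
        # NAME is a compression pointer (0xC00C) back to the question name at offset 12
        answer = struct.pack("!HHHIH", 0xC00C, 1, 1, 60, 4) + socket.inet_aton(ip)
    return header + query[12:q_end] + answer, qname

def serve():
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(LISTEN_ADDR)
    while True:
        data, peer = sock.recvfrom(512)
        try:
            result = build_sinkhole_response(data)
        except (IndexError, UnicodeDecodeError, struct.error):
            continue                 # malformed packet: drop it
        if result:
            resp, qname = result
            print(f"{peer[0]} asked for {qname}")   # who is still infected
            sock.sendto(resp, peer)

if __name__ == "__main__":
    serve()
```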

