Saturday, April 26, 2008

Blackhole DNS

At my last job as a sysadmin at a university, I worked on a project to set up a blackhole DNS server for the campus. The goal of this project was to find a way to reduce the amount of traffic going over our Internet link that was destined for sites hosting malware botnet IRC servers. After we got this set up, we were extremely pleased with the amount of spyware/malware that could no longer communicate with its hosting servers.

The real problem with this project was that it blocked too many sites. When a known malware site was blocked, sometimes the hosting company for that site would get blocked as well. This meant that thousands of sites, completely unrelated, would get blocked. Almost all of the unintentionally blocked sites were perfectly safe to use.
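The over-blocking described above follows directly from how most blackhole DNS setups of the time worked: each blocklist entry was loaded as an authoritative zone pointing at a sinkhole address, so the entry covered the name and every name beneath it. The following is an added example, not code from the original post, that models that lookup in Python and contrasts zone matching with exact matching. All domain names, addresses and the blocklist are constructed for illustration; the sinkhole address 127.0.0.1 is an assumption, since the post does not say what was used.

```python
"""
Added example (not from the original post): a minimal model of the decision a
blackhole DNS resolver makes for each query, showing why a zone-level blocklist
sinkholes unrelated sites while an exact-match blocklist misses hosts under a
blocked domain. Every name, address and list entry here is constructed.
"""

SINKHOLE = "127.0.0.1"  # assumed sinkhole address; not stated by the post

# Constructed blocklist. In a zone-based blackhole, each entry is loaded as an
# authoritative zone, so one entry covers the apex and everything below it.
ZONE_BLOCKLIST = {
    "botnet-c2.example",   # intended: the domain whose hosts serve as C2
    "cheaphost.example",   # unintended: a shared hosting provider's domain
}

# Constructed stand-in for the upstream recursive resolver.
UPSTREAM = {
    "botnet-c2.example": "198.51.100.7",
    "irc.botnet-c2.example": "198.51.100.8",
    "www.cheaphost.example": "203.0.113.1",
    "alice.cheaphost.example": "203.0.113.10",
    "www.example.org": "203.0.113.50",
}


def _labels(name):
    """Normalise a query name into its labels (case-folded, no trailing dot)."""
    return name.lower().rstrip(".").split(".")


def zone_match(qname, blocklist):
    """Return the blocklist zone that covers qname (closest enclosing), or None.

    This mirrors a resolver with each blocklist entry loaded as an authoritative
    zone: the apex and every name beneath it are answered from the sinkhole.
    """
    labels = _labels(qname)
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None


def exact_match(qname, blocklist):
    """Return qname if it is listed verbatim, else None (no subdomain coverage)."""
    name = ".".join(_labels(qname))
    return name if name in blocklist else None


def resolve(qname, blocklist, upstream, matcher=zone_match):
    """Answer a query: sinkhole on a blocklist hit, otherwise forward upstream.

    Returns (address_or_None, reason).
    """
    hit = matcher(qname, blocklist)
    if hit is not None:
        return SINKHOLE, "sinkholed by entry " + hit
    return upstream.get(".".join(_labels(qname))), "forwarded upstream"


def sinkholed_names(blocklist, names, matcher=zone_match):
    """Sorted list of the given names that the resolver would sinkhole."""
    return sorted(n for n in names if matcher(n, blocklist) is not None)


if __name__ == "__main__":
    for name in sorted(UPSTREAM):
        zone_answer = resolve(name, ZONE_BLOCKLIST, UPSTREAM)
        exact_answer = resolve(name, ZONE_BLOCKLIST, UPSTREAM, matcher=exact_match)
        print(f"{name:28} zone: {zone_answer[0]:14} exact: {exact_answer[0]}")
```

Run as a script, the table shows the trade-off the post ran into: zone matching catches `irc.botnet-c2.example` but also takes down every customer under `cheaphost.example`, while exact matching spares the hosting provider's customers but lets `irc.botnet-c2.example` through. Listing entries at the right granularity, and reviewing what each new entry encloses before loading it, is the manual work the post describes as too costly to sustain.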

In the end, we found, as many other people have found, that maintaining a blacklist of sites is difficult and very time-consuming. It is also error-prone. So, although so much malware was blocked, the cost was too high and we had to stop blacklisting sites and let the traffic through.