Building the Linux Malware Lab – DJBDNS

I’m starting with my malware lab but before you read maybe you are interested in REMnux a Linux Distribution for Reverse-Engineering Malware that offers many analysis tools.

My lab will consist in two virtual hosts, one of them will be the victim where all the malware will be executed and the other will act as a server offering “Internet” services to the victim. The hosts will be placed in the 192.168.10.0/24 network (Server 192.168.10.1 and Client 192.168.10.2)

The first service I’m going to configure is DNS and for this task I’ll use DJBDNS. Two years ago I started to hear about D.J Bernstein DNS which wasn’t affected by Dan Kaminsky‘s DNS flaw announce. I like security, so why not use tinydns for this task? The DNS server will be configured to answer queries for the malware.lab domain and it’ll act as a fake root name server.

You can install Tinydns using aptitude but I like to compile things These are the steps I’ve followed.

1. apt-get install build-essential
2. useradd Gtinydns -s /bin/false
3. useradd Gdnslog -s /bin/false
4. mkdir -p /package
5. chmod 1755 /package
6. cd /package
7. wget http://cr.yp.to/daemontools/daemontools-0.76.tar.gz
8. tar xvfz daemontools-0.76.tar.gz
9. rm -f daemontools-0.76.tar.gz
10. cd admin/daemontools-0.76/
11. echo gcc -O2 -include /usr/include/errno.h > conf-cc (don´t forget this!)
12. cd src/
13. echo gcc -O2 -include /usr/include/errno.h > conf-cc (don´t forget this!)
14. cd ..
15. package/install
16. cd /package
17. wget http://cr.yp.to/ucspi-tcp/ucspi-tcp-0.88.tar.gz
18. tar xvfz ucspi-tcp-0.88.tar.gz
19. rm ucspi-tcp-0.88.tar.gz
20. cd ucspi-tcp-0.88/
21. echo gcc -O2 -include /usr/include/errno.h > conf-cc (don´t forget this!)
22. make
23. make setup check
24. cd /package
25. wget http://cr.yp.to/djbdns/djbdns-1.05.tar.gz
26. tar xvfz djbdns-1.05.tar.gz
27. rm djbdns-1.05.tar.gz
28. echo gcc -O2 -include /usr/include/errno.h > conf-cc
29. make
30. make setup check
31. reboot
32. tinydns-conf Gtinydns Gdnslog /etc/tinydns 192.168.10.1
33. ln -s /etc/tinydns /service/tinydns
34. sleep 5
35. svstat /service/tinydns
36. cd /service/tinydns/root
37. ./add-ns . 192.168.10.1 (this server will answer all DNS queries with the same address 192.168.10.1) If you have problems be sure you add this entry to the /etc/tinydns/root/data file  (   +*.:192.168.10.1    )
38. ./add-host server.malware.lab 192.168.10.1
39. ./add-host client.malware.lab 192.168.10.2
40. ./add-ns 10.168.192.in-addr.arpa 192.168.10.1 (It will resolve inverse queries)
41. make

And that’s it (41 steps!), I have a DNS server running… If you need more information visit DJBDNS page.

DJBDNS has been designed to be secure and it’s very easy to manage it (at least compared with BIND)

See ya!

Advertisement