I added this to my edge router to block the DNSChanger trojan. I created a new extended ACL (101) and applied it to the Fast Ethernet interface (Fa0/0) outbound. It blocks outbound DNS requests (UDP port 53, "domain") to the netblock specified in each rule. Cisco ACLs take wildcard masks rather than subnet masks, so you have to convert each prefix; ipcalc does this easily (a /20 becomes 0.0.15.255, a /21 becomes 0.0.7.255, a /24 becomes 0.0.0.255). Note that these entries match UDP only; DNS can also run over TCP port 53, so a matching deny tcp entry per netblock would be needed to cover that too.
ip access-list extended 101
 ! 85.255.112.0/20 DNSChanger
 10 deny udp any 85.255.112.0 0.0.15.255 eq domain log
 ! 67.210.0.0/20 DNSChanger
 20 deny udp any 67.210.0.0 0.0.15.255 eq domain log
 ! 93.188.160.0/21 DNSChanger
 30 deny udp any 93.188.160.0 0.0.7.255 eq domain log
 ! 77.67.83.0/24 DNSChanger
 40 deny udp any 77.67.83.0 0.0.0.255 eq domain log
 ! 213.109.64.0/20 DNSChanger
 50 deny udp any 213.109.64.0 0.0.15.255 eq domain log
 ! 64.28.176.0/20 DNSChanger
 60 deny udp any 64.28.176.0 0.0.15.255 eq domain log
 70 permit ip any any
!
int fa0/0
 ip access-group 101 out
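Hand-converting masks is where mistakes creep in (typing a host address such as 85.255.112.93 instead of the network address, or getting the wildcard off by a bit). The following is an added example, not code from the post, that generates the ACL above from the CIDR list using only the Python standard library: it derives each wildcard mask, normalizes the address to the true network (IOS does the same when it stores the entry), and, going a step beyond the post, emits a tcp entry beside each udp one and uses remark instead of "!" so the label survives in the running config. The netblock list is copied from the post; the ACL number, sequence numbering and helper names are my own.

```python
from __future__ import annotations

import ipaddress

# Input taken from the post: the six DNSChanger netblocks to block.
DNSCHANGER_NETBLOCKS = [
    "85.255.112.0/20",
    "67.210.0.0/20",
    "93.188.160.0/21",
    "77.67.83.0/24",
    "213.109.64.0/20",
    "64.28.176.0/20",
]


def wildcard_mask(prefix_len: int) -> str:
    """Cisco wildcard mask for an IPv4 prefix length.

    A wildcard mask is the bitwise inverse of the subnet mask (0 bits must
    match, 1 bits are "don't care"); ipaddress exposes it as hostmask.
    """
    return str(ipaddress.IPv4Network(f"0.0.0.0/{prefix_len}").hostmask)


def normalize_netblock(cidr: str) -> tuple[str, bool]:
    """Return (network/prefix, had_host_bits).

    IOS rewrites "85.255.112.93 0.0.15.255" to "85.255.112.0 0.0.15.255" when
    it stores the entry; generating from the true network address keeps the
    config you typed and the show output identical.
    """
    addr, _, _ = cidr.partition("/")
    net = ipaddress.IPv4Network(cidr, strict=False)
    return str(net), ipaddress.IPv4Address(addr) != net.network_address


def acl_entry(seq: int, cidr: str, proto: str = "udp") -> str:
    """One deny ACE: any source to the netblock, destination port 53 (domain)."""
    net = ipaddress.IPv4Network(normalize_netblock(cidr)[0])
    return (f" {seq} deny {proto} any {net.network_address} "
            f"{wildcard_mask(net.prefixlen)} eq domain log")


def build_acl(netblocks, number: int = 101, protos=("udp", "tcp"),
              start: int = 10, step: int = 10) -> list[str]:
    """Render the full extended ACL as IOS config lines.

    Hypothetical layout choice: one remark per netblock, then one ACE per
    protocol, with a final permit so other traffic keeps flowing.
    """
    lines = [f"ip access-list extended {number}"]
    seq = start
    for cidr in netblocks:
        network, fixed = normalize_netblock(cidr)
        note = f" (corrected from {cidr})" if fixed else ""
        lines.append(f" remark {network} DNSChanger{note}")
        for proto in protos:
            lines.append(acl_entry(seq, network, proto))
            seq += step
    lines.append(f" {seq} permit ip any any")
    return lines


if __name__ == "__main__":
    print("\n".join(build_acl(DNSCHANGER_NETBLOCKS)))
```

Paste the printed block into config mode, then apply it with ip access-group as in the post; the permit ip any any at the end is what keeps the implicit deny at the bottom of every IOS ACL from cutting off all other traffic.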
To see how bad things are on the network, I can show the access-list hits by using:
cisco# sh access-list 101
Extended IP access list 101
    10 deny udp any 85.255.112.0 0.0.15.255 eq domain log (5 matches)
    20 deny udp any 67.210.0.0 0.0.15.255 eq domain log
    30 deny udp any 93.188.160.0 0.0.7.255 eq domain log
    40 deny udp any 77.67.83.0 0.0.0.255 eq domain log
    50 deny udp any 213.109.64.0 0.0.15.255 eq domain log
    60 deny udp any 64.28.176.0 0.0.15.255 eq domain log
    70 permit ip any any (3058492 matches)
I see that there are 5 matches to the first rule (my tests after I implemented it to ensure it was blocking it). Cool, eh?
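The hit counters tell you how much is being blocked but not by whom. Because every deny entry carries the log keyword, each match also produces a %SEC-6-IPACCESSLOGP syslog message that names the inside source address, which is what you need to find the infected machine. The script below is an added example, not from the post: it parses a few constructed syslog lines in that format (the inside hosts and timestamps are made up, and a line from a hypothetical list 110 is included to show that other ACLs are filtered out) and totals the denied port-53 packets per inside host. The function and variable names are my own.

```python
from __future__ import annotations

import re
from collections import Counter

# Constructed sample syslog text in the %SEC-6-IPACCESSLOGP format IOS emits
# for ACL entries carrying "log". Inside hosts and the list-110 line are made up.
SAMPLE_SYSLOG = """\
Mar  1 10:14:02.311: %SEC-6-IPACCESSLOGP: list 101 denied udp 192.168.1.50(53211) -> 85.255.112.5(53), 1 packet
Mar  1 10:19:02.540: %SEC-6-IPACCESSLOGP: list 101 denied udp 192.168.1.50(53212) -> 85.255.112.5(53), 4 packets
Mar  1 10:15:44.102: %SEC-6-IPACCESSLOGP: list 101 denied udp 192.168.1.73(40000) -> 93.188.162.9(53), 1 packet
Mar  1 10:16:01.554: %SEC-6-IPACCESSLOGP: list 110 denied tcp 192.168.1.20(44123) -> 198.51.100.7(23), 1 packet
Mar  1 10:16:30.009: %SYS-5-CONFIG_I: Configured from console by admin on vty0
"""

# IPACCESSLOGP is the TCP/UDP variant (it carries ports); "packet"/"packets"
# both occur, so the trailing "s" is optional.
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>denied|permitted) "
    r"(?P<proto>\w+) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)


def parse_acl_log(text: str) -> list[dict]:
    """Extract ACL log events from raw syslog text; unrelated messages are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        event = m.groupdict()
        for key in ("sport", "dport", "count"):
            event[key] = int(event[key])
        events.append(event)
    return events


def denied_dns_clients(events: list[dict], acl: str = "101") -> dict[str, int]:
    """Map inside source address -> packets denied to port 53 by the given list.

    The packet count is taken from the message rather than counting lines:
    after the first hit, IOS summarizes further matches (by default at a
    five-minute interval) instead of logging every packet.
    """
    totals: Counter = Counter()
    for e in events:
        if e["acl"] == acl and e["action"] == "denied" and e["dport"] == 53:
            totals[e["src"]] += e["count"]
    return dict(totals)


if __name__ == "__main__":
    for host, packets in sorted(denied_dns_clients(parse_acl_log(SAMPLE_SYSLOG)).items()):
        print(f"{host}: {packets} denied DNS packets")
```

Point the router's logging at a syslog host and feed that file to parse_acl_log; any inside address that keeps showing up after your own tests is a machine whose resolver settings have been changed and needs cleaning.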
More information on DNSChanger:
FBI