Cisco IOS ACL for DNSChanger


I added this to my edge router to block the DNSChanger trojan. I created a new ACL (101) and then applied it to my Fast Ethernet interface (Fa0/0) outbound. This blocks outbound domain requests (DNS) to the netblock specified in each rule. You have to convert subnet masks to wildcard masks; ipcalc does this easily.

ip access-list extended 101
! 85.255.112.0/20 DNSChanger
10 deny udp any 85.255.112.0 0.0.15.255 eq domain log
! 67.210.0.0/20 DNSChanger
20 deny udp any 67.210.0.0 0.0.15.255 eq domain log
! 93.188.160.0/21 DNSChanger
30 deny udp any 93.188.160.0 0.0.7.255 eq domain log
! 77.67.83.0/24 DNSChanger
40 deny udp any 77.67.83.0 0.0.0.255 eq domain log
! 213.109.64.0/20 DNSChanger
50 deny udp any 213.109.64.0 0.0.15.255 eq domain log
! 64.28.176.0/20 DNSChanger
60 deny udp any 64.28.176.0 0.0.15.255 eq domain log
70 permit ip any any
int fa0/0
ip access-group 101 out
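The subnet-mask to wildcard-mask conversion the post does with ipcalc, together with the way IOS normalizes the address in an entry, can be checked offline. The script below is an added example (not from the post or from Cisco): it takes the six DNSChanger prefixes listed above, derives the wildcard for each, renders the same ACL, and answers "which entry would drop DNS to this address?" using the Cisco wildcard rule (0 bits must match, 1 bits are don't care). The `DNSCHANGER_BLOCKS` list and the function names are assumptions of this example.

```python
import ipaddress

# Constructed from the netblocks listed in the post: (prefix, comment).
DNSCHANGER_BLOCKS = [
    ("85.255.112.0/20", "DNSChanger"),
    ("67.210.0.0/20", "DNSChanger"),
    ("93.188.160.0/21", "DNSChanger"),
    ("77.67.83.0/24", "DNSChanger"),
    ("213.109.64.0/20", "DNSChanger"),
    ("64.28.176.0/20", "DNSChanger"),
]


def wildcard_mask(prefix):
    """Return (network address, Cisco wildcard mask) for a CIDR prefix.

    A Cisco wildcard is the bitwise inverse of the subnet mask: 0 bits must
    equal the network address, 1 bits are "don't care". The ipaddress module
    exposes exactly that value as the hostmask.
    """
    net = ipaddress.ip_network(prefix, strict=False)
    return str(net.network_address), str(net.hostmask)


def normalize(address, wildcard):
    """Base address IOS stores for an entry: the address with every wildcard bit cleared.

    This is why an entry typed as '85.255.112.93 0.0.15.255' is displayed by
    'show access-list' as '85.255.112.0 0.0.15.255'; both cover the same hosts.
    """
    a = int(ipaddress.IPv4Address(address))
    w = int(ipaddress.IPv4Address(wildcard))
    return str(ipaddress.IPv4Address(a & (0xFFFFFFFF ^ w)))


def acl_matches(address, network, wildcard):
    """True if the address falls inside the 'network wildcard' pair."""
    return normalize(address, wildcard) == normalize(network, wildcard)


def build_acl(blocks, acl_number=101, start=10, step=10):
    """Render the extended ACL the post describes: one 'deny udp ... eq domain log'
    entry per block (with a '!' comment), then a closing 'permit ip any any'."""
    lines = ["ip access-list extended %d" % acl_number]
    seq = start
    for prefix, comment in blocks:
        network, wildcard = wildcard_mask(prefix)
        lines.append("! %s %s" % (prefix, comment))
        lines.append("%d deny udp any %s %s eq domain log" % (seq, network, wildcard))
        seq += step
    lines.append("%d permit ip any any" % seq)
    return lines


def first_deny(address, blocks, start=10, step=10):
    """Sequence number of the entry that would drop DNS to this address, or None
    if it would fall through to the final permit."""
    seq = start
    for prefix, _ in blocks:
        network, wildcard = wildcard_mask(prefix)
        if acl_matches(address, network, wildcard):
            return seq
        seq += step
    return None


if __name__ == "__main__":
    print("\n".join(build_acl(DNSCHANGER_BLOCKS)))
    print(normalize("85.255.112.93", "0.0.15.255"))  # 85.255.112.0
    print(first_deny("67.210.5.5", DNSCHANGER_BLOCKS))  # 20
    print(first_deny("8.8.8.8", DNSCHANGER_BLOCKS))  # None
```

The generator mirrors the post in matching UDP only; a resolver reached over TCP port 53 would not hit these entries, so a second `deny tcp ... eq domain` line per block is needed if that traffic should be dropped as well.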

To see how bad things are on the network, I can show the access-list hits by using:

cisco# sh access-list 101
Extended IP access list 101
    10 deny udp any 85.255.112.0 0.0.15.255 eq domain log (5 matches)
    20 deny udp any 67.210.0.0 0.0.15.255 eq domain log
    30 deny udp any 93.188.160.0 0.0.7.255 eq domain log
    40 deny udp any 77.67.83.0 0.0.0.255 eq domain log
    50 deny udp any 213.109.64.0 0.0.15.255 eq domain log
    60 deny udp any 64.28.176.0 0.0.15.255 eq domain log
    70 permit ip any any (3058492 matches)

I see that there are 5 matches to the first rule (my tests after I implemented it to ensure it was blocking it). Cool, eh?
More information on DNSChanger:
FBI

#cisco