Often Malware can be downloaded from websites as an accident (hidden iframe content on compromised websites) or may need to communicate to an update server or control server across the Internet. This can be cut off with the use of the DNS and your local cache & recursive resolver.

There are quite a few lists of malware download sites available, this one seems to have a decently comprehensive list and it comes in a good format bind configuration format:

zone “007arcadegames.com” {type master; file “/etc/namedb/blockeddomain.hosts”;};
zone “008i.com” {type master; file “/etc/namedb/blockeddomain.hosts”;};
zone “008k.com” {type master; file “/etc/namedb/blockeddomain.hosts”;};

SAGA-dc.org even provides the empty zone file, to do this in an automated fashion:

put in your root crontab:

31 0,6,12,18 * * * /usr/bin/wget -q -O - http://dns-bh.sagadc.org/files/spywaredomains.zones | sed ‘s/\/namedb\//\/bind\//’ > /etc/bind/spywaredomains.zones 2>&1 && pkill -HUP named

setup named to read this new zone info, add to the bottom of your named.conf:

include “/etc/bind/spywaredomains.zones”;

Now, anyone that uses your recursive resolver should better protected than before…