Security Log Management: Identifying Patterns in the Chaos

Finally, if your organization is trying to combat malware traversing its network and has implemented a blacklist of DNS domains for known malware sites, you can determine the effectiveness of the blacklist simply by looking through the DNS requests (A records again) for all those that resolve to your blackhole host.
There are several options if you want to use DNS domain blacklists to stop malware. The first would be to create your own list based on your organization's own intelligence. This list can be based on something as simple as the list of the top software removal requests that come into the helpdesk, or on other resources. Another option would be to get one from a site or organization that has already done that work and updates its list often, such as the Spyware Listening Post from Bleedingsnort.org (http://www.bleedingsnort.com/staticpages/index.php?_page=listeningpost).
To figure out what to do with your blacklist and how to configure your DNS server, there are several guides at the Bleedingsnort Black Hole DNS project's page (http://www.bleedingsnort.com/blackhole-dns/).
If you choose to set up the malware host to blackhole traffic to all known malware domains, a search through the Bro DNS or even HTTP logs will show how many hosts have malware loaded on them. If your security team is trying to demonstrate the effectiveness of the blackholing, a search through the logs for the malware host such as the following script...
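As an added illustration of that search (example code written for this page, not the author's script), the following Python reads Bro dns.log records, keeps only A lookups whose answers contain the blackhole address, and tallies them per client host and per requested domain. The tab-separated layout with a `#fields` header, the `-` empty-field marker, the comma-separated answers and the address `10.0.0.53` are all assumptions; the sample log lines are constructed.

```python
from collections import Counter

# Constructed placeholder for the blackhole host's address; substitute your own.
BLACKHOLE_IP = "10.0.0.53"

# Constructed sample in the tab-separated Bro dns.log layout (assumed format: a
# "#fields" header names the columns, "-" marks an empty field, and multiple
# answers are comma-separated). Only the columns used below need to be present.
SAMPLE_DNS_LOG = "\n".join([
    "#fields\tts\tid.orig_h\tid.resp_h\tquery\tqtype_name\tanswers",
    "1200000001.1\t192.168.1.10\t192.168.1.2\tbadsite.example\tA\t10.0.0.53",
    "1200000002.3\t192.168.1.10\t192.168.1.2\tevil.example\tA\t10.0.0.53",
    "1200000003.7\t192.168.1.11\t192.168.1.2\tbadsite.example\tA\t10.0.0.53",
    "1200000004.0\t192.168.1.12\t192.168.1.2\tgood.example\tA\t93.184.216.34,93.184.216.35",
    "1200000005.2\t192.168.1.12\t192.168.1.2\tnxdomain.example\tA\t-",
    "1200000006.9\t192.168.1.13\t192.168.1.2\tbadsite.example\tAAAA\t-",
])


def parse_dns_log(log_text):
    """Yield one dict per record, taking column names from the #fields header."""
    fields = None
    for line in log_text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue  # blank lines, other header lines, or data before any header
        parts = line.split("\t")
        if len(parts) != len(fields):
            continue  # truncated or malformed record: skip rather than misalign columns
        yield dict(zip(fields, parts))


def blackholed_lookups(log_text, blackhole_ip=BLACKHOLE_IP):
    """Return (per-host, per-domain) counts of A lookups answered with the blackhole IP."""
    by_host, by_domain = Counter(), Counter()
    for rec in parse_dns_log(log_text):
        if rec.get("qtype_name") != "A":
            continue  # only A records, as the text describes
        # An empty answers field is "-", which never matches the address.
        if blackhole_ip in rec.get("answers", "-").split(","):
            by_host[rec["id.orig_h"]] += 1
            by_domain[rec["query"]] += 1
    return by_host, by_domain


if __name__ == "__main__":
    hosts, domains = blackholed_lookups(SAMPLE_DNS_LOG)
    print("Hosts that hit the blackhole:", dict(hosts))
    print("Blackholed domains requested:", dict(domains))
```

Point it at a real dns.log by reading the file into `log_text`; a host that appears repeatedly is a candidate for cleanup, and a domain that appears often is one the blacklist is demonstrably catching.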