Details
- ID: CM0009
- Version: 1.0
- Created: 14 March 2025
- Modified: 14 March 2025
- Type: Refresh
- Status: Active
Intended Outcome
Updating the Domain Name System (DNS) deny list blocks adversary command and control (C2) traffic to known malicious domains.
Introduction
Adversaries who acquire infrastructure can register or compromise domains and use them as C2 endpoints for offensive operations.
Preparation
No Preparation content identified.
Risks
- Blocking domains can unintentionally prevent access to domains that are needed for the enterprise. Review additions against an allow list of business-critical domains before deploying them.
Guidance
DNS blacklists (DNSBLs) or deny lists are commonly used to filter and block email originating from known bad domains. They can also be used to block ranges of IP addresses, or even an entire internet service provider known for sending spam. Applied at the enterprise resolver, the same lists block the name lookups that C2 implants depend on. There are two ways to block a domain:
- Domain redirect: the resolver answers a query for a flagged domain with the address of a quarantine zone (a sinkhole), so the connection is diverted rather than completed.
- Request denied: the resolver refuses to answer DNS queries for flagged domains, typically with an NXDOMAIN or REFUSED response code.
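The two blocking styles above, worked through on the DNS wire format as an added example (this is not code from the original countermeasure page or from any particular resolver product). The deny list, the allow list, the query bytes and the sinkhole address 192.0.2.1 are constructed for illustration. Matching is label-aware, so blocking evil.example also covers www.evil.example but not notevil.example, and an allow-listed subdomain is carved out first, which addresses the over-blocking risk noted earlier.

```python
"""Toy DNS deny-list filter (added example, not from the original page).

Inspects a single-question DNS query and enforces one of the blocking
styles the guidance describes:
  * redirect  - flagged names resolve to a sinkhole/quarantine address
  * nxdomain  - flagged names are answered with RCODE 3 (NXDOMAIN)
  * refused   - flagged names are answered with RCODE 5 (REFUSED)
Domain names, the sinkhole address and the query bytes are constructed;
nothing here is taken from a real deny list.
"""
import struct

SINKHOLE_IP = "192.0.2.1"                      # TEST-NET-1, assumed quarantine address
DENY_LIST = {"evil.example", "c2.bad.test"}    # constructed deny list
ALLOW_LIST = {"payroll.evil.example"}          # hypothetical business-needed exception

RCODES = {"nxdomain": 3, "refused": 5}


def encode_name(name: str) -> bytes:
    """Encode a dotted name as length-prefixed DNS labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def decode_name(msg: bytes, offset: int):
    """Decode an uncompressed name; return (lowercased name, offset after it)."""
    labels = []
    while True:
        length = msg[offset]
        offset += 1
        if length == 0:
            return ".".join(labels), offset
        if length & 0xC0:
            raise ValueError("compression pointer not expected in a query QNAME")
        labels.append(msg[offset:offset + length].decode("ascii").lower())
        offset += length


def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Construct a client query (RD=1) for the given name and record type."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def is_denied(qname: str) -> bool:
    """Label-aware match: the name itself or any parent domain must be on the
    deny list, so notevil.example is not caught by evil.example. The allow
    list is checked first so a needed subdomain can be exempted."""
    labels = qname.lower().rstrip(".").split(".")
    candidates = {".".join(labels[i:]) for i in range(len(labels))}
    if candidates & ALLOW_LIST:
        return False
    return bool(candidates & DENY_LIST)


def apply_policy(query: bytes, mode: str):
    """Return (action, response_bytes). action is 'pass' (forward upstream,
    response is None), 'redirect', 'nxdomain' or 'refused'."""
    txid, flags, qdcount = struct.unpack("!HHH", query[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    qname, end = decode_name(query, 12)
    qtype, = struct.unpack("!H", query[end:end + 2])
    question = query[12:end + 4]
    if not is_denied(qname):
        return "pass", None

    resp_flags = 0x8000 | (flags & 0x0100) | 0x0080   # QR=1, copy RD, RA=1
    if mode == "redirect":
        answer, ancount = b"", 0
        if qtype == 1:   # A question gets a sinkhole A record; other types get NODATA
            rdata = bytes(int(o) for o in SINKHOLE_IP.split("."))
            answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + rdata
            ancount = 1
        header = struct.pack("!HHHHHH", txid, resp_flags, 1, ancount, 0, 0)
        return "redirect", header + question + answer
    if mode in RCODES:
        header = struct.pack("!HHHHHH", txid, resp_flags | RCODES[mode], 1, 0, 0, 0)
        return mode, header + question
    raise ValueError(f"unknown mode {mode!r}")


def summarize(response: bytes) -> dict:
    """Pull the transaction id, RCODE and any A-record addresses out of a response."""
    txid, flags, _qd, an = struct.unpack("!HHHH", response[:8])
    _, off = decode_name(response, 12)
    off += 4                                  # skip QTYPE/QCLASS
    addrs = []
    for _ in range(an):
        off += 2                              # compressed NAME pointer
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", response[off:off + 10])
        off += 10
        if rtype == 1:
            addrs.append(".".join(str(b) for b in response[off:off + rdlen]))
        off += rdlen
    return {"txid": txid, "rcode": flags & 0x000F, "answers": addrs}


if __name__ == "__main__":
    for name in ("www.evil.example", "notevil.example", "payroll.evil.example"):
        for mode in ("redirect", "nxdomain"):
            action, resp = apply_policy(build_query(name), mode)
            print(name, mode, action, summarize(resp) if resp else "forwarded upstream")
```

In production the same two actions are provided natively by resolvers rather than hand-built: BIND Response Policy Zones (RPZ) offer NXDOMAIN and Local Data (sinkhole) policies, and Unbound's `local-zone` supports the `always_nxdomain`, `always_refuse` and `redirect` types. Whichever is used, log the blocked queries, since a burst of lookups for a deny-listed name from one host is itself a C2 indicator.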