Bret Staton

Cybersecurity Expert

Incident Responcer

Penitration Tester

Linux & Windows Systems Engineer

Freelance Writer

Bret Staton

Cybersecurity Expert

Incident Responcer

Penitration Tester

Linux & Windows Systems Engineer

Freelance Writer

Blog Post

Windows Client Hardening

March 13, 2021 Blue Team

Securing & Blocking Malicious DNS Requests

     Domain Name Resolution(DNS) translates domain names like “google.com” to an IP address of “8.8.8.8” so computers can understand where things are on the Internet. Most malware, spam emails, and malicious websites rely on DNS. By filtering out malicious DNS requests we can prevent malware from calling home or downloading more malware. Luckily, such a filtering service exists for free. QUAD9.net runs a free service that monitors malicious domain names and will block those DNS requests. All we need to do is configure our computer’s DNS servers to use QUAD9 and block any other DNS server from being used.

To set the QUAD9 DNS servers run the following in an Administrative PowerShell prompt.

Windows PowerShell 
Get-NetIPConfiguration | Foreach IPv4DefaultGateway | Set-DnsClientServerAddress -InterfaceIndex {$_.ifIndex} -ServerAddresses 9.9.9.9,149.112.112.112 ; ipconfig /all 

Now we need to prevent any other DNS service from being used for DNS resolution. We can do this by setting up a firewall rule that will only allow DNS requests with a destination of IPs 9.9.9.9 & 149.112.112.112.

Run the following in an Administrative PowerShell prompt.

 Windows PowerShell  
New-NetFirewallRule -DisplayName 'Allowed_DNS_Servers' -Profile @('Domain', 'Private','Public') -Direction Outbound -Action Allow -Protocol UDP -RemotePort '53' -RemoteAddress @('9.9.9.9', '149.112.112.112') 

Taggs:
Write a comment