Warning: the below may be considered off topic.

Have you considered how you will manage malicious websites/IPs?
Have you checked if anyone else is managing this via DNS?
What about malware that writes/hijacks MS windows hosts files?
Such infected devices will not make DNS queries and, therefore, will bypass
such a configuration.

Perhaps force http/https traffic through a proxy where URLs can be scrubbed for
malicious content?
For example, using Squid (www.squid-cache.net) and its ACL functionality, such as:

    acl maliciousregex urlpath_regex -i "/path/to/file/which/has/maliciousregex"
    http_access deny maliciousregex

Furthermore, I recall reading about the ability to configure Squid to use a freeware
version of what the websense vendor-ware does. I never tried this, however.

Finally, one could write scripts to run reports on those devices making
requests for malware so it could be acted upon.

My intent was not to get off topic, but to offer another solution to what you
may be ultimately trying to achieve.
I included the list in case someone else may find value in my reply.


--- pthomp@gmail.com wrote:

> Greetings all,
> I'm trying to write a document about how we could intercept requests to
> potentially malicious websites using DNS forwarding. After doing some
> reading I stumbled across stub zones. What I don't fully understand is
> the implementation of this or which would be better.
> Example:
> Client infected with malware tries to get to something.ru. So we tell
> our internal DNS servers to tell the client that instead of going out,
> my little server over here is actually something.ru effectively
> intercepting the request.
> I assumed creating a simple forward zone for *.ru would be the best way
> to accomplish this, but then I have to create a forward zone for every
> domain I want forwarded. With the stub zone I understand that I could
> just provide the DNS admin the root.stubs.conf file and this would
> effectively accomplish the same thing? Can you use wildcards in the
> root.stubs file? i.e. *.ru?
> Could someone please clarify this for me as I'm confused if they work
> the same way.
> Thanks in advance.
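The reply above suggests scripting reports on which devices request malware through the proxy. The following is an added example, not code from either poster: it parses Squid's native access.log format (constructed sample lines, not real traffic), applies a list of path regexes in the same spirit as the urlpath_regex ACL file, and tallies matching or denied requests per client IP. The pattern list and log lines are assumptions made up for the demonstration.

```python
"""Report which proxy clients requested URLs that a Squid urlpath_regex
ACL would have blocked, by parsing Squid's native access.log format."""
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample of Squid native access.log lines (not real traffic).
# Fields: timestamp elapsed client action/status size method URL ident hierarchy/from type
SAMPLE_ACCESS_LOG = """\
1166033742.432    120 10.0.0.5 TCP_DENIED/403 1407 GET http://bad.example.ru/loader/update.exe - NONE/- text/html
1166033743.101     85 10.0.0.7 TCP_MISS/200 5120 GET http://www.example.com/index.html - DIRECT/192.0.2.10 text/html
1166033744.555    130 10.0.0.5 TCP_DENIED/403 1407 GET http://c2.example.ru/gate.php?id=1 - NONE/- text/html
1166033745.020     90 10.0.0.9 TCP_MISS/200 2048 GET http://cdn.example.net/img/logo.png - DIRECT/192.0.2.20 image/png
1166033746.777    110 10.0.0.9 TCP_DENIED/403 1407 GET http://www.example.com/cgi-bin/dropper.exe - NONE/- text/html
"""

# Constructed patterns, the kind of entries the urlpath_regex file would hold.
# Squid's -i flag makes them case-insensitive, so we compile them the same way.
MALICIOUS_URLPATH_PATTERNS = [
    r"/gate\.php",
    r"\.exe$",
]

# One regex for the whole native log line; every field is a named group.
LOG_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<action>[A-Z_]+)/(?P<status>\d{3})\s+(?P<size>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<ident>\S+)\s+"
    r"(?P<hier>\S+)\s+(?P<type>\S+)\s*$"
)


def parse_access_log(text):
    """Return one dict per well-formed log line; unparseable lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def url_path(url):
    """Path plus query string, the portion urlpath_regex is matched against."""
    parts = urlsplit(url)
    return parts.path + ("?" + parts.query if parts.query else "")


def report_by_client(text, patterns):
    """Count per client IP the requests that Squid denied or whose path
    matches one of the malicious patterns (covers requests logged before
    the ACL was deployed). Returns {client_ip: count}."""
    compiled = [re.compile(p, re.IGNORECASE) for p in patterns]
    counts = Counter()
    for rec in parse_access_log(text):
        denied = rec["action"].startswith("TCP_DENIED")
        path = url_path(rec["url"])
        if denied or any(c.search(path) for c in compiled):
            counts[rec["client"]] += 1
    return dict(counts)


if __name__ == "__main__":
    # Sorted so the noisiest client (likely infected) is listed first.
    for client, n in sorted(report_by_client(SAMPLE_ACCESS_LOG,
                                             MALICIOUS_URLPATH_PATTERNS).items(),
                            key=lambda kv: -kv[1]):
        print(f"{client}\t{n} malicious request(s)")
```

The script counts both requests Squid already denied and requests that only match the pattern list, so it can be run over historical logs from before the ACL was in place to find hosts that were already reaching out. In production the sample string would be replaced by reading /var/log/squid/access.log, and the output is the starting point for the follow-up the reply mentions, such as isolating the client.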