You might be interested in this white paper.

http://staff.science.uva.nl/~delaat/...p12/report.pdf

Quoting Fr34k :

> Hello,
>
> Warning: the below may be considered off topic.
>
> Have you considered how you will manage malicious websites/IPs?
> Have you checked if anyone else is managing this via DNS?
> What about malware that writes/hijacks MS windows hosts files?
> Such infected devices will not make DNS queries and, therefore, will bypass
> such a configuration.
>
> Perhaps force http/https traffic through a proxy where URLs can be scrubbed
> for malicious content?
> For example, using Squid (www.squid-cache.net) and its ACL functionality such as:
> acl maliciousregex urlpath_regex -i "/path/to/file/which/has/maliciousregex"
> http_access deny maliciousregex
>
> Furthermore, I recall reading the ability to config Squid to use a freeware
> version of what the websense vendor-ware does. I never tried this, however.
>
> Finally, one could write scripts to run reports on those devices making
> requests for malware so it could be acted upon.
>
> My intent was not to get off topic, but to offer another solution to what you
> may be ultimately trying to achieve.
> I included the list in case someone else may find value in my reply.
>
> HTH
>
> --- pthomp@gmail.com wrote:
>
> > Greetings all,
> >
> > I'm trying to write a document about how we could intercept requests to
> > potentially malicious websites using DNS forwarding. After doing some
> > reading I stumbled across stub zones. What I don't fully understand is
> > the implementation of this or which would be better.
> >
> > Example:
> >
> > Client infected with malware tries to get to something.ru So we tell
> > our internal DNS servers to tell the client that instead of going out,
> > my little server over here is actually something.ru effectively
> > intercepting the request.
> >
> > I assumed creating a simple forward zone for *.ru would be the best way
> > to accomplish this, but then I have to create a forward zone for every
> > domain I want forwarded. With the stub zone I understand that I could
> > just provide the DNS admin the root.stubs.conf file and this would
> > effectively accomplish the same thing? Can you use wildcards in the
> > root.stubs file? i.e. *.ru?
> >
> > Could someone please clarify this for me as I'm confused if they work
> > the same way.
> >
> > Thanks in advance.
> >
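One way to do the reporting Fr34k suggests (a script that lists the devices requesting URLs on the malicious-regex list), as an added example that is not part of this thread. It assumes Squid's default access.log format and a regex list like the file handed to `urlpath_regex -i`; the log lines and patterns below are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed stand-in for the file Squid's urlpath_regex ACL would read
# (one regex per line, matched case-insensitively because of the -i flag).
MALICIOUS_PATH_REGEXES = [
    r"/dl/.*\.exe$",
    r"/gate\.php",
    r"/wp-content/uploads/.*\.scr$",
]

# Constructed access.log lines in Squid's default "squid" log format:
# time elapsed client action/status bytes method URL ident hierarchy/peer type
SAMPLE_ACCESS_LOG = """\
1302035000.123    456 10.0.0.5 TCP_DENIED/403 3816 GET http://something.ru/dl/bad.exe - HIER_NONE/- text/html
1302035001.004     12 10.0.0.7 TCP_MISS/200 1204 GET http://example.com/index.html - HIER_DIRECT/93.184.216.34 text/html
1302035002.550    300 10.0.0.5 TCP_DENIED/403 3816 POST http://c2.example.net/gate.php - HIER_NONE/- text/html
1302035003.001     20 10.0.0.9 TCP_MISS/200 55000 GET http://cdn.example.org/wp-content/uploads/X.SCR - HIER_DIRECT/203.0.113.9 application/octet-stream
"""

def parse_access_line(line):
    """Split one access.log line into the fields the report needs."""
    fields = line.split()
    if len(fields) < 7:
        return None
    return {"client": fields[2], "action": fields[3], "url": fields[6]}

def url_path(url):
    """The part urlpath_regex tests: path plus query string, host excluded."""
    parts = urlsplit(url)
    return parts.path + ("?" + parts.query if parts.query else "")

def report_malicious_requests(log_text, patterns):
    """Map each client IP to the requests whose URL path matched a regex.
    Requests Squid did not deny (e.g. made before the regex list was updated)
    are kept too, flagged denied=False, so the device still gets followed up."""
    compiled = [re.compile(p, re.IGNORECASE) for p in patterns]
    hits = defaultdict(list)
    for line in log_text.splitlines():
        entry = parse_access_line(line)
        if entry is None:
            continue
        path = url_path(entry["url"])
        if any(rx.search(path) for rx in compiled):
            denied = entry["action"].startswith("TCP_DENIED")
            hits[entry["client"]].append((entry["url"], denied))
    return dict(hits)
```

Run `report_malicious_requests(open("/var/log/squid/access.log").read(), MALICIOUS_PATH_REGEXES)` against a real log to get the per-device list; entries flagged `False` are matches the proxy let through.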