2020-07-27 ioc2rpz @ BlackHat USA 2020 Arsenal
Next week I’ll be presenting my open source projects ioc2rpz and RpiDNS @ BlackHat Arsenal. The session is scheduled on August 5 @ 12pm PDT. https://www.blackhat.com/us-20/arsenal/schedule/#iocrpz-where-threat-intelligence-meets-dns-20685
This year it will be a virtual event and you can attend the arsenal demos and the business hall for free with a business pass: https://www.blackhat.com/us-20/registration.html
Join the session and ask any questions related to the projects and DNS Security in general.
2020-04-27 RpiDNS - new features
RpiDNS got new features:
- recommended RPZ feeds
- when you create a new RpiDNS recommended RPZ feeds are checked by default;
- secondary RpiDNS
- you are able to create a primary RpiDNS and a secondary RpiDNS so the local DNS zone and local RPZs are managed on the primary server and distributed to the secondary.
If you already using RpiDNS in you network and want to use a secondary RpiDNS you may:
- update bind's configuration manually to allow updates to the local zone and local RPZs. After that install a secondary RpiDNS;
- reinstall primary RpiDNS:
- download DB file;
- reinstall RpiDNS;
- replace DB with the old one;
- toggle all locally created whitelisted and blacklisted indicators;
- install a secondary RpiDNS.
- if you don't need any data from DB - just reinstall the primary RpiDNS and install a secondary.
Please leave your comments in the telegram channel.
2020-03-31 RpiDNS - DNS Security for your home/office in 10 minutes or so
I'm happy to announce that I've just released RpiDNS for beta testing.RpiDNS is not a new DNS server but a package which includes preconfigured ISC Bind with community RPZ feeds, OpenResty for a walled garden page (SSL certificates are generated on the fly) and a management interface, RSyslog to accept and forward logs to a syslog collector (can be another RpiDNS). Right now the installation script supports only the recent Raspbian distribution with SQLite on backend. In the roadmap to support Ubuntu and PostreSQL so it will be easy to deploy it in an office.
The installation takes about 10 minutes on Pi Zero.
2019-12-24 What's on your DNS?
The recent update ioc2rpz includes a new API call to check if a domain/hostname or IP-address are blocked by RPZ feeds.The ioc2rpz community got a new tool "IoC Lookup" which leverage the API call and checks the community RPZ feeds as well as provides an easy way to drill down to DuckDuckGo, Google, VirusTotal, RiskIQ Community and DomainTools.
ioc2rpz is a custom DNS server which converts threat feeds into RPZ/DNS Firewall feeds and maintains them. ioc2rpz community is powered by ioc2rpz.
Merry and Secure Christmas!
2019-12-14 New DNS Firewall feed! notracking-dead.ioc2rpz.net
Recently the notracking feed (https://github.com/notracking/hosts-blocklists/) was updated by the feed provider. They started monitoring all hostname and domains. In case the A, AAAA, CNAME and NS records return NXDOMAIN they will be marked as dead and removed from hostnames. Domains are tested on their whois data, all unregistered domains will be filtered out of domains. This feed contains the dead domains and hosts.Even if a domain or host is not registered it still may be used and reused/hijacked for other malicious activity. Using this feed you can monitor and block that.
2019-10-31 New DNS Firewall feed! dga-360.ioc2rpz.net
Today we have exciting news. A new DNS Firewall feed was added to the ioc2rpz community. Right now it is running in the test mode so there could be some changes.dga-360.ioc2rpz - contains DGA domains generated by these malware families: Bamital, Banjori, Blackhole, Ccleaner, Chinad, Conficker, Cryptolocker, Dircrypt, Dyre, Emotet, Enviserv, Feodo, Fobber Gameover, Gspy, Locky, Madmax, Matsnu, Mirai, Murofet, Mydoom, Mecurs, Nymaim, Omexo, Padcrypt, Proslikefan, Pykspa, Qadars, Ramnit, Ranbyus, Rovnix, Shifu, Shiotob, Simda, Suppobox, Symmi, Tempedreve, Tinba, Tinynuke, Tofsee, Vawtrak, Vidro, Virut, Xshellghost.
The feed is powered by Netlab 360 (http://data.netlab.360.com/dga/) data.
DGA domains are used as rendezvous points for Command and Control. Malware can generate thousands domains using a defined algorithm. Even if C&C botnet was already taken down it is important to monitor the domains because they can be reused by other malware as well as your network still can be infected.
The feed currently contains about 1.2 million domains so please check if your DNS server is able to handle it.
In total on ioc2rpz community you can get 7 security feeds and 4 whitelists.
2019-09-26 New feature - community whitelist
The community whitelist is used to remediate false positives in other feeds. Of course you can use own whitelist on your DNS server but it is a bit less convenient. You can add and remove own indicators as well as vote for indicators submitted by other community users.To apply the whitelist you can use the following feeds:
- whitelist.ioc2rpz - verified whitelist. Domain based
- whitelist-ip.ioc2rpz - verified whitelist. IP based
- whitelist-raw.ioc2rpz - raw whitelist (positive votes). Domain based.
- whitelist-raw-ip.ioc2rpz - raw whitelist (positive votes). IP based.
2019-09-25 New DNS Firewall feed - doh.ioc2rpz
If you protect your network on DNS you must block communications to any 3rd party DNS server your applications or devices may use. Vice versa your DNS Firewall will be useless. The feed contains publicly available DNS over HTTPs (DoH) servers and canary domains.2019-09-24 New DNS Firewall feed - bogons-ipv4.ioc2rpz
A bogon prefix is a route that should never appear in the Internet routing table. The RPZ feed includes IP space that has been allocated to an RIR, but not assigned by that RIR to an actual ISP or other end-user.The RPZ is generated from IPv4 bogon feed by Team Cymru (https://www.team-cymru.com/bogon-reference.html).
2019-08-01 Welcome to the ioc2rpz community!
What is ioc2rpz community?
ioc2rpz community is a portal which provides free of charge DNS Firewall (or Response Policy Zone) feeds. The DNS Firewall feeds are based on publicly available threat intelligence(TI). The TI feeds are maintained by 3rd party communities or companies and only a limited number of indicatores were whitelisted. We are not validating the TI feeds on false positives.
DNS Firewall feeds provided "as-is". They may contain false positives.
If you have any questions, comments, proposals or want to provide any feedback please contact us.
News | ioc2rpz technology | Terms & conditions | Sponsorship | Contact us