URLhaus is a project operated by abuse.ch (https://urlhaus.abuse.ch). The purpose of the project is to collect, track and share malware URLs, helping network administrators and security analysts to protect their network and customers from cyber threats. urlhaus.ioc2rpz feed contains only malicious domains.
The malicious.ioc2rpz feed was also updated to include URLhaus data.
RiskAnalytics decided to shut off their free threat intelligence feed which was used as a source for dns-bh.ioc2rpz. Unfortunately I was not able to negotiate a free access to the source for our community.
dns-bh.ioc2rpz feed is officially deprecated and will be removed from ioc2rpz community portal on 2021-03-01. Please reconfigure your DNS servers.
I'm glad to announce a new ioc2rpz community website feature - custom country RPZ feeds. With the country-based RPZ feeds you may extend your security policies to monitor or even block connections on DNS to resources located in specified countries. For example, you may monitor/block connections to countries on the US sanctions list, e.g. North Korea.
The feed has 3 flavours: TLDs, IPv4 networks and IPv6 networks. IPv4/IPv6 country information is powered by GeoLite2 data created by MaxMind. The country database is updated weekly.
Country RPZ feeds can be used to reduce your attack surface and/or to implement policies that restrict access due to some regulations or requirements. You need to be extra cautious when deploying such feeds in production.
Do you know how many Top Level Domains (TLDs) are delegated right now? A lot - 1508! I bet that you intentionally (typing it in a browser) don't use even 5% (75) of the TLDs, and some of these TLDs are abused a lot (like .tk, .top).
So maybe just block the 95% of TLDs you never use and significantly reduce the attack surface?
For me it seems an easy and viable solution for home office and in the office/DC you may just block the abused TLDs.
How? Obviously if you own DNS, you can do it on DNS and with this post I'm glad to announce a new feature on the ioc2rpz community website (https://ioc2rpz.net) - custom DNS Firewall feeds (based on TLDs).
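To make the two preceding posts concrete (the country feeds with their TLD/IPv4/IPv6 flavours, and the "block the TLDs you never use" idea), here is an added example that is not ioc2rpz or RpiDNS code: a small generator for a BIND-style RPZ zone. It emits a QNAME trigger for every delegated TLD that is not on your allowlist and an rpz-ip trigger for each country netblock, and it emulates the TLD lookup so you can check what a given query name would hit. The TLD list, the allowlist, the netblocks and the zone origin `rpz.example` are constructed placeholders; the real inputs would be the IANA root zone list and the GeoLite2 data the post mentions.

```python
"""Generate an RPZ policy zone that blocks unused TLDs and country netblocks.

Added example, not ioc2rpz/RpiDNS code. All data below is constructed
sample data; the real delegated TLD list comes from IANA and the per-country
networks from GeoLite2.
"""
import ipaddress

# Constructed sample of delegated TLDs (the real root zone has ~1500).
DELEGATED_TLDS = ["com", "net", "org", "uk", "de", "tk", "top", "xyz", "kp"]
# TLDs the organisation actually uses; everything else gets blocked.
ALLOWED_TLDS = {"com", "net", "org", "uk", "de"}
# Placeholder documentation ranges standing in for a country's netblocks.
COUNTRY_NETWORKS = ["192.0.2.0/24", "198.51.100.0/25", "2001:db8::/32"]


def blocked_tlds(delegated, allowed):
    """Every delegated TLD that is not on the allowlist, lower-cased and sorted."""
    return sorted({t.lower() for t in delegated} - {t.lower() for t in allowed})


def tld_rules(tlds):
    """QNAME triggers for a TLD and everything beneath it.

    'CNAME .' is the RPZ action that makes the resolver answer NXDOMAIN.
    The bare TLD rule is needed because '*.tld' does not match 'tld' itself.
    """
    rules = []
    for tld in tlds:
        rules.append(f"{tld} CNAME .")
        rules.append(f"*.{tld} CNAME .")
    return rules


def rpz_ip_trigger(cidr):
    """Encode a CIDR as an RPZ response-IP trigger.

    Format: <prefixlen>.<address labels reversed>.rpz-ip, where IPv6 uses
    the 16-bit groups as labels and 'zz' stands for the '::' run.
    strict=True rejects prefixes with host bits set, so a typo in the
    netblock list fails loudly instead of silently blocking the wrong range.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version == 4:
        labels = str(net.network_address).split(".")
    else:
        text = net.network_address.compressed.replace("::", ":zz:")
        labels = [group for group in text.split(":") if group]
    labels.reverse()
    return f"{net.prefixlen}." + ".".join(labels) + ".rpz-ip"


def ip_rules(networks):
    """Response-IP triggers that NXDOMAIN any answer pointing into the netblocks."""
    return [f"{rpz_ip_trigger(cidr)} CNAME ." for cidr in networks]


def build_zone(origin, tlds, networks, serial=1):
    """Assemble a complete zone file body: SOA, NS, then the policy records."""
    lines = [
        f"$ORIGIN {origin}.",
        "$TTL 300",
        f"@ SOA ns.{origin}. hostmaster.{origin}. {serial} 3600 900 604800 300",
        f"@ NS ns.{origin}.",
    ]
    lines += tld_rules(tlds)
    lines += ip_rules(networks)
    return "\n".join(lines) + "\n"


def tld_blocked(qname, tlds):
    """Emulate the QNAME trigger: normalise the name and test its last label."""
    name = qname.rstrip(".").lower()
    if not name:
        return False
    return name.rsplit(".", 1)[-1] in set(tlds)


if __name__ == "__main__":
    tlds = blocked_tlds(DELEGATED_TLDS, ALLOWED_TLDS)
    print(build_zone("rpz.example", tlds, COUNTRY_NETWORKS))
    for q in ("login.example.com", "free-stuff.tk.", "tk"):
        print(q, "->", "NXDOMAIN" if tld_blocked(q, tlds) else "pass")
```

Load the generated zone as a `response-policy` zone in BIND (or whatever RPZ-capable resolver you run) and start it in log-only mode before enforcing; the country netblocks in particular will catch CDNs and cloud regions you did not expect, which is the reason the post tells you to be cautious in production. Bump `serial` on every regeneration so secondaries pick up the change.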
With this upgrade multiple changes were introduced to the community portal: new RPZ feeds were introduced, RpiDNS is now supported on a generic Ubuntu 20.04 x64 server, and the community whitelist feeds were obsoleted.
Obsoleted feeds: whitelist.ioc2rpz, whitelist-raw.ioc2rpz, whitelist-ip.ioc2rpz, whitelist-raw-ip.ioc2rpz.
Right now on the ioc2rpz community portal you can get 13 security and policy DNS firewall feeds with 10.5M rules free of charge.
What's on your DNS?
If you missed ioc2rpz demo @ BlackHat USA Arsenal this year, you can watch this prerecorded video.
Next week I’ll be presenting my open source projects ioc2rpz and RpiDNS @ BlackHat Arsenal. The session is scheduled on August 5 @ 12pm PDT. https://www.blackhat.com/us-20/arsenal/schedule/#iocrpz-where-threat-intelligence-meets-dns-20685
This year it will be a virtual event and you can attend the arsenal demos and the business hall for free with a business pass: https://www.blackhat.com/us-20/registration.html
Join the session and ask any questions related to the projects and DNS Security in general.
RpiDNS got new features:
If you are already using RpiDNS in your network and want to use a secondary RpiDNS you may:
Please leave your comments in the telegram channel.