Do you know how many Top Level Domains (TLD) are delegated right now? A lot - 1508! I bet that you intentionally (typing it in a browser) don't even use 5% (75) of the TLDs + some these TLDs are abused a lot (like .tk, .top).
So may be just block 95% TLDs you never use and significantly reduce the attack surface?
For me it seems an easy and viable solution for home office and in the office/DC you may just block the abused TLDs.
How? Obviously if you own DNS, you can do it on DNS and with this post I'm glad to announce a new feature on the ioc2rpz community website (https://ioc2rpz.net) - custom DNS Firewall feeds (based on TLDs).
With this upgrade multiple changes were introduces to the community portal: new RPZ feeds were introduced, RpiDNS is now supported on generic Ubuntu 20.04 x64 server, community whitelist feeds were obsoleted.
Obsoleted feeds: whitelist.ioc2rpz, whitelist-raw.ioc2rpz, whitelist-ip.ioc2rpz, whitelist-raw-ip.ioc2rpz.
Right now on the ioc2rpz community you can get 13 security and policy DNS firewall feeds with 10,5M rules free of charge.
What's on your DNS?
If you missed ioc2rpz demo @ BlackHat USA Arsenal this year, you can watch this prerecorded video.
Next week I’ll be presenting my open source projects ioc2rpz and RpiDNS @ BlackHat Arsenal. The session is scheduled on August 5 @ 12pm PDT. https://www.blackhat.com/us-20/arsenal/schedule/#iocrpz-where-threat-intelligence-meets-dns-20685
This year it will be a virtual event and you can attend the arsenal demos and the business hall for free with a business pass: https://www.blackhat.com/us-20/registration.html
Join the session and ask any questions related to the projects and DNS Security in general.
RpiDNS got new features:
If you already using RpiDNS in you network and want to use a secondary RpiDNS you may:
Please leave your comments in the telegram channel.