Home / News / How to

2020-10-26 TLD based custom feeds - new feature

Do you know how many Top Level Domains (TLD) are delegated right now? A lot - 1508! I bet that you intentionally (typing it in a browser) don't even use 5% (75) of the TLDs + some these TLDs are abused a lot (like .tk, .top).
So may be just block 95% TLDs you never use and significantly reduce the attack surface?
For me it seems an easy and viable solution for home office and in the office/DC you may just block the abused TLDs.

How? Obviously if you own DNS, you can do it on DNS and with this post I'm glad to announce a new feature on the ioc2rpz community website (https://ioc2rpz.net) - custom DNS Firewall feeds (based on TLDs).

2020-09-13 What's on your DNS?

ioc2rpz feeds


With this upgrade multiple changes were introduces to the community portal: new RPZ feeds were introduced, RpiDNS is now supported on generic Ubuntu 20.04 x64 server, community whitelist feeds were obsoleted.

New feeds:

  • adultfree.ioc2rpz - Adult free content powered by The Block List Project (https://github.com/blocklistproject/Lists).The feed is based on: abuse, drugs, gambling, porn lists.
  • covid19.ioc2rpz - Covid-19 malicious domains powered by Covid-19 Cyber Threat Coalition (https://www.cyberthreatcoalition.org) blocklist.
  • rescure-domains.ioc2rpz - Curated list of malicious domains powered by Fruxlabs Crack Team (https://rescure.me).
  • blocklist-malicious.ioc2rpz - Malicious domains powered by The Block List Project (https://github.com/blocklistproject/Lists).The feed is based on: fraud, malware, phishing, ransomware, scam lists.
  • malicious.ioc2rpz - A single feed with malicious domains which superseeds the following feeds: phishing, dns-bh, rescure-domains, blocklist-malicious, covid19.

Obsoleted feeds: whitelist.ioc2rpz, whitelist-raw.ioc2rpz, whitelist-ip.ioc2rpz, whitelist-raw-ip.ioc2rpz.

Right now on the ioc2rpz community you can get 13 security and policy DNS firewall feeds with 10,5M rules free of charge.

What's on your DNS?

2020-09-07 RpiDNS on Ubuntu 20.04 64-bit for the Raspberry Pi


RpiDNS is now supported on Ubuntu 20.04 64-bit for the Raspberry Pi.

Raspberry Pi 4 on 64-bit OS is faster and ISC Bind can handle more than 2 millions RPZ-rules. To get the maximum benefits you will need Raspberry Pi 4 with 4Gb or 8Gb RAM (up to 7-10 millions rules).

This update is important to support new RPZ feeds which will be coming soon. Stay tuned!



2020-08-24 ioc2rpz @ BlackHat USA 2020 Arsenal demo video

If you missed ioc2rpz demo @ BlackHat USA Arsenal this year, you can watch this prerecorded video.

2020-07-27 ioc2rpz @ BlackHat USA 2020 Arsenal

Next week I’ll be presenting my open source projects ioc2rpz and RpiDNS @ BlackHat Arsenal. The session is scheduled on August 5 @ 12pm PDT. https://www.blackhat.com/us-20/arsenal/schedule/#iocrpz-where-threat-intelligence-meets-dns-20685

This year it will be a virtual event and you can attend the arsenal demos and the business hall for free with a business pass: https://www.blackhat.com/us-20/registration.html

Join the session and ask any questions related to the projects and DNS Security in general.

2020-04-27 RpiDNS - new features

RpiDNS got new features:

  • recommended RPZ feeds
    • when you create a new RpiDNS recommended RPZ feeds are checked by default;
  • secondary RpiDNS
    • you are able to create a primary RpiDNS and a secondary RpiDNS so the local DNS zone and local RPZs are managed on the primary server and distributed to the secondary.

RpiDNS secondary

If you already using RpiDNS in you network and want to use a secondary RpiDNS you may:

  • update bind's configuration manually to allow updates to the local zone and local RPZs. After that install a secondary RpiDNS;
  • reinstall primary RpiDNS:
    • download DB file;
    • reinstall RpiDNS;
    • replace DB with the old one;
    • toggle all locally created whitelisted and blacklisted indicators;
    • install a secondary RpiDNS.
  • if you don't need any data from DB - just reinstall the primary RpiDNS and install a secondary.

Please leave your comments in the telegram channel.

2020-03-31 RpiDNS - DNS Security for your home/office in 10 minutes or so

I'm happy to announce that I've just released RpiDNS for beta testing.

RpiDNS is not a new DNS server but a package which includes preconfigured ISC Bind with community RPZ feeds, OpenResty for a walled garden page (SSL certificates are generated on the fly) and a management interface, RSyslog to accept and forward logs to a syslog collector (can be another RpiDNS). Right now the installation script supports only the recent Raspbian distribution with SQLite on backend. In the roadmap to support Ubuntu and PostreSQL so it will be easy to deploy it in an office.

The installation takes about 10 minutes on Pi Zero.

2019-12-24 What's on your DNS?

The recent update ioc2rpz includes a new API call to check if a domain/hostname or IP-address are blocked by RPZ feeds.

The ioc2rpz community got a new tool "IoC Lookup" which leverage the API call and checks the community RPZ feeds as well as provides an easy way to drill down to DuckDuckGo, Google, VirusTotal, RiskIQ Community and DomainTools.

ioc2rpz is a custom DNS server which converts threat feeds into RPZ/DNS Firewall feeds and maintains them. ioc2rpz community is powered by ioc2rpz.

Merry and Secure Christmas!

2019-12-14 New DNS Firewall feed! notracking-dead.ioc2rpz.net

Recently the notracking feed (https://github.com/notracking/hosts-blocklists/) was updated by the feed provider. They started monitoring all hostname and domains. In case the A, AAAA, CNAME and NS records return NXDOMAIN they will be marked as dead and removed from hostnames. Domains are tested on their whois data, all unregistered domains will be filtered out of domains. This feed contains the dead domains and hosts.

Even if a domain or host is not registered it still may be used and reused/hijacked for other malicious activity. Using this feed you can monitor and block that.

2019-10-31 New DNS Firewall feed! dga-360.ioc2rpz.net

Today we have exciting news. A new DNS Firewall feed was added to the ioc2rpz community. Right now it is running in the test mode so there could be some changes.

dga-360.ioc2rpz - contains DGA domains generated by these malware families: Bamital, Banjori, Blackhole, Ccleaner, Chinad, Conficker, Cryptolocker, Dircrypt, Dyre, Emotet, Enviserv, Feodo, Fobber Gameover, Gspy, Locky, Madmax, Matsnu, Mirai, Murofet, Mydoom, Mecurs, Nymaim, Omexo, Padcrypt, Proslikefan, Pykspa, Qadars, Ramnit, Ranbyus, Rovnix, Shifu, Shiotob, Simda, Suppobox, Symmi, Tempedreve, Tinba, Tinynuke, Tofsee, Vawtrak, Vidro, Virut, Xshellghost.
The feed is powered by Netlab 360 (http://data.netlab.360.com/dga/) data.

DGA domains are used as rendezvous points for Command and Control. Malware can generate thousands domains using a defined algorithm. Even if C&C botnet was already taken down it is important to monitor the domains because they can be reused by other malware as well as your network still can be infected.

The feed currently contains about 1.2 million domains so please check if your DNS server is able to handle it.

In total on ioc2rpz community you can get 7 security feeds and 4 whitelists.

News | ioc2rpz technology | Terms & conditions | Sponsorship | Contact us

Sign up

I accept the terms and conditions. Creating...Create

Sign in

Signing in...Sign in Forgot password?

Email confirmation


Restore password


Change password