Two years ago @ BlackHat 2019 and Defcon 27 I introduced the ioc2rpz community. The community is powered by ioc2rpz (http://ioc2rpz.com) and provides DNS Firewall feeds free of charge. The feeds are based on OSINT and protect against malware, block ads & trackers and filtrate adult sites. 

In 2013, when I joined Infoblox, I learned about DNS Firewall and I was able to evaluate only Infoblox's feeds. I tried to find any other free feeds but I was out of luck. There were only a few vendors who provided DNS Firewall feeds only for a fee. 

Late in 2017 I started working on ioc2rpz technology and to promote it as well as educate the community on DNS Firewall in 2019 I created the ioc2rpz community. Back then the community offered 3 feeds to block malware, ads & trackers with about 300k rules. During the next 2 years I added new feeds, custom feeds and RpiDNS - a provisioning script and management user interface intended to run on Raspberry PI.

Early this year the project and the community portal got a first sponsor which helps me to cover some costs to run the service.

Right now ioc2rpz:

- maintains 13 feeds with about 11 million rules, which you still can use on a beefy Raspberry PI 4/8Gb at your home (can your NGFW do the same?). Top 5 RPZ community feeds includes: dga-360.ioc2rpz, doh.ioc2rpz, phishtank.ioc2rpz, malicious.ioc2rpz, notracking.ioc2rpz;

- provides the service to more than 50 members from 5 continents, 25 countries and 70 locations.

This proves that ioc2rpz can serve in an organization of any size. If you use TIP, subscribed for TI or generate your own TI, ioc2rpz can help you to transform your DNS server (if it supports RPZ) to a DNS Security layer.

I'm looking forward to introduce new features soon, to serve more community members and make this world a bit safer and secure.

You are welcome to join the community (https://ioc2rpz.net).

URLhaus is a project operated by abuse.ch (https://urlhaus.abuse.ch). The purpose of the project is to collect, track and share malware URLs, helping network administrators and security analysts to protect their network and customers from cyber threats. urlhaus.ioc2rpz feed contains only malicious domains.

malicious.iocr2pz feed was also updated to include URLHaus data.

RiskAnalytics decided to shut off their free threat intelligence feed which was used as a source for dns-bh.ioc2rpz. Unfortunately I was not able to negotiate a free access to the source for our community.

dns-bh.ioc2rpz feed is officially deprecated and will be removed from ioc2rpz community portal on 2021-03-01. Please reconfigure your DNS servers. 

I'm glad to announce a new ioc2rpz community website feature - custom country RPZ feeds. With the country based RPZ feeds you may extend your security polices to monitor or even block connections on DNS to resources located in specified countries. For example you may monitor/block connections to countries in US sanction list e.g. North Korea.

The feed has 3 flavours: TLDs, IPv4 and IPv6 networks. IPv4/IPv6 country information is powered by GeoLite2 data created by MaxMind. The country database is update weekly.

Country RPZ feeds are can be used to reduce your attack surface and/or to implement policies to restrict access due to some regulations or requirements. You need to be extra precautious deploying such feeds in production.

Do you know how many Top Level Domains (TLD) are delegated right now? A lot - 1508! I bet that you intentionally (typing it in a browser) don't even use 5% (75) of the TLDs + some these TLDs are abused a lot (like .tk, .top).
So may be just block 95% TLDs you never use and significantly reduce the attack surface?
For me it seems an easy and viable solution for home office and in the office/DC you may just block the abused TLDs.

How? Obviously if you own DNS, you can do it on DNS and with this post I'm glad to announce a new feature on the ioc2rpz community website (https://ioc2rpz.net) - custom DNS Firewall feeds (based on TLDs).

With this upgrade multiple changes were introduces to the community portal: new RPZ feeds were introduced, RpiDNS is now supported on generic Ubuntu 20.04 x64 server, community whitelist feeds were obsoleted.

New feeds:

• adultfree.ioc2rpz - Adult free content powered by The Block List Project (https://github.com/blocklistproject/Lists).The feed is based on: abuse, drugs, gambling, porn lists.
• covid19.ioc2rpz - Covid-19 malicious domains powered by Covid-19 Cyber Threat Coalition (https://www.cyberthreatcoalition.org) blocklist.
• rescure-domains.ioc2rpz - Curated list of malicious domains powered by Fruxlabs Crack Team (https://rescure.me).
• blocklist-malicious.ioc2rpz - Malicious domains powered by The Block List Project (https://github.com/blocklistproject/Lists).The feed is based on: fraud, malware, phishing, ransomware, scam lists.
• malicious.ioc2rpz - A single feed with malicious domains which superseeds the following feeds: phishing, dns-bh, rescure-domains, blocklist-malicious, covid19.

Obsoleted feeds: whitelist.ioc2rpz, whitelist-raw.ioc2rpz, whitelist-ip.ioc2rpz, whitelist-raw-ip.ioc2rpz.

Right now on the ioc2rpz community you can get 13 security and policy DNS firewall feeds with 10,5M rules free of charge.

What's on your DNS?

If you missed ioc2rpz demo @ BlackHat USA Arsenal this year, you can watch this prerecorded video.

Next week I’ll be presenting my open source projects ioc2rpz and RpiDNS @ BlackHat Arsenal. The session is scheduled on August 5 @ 12pm PDT. https://www.blackhat.com/us-20/arsenal/schedule/#iocrpz-where-threat-intelligence-meets-dns-20685

This year it will be a virtual event and you can attend the arsenal demos and the business hall for free with a business pass: https://www.blackhat.com/us-20/registration.html

Join the session and ask any questions related to the projects and DNS Security in general.

RpiDNS got new features:

• recommended RPZ feeds
  • when you create a new RpiDNS recommended RPZ feeds are checked by default;
• secondary RpiDNS
  • you are able to create a primary RpiDNS and a secondary RpiDNS so the local DNS zone and local RPZs are managed on the primary server and distributed to the secondary.

If you already using RpiDNS in you network and want to use a secondary RpiDNS you may:

• update bind's configuration manually to allow updates to the local zone and local RPZs. After that install a secondary RpiDNS;
• reinstall primary RpiDNS:
  • download DB file;
  • reinstall RpiDNS;
  • replace DB with the old one;
  • toggle all locally created whitelisted and blacklisted indicators;
  • install a secondary RpiDNS.
• if you don't need any data from DB - just reinstall the primary RpiDNS and install a secondary.

Please leave your comments in the telegram channel.