Home / News / How to

2021-01-24 urlhaus.ioc2rpz - new DNS Firewall community feed!

URLhaus is a project operated by abuse.ch (https://urlhaus.abuse.ch). The purpose of the project is to collect, track and share malware URLs, helping network administrators and security analysts to protect their network and customers from cyber threats. urlhaus.ioc2rpz feed contains only malicious domains.

malicious.iocr2pz feed was also updated to include URLHaus data.

2021-01-13 dns-bh.ioc2rpz feed is deprecated

RiskAnalytics decided to shut off their free threat intelligence feed which was used as a source for dns-bh.ioc2rpz. Unfortunately I was not able to negotiate a free access to the source for our community.

dns-bh.ioc2rpz feed is officially deprecated and will be removed from ioc2rpz community portal on 2021-03-01. Please reconfigure your DNS servers. 

2020-12-08 Custom country RPZ feeds

I'm glad to announce a new ioc2rpz community website feature - custom country RPZ feeds. With the country based RPZ feeds you may extend your security polices to monitor or even block connections on DNS to resources located in specified countries. For example you may monitor/block connections to countries in US sanction list e.g. North Korea.

The feed has 3 flavours: TLDs, IPv4 and IPv6 networks. IPv4/IPv6 country information is powered by GeoLite2 data created by MaxMind. The country database is update weekly.

Country RPZ feeds are can be used to reduce your attack surface and/or to implement policies to restrict access due to some regulations or requirements. You need to be extra precautious deploying such feeds in production.

Custom country RPZ feeds

2020-10-26 TLD based custom feeds - new feature

Do you know how many Top Level Domains (TLD) are delegated right now? A lot - 1508! I bet that you intentionally (typing it in a browser) don't even use 5% (75) of the TLDs + some these TLDs are abused a lot (like .tk, .top).
So may be just block 95% TLDs you never use and significantly reduce the attack surface?
For me it seems an easy and viable solution for home office and in the office/DC you may just block the abused TLDs.

How? Obviously if you own DNS, you can do it on DNS and with this post I'm glad to announce a new feature on the ioc2rpz community website (https://ioc2rpz.net) - custom DNS Firewall feeds (based on TLDs).

2020-09-13 What's on your DNS?

ioc2rpz feeds


With this upgrade multiple changes were introduces to the community portal: new RPZ feeds were introduced, RpiDNS is now supported on generic Ubuntu 20.04 x64 server, community whitelist feeds were obsoleted.

New feeds:

  • adultfree.ioc2rpz - Adult free content powered by The Block List Project (https://github.com/blocklistproject/Lists).The feed is based on: abuse, drugs, gambling, porn lists.
  • covid19.ioc2rpz - Covid-19 malicious domains powered by Covid-19 Cyber Threat Coalition (https://www.cyberthreatcoalition.org) blocklist.
  • rescure-domains.ioc2rpz - Curated list of malicious domains powered by Fruxlabs Crack Team (https://rescure.me).
  • blocklist-malicious.ioc2rpz - Malicious domains powered by The Block List Project (https://github.com/blocklistproject/Lists).The feed is based on: fraud, malware, phishing, ransomware, scam lists.
  • malicious.ioc2rpz - A single feed with malicious domains which superseeds the following feeds: phishing, dns-bh, rescure-domains, blocklist-malicious, covid19.

Obsoleted feeds: whitelist.ioc2rpz, whitelist-raw.ioc2rpz, whitelist-ip.ioc2rpz, whitelist-raw-ip.ioc2rpz.

Right now on the ioc2rpz community you can get 13 security and policy DNS firewall feeds with 10,5M rules free of charge.

What's on your DNS?

2020-09-07 RpiDNS on Ubuntu 20.04 64-bit for the Raspberry Pi


RpiDNS is now supported on Ubuntu 20.04 64-bit for the Raspberry Pi.

Raspberry Pi 4 on 64-bit OS is faster and ISC Bind can handle more than 2 millions RPZ-rules. To get the maximum benefits you will need Raspberry Pi 4 with 4Gb or 8Gb RAM (up to 7-10 millions rules).

This update is important to support new RPZ feeds which will be coming soon. Stay tuned!



2020-08-24 ioc2rpz @ BlackHat USA 2020 Arsenal demo video

If you missed ioc2rpz demo @ BlackHat USA Arsenal this year, you can watch this prerecorded video.

2020-07-27 ioc2rpz @ BlackHat USA 2020 Arsenal

Next week I’ll be presenting my open source projects ioc2rpz and RpiDNS @ BlackHat Arsenal. The session is scheduled on August 5 @ 12pm PDT. https://www.blackhat.com/us-20/arsenal/schedule/#iocrpz-where-threat-intelligence-meets-dns-20685

This year it will be a virtual event and you can attend the arsenal demos and the business hall for free with a business pass: https://www.blackhat.com/us-20/registration.html

Join the session and ask any questions related to the projects and DNS Security in general.

2020-04-27 RpiDNS - new features

RpiDNS got new features:

  • recommended RPZ feeds
    • when you create a new RpiDNS recommended RPZ feeds are checked by default;
  • secondary RpiDNS
    • you are able to create a primary RpiDNS and a secondary RpiDNS so the local DNS zone and local RPZs are managed on the primary server and distributed to the secondary.

RpiDNS secondary

If you already using RpiDNS in you network and want to use a secondary RpiDNS you may:

  • update bind's configuration manually to allow updates to the local zone and local RPZs. After that install a secondary RpiDNS;
  • reinstall primary RpiDNS:
    • download DB file;
    • reinstall RpiDNS;
    • replace DB with the old one;
    • toggle all locally created whitelisted and blacklisted indicators;
    • install a secondary RpiDNS.
  • if you don't need any data from DB - just reinstall the primary RpiDNS and install a secondary.

Please leave your comments in the telegram channel.

2020-03-31 RpiDNS - DNS Security for your home/office in 10 minutes or so

I'm happy to announce that I've just released RpiDNS for beta testing.

RpiDNS is not a new DNS server but a package which includes preconfigured ISC Bind with community RPZ feeds, OpenResty for a walled garden page (SSL certificates are generated on the fly) and a management interface, RSyslog to accept and forward logs to a syslog collector (can be another RpiDNS). Right now the installation script supports only the recent Raspbian distribution with SQLite on backend. In the roadmap to support Ubuntu and PostreSQL so it will be easy to deploy it in an office.

The installation takes about 10 minutes on Pi Zero.

News | ioc2rpz technology | Terms & conditions | Contribute | Contact us

Sign up

I accept the terms and conditions. Creating...Create

Sign in

Signing in...Sign in Forgot password?

Email confirmation


Restore password


Change password