malwaredomains RPZ

A script to build a Response Policy Zone from malwaredomains.com data.

Background and rationale

The lovely people at RiskAnalytics provide lists of domains known to serve malware at http://www.malwaredomains.com/. They make these available in several formats, including DNS zone files. They don't even charge for the service which is, frankly, awesome!

Many people configure their DNS servers to spoof the zone for each listed domain so that traffic is redirected to your own machine. This effectively stops hosts on that network from connecting to those domains and downloading unpleasant stuff. However, if you're running a local webserver, say for development purposes, things can get confusing very quickly!

An alternative is using a DNS Response Policy Zone. This requires BIND version 9.8 or greater (or another DNS server that supports RPZ). RPZs are much more flexible than the approach above because they give us finer control over what we want the DNS server to tell the client. I have taken the approach that returning NXDOMAIN is the cleanest way of blocking traffic to these domains, because a web browser will immediately give up on receiving that response. There's no need to worry that a local webserver might interfere with domain blocking.

What the script does

This script builds an RPZ by including a local set of records (which might be blank), then one line per malware domain. It then reloads BIND to bring the new RPZ into play.

It's a naive little hack that might need some tweaking, in particular:

  • MY_RPZ_RECORDS should contain your local RPZ stuff. I have records in here to stop my television phoning home and to curtail Windows 10's telemetry.
  • MY_RPZ_ZONE is the output zonefile. This file will need both a zone stanza and a response-policy stanza in your BIND configuration.
  • MY_RPZ_ZONE_NAME is the name of your RPZ zone.
  • MALWARE_URL is where to get the list of bad domains from. You could be nice and use a local mirror.
  • MALWARE_MIN_LINES is the minimum number of lines that the script will accept in the bad domains list before it will go any further. This is to stop empty RPZs being generated if the list is empty or very short.
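The build described above (local records first, then one NXDOMAIN rule per bad domain, with the MALWARE_MIN_LINES sanity check before anything is written, and a BIND reload at the end) as an added, self-contained shell example. This is not the project's own script: it assumes the block list is one domain per line, uses a constructed zone name (rpz.example.local), constructed SOA values and constructed sample records, and writes everything under a scratch directory so it runs offline. `rndc reload` is only invoked when RPZ_RELOAD=1; in real use the list would be fetched from MALWARE_URL rather than written by write_sample_inputs.

```shell
#!/bin/sh
# Added example, not the project's script. Builds a BIND Response Policy Zone
# from a one-domain-per-line block list, refusing to write the zone when the
# cleaned list is shorter than MALWARE_MIN_LINES. Variable names follow the
# README; list format, SOA values, paths and sample data are assumptions.
set -eu

WORK="${RPZ_WORK:-$(mktemp -d)}"                              # scratch directory
MY_RPZ_ZONE_NAME="${MY_RPZ_ZONE_NAME:-rpz.example.local}"     # assumed zone name
MY_RPZ_RECORDS="${MY_RPZ_RECORDS:-$WORK/local.records}"       # your own RPZ records
MY_RPZ_ZONE="${MY_RPZ_ZONE:-$WORK/rpz.zone}"                  # output zone file
MALWARE_LIST="${MALWARE_LIST:-$WORK/malware-domains.txt}"     # real use: curl -s "$MALWARE_URL" > "$MALWARE_LIST"
MALWARE_MIN_LINES="${MALWARE_MIN_LINES:-3}"

# Constructed sample inputs so the example runs offline. Existing files are
# left alone, so pointing the variables at real files is safe.
write_sample_inputs() {
    [ -e "$MY_RPZ_RECORDS" ] || cat > "$MY_RPZ_RECORDS" <<'EOF'
; local policy (constructed names): stop the TV phoning home
tv-telemetry.example CNAME .
*.tv-telemetry.example CNAME .
EOF
    [ -e "$MALWARE_LIST" ] || cat > "$MALWARE_LIST" <<'EOF'
# constructed block list, one domain per line, deliberately untidy
Bad-Host.example
malware.example   # trailing comment
malware.example
not a domain!
c2.example
EOF
}

# Normalise the raw list: drop comments, whitespace and blank lines, lower-case,
# keep only plausible hostnames (so junk cannot become a malformed zone record),
# and de-duplicate.
clean_domains() {
    sed -e 's/#.*//' -e 's/[[:space:]]//g' "$1" \
    | tr 'A-Z' 'a-z' \
    | grep -E '^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+$' \
    | sort -u
}

# Emit the zone: header, local records, then "CNAME ." (the RPZ spelling of
# NXDOMAIN) for each bad domain and its subdomains. Returns 1 and leaves the
# output untouched if the cleaned list has fewer than min_lines entries.
build_rpz() {
    records="$1"; list="$2"; zone_name="$3"; out="$4"; min_lines="$5"
    tmp="$(mktemp)"
    clean_domains "$list" > "$tmp"
    count="$(awk 'END { print NR }' "$tmp")"
    if [ "$count" -lt "$min_lines" ]; then
        echo "refusing to build $zone_name: only $count domains (minimum $min_lines)" >&2
        rm -f "$tmp"
        return 1
    fi
    serial="$(date +%s)"   # monotonic enough for reloads; assumed SOA values below
    {
        printf '$TTL 300\n'
        printf '@ IN SOA localhost. hostmaster.%s. ( %s 3600 600 86400 300 )\n' "$zone_name" "$serial"
        printf '  IN NS localhost.\n'
        printf '; --- local records from %s ---\n' "$records"
        if [ -r "$records" ]; then cat "$records"; fi
        printf '; --- %s malware domains ---\n' "$count"
        awk '{ print $1 " CNAME ."; print "*." $1 " CNAME ." }' "$tmp"
    } > "$out"
    rm -f "$tmp"
}

# The two stanzas the README says named.conf needs (assumed values; the
# response-policy line belongs inside your existing options block).
named_conf_fragment() {
    cat <<EOF
zone "$MY_RPZ_ZONE_NAME" { type master; file "$MY_RPZ_ZONE"; allow-query { localhost; }; };
options { response-policy { zone "$MY_RPZ_ZONE_NAME"; }; };
EOF
}

# Reload just the RPZ zone. Guarded so the example is safe on a host without BIND.
reload_bind() {
    if [ "${RPZ_RELOAD:-0}" = "1" ]; then
        rndc reload "$1"
    else
        echo "skipping 'rndc reload $1' (set RPZ_RELOAD=1 to enable)" >&2
    fi
}

write_sample_inputs
if build_rpz "$MY_RPZ_RECORDS" "$MALWARE_LIST" "$MY_RPZ_ZONE_NAME" "$MY_RPZ_ZONE" "$MALWARE_MIN_LINES"; then
    reload_bind "$MY_RPZ_ZONE_NAME"
    echo "wrote $MY_RPZ_ZONE" >&2
fi
```

Run it as-is to see the generated zone under the scratch directory; point MY_RPZ_RECORDS, MALWARE_LIST and MY_RPZ_ZONE at real files to use it for a live server. The wildcard line per domain is what makes subdomains of a listed host fail too, and the minimum-line check is what protects you from publishing an empty policy zone when the upstream download comes back short.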

What the script doesn't do

  • Many things.

Are patches and issues welcome?

Of course! I don't turn down free help!

Ian Chard

25th January 2018