Skip to content
master
Switch branches/tags
Code

Latest commit

 

Git stats

Files

Permalink
Failed to load latest commit information.
Type
Name
Latest commit message
Commit time
 
 
 
 

malwaredomains RPZ

A script to build a Response Policy Zone from malwaredomains.com data.

Background and rationale

The lovely people at RiskAnalytics provide lists of domains known to serve malware at http://www.malwaredomains.com/. It makes these available in several formats including DNS zone files. They don't even charge for the service which is, frankly, awesome!

Many people configure their DNS servers so that they spoof the zone for each domain such that traffic is redirected to 127.0.0.1 (i.e. your own machine). This effectively stops hosts on that network from connecting to those zones and downloading unpleasant stuff. However, if you're running a local webserver, say for development purposes, things can get confusing very quickly!

An alternative is using a DNS Response Policy Zone. This requires BIND version 9.8 or greater (or another DNS server that supports RPZ). RPZs are much more flexible than the approach above because it gives us finer control over what we want the DNS server to tell the client. I have taken the approach that returning NXDOMAIN is the cleanest way of blocking traffic to these domains because a web browser will immediately give up on receiving that response. There's no need to worry that a local webserver might interfere with domain blocking.

What the script does

This script builds an RPZ by including a local set of records (which might be blank), then one line per malware domain. It then reloads BIND to bring the new RPZ into play.

It's a naive little hack that might need some tweaking, in particular:

  • MY_RPZ_RECORDS should contain your local RPZ stuff. I have records in here to stop my television phoning home and to curtail Windows 10's telemetry.
  • MY_RPZ_ZONE is the output zonefile. This will need both zone and response-policy stanzas in your BIND configuration.
  • MY_RPZ_ZONE_NAME is the name of your RPZ zone.
  • MALWARE_URL is where to get the list of bad domains from. You could be nice and use a local mirror.
  • MALWARE_MIN_LINES is the minimum number of lines that the script will accept in the bad domains list before it will go any further. This is to stop empty RPZs being generated if the list is empty or very short.

What the script doesn't do

  • Many things.

Are patches and issues welcome?

Of course! I don't turn down free help!


Ian Chard

25th January 2018

About

A script to build a Response Policy Zone from malwaredomains.com data

Resources

License

Releases

No releases published

Packages

No packages published

Languages