Skip to content


Folders and files

Last commit message
Last commit date

Latest commit



9 Commits

Repository files navigation

malwaredomains RPZ

A script to build a Response Policy Zone from data.

Background and rationale

The lovely people at RiskAnalytics provide lists of domains known to serve malware at It makes these available in several formats including DNS zone files. They don't even charge for the service which is, frankly, awesome!

Many people configure their DNS servers so that they spoof the zone for each domain such that traffic is redirected to (i.e. your own machine). This effectively stops hosts on that network from connecting to those zones and downloading unpleasant stuff. However, if you're running a local webserver, say for development purposes, things can get confusing very quickly!

An alternative is using a DNS Response Policy Zone. This requires BIND version 9.8 or greater (or another DNS server that supports RPZ). RPZs are much more flexible than the approach above because it gives us finer control over what we want the DNS server to tell the client. I have taken the approach that returning NXDOMAIN is the cleanest way of blocking traffic to these domains because a web browser will immediately give up on receiving that response. There's no need to worry that a local webserver might interfere with domain blocking.

What the script does

This script builds an RPZ by including a local set of records (which might be blank), then one line per malware domain. It then reloads BIND to bring the new RPZ into play.

It's a naive little hack that might need some tweaking, in particular:

  • MY_RPZ_RECORDS should contain your local RPZ stuff. I have records in here to stop my television phoning home and to curtail Windows 10's telemetry.
  • MY_RPZ_ZONE is the output zonefile. This will need both zone and response-policy stanzas in your BIND configuration.
  • MY_RPZ_ZONE_NAME is the name of your RPZ zone.
  • MALWARE_URL is where to get the list of bad domains from. You could be nice and use a local mirror.
  • MALWARE_MIN_LINES is the minimum number of lines that the script will accept in the bad domains list before it will go any further. This is to stop empty RPZs being generated if the list is empty or very short.

What the script doesn't do

  • Many things.

Are patches and issues welcome?

Of course! I don't turn down free help!

Ian Chard

25th January 2018


A script to build a Response Policy Zone from data







No releases published


No packages published