DNS Firewall

Millions of users, M2M updates & IoT devices rely on the Domain Name System (DNS) to connect automatically to websites and domains. Use Deteque’s DNS Firewall Threat Feeds so your employees and customers do not run the risk of accessing malicious destinations, such as ransomware, phishing, and cryptojacked websites, from your network.

Deteque threat feeds provide protection against malicious domains used to install botnets, ransomware and other malware.

Our researchers work constantly to update threat intelligence data on your behalf

Integrates into employee security training and awareness programs

Part of your multi-layered security, DNS Firewall protects against bad reputation domains

Concerned that your network might be compromised by connections to malicious or low reputation domains and websites? Need to choke botnets that might be on your network? Then Deteque’s DNS Firewall is for you. Cyber criminals are actively trying to trick users into inadvertent connections so use DNS Firewall to ensure your DNS security.

Deteque researchers and automated systems gather information from across the internet to identify actively malicious domains, low reputation domains before they become active, and compromised IP addresses.

The data sets of poor reputation domains and IP addresses are the cyber threat intelligence you need to provide your network with protection against botnets, ransomware and domain based security threats.

Online fraud, disruption and exploitation take many forms so Deteque feeds are always evolving to take into account new types of threats and new ways cyber criminals abuse the DNS process.

  • Standard Feeds: Full strength feeds that contain identified bad reputation and maliciousness
  • Edited Feeds: Subsets of the Standard Feeds that contain the worst of the worst reputation domains
  • Hacked Feeds: Compromised hosts or IPs not included in standard feeds

Bad Reputation Hosts
BotnetCC Hosts
Botnet Hosts
BotnetCC IPs
Phishing Hosts
Malware Hosts
Adware Hosts
Bad Nameserver IPs
Bad Nameserver Hosts
Domain generated algorithm
Tor Exit Nodes

Externally curated feeds included with Deteque

Zero Reputation Domains

Premium Feed for specialized use cases


Free of charge and also included in commercial service

Without a DNS Firewall, a client queries a local DNS resolver. If the IP address for that domain is not included in its cache, it will query in turn an external root server, the Top Level Domain server and the domain server itself to get access to the site. The process will return both legitimate and malicious sites.

When a client initiates a query on a Deteque enabled nameserver, each step of the recursive DNS process is analyzed to identify bad domains, addresses and nameservers. If Deteque identifies a security risk then the DNS server returns a ‘does not exist’ type answer to prevent access.

Rackspace saw a dramatic and immediate drop in botnet beaconing. Find out how.

Dutch hosting company XS4ALL blocks thousands of malicious connections every day. Find out how.

  • Profile 1: Protecting a network primarily used by customers.
  • Profile 2: Protecting a network primarily used by employees.
  • Profile 3: Protecting a network dealing with sensitive and critical content.

DROP Hosts
Domain Generated Algorithm
Malware Hosts
Hacked Malware Hosts
BotnetCC IPs
Hacked BotnetCC IPs
BotnetCC Hosts
Hacked BotnetCC Hosts
Botnet Hosts
Phishing Hosts
Hacked Phishing Hosts
Adware Hosts
Hacked Bad Reputation Hosts
Bad Reputation Hosts
Bad Nameserver Hosts
Bad Nameserver IPs

What are DNS Firewall Threat Feeds?

DNS Firewall Threat Feeds are delivered in industry-standard Response Policy Zone (RPZ) format, which allows a DNS recursive resolver to choose specific actions to be performed for a number of collections of domain name data (zones). This includes dropping, blocking, and passing through traffic.

Why would I want to block DNS resolution?

There are networks, domains, and IP addresses on the internet whose sole purpose is to cause harm to or steal information from unsuspecting users who visit their servers and sites. For example, a phishing site (one that is listed in a threat feed), created for the sole purpose of stealing data, can be used in a spam campaign that is sent to users on your network asking them to verify their account. The email is not blocked by your spam filtering, so the message gets delivered into your user’s inbox. When the user clicks on the link to verify their account, their computer is unable to resolve the phishing website. This action will protect your user from surrendering their personal information and potentially prevent their workstation from becoming infected with botnet software. Blocking malicious content also offers you the potential to educate your users immediately.

What hardware and software do I need to support DNS Firewall Threat Feeds?

While it is possible that the current hardware that is running your DNS resolver may be able to handle processing of RPZ format threat feeds we recommend the following hardware configuration:

  • 8 core CPU
  • 8 gigabytes of RAM
  • Bare-metal dedicated server

For software, the most recent version of BIND must be installed. Note that many of the yum, apt-get, and dnf repositories will have an out-of-date version available. It is recommended that updates to BIND be downloaded directly from ISC: https://www.isc.org/downloads/

What does the DNS resolver return when a site gets blocked?

In most cases a DNS resolver will return an NXDOMAIN (invalid domain) response when something that is contained in a threat feed is queried. It is possible, however, to point to an internal IP resource so that the block redirects to an informational page that can provide a warning, some education, or insight into why something was blocked.
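
An added illustration, not part of Deteque's material, of how a resolver reads the actions described in the two answers above from Response Policy Zone records. It uses the standard RPZ CNAME encodings, handles only query-name triggers with simplified wildcard matching, and the zone contents and the 192.0.2.10 warning-page address are constructed.

```python
# Constructed RPZ zone contents (owner names relative to the policy zone).
# Not taken from any Deteque feed; the domains are reserved example names.
SAMPLE_ZONE = """\
phish.example.com        CNAME .
*.phish.example.com      CNAME .
nodata.example.net       CNAME *.
partner.example.org      CNAME rpz-passthru.
c2.example.net           CNAME rpz-drop.
*.malware.example.org    A     192.0.2.10
"""

# Standard RPZ encodings of policy actions as CNAME targets.
ACTIONS = {
    ".": "NXDOMAIN",              # "does not exist" answer
    "*.": "NODATA",               # name exists, no records of the asked type
    "rpz-passthru.": "PASSTHRU",  # exempt from policy, resolve normally
    "rpz-drop.": "DROP",          # send no answer at all
}


def load_zone(text):
    """Parse 'owner TYPE rdata' lines into {owner: (rtype, rdata)}."""
    zone = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop zone-file comments
        if not line:
            continue
        owner, rtype, rdata = line.split(None, 2)
        zone[owner.lower().rstrip(".")] = (rtype.upper(), rdata.strip())
    return zone


def rpz_action(zone, qname):
    """Return (action, data) applied to a query name, or NO-MATCH."""
    name = qname.lower().rstrip(".")
    labels = name.split(".")
    # Exact owner first, then wildcards from the closest parent outwards.
    # A wildcard covers subdomains only, never the parent name itself.
    candidates = [name] + ["*." + ".".join(labels[i:]) for i in range(1, len(labels))]
    for owner in candidates:
        if owner in zone:
            rtype, rdata = zone[owner]
            if rtype == "CNAME" and rdata in ACTIONS:
                return ACTIONS[rdata], None
            return "LOCAL-DATA", f"{rtype} {rdata}"  # e.g. internal warning page
    return "NO-MATCH", None  # not in the feed: normal recursion continues
```
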

Does the pricing change for DNS Firewall Threat Feeds?

Pricing is based on user numbers and will be adjusted accordingly. Approximately every two years the service price may be adjusted in line with inflation and market value.

What is DROP?

DROP (Don’t Route Or Peer) is an advisory “drop all traffic” list. The DROP list will not include any IP space allocated to a legitimate network and reassigned. DROP includes netblocks that are hijacked or leased by professional spam or cyber-crime operations (used for dissemination of malware, trojan downloaders, botnet controllers). These are direct allocations from ARIN, RIPE, APNIC, LACNIC, or other Regional Internet Registries and “portable allocations” (known as “PI”) from RIPE. The DROP list also includes net blocks controlled by professional spammers and cyber criminals that are not directly allocated.

Who should use the DROP list?

Anyone or any place that has the ability to block or filter IP address ranges on their network.

The DROP list is also open for all to download and use; there is no fee for usage. The only things we require are that:

  • In products, credit for its use is given to Deteque.
  • If possible in your configuration, the date and © text should remain with the file and data.
  • The DROP list should not be imported into your network filters and forgotten about. Please check regularly to ensure you have the latest version of the DROP list. This should be automated.
  • The DROP list data should not be downloaded from us more than once per hour, nor less frequently than once per day.

The DROP list is free for any use, how can it be any good?

The DROP list contains network ranges which can cause so much damage that Deteque provides it to all, free-of-charge. Deteque believes that due to the vital nature of the DROP list data, it will be available free-of-charge to any place, regardless of size or business type, to protect internet users. If you wish to redistribute the plain text feeds, name Deteque as source of the data and retain both the copyright statement and the date & time stamps at the top of the text file.

How often should my system fetch the DROP list?

Please DO NOT auto-fetch the DROP list more than once per hour. The DROP list changes quite slowly. There is no need to update cached data more than once per hour, in fact once per day is more than enough in most cases. Automated downloads must be at least one hour apart. Excessive downloads may result in your IP being firewalled.
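
One way to automate the refresh rules above, as an added example that is not Deteque's own code. The `;` comment header and `CIDR ; reference` line layout is an assumption about the text file, and the sample data and function names are constructed.

```python
import ipaddress
from datetime import datetime, timedelta

MIN_INTERVAL = timedelta(hours=1)  # never fetch more often than this
MAX_AGE = timedelta(days=1)        # never let the cached copy get older than this

# Constructed sample in the assumed layout; not real DROP data.
SAMPLE = """\
; Example DROP list (constructed sample)
; Last-Modified: Thu, 01 Jan 2026 00:00:00 GMT
; (c) copyright notice line kept with the data
192.0.2.0/24 ; REF0001
198.51.100.0/25 ; REF0002
2001:db8::/32 ; REF0003
"""


def should_fetch(last_fetch, now):
    """Return 'skip', 'allowed' or 'overdue' for an automated refresh at `now`."""
    if last_fetch is None:
        return "overdue"            # no cached copy yet
    age = now - last_fetch
    if age < MIN_INTERVAL:
        return "skip"               # inside the one-hour window: do not download
    return "overdue" if age >= MAX_AGE else "allowed"


def parse_drop(text):
    """Split the file into (header_lines, networks); header lines kept verbatim."""
    header, networks = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(";"):
            header.append(raw)      # date and copyright text stay with the data
            continue
        cidr = line.split(";", 1)[0].strip()
        # A malformed entry raises ValueError so a damaged download is rejected
        # instead of silently replacing a good filter set.
        networks.append(ipaddress.ip_network(cidr, strict=True))
    return header, networks


def is_listed(networks, address):
    """True if `address` falls inside any listed netblock."""
    ip = ipaddress.ip_address(address)
    return any(ip.version == net.version and ip in net for net in networks)
```
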
