DNS Firewall

DNS Firewall

Millions of users, M2M updates & IoT devices rely on the Domain Name System (DNS) to connect automatically to websites and domains. Use Deteque’s DNS Firewall Threat Feeds so your employees and customers do not run the risk of accessing malicious destinations, such as ransomware, phishing, and cryptojacked websites, from your network.

Deteque threat feeds provide protection against malicious domains used to install botnets, ransomware and other malware.

Start my free trial

Deteque researchers work constantly to update cyber threat intelligence data on your behalf

Integrates into employee security training and awareness programs as part of your DNS policy

Part of your multi-layered security, DNS Firewall is protection against bad reputation domains

What are Deteque's threat feeds?

Deteque researchers and automated systems gather information from across the internet to identify actively malicious domains, low reputation domains before they become active and compromised IP addresses.

The data sets of poor reputation domains and IP addresses is the cyber threat intelligence you need to provide your network with protection against botnets, ransomware and domain based security threats.

Online fraud, disruption and exploitation take many forms so Deteque feeds are always evolving to take into account new types of threats and new ways cyber criminals abuse the DNS process.

Download the datasheet


Deteque’s global research team works on your behalf to bring you the most
comprehensive set of malicious domains on the internet. Don’t just rely on user
training and vigilance for protection: DNS Firewall provides automated protection from
visiting malicious websites and domains (particularly useful as a defence against

dbl.zone (~ 3,900,000 entries)

Domains used as malware dropper sites, malware hosting sites, malicious
redirectors, domains used by botnets, botnet command and control servers and
other malicious activity. It includes domains used as spam sources and senders,
known spammers and spam gangs, phishing, virus and malware-related sites.

Includes ‘Slow Release’ segment which holds domains for longer in case bad
actors try to recycle domains.

bad-nameservers.zone (~ 5,000 entries)

Lists name servers which are known to resolve malicious domains.


Don’t let cyber criminals abuse or hijack your network – these Malware zones
block domains that are used specifically to abuse your systems.

botnetcc.zone (~ 1,200,000 entries)

This zone contains IPs of known botnet C&C servers so it is highly likely that
any machine resolving domains pointing to an IP listed in this zone has been
compromised and is hosting malware.

Includes segment of domains generated by Domain Generation Algorithms,
created from sandboxed malware and lists domains that the malware might use
to contact C&C servers.

malware.zone (~ 67,000 entries)

A subset of DBL.zone containing just those domains associated with malware.
(Spam sources, phish sources and redirectors are excluded from this dataset.)

malware-aggressive.zone (~ 4,000 entries)

An extension to malware.zone containing domains which are known to be
associated with malware but scoring mechanisms have not included them in
the main listing. Due to the ‘aggressive’ nature of this list, it has a slightly greater
chance of false positives.

malware-adware.zone (~ 1,000 entries)

Domains revealed from running adware in sandboxes. Helps you to identify
which of your machines need to be cleaned up.


Even the best run networks can be abused occasionally – Deteque keeps track of
those that should be temporarily avoided.

abused-legit.zone (~ 35,000 entries)

Contains legitimate servers and/or services which have been (temporarily)
compromised. False positives are possible as the servers are mostly legitimate
but being used to distribute malware. Risk averse organizations may consider the
tradeoff to be acceptable.

bogon.zone (~ 6,000 entries)

IP ranges from an area of the IP address space reserved, but not yet allocated
or delegated, by the Internet Assigned Numbers Authority (IANA) or a delegated
Regional Internet Registry (RIR). Frequently used to target specific organizations.


Cyber criminals change their methods constantly – this zone contains the
datasets of varying and evolving threats.

cryptominer.zone (~ 10,000 to 15,000 entries)

Blocks crypto mining networks using browser-based code to hijack processing power.

sbl.zone (~ 550,000 entries)

Known spam sources (IP) Based on the Deteque Block List

tor-exit-nodes.zone (~ 1,000 entries)

TOR exit nodes.


ZRD.zone (~ variable)

Blocks connections to newly-registered and previously dormant domains for 24 hours. Domains are removed after 24 hours or transferred to another zone feed based on reputation assessment.


There are some domains that you should not connect to under any
circumstances – Deteque has compiled a list of the ‘worst of the worst’.

drop.zone (~ 1,000 entries)

An advisory ‘drop all traffic’ list, consisting of netblocks that are ‘hijacked’ or
leased by professional spam or cyber-crime operations (used for dissemination
of malware, trojan downloaders, botnet controllers). Designed for use by firewalls
and routing equipment to filter out the malicious traffic from these net blocks.

How do Deteque threat feeds work?

Without a DNS Firewall, a client queries a local DNS resolver. If the IP address for that domain is not included in its cache, it will query in turn an external root server, the Top Level Domain server and the domain server itself to get access to the site. The process will return both legitimate and malicious sites.

When a client initiates a query on a Deteque enabled nameserver, each step of the recursive DNS process is analyzed to identify bad domains, addresses and nameservers. If Deteque identifies a security risk then the DNS server returns a ‘does not exist’ type answer to prevent access.

Download the factsheet

Why do I need Deteque’s DNS Firewall?

Concerned that your network might be compromised by connections to malicious or low reputation domains and websites? Need to choke botnets that might be on your network? Then Deteque’s DNS Firewall is for you. Cyber criminals are actively trying to trick users into inadvertent connections so use DNS Firewall to ensure your DNS security.

Who can use Deteque’s DNS Firewall Threat Feeds?

Anyone who has a self managed recursive resolver that is using BIND or PowerDNS and/or uses an appliance that supports consuming third party sources for DNS Firewall can use our threat feeds to protect their employee and customer network from malicious destinations.

Find out how our customers are benefitting

Rackspace saw a dramatic and immediate drop in botnet beaconing. Find out how.

Dutch hosting company XS4ALL blocks thousands of malicious connections every day. Find out how.

Keep ahead of the threat - for free

DNS Firewall Threat Feeds are such a powerful tool we want you to experience it for free. The DROP (Do not Route Or Peer) feed protects you from the ‘worst of the worst’ – IP ranges known to have been hijacked by professional spammers and cyber criminals, or have been directly allocated to criminal organizations by a regional internet registry. It also includes a list of IP ranges that cyber criminals have leased from ISPs.

Cryptominer protects your systems from websites using ‘cryptojacking’ scripts that will use the end-user’s resources to mine crypto-currency. With this feed your users will be able to access the sites  they want but adverts and background scripts involved in cryptojacking will be blocked.

We have made this feed available as a no-cost public service to direct users of the data. See the positive impact threat feeds from Deteque can have protecting you, your networks and your users.

Sign up for free DNS Firewall Data

To receive DNS Firewall you will need to set up your local recursive resolver. For use with the popular BIND software, download the Set Up Guide.

Engage with us on

It's time to protect your organization

Start my free trial