DNS Firewall Threat Feeds are delivered in the industry-standard Response Policy Zone (RPZ) format, which allows a DNS recursive resolver to apply specific actions to collections of domain name data (zones). The available actions include dropping, blocking, and passing through traffic.
There are networks, domains, and IP addresses on the internet whose sole purpose is to cause harm to, or steal information from, unsuspecting users who visit their servers and sites. For example, a phishing site (one that is listed in a threat feed) created for the sole purpose of stealing data can be used in a spam campaign sent to users on your network asking them to verify their account. The email is not blocked by your spam filtering, so the message is delivered to your user’s inbox. When the user clicks on the link to verify their account, their computer is unable to resolve the phishing website. This protects your user from surrendering their personal information and can prevent their workstation from becoming infected with botnet software. Blocking malicious content also gives you the opportunity to educate your users immediately.
While it is possible that the hardware currently running your DNS resolver may be able to handle processing of RPZ-format threat feeds, we recommend the following hardware configuration:
For software, the most recent version of BIND must be installed. Note that many of the yum, apt-get, and dnf repositories will have an out-of-date version available. It is recommended that updates to BIND be downloaded directly from ISC: https://www.isc.org/downloads/
In most cases a DNS resolver will return an NXDOMAIN (invalid domain) response when a query matches something contained in a threat feed. It is possible, however, to point blocked names at an internal IP resource so that the block redirects to an informational page that can provide a warning, some education, or insight into why something was blocked.
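As an added example (not code from this page, from Deteque, or from BIND), the following Python shows how a resolver applying an RPZ zone decides what to do with a query name: the special CNAME targets in the zone encode NXDOMAIN, NODATA, PASSTHRU and DROP, while an ordinary A or AAAA record is "local data" that turns a block into a redirect to an internal warning page, as described above. The zone name rpz.example. and every record in the zone text are constructed for illustration; the lookup goes beyond the single case in the text by also handling wildcard triggers for subdomains.

```python
"""Added example, not BIND's code and not from the page: a minimal evaluator
for RPZ QNAME-trigger records. The zone name rpz.example. and all records
below are constructed for illustration."""

ZONE = "rpz.example."  # assumed policy zone name, as it would appear in named.conf

# Constructed RPZ zone file text (not a real feed).
RPZ_ZONE_TEXT = """\
$ORIGIN rpz.example.
$TTL 300
@               SOA   ns.rpz.example. hostmaster.rpz.example. 1 3600 600 86400 300
@               NS    ns.rpz.example.
phish.test      CNAME .              ; NXDOMAIN
*.phish.test    CNAME .              ; ...and every subdomain of it
tracker.test    CNAME *.             ; NODATA
cnc.test        CNAME rpz-drop.      ; DROP: no response at all
allowed.test    CNAME rpz-passthru.  ; exempt from this policy
*.allowed.test  CNAME rpz-passthru.
walled.test     A     10.0.0.53      ; redirect to an internal warning page
walled.test     AAAA  fd00::53
"""

# Special CNAME targets defined by the RPZ format and the action each encodes.
SPECIAL_CNAME = {".": "NXDOMAIN", "*.": "NODATA",
                 "rpz-passthru.": "PASSTHRU", "rpz-drop.": "DROP",
                 "rpz-tcp-only.": "TCP-ONLY"}


def parse_rpz_zone(text, zone=ZONE):
    """Return {trigger_name: [(rtype, rdata), ...]} from zone-file text.
    Triggers are stored relative to the zone, lower-cased, without a trailing dot."""
    origin = zone.lower()
    index = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()           # drop comments
        if not line or line.startswith("$"):
            continue                                   # $ORIGIN / $TTL directives
        tokens = line.split()
        owner, rest = tokens[0], tokens[1:]
        while rest and (rest[0].isdigit() or rest[0].upper() == "IN"):
            rest.pop(0)                                # optional TTL / class
        rtype, rdata = rest[0].upper(), " ".join(rest[1:])
        if owner == "@" or rtype in ("SOA", "NS"):
            continue                                   # zone apex housekeeping
        owner = owner.lower()
        if owner.endswith(origin):                     # absolute name: strip the zone
            owner = owner[:-len(origin)].rstrip(".")
        index.setdefault(owner, []).append((rtype, rdata))
    return index


def candidate_triggers(qname):
    """Trigger names to test, most specific first: the exact name, then
    wildcard ancestors (*.parent, *.grandparent, ...)."""
    labels = qname.rstrip(".").lower().split(".")
    yield ".".join(labels)
    for i in range(1, len(labels)):
        yield "*." + ".".join(labels[i:])


def evaluate(qname, qtype="A", index=None):
    """Return (action, rdata_list): the RPZ action a resolver applying this
    zone would take for the query, or ('NO-MATCH', []) if the name is unlisted."""
    if index is None:
        index = parse_rpz_zone(RPZ_ZONE_TEXT)
    for trigger in candidate_triggers(qname):
        rrs = index.get(trigger)
        if not rrs:
            continue
        for rtype, rdata in rrs:
            if rtype == "CNAME" and rdata in SPECIAL_CNAME:
                return SPECIAL_CNAME[rdata], []
        # Any other record set is "local data": answered in place of the real
        # answer (the redirect-to-warning-page case from the text).
        data = [rdata for rtype, rdata in rrs if rtype == qtype.upper()]
        return ("LOCAL-DATA", data) if data else ("NODATA", [])
    return "NO-MATCH", []


if __name__ == "__main__":
    for name in ("www.phish.test", "tracker.test", "cnc.test",
                 "mail.allowed.test", "walled.test", "example.org"):
        print(f"{name:20} -> {evaluate(name)}")
```

The lookup order matters: an exact trigger is tried before wildcard ancestors, and a PASSTHRU record for allowed.test exempts that name even if a broader rule would otherwise apply, which is how a local exemption list is layered on top of a subscribed feed.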
Pricing is based on user numbers and will be adjusted accordingly. Approximately every two years the service price may be adjusted in line with inflation and market value.
DROP (Don’t Route Or Peer) is an advisory “drop all traffic” list. The DROP list will not include any IP space allocated to a legitimate network and reassigned. DROP includes netblocks that are hijacked or leased by professional spam or cyber-crime operations (used for dissemination of malware, trojan downloaders, botnet controllers). These are direct allocations from ARIN, RIPE, APNIC, LACNIC, or other Regional Internet Registries and “portable allocations” (known as “PI”) from RIPE. The DROP list also includes net blocks controlled by professional spammers and cyber criminals that are not directly allocated.
Anyone or any place that has the ability to block or filter IP address ranges on their network.
The DROP list is also open for all to download and use; there is no fee for usage. The only things we require are that:
In products, credit for its use is given to Deteque.
If possible in your configuration, the date and © text should remain with the file and data.
The DROP list should not be imported into your network filters and forgotten about. Please check regularly to ensure you have the latest version of the DROP list. This should be automated.
The DROP list data should not be downloaded from us more than once per hour, nor less frequently than once per day.
The DROP list contains network ranges which can cause so much damage that Deteque provides it to all, free-of-charge. Deteque believes that due to the vital nature of the DROP list data, it will be available free-of-charge to any place, regardless of size or business type, to protect internet users. If you wish to redistribute the plain text feeds, name Deteque as source of the data and retain both the copyright statement and the date & time stamps at the top of the text file.
Please DO NOT auto-fetch the DROP list more than once per hour.
The DROP list changes quite slowly. There is no need to update cached data more than once per hour, in fact once per day is more than enough in most cases. Automated downloads must be at least one hour apart. Excessive downloads may result in your IP being firewalled.
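The following Python is an added example (not Deteque's or Spamhaus's code) of how a consumer of the plain-text DROP list might use it: parse the file while keeping the header comment lines (so the date and copyright text stay with the data, as the terms above ask), answer "is this address covered?" with a longest-prefix match, and apply the fetch rules of at least one hour and at most one day between downloads. The list text, its header lines and the reference column are constructed stand-ins; the "CIDR ; reference" line layout is an assumption of this example.

```python
"""Added example, not Deteque's or Spamhaus's code: parse a DROP list in a
plain-text layout, look up addresses against it, and enforce the page's
fetch-frequency rules. All sample data below is constructed."""
import ipaddress

# Constructed sample in the layout this example assumes:
# ';' lines are header/comments, entries are "CIDR ; reference".
DROP_TEXT = """\
; DROP list sample - CONSTRUCTED for this example, not real data
; (c) Deteque - copyright line retained with the data as the terms ask
; Last-Modified: Mon, 01 Jan 2024 00:00:00 GMT
198.51.100.0/24 ; REF-000001
203.0.113.0/24 ; REF-000002
192.0.2.128/25 ; REF-000003
"""

MIN_FETCH_INTERVAL = 3600    # no more than once per hour
MAX_FETCH_INTERVAL = 86400   # no less than once per day


def parse_drop(text):
    """Return (entries, header): entries is a list of (ip_network, reference),
    header keeps the comment lines so date and copyright travel with the data."""
    entries, header = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(";"):
            header.append(line)
            continue
        cidr, _, ref = line.partition(";")
        try:
            net = ipaddress.ip_network(cidr.strip())  # strict: host bits must be zero
        except ValueError:
            continue  # skip a malformed line rather than guessing the intended range
        entries.append((net, ref.strip()))
    return entries, header


def covering_entry(ip, entries):
    """Most specific listed network containing ip, as (network, reference), or None."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, ref in entries:
        if addr.version == net.version and addr in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, ref)
    return best


def refresh_decision(last_fetch, now):
    """Apply the fetch rules (epoch seconds): 'too-soon' within an hour of the
    last download, 'due' once an hour has passed, 'overdue' once more than a
    day has passed and the cached copy should already have been refreshed."""
    age = now - last_fetch
    if age < MIN_FETCH_INTERVAL:
        return "too-soon"
    if age > MAX_FETCH_INTERVAL:
        return "overdue"
    return "due"


if __name__ == "__main__":
    entries, header = parse_drop(DROP_TEXT)
    print("\n".join(header))
    for probe in ("203.0.113.7", "192.0.2.1", "192.0.2.200"):
        print(probe, "->", covering_entry(probe, entries))
```

In an automated job, refresh_decision is what gates the download: run the job hourly, skip the fetch when it answers "too-soon", and alert when it answers "overdue", since that means the automation has stopped keeping the list current.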
Anyone or any place that has the ability to block or filter IP address ranges on their network by using router equipment (e.g. Internet Service Providers).
No. If you adopt the BGP data feeds or the botnet C&C list in your network, you are not allowed to redistribute the feed to other networks. The export of these feeds/prefixes to other networks is prohibited. Please see our Terms & Conditions here.
BGP data is designed to serve null advisories to ISPs or network providers using BGP, which is implemented at the router level. However, Spamhaus also offers the DROP list in plain text format, which can be used to implement it on nearly any kind of device or software (e.g. network gateways, firewalls, web proxies, etc.).
The application process is designed to allow organizations to initiate an application without committing to taking the service or making a payment until they are first satisfied with the service and have agreed to the service terms. The process is:
1. Use the Free Trial form on the Deteque website to request a 30 day trial of one or more of our services.
2. Fill out the Datafeed Application Form.
Your application is then submitted for approval. Once approved, your application is handled by an Authorized Datafeed Vendor, who will create a Datafeed account for you and email the account information to you. In your Datafeed account area you will then find installation instructions, a Service Agreement (for you to agree to), payment options, and technical support contacts.
The Datafeed service is sold, supplied and managed by Authorized Datafeed Vendors, independent resellers of Deteque (a division of Spamhaus), who include its realtime data in a Datafeed service format.
You therefore contract the Datafeed Service directly with an Authorized Datafeed Vendor. The Authorized Datafeed Vendor is also responsible for first-line technical support. Deteque/Spamhaus retains responsibility for initial vetting of your Datafeed application to eliminate non bona fide requests.
Deteque wants to ensure that its data is only given to reputable, qualified organizations; we therefore need to know who you are before offering you access.
The Datafeed Service Agreement is between you and a third-party contractor (an Authorized Datafeed Vendor). The Agreement is therefore only made available to you once you have completed the Datafeed Application Form, which is first vetted by Deteque/Spamhaus.
Completing the Datafeed Application Form does not commit you to anything.
A “hijacked netblock” is a netblock brought back from the dead, also called a “zombie netblock.” The original owner of the block may have left it derelict for any number of reasons. Squatters then reclaim it with various ploys including registering an abandoned domain name to accept email to the point-of-contact domain contact, or printing up bogus letterhead, or doing a bit of social engineering over the telephone. Some hijackers even outright steal IP-space allocated to someone else just by announcing it under their Border Gateway Protocol (BGP) Autonomous System Number.
Autonomous Systems are hijacked too. Old abandoned ASNs are taken by a spammer or spammer supplier to announce various IP ranges. So it’s quite possible to have a hijacked netblock advertised by a hijacked ASN.