DNS Firewall

Protection Against Malware, Ransomware, C2s, DGAs, Phishing
and Cryptominers

Stop Threats at the Root

RPZ (Response Policy Zone) DNS was developed by the ISC as an open and vendor-neutral component of the BIND Domain Name Server. RPZ functions as a DNS firewall in which rules are expressed in specially constructed zone files. This segmented structure provides an effective method of leveraging threat data for the detection and prevention of malware and ransomware activities at the DNS level.

With this tool, administrators can override the global DNS and create rules that initiate specified responses and actions, such as providing alternate replies to queries. When a workstation, server or other network device tries to connect to a malicious location, it is unable to resolve DNS and is redirected to a specially crafted web page that explains why access was blocked. A DNS RPZ firewall not only protects assets, it also provides an opportunity to educate users so they can be made aware of the link, email or resource – in real-time – that was leading them to malware.

Threat Data

Flexibility is Key for DNS-Level Security

Restricting access at the DNS level is not without complications, however. While C2s, DGAs, and phishing sites tend to be “no brainers” as far as blocking access is concerned, many legitimate and very popular sites unknowingly host malware: Dropbox, Google Docs, etc. Preventing users from reaching these sites can, understandably, be met with great resistance. For this reason, granularity is key to helping administrators maximize threat coverage while minimizing the impact to their users’ crucial online sites, tools, and applications.

A Zone For Each Threat Type

To provide flexibility to our customers for managing the needs of their users or clients, we offer five separate Response Policy Zones. Each zone can be implemented – or not – depending on your needs. These zones include domains hosting (1) C2s, (2) DGAs (used by over 40 malware and ransomware families), (3) Malware, (4) Cryptominers, and (5) Phishing sites.


Apart from applying only the zones that relate to the threats faced by your business, Malware Patrol allows for whitelisting domains from all zones via a simple web interface.

Another tool available is the filtering of domains using the Cisco Umbrella domain ranking. Zones can be filtered based on the top 25,000 1000,000 or 1,000,000 domains as per your request. The Cisco Umbrella classification is updated weekly and applied seamlessly with the whitelisting mechanism.

Custom “Walled Garden”

You can use our “walled garden” to send your users when they hit a malicious domain, or configure your own using the instructions available here.


Package Details


Response Policy Zones:

  • Malware
  • DGAs
  • Command & Control Servers
  • Cryptominers
  • Phishing


– Zones are automatically transferred using AXFR/IXFR mechanisms

– Cisco Umbrella Domain Ranking filtered zones

– Apply whitelists to zones, even on top of Cisco Umbrella filtered ones



Free 7-day data evaluation

Includes Business Protect Data Feed Package

Zones updated every 5 minutes

Unlimited-use commercial license

Annual subscription

Configure and forget



About Our Data

Choosing the right data provider is an essential task as your DNS Firewall is as good as the data that powers it.

Malware Patrol’s threat data is aggregated from diverse sources, including web crawlers, botnet monitors, spam traps, honeypots, research teams, partners and historical data about malicious campaigns. All the data is carefully inspected and monitored. As a result, our feeds contain thoroughly vetted indicators sourced from the real world.

Because security budgets are usually limited, it is important to rely on a data source that provides coverage for the current malicious campaigns and threats that directly affect your company and your customers, maintaining a high level of security but using the minimum amount of resources.


Cisco ASA FirePOWER Configuration Guide

“With Cisco ASA with FirePOWER Services, you consolidate multiple security layers in a single platform, eliminating the cost of buying and managing...

Accessing threat data on AWS S3 buckets

Malware Patrol provides some of its threat data feeds via AWS/Amazon S3 buckets. Among the feeds are the "Malware Samples (Binaries)"...
pfsense logo

pfSense Configuration Guide

pfSense software is a free, open source customized distribution of FreeBSD specifically tailored for use as a firewall and router that is entirely...
pfsense logo

pfBlockerNG Configuration Guide

Malware Patrol provides block lists compatible with pfBlockerNG, a package for pfSense version 2.x that allows the usage of custom block list, IP...
malware threats

BIND9 Configuration Guide

Bind is the world’s most used DNS server. Keep reading to learn how to configure Bind 9. Malware Patrol provides a zone file compatible with Bind 9....

DNS RPZ Firewall Configuration Guide

BIND is the world’s most used DNS server and can be configured as a DNS Firewall using RPZ files (DNS RPZ). Response Policy Zone (RPZ)...

Clam AV Software Configuration Guide

“Clam AV is an open source ant-virus engine for detecting trojans, viruses, malware & other malicious threats.” Malware Patrol provides...

SpamAssassin Configuration Guide

Malware Patrol provides block lists compatible with SpamAssassin.   "Apache SpamAssassin is the #1 Open Source anti-spam platform...
squid logo

Squid3 Web Proxy Configuration Guide

Squid is a proxy for the web that provides extensive access control lists, reduces bandwidth consumption and improves response times by caching and...