Introducing ioc2rpz – where threat intelligence meets DNS

Security researchers have developed a tool that helps to turn DNS resolution into a network defense layer.

DNS (Domain Name System) is a service that converts human-readable names to IP addresses, making it a core network protocol.

But there is also a dark side to the technology. Malware strains use DNS for command and control, data exfiltration/infiltration, and other nefarious purposes.

An estimated 80% of malware uses DNS, a factor that makes the technology a great vantage point to obtain visibility on all activities, and a control plane to enforce protection.

A response policy zone, or DNS firewall, is a technology that allows sys admins to apply security policies on DNS. The snag is that commercial DNS firewall providers seldom allow users to generate their own feeds, while cloud-only DNS service providers don’t provide feeds for on-premises DNS.

Security researchers at Infoblox have developed a utility – dubbed ioc2rpz – that creates an efficient pipeline for feeds.


ioc2rpz is a DNS server which automatically creates, maintains, and distributes DNS firewall feeds. The service can pull in threat intelligence, generate DNS firewall feeds, and distribute them to DNS servers.

These feeds can plug into any open source and commercial DNS servers which support RPZ, e.g. ISC BIND, PowerDNS, Infoblox, BlueCat, and Efficient IP.

Vadim Pavlov, Senior Security Product Manager at Infoblox, outlined the benefits of the ioc2rpz service as a defense against malware during an Arsenal session of the Black Hat conference yesterday (August 5).

In practice

A newly-established community portal, ioc2rpz.net, allows prospective users to try several free DNS firewall feeds.

Pavlov told The Daily Swig: “You can turn your DNS into a security layer and ioc2rpz can help you with that.”

A DNS firewall analyses all incoming requests to see if they are listed as malicious (or prohibited) in configured feeds or local zones. If there is a match, such a request can be logged, blocked, or redirected to a sinkhole, among other actions.
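The matching step described above, as an added illustration that is not ioc2rpz's own code: a small Python evaluator for RPZ QNAME triggers run over a constructed feed. The action encoding follows the RPZ convention (a CNAME to `.` means NXDOMAIN, to `*.` NODATA, to `rpz-passthru.` pass-through, to `rpz-drop.` drop; any other CNAME target is a redirect, e.g. to a sinkhole); the domain names, the sinkhole name and the precedence rule (exact name first, then the longest matching wildcard) are assumptions for the example.

```python
"""Minimal RPZ QNAME-trigger evaluator (added example, simplified)."""
from typing import Dict, Optional, Tuple

# Constructed sample feed in RPZ zone-file syntax. In a real feed each owner
# name carries the zone origin as a suffix (e.g. ".rpz.example."); it is
# stripped here for readability. Owner = trigger, CNAME target = action.
SAMPLE_FEED = """
evil.example.com          CNAME .
*.evil.example.com        CNAME .
allowed.evil.example.com  CNAME rpz-passthru.
tracker.example.net       CNAME *.
noisy.example.net         CNAME rpz-drop.
c2.example.org            CNAME sinkhole.rpz.local.
"""

# Special CNAME targets defined by RPZ and the action each one encodes.
SPECIAL_TARGETS = {".": "NXDOMAIN", "*.": "NODATA",
                   "rpz-passthru.": "PASSTHRU", "rpz-drop.": "DROP"}

Rule = Tuple[str, Optional[str]]  # (action, redirect target or None)


def parse_feed(text: str) -> Dict[str, Rule]:
    """Build a trigger -> rule table from zone-file lines; non-CNAME lines are ignored."""
    rules: Dict[str, Rule] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[1].upper() != "CNAME":
            continue
        owner, target = parts[0].rstrip(".").lower(), parts[2]
        action = SPECIAL_TARGETS.get(target)
        rules[owner] = (action, None) if action else ("CNAME", target.rstrip("."))
    return rules


def evaluate(rules: Dict[str, Rule], qname: str) -> Rule:
    """Policy decision for one query name.

    An exact trigger wins over wildcards; among wildcards the one covering
    the longest suffix (most labels) wins. No match means the query passes
    through to normal resolution ("PASS").
    """
    name = qname.rstrip(".").lower()
    if name in rules:
        return rules[name]
    labels = name.split(".")
    for i in range(1, len(labels)):        # *.b.c.d before *.c.d before *.d
        candidate = "*." + ".".join(labels[i:])
        if candidate in rules:
            return rules[candidate]
    return ("PASS", None)
```

A resolver applying this table would answer NXDOMAIN/NODATA, drop the query, or return the sinkhole CNAME, and log the hit in each case.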

Pavlov concluded: “ioc2rpz is a DNS server which can pull TI [threat intelligence] from various sources (local or remote) and deliver it to your DNS server in the most efficient way (via zone transfer).”

“DNS can easily handle millions of rules without impact on performance and can help you to offload your next-generation firewalls and SWG [Secure Web Gateways/Proxy],” he added.

