This page lists OSINT DNS RPZ Feeds for recursive resolvers to enhance security by blocking malware, phishing, and C2 domains. Submit your RPZ feed if it’s not listed.
Response Policy Zones(RPZ) or DNS Firewall or Protective DNS (thanks CISA) is a solid way to use the DNS protocol as a defense. For a primer on DNS RPZ, please see the blog post
Little Snitch is a network monitor & application firewall for the Mac OS. On 21st May 2024, with the release of Little Snitch 6.0, a notable Blocklists feature has been made available.
While the ability to add a custom blocklist existed in prior versions, it was a manual step. Little Snitch 6.0 changes that. Little Snitch 6.0 now provides a prepopulated list of blocklists for blocking Advertising, Malware, Tracking, Gambling etc.
Considering that the StevenBlack hosts file is one of the premier list for blocking adware, I was surprised not to find the StevenBlack blocklist in the list.
The other nice addition to the list is URLhaus. At the time of writing, there were 183 malicious domain names in the list.
And, the lists auto-update,
What is the advantage of blocking using Little Snitch over a browser extension like uBlock Origin?
I use both the methods. But the method of using Little Snitch is more powerful because it covers access to network connections (adware/malware etc) from any process in the Operating System and not just from those made from within the browser.
For example, Skype making a connecting to dns.google will be detected and can be blocked using Little Snitch.
It’s also important to note that this method of blocking network communication using an application firewall like Little Snitch might not scale if the blocklist is pretty large.
For example, the newly registered domain names dataset will most definitely cause the application to misbehave. In such cases, nothing beats having protection by using a DNS Firewall/DNS RPZ (Protective DNS).
Open Snitch for GNU/Linux
On similar lines to Little Snitch, Open Snitch is a GNU/Linux application firewall. Though I have to mention that I haven’t tried it yet.
While investigating a bit of oddity with the Skype app on Mac OS X, I wanted to capture all traffic from only the Skype processes.
But first, a little background on the issue. All DNS traffic from my systems is routed through a WireGuard tunnel. The peer endpoint at the other end runs a recursive resolver with DNS Response Policy Zones (DNS RPZ).
I’ve been running a WireGuard tunnel and routing DNS from my phone through a recursive resolver(unbound + rpz). Here are the battery stats.
Prior to WireGuard, an OpenVPN tunnel on the phone would drain the battery out in no time! pic.twitter.com/0rJVcJk1iq
The issue is – that as soon as the WireGuard tunnel is disabled, Skype will try connecting to Google DNS(8.8.8.8) and www.bing.com. Perhaps Skype bypasses the local recursive resolver set on the system and sends the DNS queries for its hosts to Google DNS directly? I cannot ascertain that yet, and it warrants a thorough investigation.
I was alerted to this by Little Snitch after I refreshed the rules. A ritual that I seem to follow every few months.
Little Snitch Network Monitor contains a hidden gem. The ability to capture traffic of a specific process.
For example, by right-clicking on any process, you should see the option to Capture Traffic. That should open a terminal window prompting for the sudo password.
After capturing traffic and interrupting should result in a PCAP on the Desktop. Neat!
