dnssinkholelist is a python package focused on combining open source lists of malicious domains, dynamic dns domains, and advertisement domains for use in a dns sinkhole on a bind server or /etc/hosts file.
- This is a script I used for a while for a bind server--- a lot needs cleaned up before you use it automatically to feed into bind or /etc/hosts. Consider it a work in progress. However, you can use it for a unique list of malicious/sinkhole domains from below.
- Requires internet access for downloading domain lists listed below and Alexa database.
- Linux
- Python 2.7
- pip install -U requests[security] #Install requests security
- pip install -U beautifulsoup4; #For HTML Parsing
- pip install -U lxml; #For beautifulsoup4
- pip install -U pyyaml; #For future config and whitelisting parsing
- pip install -U argparse #For future CLI parsing
- pip install -e git+https://github.com/neu5ron/domaininformation@master#egg=domaininformation #For download of Alexa database and filtering based on Alexa rank
git clone https://github.com/neu5ron/dnssinkholelist.git
python2.7 DNSSinkholeList.py
- https://pgl.yoyo.org/adservers/serverlist.php?hostformat=;showintro=0 #Advertisment domains
- http://mirror1.malwaredomains.com/files/justdomains / https://mirror.cedia.org.ec/malwaredomains/justdomains
- https://www.malwaredomainlist.com/hostslist/hosts.txt
- https://zeustracker.abuse.ch/blocklist.php?download=domainblocklist
- https://palevotracker.abuse.ch/blocklists.php?download=domainblocklist
- https://feodotracker.abuse.ch/blocklist/?download=domainblocklist
- https://isc.sans.edu/feeds/suspiciousdomains_Low.txt
- https://isc.sans.edu/feeds/suspiciousdomains_Medium.txt
- https://isc.sans.edu/feeds/suspiciousdomains_High.txt
- https://malc0de.com/bl/ZONES
- http://labs.sucuri.net/malware-data
- http://cybercrime-tracker.net/all.php
- http://malwareurls.joxeankoret.com/normal.txt
- https://gist.githubusercontent.com/neu5ron/8dd695d4cb26b6dcd997/raw/5c31ae47887abbff76461e11a3733f26bddd5d44/dynamic-dns.txt #My Custom Dynamic DNS List
- http://hosts-file.net/download/hosts.txt #Might be too many false positives
- http://vxvault.net//URL_List.php
- http://malwaredb.malekal.com/export.php?type=url
- http://support.it-mate.co.uk/downloads/HOSTS.txt #Might be too many false positives
- https://data.phishtank.com/data/online-valid.json
- https://ransomwaretracker.abuse.ch/downloads/RW_DOMBL.txt
- http://mirror1.malwaredomains.com/files/dynamic_dns.txt
- https://www.threatcrowd.org/feeds/domains.txt
- Add other domain blocklists from https://ransomwaretracker.abuse.ch/blocklist/ ?
- http://www.malwarepatrol.net/cgi/submit?action=list_bind #Requires Signing Up
- http://mtc.sri.com/live_data/malware_dns/ #Not working
- http://exposure.iseclab.org/malware_domains.txt #Not working
- https://spyeyetracker.abuse.ch/blocklist.php?download=domainblocklist #Discontinued
- https://threatfeed.nullsecure.org/ #TOOOOOOOOO Late to the party? No updates in 2016 as of 2016-02-18.
- Make unique/sorted domains into a function as a new one is added in the corresponding lists function... instead of at the end
- Use python os commands for error checking and such
- If anything returns no values then email or alert/log
- Ability to choose between creating a host file or bind file..if bind then only get lowest level domain. if host file then keep as is (VIA CLI)
- Test if bind directories exist and if not create them etc
- Add variables for where bind files should be stored, like /use/share/bind folder thing (VIA CLI)
- Use python logging instead of print and such
- Option to exclude some whitelist / make it a yaml?
- Implement WhiteList via a gist/github link that is auto updated like the other lists/feeds
- Number each list, and add ability to disable list via the command line by specifying something like --disable-lists=1,2,3,4,5