ThreatSTOP DNS Firewall Overview

RPZ turns your DNS server into a DNS firewall!
Get additional protection against botnets, phishing attacks and other malware.

ThreatSTOP's service for firewalls has always blocked the worst of the worst, but there are many situations where blocking by IP address is too indiscriminate. ThreatSTOP DNS Firewall blocks by domain as well as by IP address, so it can block a single malicious domain hosted on the same IP address as thousands of innocent domains.

A DNS firewall is also more flexible. Instead of simply dropping all traffic, it can redirect selected queries to a walled garden, via a proxy with full IDS/IPS analysis, for destinations that are suspect but may not in fact be malicious.

ThreatSTOP DNS Firewall uses a feature of BIND nameservers called Response Policy Zone, or RPZ. Using RPZ, a nameserver can return a different answer when a client queries for a domain that is considered problematic.

  • Response Policy Zone (RPZ) information is transferred using standard DNS zone transfer mechanisms from DNS servers.
  • Policies are fully customizable using our web portal.
  • User-defined policies can incorporate multiple lists.
  • Reduces the need for additional network bandwidth.
  • Eliminates the need to manually blacklist domain names.
  • Prevents damage and data exfiltration caused by phishing attacks.
  • Easy to install and deploy, and brings immediate protection.
  • Web-based reports provide at-a-glance summaries of threats stopped.

How It Works

ThreatSTOP's DNS firewall product is fully customizable using our standard portal and UI. It only takes a few minutes for subscribers to select one of our standard policies or create their own custom policy in our portal. Policies can specify different rules so that, for example, attempts to contact botnet C&C servers can simply be denied while users who click on phishing links see a redirection to a walled garden.

The rules for the subscriber's chosen policy, identified by its policy name, are obtained from the portal and added to the BIND DNS server configuration files. The DNS server then automatically downloads the policy and applies it to every lookup it receives. The policy is updated automatically (every two hours by default), so it blocks newly identified threats and stops blocking locations that have since been remediated.

RPZ takes action based on the domain name queried (QNAME), the IP address returned in the answer (RPZ IP), or the fully qualified domain name (FQDN) or IP address of any of the name servers used in the resolution process (NS DNAME and NS IP). Depending on the match, the name server can opt to:

  • Report an error (NXDOMAIN or NODATA).
  • Not return anything (DROP).
  • Return a static IP address (for example,
  • Return a walled garden name (CNAME walledgarden.local).
  • Return the true data (PASSTHRU) - typically used to override a specific host/subdomain in an otherwise suspicious domain.
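The following zone file is an added illustration of the trigger types and actions listed above; it is not ThreatSTOP's actual policy data or configuration. The zone name rpz.example, every trigger domain (all under the reserved .example TLD), and the addresses (drawn from the 192.0.2.0/24 and 203.0.113.0/24 documentation ranges) are placeholders constructed for this example; walledgarden.local is the name used on this page. In an RPZ zone the owner name is the trigger and the record data encodes the action: a CNAME to "." means NXDOMAIN, a CNAME to "*." means NODATA, a CNAME to rpz-drop. means DROP, a CNAME to rpz-passthru. means PASSTHRU, and ordinary A or CNAME data is returned as the answer.

```bind
; Added example, not the provider's real zone. All names and addresses
; are placeholders constructed for this illustration.
$ORIGIN rpz.example.
$TTL 60
@   SOA  ns.rpz.example. hostmaster.rpz.example. ( 2024010101 3600 600 86400 60 )
    NS   ns.rpz.example.

; --- QNAME triggers (owner names are relative to the zone origin) ---

; NXDOMAIN: CNAME to the root name ".". The wildcard line covers every
; subdomain; the first line covers the bare domain itself.
botnet-cc.example        CNAME .
*.botnet-cc.example      CNAME .

; NODATA: CNAME to "*." returns an empty, non-error answer.
tracker.example          CNAME *.

; DROP: the resolver sends no response at all for this query.
flooder.example          CNAME rpz-drop.

; Static IP: local data returned instead of the real answer
; (192.0.2.10 is a documentation address standing in for a sinkhole).
phish-kit.example        A 192.0.2.10

; Walled-garden redirect: CNAME to the walled garden name from the page.
phish-login.example      CNAME walledgarden.local.
*.phish-login.example    CNAME walledgarden.local.

; PASSTHRU: exempt one host under an otherwise redirected domain so its
; true data is returned. The exact owner name is preferred over the
; wildcard *.phish-login.example when both match.
cdn.phish-login.example  CNAME rpz-passthru.

; --- RPZ IP trigger: fires on addresses in the answer section ---
; Encoding is <prefix-length>.<octets reversed>.rpz-ip, so this entry
; denies any answer containing an address in 203.0.113.0/24.
24.0.113.0.203.rpz-ip    CNAME .

; --- NS DNAME trigger: fires on the authoritative server's name ---
; Any domain delegated to this (placeholder) name server gets NXDOMAIN.
ns1.bulletproof.example.rpz-nsdname   CNAME .

; --- NS IP trigger: fires on the authoritative server's address ---
; Same effect as above, keyed on the single address 203.0.113.1/32.
32.1.113.0.203.rpz-nsip  CNAME .
```

To put the zone into effect, BIND's `options` block lists it under `response-policy { zone "rpz.example"; };` and the zone itself is declared as a secondary zone whose contents arrive by standard zone transfer from the provider's servers, as the bullet list above describes; the file is shown here only so the record format is visible, since a subscriber would not hand-edit it. When checking a deployment, the PASSTHRU entries deserve the most scrutiny, because each one punches a hole in a block that the rest of the zone imposes.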

Supported devices

The ThreatSTOP threat intelligence web service works with most firewalls and other traffic management devices that can make a forwarding decision based on a DNS lookup. Our RPZ solution works with BIND server 9.0+. BIND is open source software that implements the Domain Name System (DNS) protocols for the Internet. It is a reference implementation of those protocols, but it is also production-grade software, suitable for use in high-volume and high-reliability applications.