Malware Domain Lists: How Blocklists Work and the Best Free Resources

Table of Contents

One of the most cost-effective ways to protect a network from malware is to block connections to known malicious domains before any content is delivered. Malware domain lists — also called blocklists or denyslists — are curated databases of domains, IPs, and URLs associated with malware distribution, command-and-control servers, phishing pages, and other threats. This guide explains how they work and the best free sources available.

How Malware Domain Blocklists Work

When a piece of malware tries to communicate with its C2 server, or when a user visits a malware-hosting site, that communication happens over the network using domain names. If you can intercept that DNS query or HTTP request and block it, you stop the malware's ability to function — even if it's already on the endpoint.

DNS-level blocking: A DNS resolver checks each domain query against a blocklist. If the domain is listed as malicious, the resolver returns a "not found" response or redirects to a block page. This stops communication before any data is exchanged. Tools: Pi-hole, pfBlockerNG, Cloudflare Gateway, Cisco Umbrella.

Firewall/proxy blocking: A next-generation firewall or web proxy checks outbound connections against URL and IP blocklists, blocking connections to known malicious destinations. This works for IP-based connections that bypass DNS.

Host-based blocking: The /etc/hosts file (Linux/Mac) or C:\Windows\System32\drivers\etc\hosts (Windows) can redirect malicious domains to localhost, preventing connection. This is how tools like the MVPS Hosts file work.

Best Free Malware Domain Lists

1. Abuse.ch Threat Feeds

URLhaus (urlhaus.abuse.ch): Real-time database of URLs actively distributing malware. Updated continuously by a community of researchers. Provides CSV, JSON, and DNS blocklist formats.

Feodo Tracker (feodotracker.abuse.ch): IP blocklist for botnet C2 servers used by Emotet, Dridex, TrickBot, QBot, and similar banking trojans. Invaluable for enterprise networks.

SSL Blacklist (SSLBL): Blocks botnet C2 servers identified by their SSL certificates rather than IPs (useful when attackers rotate IPs but keep certificates).

2. MalwareDomainList.com

One of the longest-running free malware domain blocklists, tracking domains actively hosting malware. Available in hosts file format, making it easy to implement.

3. StevenBlack Hosts

A consolidated hosts file combining multiple blocklists (Peter Lowe, DanPollock, MalwareDomainList, and others) into a single well-maintained list. Available on GitHub with regular updates. Used by millions of Pi-hole installations.

GitHub: github.com/StevenBlack/hosts

4. PhishTank

PhishTank (phishtank.org): Community-verified phishing URL database. Not exclusively malware, but phishing pages are frequently used as malware delivery mechanisms. Available via API and bulk download.

5. OpenPhish

OpenPhish (openphish.com): Automated phishing detection service providing a free feed of active phishing URLs. Updated frequently.

6. Emerging Threats (Proofpoint)

Emerging Threats provides free Snort/Suricata IDS rules and IP reputation lists, including rules specifically targeting malware C2 traffic patterns. The free "open" ruleset is available for non-commercial use.

7. CINS Army List

Collective Intelligence Network Security (CINS) Army List provides an IP blocklist of confirmed bad actors identified through analysis of traffic to CINS member networks.

8. Spamhaus

Spamhaus blocklists (the Domain Block List/DBL and the Block List/SBL) are widely used in email security but also valuable for web filtering. Free for personal and non-commercial use.

Implementing a Blocklist

Pi-hole (Home Network)

Pi-hole is a DNS server that runs on a Raspberry Pi or other device and blocks all devices on your home network:
1. Install Pi-hole (pi-hole.net)
2. Add blocklist URLs under Settings > Blocklists
3. Point your router's DNS to the Pi-hole IP

pfBlockerNG (pfSense)

For networks using pfSense firewall, pfBlockerNG provides DNS and IP blocking using multiple feeds with automatic updates.

Windows (Manual Hosts File)

Download the StevenBlack hosts file and merge it with your existing hosts file. The file redirects malicious domains to 0.0.0.0.

Enterprise (Cisco Umbrella, Cloudflare Gateway)

Cloud-based DNS filtering services provide automated blocklist management, reporting, and bypass controls for enterprise environments.

Limitations of Blocklists

Blocklists are reactive — they only block known malicious domains. Limitations include:

  • New domains: Freshly registered malicious domains won't appear on blocklists until reported and verified
  • Fast-flux: Malware that rapidly rotates domains may not be blocked before the new domain is added
  • False positives: Overly aggressive blocklists occasionally block legitimate sites
  • IP-only C2: Some malware uses IP addresses directly rather than domains, bypassing DNS blocklists
  • Encrypted DNS: If malware uses DNS-over-HTTPS (DoH) to a resolver that doesn't check your blocklist, DNS filtering is bypassed

FAQ

How often should blocklists be updated?
For active threat protection, daily updates are the minimum. Abuse.ch feeds update multiple times per day. For Pi-hole, configure automatic weekly or daily updates.

Will adding blocklists slow down my internet?
Minimally. DNS lookups are fast, and a blocklist check adds microseconds to each query. Users typically notice no performance difference.

Can I create my own blocklist?
Yes. If you identify malicious domains in incident response or threat hunting, you can maintain a custom blocklist alongside public feeds.

Do blocklists protect against zero-day malware?
Only if the domains used are already known. Zero-day malware using fresh infrastructure won't be on existing blocklists — you need behavioral detection for that.


This article is published by ScamSandbox to help users understand and avoid malware threats and online scams.

Sc

ScamSandbox Team

Cybersecurity Expert at ScamSandbox

Share: