Malware hosts protection.


 18-Feb-2014: initial release.



On the website malwaredomains you can find a regular updated Malware Domain Blocklist. You can add this list to the name server that runs on your home server, so that it will block requests to hosts that contain malware. Well, it does not really block these requests but it will return a fake IP address instead of the real IP address of the requested site. This can be for example On the home server described on this site, dnsmasq  is used as name server. This setup is made so that it will include any files dropped in the /etc/dnsmasq.d subdirectory in the main configuration.


The script.

I have written a shell script and installed it as /usr/local/sbin/malwaredomains. The script:

# Update list of malware domains


install_malwarezones() {


  echo "#" > $DNSMASQFILE
  echo "# $DNSMASQFILE generated $(date)" >> $DNSMASQFILE
  echo "# do not edit this file, your changes will get lost" >> $DNSMASQFILE
  echo "#" >> $DNSMASQFILE 

  # Use " separator to isolate the domain names
  grep -E '^zone' /var/malwaredomains/spywaredomains.zones | while read L ; do
    set $L
    echo "address=/$2/" >> $DNSMASQFILE

  mkdir -p $DNSMASQPATH
  [ -x /etc/rc.d/rc.dnsmasq ] && /etc/rc.d/rc.dnsmasq restart >/dev/null

cd /var/malwaredomains
wget -qN

if [ $rc -eq 0 ]; then

  if [ -f spywaredomains.md5 ]; then

    OLD=$(cat spywaredomains.md5)
    NEW=$(md5sum spywaredomains.zones)

    if [ "$OLD" != "$NEW" ]; then
      md5sum spywaredomains.zones > spywaredomains.md5

    md5sum spywaredomains.zones > spywaredomains.md5


This script should be called by cron, you can create a symlink in /etc/cron.daily or /etc/cron.weekly so that this script runs every day or every week. The script checks for a new file from a mirror of the malware domain website. If it detects that this file is changed by comparing the md5 checksum of this file against a known checksum, then a new file 80-malware-domains is created and installed in /etc/dnsmasq.d After that the dnsmasq sever is restarted so that it loads the new file.

The script does write a file 80-malware-domains in the format that dnsmasq understands. The IP address used is the IP address of the webserver on your homeserver. This should be a default empty server. You can also use or as IP address. The advantage of using an empty default server on your home server is that you can check the logfile to see if any client computer tries to reach a blacklisted malware site. This could be caused by already installed malware on the client. Clients that use Firefox or Chrome (others??) are already protected because they use Google Safe Browsing. However that can be disabled, or users use unsafe browsers.

For the first time, run this script by hand. Check your name server by making a query for a malware domain:

root@homsrv:~# host has address


You should see that it returns the IP address that you have used in your script.

Note that the downloaded file is in bind format, so if you use bind instead of dnsmasq, you can use the downloaded file without any change. Just follow the instructions on the malware domains website.