A plugin that pulls malicious domain names from MISP feeds and enforces blocking in Technitium DNS Server.
It maintains an in-memory blocklist for fast lookups, keeps a disk-backed cache for faster startup, and periodically refreshes indicators from the configured MISP instance.
NOTE: This app is not included in the main Technitium DNS Server repository as of v15.
MISP is a threat intelligence platform for sharing, storing, and correlating indicators of compromise, threat intelligence, financial fraud information, vulnerability information, and related data. See the project documentation for details.
This plugin assumes that you already have a working MISP instance. Installing and configuring MISP itself is outside the scope of Technitium DNS Server.
See this article for a sample use case.
- Retrieves domain-name indicators of compromise from a MISP server through its REST API.
- Handles paginated fetches with exponential backoff and retry for transient network failures.
- Maintains the current blocklist in memory for fast lookup and persists it to disk for faster startup.
- Matches both exact domains and parent domains without allocating new strings during lookup.
- Blocks matching DNS requests by returning NXDOMAIN, or, for TXT queries when enabled, a human-readable blocking report.
- Optionally includes the same blocking report as Extended DNS Error metadata when the client query contains EDNS.
- Lets you configure the TTL applied to blocking answers.
- Supports configurable refresh intervals and IOC age windows.
- Allows TLS certificate validation to be disabled for test environments, with an explicit warning in logs.
Supply a JSON configuration like the following:
```json
{
  "enableBlocking": true,
  "mispServerUrl": "https://misp.example.com",
  "mispApiKey": "YourMispApiKeyHere",
  "disableTlsValidation": false,
  "updateInterval": "2h",
  "maxIocAge": "15d",
  "blockingAnswerTtl": 30,
  "allowTxtBlockingReport": true,
  "paginationLimit": 5000,
  "addExtendedDnsError": true
}
```

- enableBlocking lets you disable enforcement without uninstalling the app.
- mispServerUrl is the base URL of the MISP instance.
- mispApiKey is the API key used to query MISP.
- disableTlsValidation can be useful for test instances and homelabs, but it is not recommended in production.
- updateInterval controls how often the app refreshes indicators from MISP. Supported suffixes are m, h, and d.
- maxIocAge filters indicators by their MISP last_seen value, which lets you limit the blocklist to more recent campaigns. Supported suffixes are m, h, and d.
- blockingAnswerTtl sets the TTL, in seconds, for both blocking TXT answers and blocking SOA records. The allowed range is 30 to 86400; the default is 30.
- allowTxtBlockingReport returns a TXT blocking report for blocked TXT queries instead of NXDOMAIN.
- paginationLimit controls how many attributes are requested from MISP per page.
- addExtendedDnsError adds the blocking report to the EDNS payload when the query includes EDNS, which is useful when DNS telemetry is exported to a SIEM.
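A pre-deployment check for the options described above, as an added example that is not part of the plugin's own code. The function names, the severity labels, and the assumption that interval values are whole numbers are illustrative; the ranges, suffixes, and placeholder key come from this page.

```python
import json
import re
from urllib.parse import urlparse

_DURATION = re.compile(r"^(\d+)([mhd])$")      # documented suffixes: m, h, d
_UNIT_SECONDS = {"m": 60, "h": 3600, "d": 86400}

def parse_duration(value):
    """Convert '2h' / '15d' to seconds; None if not <integer><m|h|d> (assumed form)."""
    m = _DURATION.match(value) if isinstance(value, str) else None
    return int(m.group(1)) * _UNIT_SECONDS[m.group(2)] if m else None

def lint_config(text):
    """Return (severity, message) findings for a config JSON string."""
    cfg = json.loads(text)
    findings = []
    url = urlparse(str(cfg.get("mispServerUrl", "")))
    if url.scheme != "https" or not url.hostname:
        findings.append(("warn", "mispServerUrl is not an https:// URL; "
                                 "the API key would travel in cleartext"))
    if cfg.get("disableTlsValidation") is True:
        findings.append(("warn", "disableTlsValidation is true; "
                                 "not recommended in production"))
    if cfg.get("mispApiKey") in (None, "", "YourMispApiKeyHere"):
        findings.append(("error", "mispApiKey is empty or the sample placeholder"))
    for key in ("updateInterval", "maxIocAge"):
        if parse_duration(cfg.get(key)) is None:
            findings.append(("error", f"{key} must be a number followed by m, h or d"))
    ttl = cfg.get("blockingAnswerTtl", 30)      # documented default is 30
    if isinstance(ttl, bool) or not isinstance(ttl, int) or not 30 <= ttl <= 86400:
        findings.append(("error", "blockingAnswerTtl must be an integer in 30..86400"))
    if cfg.get("enableBlocking") is False:
        findings.append(("info", "enableBlocking is false; indicators are not enforced"))
    return findings

# Constructed sample: the config above with three deliberate problems.
SAMPLE = """{"mispServerUrl": "https://misp.example.com",
 "mispApiKey": "YourMispApiKeyHere", "disableTlsValidation": true,
 "updateInterval": "2h", "maxIocAge": "15days", "blockingAnswerTtl": 30}"""

if __name__ == "__main__":
    for severity, message in lint_config(SAMPLE):
        print(f"{severity}: {message}")
```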
For a blocked domain, the app generates a report in the following form:
source=misp-connector;domain=example.org
For ordinary queries, the app returns NXDOMAIN with an SOA record in the authority section. If allowTxtBlockingReport is enabled and the blocked query type is TXT, it returns the blocking report as the TXT answer instead.
If addExtendedDnsError is enabled and the request contains EDNS, the same report is also added as an Extended DNS Error with the Blocked code.
Thanks to everyone who has been part of or contributed to the MISP Project for making it a useful resource.