Filter / block resolution of bad domains at the DNS Level.

SURBL provides highly accurate and effective domain threat intelligence.  SURBL RPZ allows this data to be used at the DNS level to deny or modify the resolution of low-reputation domains.  Protect users from visiting objectionable or dangerous spam, phishing or malware web sites using DNS RPZ. 

  • Comprehensive: ~800,000 current, active, bad domains
  • Up-to-date: Data added or removed every 1-2 minutes
  • Proven: Currently used to protect 1 Billion+ users
  • Protection from domains involved in malware and phishing, plus cracked and abused sites
  • From the World’s First RPZ Data Provider

Help prevent identity theft, phishing attacks, malware infection, loss of revenue due to visiting infected or malicious sites.  Made possible by SURBL’s highly-regarded, multi-sourced, real-time domain intelligence.

How Does it work?


SURBL Response Policy Zone (RPZ) provides fast, dynamic threat intelligence to defend against advanced malware and phishing sources

DNS RPZ protects your systems and users by blocking websites hosting cyber threats, including spam, phishing, and malware. 

RPZ implements SURBL’s real-time threat intelligence domain data at the DNS level. DNS resolvers utilize SURBL RPZ data to protect users trying to visit known bad domains. 

  1. User submits a request to the DNS Resolver.  
  2. DNS Resolver queries the SURBL Response Policy Zone feeds to assess if the domain or related IP address is a known malicious threat. 
  3. If domain being queried is malicious, the DNS Resolver will be re-directed to stop the user from accessing the bad domain. Blocked domains will be re-directed to “NXDOMAIN” or a defined modified value.
    • If the domain is not listed in SURBL RPZ, then DNS request will resolve.

SURBL RPZ data is available by private incremental zone transfer using recent versions of BIND.  

Using SURBL RPZ improves detection and prevention of phishing attacks, malware infections, identity theft, and loss of revenue. 



Data from multiple sources covering sites that host malware. This includes OITC, the DNS blackhole malicious site data from and Malware Domain List.


Phishing data from multiple sources and is included in the PH phishing data source. Phishing data was first provided by MailSecurity, later joined by PhishTank data, OITC phishing data, PhishLabs data, and several other sources.

Abused Sites

Data feed of general spam sites (pills, counterfeits, dating, etc). Most of domains are found using SURBL internal, proprietary research. Abused sites feed is also supplemented with data from Internet security, anti-abuse, ISP, ESP and other communities.


FRESH identifying newly registered domains. Cybercriminal cycle through new domains to evade filters. As a result, the vast majority of newly registered domains are used for malicious activity. With SURBL FRESH, add an extra layer of protection against malware, ransomware and spamming by blocking traffic associated with recently registered domains whose reputations have yet to be established .

Cracked Sites

Data feed focused on cracked sites. Cybercriminals steal credentials or abuse vulnerabilities in CMSs, like WordPress or Joomla, to break into websites and add malicious content. Often, cracked pages will redirect to spam sites or to other cracked sites. Cracked sites usually still contain the original legitimate content and may still be mentioned in legitimate emails, besides the malicious pages referenced in spam.


Key Features & Benefits

Comprehensive Data: SURBL data feeds have ~800,000 known malicious domains.  Researchers specialize in hunting the hard-to-detect threats, like phishing, malware, and bot-net sites. 

Updated Every 1-2 Minutes: Data feeds are continuously being updated. New domains are added or removed every 1-2 minutes. System and users are protected from new threats as they are discovered. 

Accurate, Near-Zero False Positives:  50+ checks are in place to assess domain reputations and ensure accuracy of data, so only bad domains are blocked. 


Easy Implementation: RPZ Data is made available via private incremental zone transfer. 

Low Cost Solution: Works with current hardware and DNS appliances. Compatible with most recent versions of BIND.

Minimize Risk: Enhanced protection from phishing attacks, malware infections, identify theft, loss of revenue and more. Safeguard your organization from these detrimental cyberthreats. 

Maintain Control of your DNS Infrastructure: We deliver our RPZ zones directly to your resolvers, eliminating the need to point to a cloud server. 


Organizations benefiting from DNS RPZ

Start your free trial.

Design the best set of data feeds to meet your needs!

Experience improved cybersecurity and stop phishing emails, ransomware, malware, and other cyber threats. Sign up for your free consultation and receive an in-depth technical deep dive and a 30-day free trial.