Query DNS for Malicious IPs
DNS is the preferred method for querying our database of malicious IP addresses. This guide explains how to use DNS queries to protect your website from unwanted traffic.
Why DNS Queries?
DNS queries are lightweight and fast. They allow you to block IP addresses before they reach your server. By querying ip64.org, you can quickly determine whether an IP is malicious.
Example DNS Queries
Our service allows you to look up potentially malicious IP addresses easily. Simply use your DNS client, such as dig or nslookup, to query the IP address in the format <ip_address>.ip64.org. If the IP address is found to be malicious, you will receive a CNAME response indicating that it is a bad IP address. An NXDOMAIN response indicates that it is not in our database.
Example when IP is malicious:
aaron@main:~$ dig 1.2.3.4.ip64.org
; <<>> DiG 9.18.28-0ubuntu0.20.04.1-Ubuntu <<>> 1.2.3.4.ip64.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24976
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;1.2.3.4.ip64.org. IN A
;; ANSWER SECTION:
1.2.3.4.ip64.org. 48 IN CNAME bad.ip64.org.
bad.ip64.org. 3588 IN A 216.250.124.186
;; Query time: 3 msec
;; SERVER: 127.0.0.53#53(127.0.0.53) (UDP)
;; WHEN: Fri Oct 04 23:52:04 UTC 2024
;; MSG SIZE rcvd: 87
Example when IP is not in the database:
If the IP address is not found in our database, you will receive an NXDOMAIN response, as shown below:
aaron@main:~$ dig 1.2.3.5.ip64.org
; <<>> DiG 9.18.28-0ubuntu0.22.04.1-Ubuntu <<>> 1.2.3.5.ip64.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 60040
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;1.2.3.5.ip64.org. IN A
;; AUTHORITY SECTION:
ip64.org. 1800 IN SOA ns1.ip64.org. hostmaster.ip64.org. 16 3600 1800 1209600 86400
;; Query time: 255 msec
;; SERVER: 127.0.0.53#53(127.0.0.53) (UDP)
;; WHEN: Wed Oct 09 20:53:25 PDT 2024
;; MSG SIZE rcvd: 96
How to Integrate DNS Queries
Integrating DNS queries into your code allows you to automatically query IPs that visit your website in real time. This enables you to block malicious IP addresses before they access your resources.
Here’s how to integrate DNS queries in your server or application:
- For each incoming IP address, run a DNS query against
<ip>.ip64.org. - If a CNAME response is returned (examples:
bad.ip64.org,autoblock.ip64.org, ormanual.ip64.org), block the connection to your web server. - Otherwise, allow the connection as usual.
To see detailed code examples for using DNS in Python, Java, Go, and more, check out our code samples below.
Code Samples (DNS)
These examples show how to use DNS lookups to check for malicious IPs in real-time. DNS queries are usually slower than API calls, but can be faster if your local resolver caches the queries.
Python Example
Here is how you can perform DNS lookups in Python using the dnspython library to query the DNS for bad IPs:
import dns.resolver
def check_ip(ip_address):
try:
query = f'{ip_address}.ip64.org'
result = dns.resolver.resolve(query, 'CNAME')
for cname in result:
print(f'{ip_address} is flagged: {cname}')
except dns.resolver.NXDOMAIN:
print(f'{ip_address} is not flagged.')
except Exception as e:
print(f'An error occurred: {e}')
if __name__ == "__main__":
ip_to_check = "192.0.2.1"
check_ip(ip_to_check)
Ruby Example
This example shows how to perform a DNS query in Ruby to check if an IP address is flagged as malicious:
require 'resolv'
def check_ip(ip)
query = "#{ip}.ip64.org"
begin
result = Resolv::DNS.open do |dns|
dns.getresource(query, Resolv::DNS::Resource::IN::CNAME)
end
puts "#{ip} is flagged as: #{result.name}"
rescue Resolv::ResolvError
puts "#{ip} is not flagged."
end
end
check_ip('192.0.2.1')
C# Example
This example shows how to perform a DNS query in C# to check if an IP address is flagged as malicious:
using System;
using System.Net;
class Program
{
static void Main(string[] args)
{
string ip = "192.0.2.1";
string query = ip + ".ip64.org";
try
{
IPHostEntry entry = Dns.GetHostEntry(query);
Console.WriteLine($"{ip} is flagged as: {entry.HostName}");
}
catch (Exception)
{
Console.WriteLine($"{ip} is not flagged.");
}
}
}
Java Example
This example shows how to perform a DNS query in Java to check if an IP address is flagged as malicious:
import java.net.InetAddress;
import java.net.UnknownHostException;
public class DNSLookup {
public static void main(String[] args) {
String ip = "192.0.2.1";
String query = ip + ".ip64.org";
try {
InetAddress address = InetAddress.getByName(query);
System.out.println(ip + " is flagged as: " + address.getHostName());
} catch (UnknownHostException e) {
System.out.println(ip + " is not flagged.");
}
}
}
JavaScript Example
Here is a JavaScript example that uses a DNS query to check if an IP is flagged. This requires a DNS resolution library such as node-dns:
const dns = require('dns');
const checkIP = (ip) => {
const query = `${ip}.ip64.org`;
dns.resolveCname(query, (err, addresses) => {
if (err && err.code === 'ENOTFOUND') {
console.log(`${ip} is not flagged.`);
} else if (addresses) {
console.log(`${ip} is flagged: ${addresses}`);
} else {
console.error(`Error: ${err.message}`);
}
});
};
checkIP('192.0.2.1');
Go Example
This Go example shows how to perform a DNS query to check for malicious IPs using the net package:
package main
import (
"fmt"
"net"
)
func checkIP(ip string) {
query := fmt.Sprintf("%s.ip64.org.", ip)
cname, err := net.LookupCNAME(query)
if err != nil {
fmt.Printf("%s is not flagged.\n", ip)
} else {
fmt.Printf("%s is flagged: %s\n", ip, cname)
}
}
func main() {
checkIP("192.0.2.1")
}
PHP Example
Here is a PHP example for performing a DNS lookup to check if an IP address is flagged:
$ip = "192.0.2.1";
$query = $ip . ".ip64.org";
if (dns_get_record($query, DNS_CNAME)) {
echo "$ip is flagged as malicious.";
} else {
echo "$ip is not flagged.";
}