Query DNS for Malicious IPs

DNS is the preferred method for querying our database of malicious IP addresses. This guide explains how to use DNS queries to protect your website from unwanted traffic.

Why DNS Queries?

DNS queries are lightweight and fast. They let you block traffic from listed IP addresses before it reaches your server. By querying ip64.org, you can quickly determine whether an IP is malicious.

Example DNS Queries

Our service allows you to look up potentially malicious IP addresses easily. Use a DNS client, such as dig or nslookup, to query the IP address in the format <ip_address>.ip64.org. If the IP address is in our database as malicious, the answer is a CNAME record pointing to bad.ip64.org. An NXDOMAIN response indicates that it is not in our database.

Example when IP is malicious:

aaron@main:~$ dig 1.2.3.4.ip64.org

; <<>> DiG 9.18.28-0ubuntu0.20.04.1-Ubuntu <<>> 1.2.3.4.ip64.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24976
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;1.2.3.4.ip64.org.      IN      A

;; ANSWER SECTION:
1.2.3.4.ip64.org. 48    IN      CNAME   bad.ip64.org.
bad.ip64.org.           3588    IN      A       216.250.124.186

;; Query time: 3 msec
;; SERVER: 127.0.0.53#53(127.0.0.53) (UDP)
;; WHEN: Fri Oct 04 23:52:04 UTC 2024
;; MSG SIZE  rcvd: 87

Example when IP is not in the database:

If the IP address is not found in our database, you will receive an NXDOMAIN response, as shown below:

aaron@main:~$ dig 1.2.3.5.ip64.org

; <<>> DiG 9.18.28-0ubuntu0.22.04.1-Ubuntu <<>> 1.2.3.5.ip64.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 60040
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;1.2.3.5.ip64.org.              IN      A

;; AUTHORITY SECTION:
ip64.org.               1800    IN      SOA     ns1.ip64.org. hostmaster.ip64.org. 16 3600 1800 1209600 86400

;; Query time: 255 msec
;; SERVER: 127.0.0.53#53(127.0.0.53) (UDP)
;; WHEN: Wed Oct 09 20:53:25 PDT 2024
;; MSG SIZE  rcvd: 96

How to Integrate DNS Queries

Integrating DNS queries into your code allows you to automatically query IPs that visit your website in real time. This enables you to block malicious IP addresses before they access your resources.

Here’s how to integrate DNS queries in your server or application:

  1. For each incoming IP address, run a DNS query against <ip>.ip64.org.
  2. If a CNAME response of bad.ip64.org is returned, block the connection to your web server.
  3. Otherwise, allow the connection as usual.
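
One way to implement steps 1 to 3, as an added example that is not ip64.org's own sample code. The function names, the injectable resolve parameter and the fail_closed policy flag are assumptions of this example, and it accepts IPv4 only because that is the only query format shown above.

```python
import ipaddress
import socket

ZONE = "ip64.org"            # lookup zone, from the page
BAD_TARGET = "bad.ip64.org"  # CNAME target that marks a listed IP, from the page


def query_name(ip):
    """Build <ip>.ip64.org from a literal IPv4 address only.

    Parsing first means a client-supplied value can never become an
    arbitrary DNS name. Raises ValueError for anything else.
    """
    return f"{ipaddress.IPv4Address(ip)}.{ZONE}"


def system_canonical_name(name):
    """Canonical name from the OS resolver, or None when the name does not exist.

    Assumption: the resolver reports the CNAME target as the canonical name.
    """
    try:
        return socket.gethostbyname_ex(name)[0]
    except socket.gaierror as exc:
        if exc.errno == socket.EAI_NONAME:  # NXDOMAIN: not in the database
            return None
        raise  # timeout, SERVFAIL, ...: not a verdict


def should_block(ip, resolve=system_canonical_name, fail_closed=False):
    """Steps 1-3: True only when the lookup lands on bad.ip64.org."""
    try:
        canonical = resolve(query_name(ip))
    except OSError:
        # Resolver outage: apply local policy instead of guessing a verdict.
        return fail_closed
    return canonical is not None and canonical.rstrip(".").lower() == BAD_TARGET


if __name__ == "__main__":
    # Constructed answers mirroring the two dig outputs on this page.
    sample = {"1.2.3.4.ip64.org": "bad.ip64.org."}
    for ip in ("1.2.3.4", "1.2.3.5"):
        print(ip, "block" if should_block(ip, resolve=sample.get) else "allow")
```

A resolver error is kept separate from NXDOMAIN so that an outage of the lookup path is handled by an explicit fail-open or fail-closed choice instead of being read as "not listed".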

To see detailed code examples in Python, Java, Go, and more, check out our Code Samples page.