Generic Instructions

ThreatSTOP operates by publishing its block lists as Fully Qualified Domain Names that answer multi-host forward (A record) lookups. Each lookup resolves to up to 4000 IP addresses.

Because the answers are so large (far more than fits in a single UDP response), you need to allow TCP DNS queries.

To use ThreatSTOP block lists, you first make sure that the device that will use them points to the ThreatSTOP DNS servers for name resolution.

This means setting the DNS client in your firewall to point to 24.249.204.58 and ensuring that your firewall can resolve names using both UDP and TCP (you may need to modify your DNS allow rule to permit TCP port 53).

Then you configure rules that reference the block list and take the desired action.

To use a list, put its name in place of the IP address in the rule or address-object configuration on your firewall; the firewall resolves the name and applies the rule to every address returned.

The specific mechanism for doing this varies by device, but the general form of the rules is:

FROM basic.threatstop.local TO ANY DENY
FROM basic1.threatstop.local TO ANY DENY
FROM basic2.threatstop.local TO ANY DENY
FROM basic3.threatstop.local TO ANY DENY
FROM basic4.threatstop.local TO ANY DENY

FROM ANY TO basic.threatstop.local DENY
FROM ANY TO basic1.threatstop.local DENY
FROM ANY TO basic2.threatstop.local DENY
FROM ANY TO basic3.threatstop.local DENY
FROM ANY TO basic4.threatstop.local DENY
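The following Python script is an added example, not ThreatSTOP's own tooling: it performs the TCP lookup the instructions require against the resolver named above, parses the A records, and expands a list name into the per-address FROM/TO deny rules shown, which is what you need on a firewall that cannot take a host name as a rule object. It uses only the standard library and assumes a plain DNS query (no EDNS); the resolver address, list names and rule form are the ones on this page.

```python
import socket
import struct

THREATSTOP_DNS = "24.249.204.58"  # resolver address from the page
BLOCKLISTS = ["basic.threatstop.local"] + [f"basic{i}.threatstop.local" for i in range(1, 5)]

def build_query(name, qid=0x1234):
    """Plain DNS A/IN query for `name` with RD set (no EDNS)."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)

def _skip_name(msg, off):  # advance past a (possibly compressed) domain name
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length

def parse_a_records(msg):
    """IPv4 addresses from the answer section; refuses error or truncated replies."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x020F:  # RCODE != 0 or TC set: never act on a partial block list
        raise ValueError(f"unusable reply, flags=0x{flags:04x}")
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    ips = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return ips

def resolve_tcp(name, server=THREATSTOP_DNS, timeout=15):
    """TCP lookup: the 2-byte length prefix lets a 4000-address answer through intact."""
    query = build_query(name)
    with socket.create_connection((server, 53), timeout=timeout) as sock, sock.makefile("rb") as rf:
        sock.sendall(struct.pack("!H", len(query)) + query)
        (length,) = struct.unpack("!H", rf.read(2))
        return parse_a_records(rf.read(length))

def deny_rules(ips):
    """Expand resolved addresses into the page's FROM/TO deny pairs, one per address."""
    return [f"FROM {ip} TO ANY DENY" for ip in ips] + [f"FROM ANY TO {ip} DENY" for ip in ips]
```

To generate the full rule set, call `deny_rules(resolve_tcp(name))` for each name in `BLOCKLISTS`; a truncated or error reply raises rather than producing a shortened list.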