From 45628702b6a8ce47b70322f4882903c9a52c255d Mon Sep 17 00:00:00 2001
From: Frank Denis <github@pureftpd.org>
Date: Tue, 2 Jun 2020 13:03:41 +0200
Subject: [PATCH] Add SANS lists

---
 dnscrypt-proxy/example-ip-blacklist.txt                  | 3 +--
 utils/generate-domains-blacklists/domains-blacklist.conf | 9 +++++++++
 2 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/dnscrypt-proxy/example-ip-blacklist.txt b/dnscrypt-proxy/example-ip-blacklist.txt
index 2f25bd43..b0d2fc62 100644
--- a/dnscrypt-proxy/example-ip-blacklist.txt
+++ b/dnscrypt-proxy/example-ip-blacklist.txt
@@ -7,9 +7,8 @@
 ## Sample feeds of suspect IP addresses:
 ## - https://github.com/stamparm/ipsum
 ## - https://github.com/tg12/bad_packets_blocklist
+## - https://isc.sans.edu/block.txt
 ## - https://block.energized.pro/extensions/ips/formats/list.txt
-## Use only one of the levels from that list. 1 is not very reliable
-## (may have a lot of false positives), 8 is the most reliable subset.
 
 163.5.1.4
 94.46.118.*
diff --git a/utils/generate-domains-blacklists/domains-blacklist.conf b/utils/generate-domains-blacklists/domains-blacklist.conf
index f404b2f6..9e7935e0 100644
--- a/utils/generate-domains-blacklists/domains-blacklist.conf
+++ b/utils/generate-domains-blacklists/domains-blacklist.conf
@@ -26,6 +26,15 @@
 # Local additions
 file:domains-blacklist-local-additions.txt
 
+# SANS Institute suspicious domains, HIGH sensitivity level
+https://isc.sans.edu/feeds/suspiciousdomains_High.txt
+
+# SANS Institute suspicious domains, MEDIUM sensitivity level
+# https://isc.sans.edu/feeds/suspiciousdomains_Medium.txt
+
+# SANS Institute suspicious domains, LOW sensitivity level (not recommended)
+# https://isc.sans.edu/feeds/suspiciousdomains_Low.txt
+
 # Malware domains
 https://mirror1.malwaredomains.com/files/justdomains