Knowledge Base ISC Main Website Ask a Question/Contact ISC
Webinar: BIND’s New Security Feature: DNSRPZ - the "DNS Firewall"
Author: Reference Number: AA-00493 Views: 4125 Created: 2011-10-16 20:18 Last Updated: 2015-10-08 13:06 0 Rating/ Voters

Turn your network’s DNS into a Security Tool!

What do you do if the security tools are not protecting your network? Cyber-criminals are constantly finding ways to bypass your security tools and own your network. When the threat changes, you should grow with the threat - think out of the box – using tools that the criminals have not yet considered; the DNS.

ISC’s Internet Critical Open Source DNS software BIND has a new feature that would turn a DNS Caching Resolver into a tool to help protect your network from malware. All the computers in your network must contact your DNS Resolvers to get to the outside world. Your DNS Resolvers are critical “choke-point” for which all devices in your network must interact to get to the outside world. This "choke-point" is a logical choice to put security capabilities to check if a domain is "clean" or "dirty." 

How can you have your DNS Resolver check if a domain is clean or dirty? Use BIND’s new feature – the DNS Response Policy Zone (DNSRPZ). DNSRPZ uses secure and fast zone transfer technologies to pull down black list of bad domains and put them into your DNS resolver.

Who should watch this Webinar?

E-mail Administrators: Find out how DNSRPZ offers more effective way to work with the Anti-Spam black list.

Network Operators: Learn how DNSRPZ can be used inside your network to keep your users from being in-inadvertently infected by malware, zero-days, and malvertisements.

Security Engineers: Discover how DNSRPZ is a tool to help contain infections that get into your network and try to “call home” to a BOTNET controller.

Hosting Providers: By default, most of your hosting customers are using your DNS resolvers. Learn how DNSRPZ can help prevent and contain the threat of your customers getting infected.

Service Providers: Learn how to turn your DNS services into a tool to help protect all your customers from infection.

Mobile Telecoms Operators: Find a new tool that would prevent miscreant smart phone applications from calling home with DNS and infecting your customer’s phones.

SCADA and Critical Industrial System Operators: Learn how DNSRPZ is a tool to help protect legacy control systems that need DNS to work.

Where to get information about DNSRPZ?

You can find more information, specifications, code, and presentations on DNSRPZ. Click on any of the following links to get started:

Taking Back the DNS by Paul Vixie (ISC Blog)

Taking Back the DNS by Paul Vixie (see comments in the CircleID blog)

"DNSRPZ March 2011 Webinar" by Barry Greene - slides attached as DNSRPZ-2011-03-01-Webinar.pdf

"Response Policy Zones" by Paul Vixie - slides attached as TakingBackTheDNSrpz2.pdf

See also: Building DNS Firewalls with Response Policy Zones (RPZ)


This was presented on 12th Oct, 2011


Webex Recording

© 2001-2017 Internet Systems Consortium

For assistance with problems and questions for which you have not been able to find an answer in our Knowledge Base, we recommend searching our community mailing list archives and/or posting your question there (you will need to register there first for your posts to be accepted). The bind-users and the dhcp-users lists particularly have a long-standing and active membership.

ISC relies on the financial support of the community to fund the development of its open source software products. If you would like to support future product evolution and maintenance as well having peace of mind knowing that our team of experts are poised to provide you with individual technical assistance whenever you call upon them, then please consider our Professional Subscription Support services - details can be found on our main website.

DNSRPZ Webinar 2011-10-12-4.pdf 12 Mb Download File
DNSRPZ Webinar 2011-10-12-4.ppt 9.9 Mb Download File
DNSRPZ-2011-03-01-Webinar.pdf 2.3 Mb Download File
TakingBackTheDNSrpz2.pdf 67.7 Kb Download File
Feedback 3
  • #
    [Jean Paul Thomsin]: Dead link 2014-06-04 20:22

    the link
    "Response Policy Zones presentation by Paul Vixie"

    doesn't work.

  • #
    [Jean Paul Thomsin]: Cannot see or download RPZ webinar or slides 2014-06-04 20:20

    I am on:

    (Webinar: BIND’s New Security Feature: DNSRPZ - the "DNS Firewall")

    but the downloads for the webinar or the PPT slides do not work.

  • #
    [Brian Conry]: Re: Cannot see or download RPZ webinar or slides 2015-10-07 21:32


    I've managed to recover (via the two sets of slides you mentioned, but I've not been able to locate recordings of the webinar.

    I've attached the PDFs to this article, but bear in mind that these are currently over four years old and the information contained therein may not apply to more current versions of BIND and/or RPZ.

    Brian Conry
    ISC Support

Quick Jump Menu