What are the features of the DNS RPZ firewall?
Reference Number: AA-00516 | Created: 2011-11-01 | Last Updated: 2017-05-23

DNS RPZ (Response Policy Zones) is a form of DNS firewall in which the firewall rule sets are expressed within DNS itself in the form of specially constructed DNS zones. DNS RPZ is an open vendor-neutral format for DNS firewall policy which allows a DNS server operator to maintain their own firewall policies and share them with all internal name servers, or to subscribe to external firewall policies such as commercial or cooperative "threat feeds". A name server using DNS RPZ can subscribe to one or more DNS policy rule sets (which are called Response Policy Zones). Each rule in an RPZ rule set is stored in a DNS resource record set (RRset) and consists of a "trigger" and an "action".

In a DNS firewall based on DNS RPZ, each rule can use one of four policy triggers and specify one of four policy actions.

A response policy rule in DNS RPZ can be triggered as follows:

  • by the query name (QNAME trigger)
  • by an address which would be present in a truthful response (IP trigger)
  • by the name of an authoritative name server responsible for publishing the original response (NSDNAME trigger)
  • by the address of such an authoritative name server (NSIP trigger)

A response policy action can be one of the following:

  • to synthesize a "domain does not exist" (NXDOMAIN) response
  • to synthesize a "name exists but there are no records of the requested type" (NODATA) response
  • to replace/override the response's data with specific data (provided within the response policy zone)
  • to exempt the response from further policy processing

The most common use of a DNS firewall is to poison a domain name, IP address, name server name, or name server IP address. Poisoning is usually done by forcing a synthetic "domain does not exist" response. This means that if you have a list of known "phishing" domains, you can make those names unreachable by your customers or end users just by adding some firewall policy to your recursive DNS server: a trigger for each known "phishing" domain, with an action in every case forcing a synthetic "domain does not exist" response. Alternatively, you could use a data replacement action, answering for these known "phishing" domains with the address of a local web server that displays a warning page. Such a web server is called a "walled garden".


Authority name servers can be responsible for many different domains. If you use DNS RPZ to poison all domains served by some authority name server name or authority name server address, the effects will be quite far reaching. You should make sure that such authority name servers do not also serve domains that you might care about.
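To make the encodings concrete, here is a small Python model, added to this article and not part of ISC's or BIND's code, of how the four triggers and four actions above are written as records in a policy zone and applied to a truthful response. The rule set, the policy zone name rpz.example.net, the addresses and the host names are all constructed for the example; the evaluation order (QNAME first, then IP, then NSDNAME, then NSIP, first match wins) is a simplification of the precedence a real resolver applies. The last case in the demo illustrates the caveat just given: an NSDNAME rule aimed at a hosting provider's name server poisons an unrelated domain that happens to be delegated to that server.

```python
"""Model of how a DNS RPZ policy zone's triggers and actions are evaluated.

Added example for this article, not ISC's or BIND's code.  The rule set,
zone name, addresses and host names below are constructed.  Trigger and
action encodings follow the RPZ format; the precedence (QNAME, then IP,
then NSDNAME, then NSIP, first match wins) is a simplified model.
"""
import ipaddress

RPZ_ZONE = "rpz.example.net."   # assumed name of the local policy zone

# Constructed rule set: (owner name, RR type, RDATA), as the records would
# appear in the policy zone's master file.
RPZ_RULES = [
    ("phish.example.com.rpz.example.net.",   "CNAME", "."),              # QNAME -> NXDOMAIN
    ("*.phish.example.com.rpz.example.net.", "CNAME", "."),              # QNAME wildcard -> NXDOMAIN
    ("malware.example.org.rpz.example.net.", "A",     "192.0.2.53"),     # QNAME -> walled garden
    ("good.example.com.rpz.example.net.",    "CNAME", "rpz-passthru."),  # QNAME -> exempt
    ("24.0.100.51.198.rpz-ip.rpz.example.net.", "CNAME", "*."),          # IP 198.51.100.0/24 -> NODATA
    ("ns1.badhoster.example.rpz-nsdname.rpz.example.net.", "CNAME", "."),  # NSDNAME -> NXDOMAIN
    ("24.0.113.0.203.rpz-nsip.rpz.example.net.", "CNAME", "."),          # NSIP 203.0.113.0/24 -> NXDOMAIN
]

TRIGGER_ORDER = ("qname", "rpz-ip", "rpz-nsdname", "rpz-nsip")


def _norm(name):
    """Lower-case a name and make it fully qualified (trailing dot)."""
    name = name.lower()
    return name if name.endswith(".") else name + "."


def ip_trigger_owner(network, kind, zone=RPZ_ZONE):
    """Encode an IPv4 network as an rpz-ip / rpz-nsip owner name:
    <prefixlen>.<octets reversed>.<kind>.<zone>   (IPv4 only in this model)."""
    net = ipaddress.IPv4Network(network)
    rev = ".".join(reversed(str(net.network_address).split(".")))
    return f"{net.prefixlen}.{rev}.{kind}.{zone}"


def _decode_ip_trigger(label_part):
    """Inverse of ip_trigger_owner, applied to the labels before .<kind>.<zone>."""
    prefixlen, *rev_octets = label_part.split(".")
    return ipaddress.IPv4Network(f"{'.'.join(reversed(rev_octets))}/{prefixlen}")


def _classify(owner, zone):
    """Return (trigger kind, pattern) for a rule's owner name."""
    owner = _norm(owner)
    for kind in ("rpz-ip", "rpz-nsdname", "rpz-nsip"):
        suffix = f".{kind}.{zone}"
        if owner.endswith(suffix):
            pattern = owner[: -len(suffix)]
            return kind, (pattern + "." if kind == "rpz-nsdname" else pattern)
    suffix = f".{zone}"
    if not owner.endswith(suffix):
        raise ValueError(f"{owner} is not inside policy zone {zone}")
    return "qname", owner[: -len(suffix)] + "."


def _name_matches(pattern, name):
    """Exact match, or DNS wildcard: '*.x.' matches names below x, not x itself."""
    if pattern.startswith("*."):
        return name.endswith(pattern[1:])
    return pattern == name


def decode_action(rrtype, rdata):
    """Map a rule's RRset to one of the four RPZ actions."""
    if rrtype.upper() == "CNAME":
        target = rdata.lower()
        if target == ".":
            return "NXDOMAIN"
        if target == "*.":
            return "NODATA"
        if target == "rpz-passthru.":
            return "PASSTHRU"
    return f"LOCAL-DATA {rrtype} {rdata}"   # any other RRset replaces the answer


def apply_policy(qname, answer_ips=(), ns_names=(), ns_ips=(),
                 rules=RPZ_RULES, zone=RPZ_ZONE):
    """Return the action selected for a truthful response, or None if no
    trigger fires.  A trigger kind is only consulted when no rule of a
    higher-precedence kind matched (so a QNAME exemption beats an IP rule)."""
    qname = _norm(qname)
    ns_names = [_norm(n) for n in ns_names]
    classified = [(_classify(o, zone), t, d) for o, t, d in rules]
    for kind in TRIGGER_ORDER:
        for (k, pattern), rrtype, rdata in classified:
            if k != kind:
                continue
            if kind == "qname":
                hit = _name_matches(pattern, qname)
            elif kind == "rpz-nsdname":
                hit = any(_name_matches(pattern, n) for n in ns_names)
            else:
                net = _decode_ip_trigger(pattern)
                addrs = answer_ips if kind == "rpz-ip" else ns_ips
                hit = any(ipaddress.IPv4Address(a) in net for a in addrs)
            if hit:
                return decode_action(rrtype, rdata)
    return None


if __name__ == "__main__":
    print(apply_policy("login.PHISH.example.com"))                       # NXDOMAIN via wildcard
    print(apply_policy("malware.example.org"))                           # walled garden A record
    print(apply_policy("good.example.com", answer_ips=["198.51.100.7"]))  # PASSTHRU beats IP rule
    print(apply_policy("shop.example.net", answer_ips=["198.51.100.7"]))  # NODATA from IP trigger
    # Caveat: an unrelated domain delegated to the poisoned name server is hit too.
    print(apply_policy("innocent.example", ns_names=["ns1.badhoster.example"]))
```

The model is IPv4-only; IPv6 triggers use a different reversed-group encoding that is not shown here. Note how the NSDNAME and NSIP cases fire on any domain whose delegation points at the listed server, which is exactly why the scope of such rules needs checking before deployment.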

See also: Building DNS Firewalls with Response Policy Zones (RPZ)

© 2001-2018 Internet Systems Consortium
