What are the features of the DNS RPZ firewall?
Author: Paul Vixie | Reference Number: AA-00516 | Created: 2011-11-01 06:07 | Last Updated: 2011-11-02 02:41

DNS RPZ is a form of DNS firewall in which the firewall rule sets are expressed within DNS itself in the form of a specially constructed DNS zone. DNS RPZ is an open vendor-neutral format for DNS firewall policy which allows a DNS server operator to maintain their own firewall policies and share them with all internal name servers, or to subscribe to external firewall policies such as commercial or cooperative "threat feeds". A name server using DNS RPZ can subscribe to one or more DNS policy rule sets (which are called Response Policy Zones). Each rule in an RPZ rule set is stored in a DNS resource record set (RRset) and consists of a "trigger" and an "action".

In a DNS firewall based on DNS RPZ, each rule can use one of four policy triggers and specify one of four policy actions.

A response policy in DNS RPZ can be triggered as follows:

  • by the query name.
  • by an address which would be present in a truthful response.
  • by the name of an authoritative name server responsible for publishing the original response.
  • by the address of an authoritative name server responsible for publishing the original response.

A response policy action can be one of the following:

  • to synthesize a "domain does not exist" response.
  • to synthesize a "name exists but there are no records of the requested type" response.
  • to replace the response with specified data.
  • to exempt the response from further policy processing.

The most common use of a DNS firewall is to poison a domain name, IP address, name server name, or name server IP address. Poisoning is usually done by forcing a synthetic "domain does not exist" response. This means that if you have a list of known "phishing" domains, you can make those names unreachable by your customers or end users simply by adding firewall policy to your recursive DNS server: a trigger for each known "phishing" domain, with an action in every case forcing a synthetic "domain does not exist" response. Alternatively, you could use a data replacement action, answering for these known "phishing" domains with the address of a local web server that displays a warning page. Such a web server is called a "walled garden".

Warning

Authority name servers can be responsible for many different domains. If you use DNS RPZ to poison all domains served by some authority name server name or authority name server address, the effects will be quite far reaching. You should make sure that such authority name servers do not also serve domains that you might care about.
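The following zone file is an added example, not part of this article: it exercises each of the four triggers and four actions described above, including the walled-garden replacement and a passthru rule that exempts a name the name-server triggers would otherwise catch (the mitigation for the warning above). It assumes BIND's RPZ zone syntax; every domain name and address in it is a constructed placeholder drawn from the reserved example ranges.

```zone
; Added example (not from the ISC article). Constructed names and addresses.
$TTL 60
$ORIGIN rpz.example.net.
@       SOA   ns1.example.net. hostmaster.example.net. (
              2011110101 3600 900 604800 60 )
        NS    ns1.example.net.

; --- QNAME trigger: the name the client asked for (relative to the zone origin).
; Action: synthesize "domain does not exist" (NXDOMAIN) via CNAME to the root.
phish.example.com           CNAME .
*.phish.example.com         CNAME .
; Action: synthesize "name exists, no records of that type" (NODATA) via CNAME *.
tracker.example.com         CNAME *.
; Action: replace the answer with local data, here the walled-garden web server.
fraud.example.com           A     192.0.2.10
*.fraud.example.com         A     192.0.2.10

; --- IP trigger: an address that would appear in the truthful answer,
; encoded as <prefixlen>.<octets reversed>.rpz-ip; this is 198.51.100.0/24.
24.0.100.51.198.rpz-ip      CNAME .

; --- NSDNAME trigger: the name of an authority server for the original answer.
ns1.badhost.example.rpz-nsdname   CNAME .

; --- NSIP trigger: the address of such a server, same encoding; 203.0.113.5/32.
32.5.113.0.203.rpz-nsip     CNAME .

; --- PASSTHRU action: exempt a name you care about from further policy,
; even if one of the name-server triggers above would otherwise match it.
trusted.example.org         CNAME rpz-passthru.
```

The zone is activated with a `response-policy { zone "rpz.example.net"; };` statement in the recursive server's options; running `named-checkzone` on the file before loading it catches encoding mistakes in the reversed-address labels.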



See also: Building DNS Firewalls with Response Policy Zones (RPZ)

© 2001-2014 Internet Systems Consortium
