How can I synchronize DNS RPZ firewall policies across multiple DNS servers?
Author: Paul Vixie Reference Number: AA-00518 Views: 2393 Created: 2011-11-01 06:14 Last Updated: 2011-11-01 22:36

In DNS RPZ, the DNS firewall policy rule set is stored in a DNS zone which is maintained and synchronized using the same tools and methods as for any other DNS zone. See How do I create and maintain my DNS firewall policy rule set using DNS RPZ? for the procedures to create and maintain the master copy of your DNS policy in a DNS Response Policy Zone (RPZ). Your primary name server for a DNS RPZ may be your own server if you are creating and maintaining your own DNS policy zone, or it may be an external name server (such as your security vendor's server) if you are importing a policy zone published externally.

If you are subscribing to an externally published DNS policy zone and you have a large number of internal recursive name servers then you should create an internal name server called a "distribution master" (DM). This DM is a secondary (stealth slave) name server from the publisher's point of view -- that is, your DM is fetching zone content from them. Your DM is also a master name server from your internal recursive name servers' point of view -- that is, they are fetching zone content from the DM. In this configuration the DM is acting as a gateway between your external publisher and your internal subscribers.

The master server must know the unicast listener address of every subscribing recursive server, and must enumerate all of these addresses as destinations for real time zone change notification (as described in RFC 1996). So if your enterprise-wide RPZ is called "rpz.example.com" and if the unicast listener addresses of four of your subscribing recursive name servers are 192.0.200.1, 192.0.201.1, 192.0.202.1, and 192.0.203.1, your master server's configuration will look like this:

options {
    // ...
    response-policy {
            zone "rpz.example.com";
    };
    // ...
};

zone "rpz.example.com" {
    type master;
    file "master/rpz.example.com";
    also-notify { 192.0.200.1;
                  192.0.201.1;
                  192.0.202.1;
                  192.0.203.1; };
    allow-transfer { 192.0.200.1;
                     192.0.201.1;
                     192.0.202.1;
                     192.0.203.1; };
    allow-query { localhost; };
};

Each recursive DNS server that subscribes to the policy zone will make itself a secondary (stealth slave) server for the zone, and will connect the policy zone to its control plane in its configuration. So to subscribe a recursive name server to a response policy zone where the unicast listener address of the master server is 192.0.220.2, the server's configuration will look like this:

options {
    // ...
    // Connect the policy zone to this resolver's control plane so that
    // the rules it contains are applied to answers.
    response-policy {
            zone "rpz.example.com";
    };
    // ...
};

zone "rpz.example.com" {
    type slave;
    masters { 192.0.220.2; };
    file "slave/rpz.example.com";
    allow-query { localhost; };
    allow-transfer { none; };
};

Note that queries are restricted to "localhost", since query access is never used by DNS RPZ itself, but may be useful to DNS operators for use in debugging. Transfers should be disallowed to prevent policy information leaks.
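The "distribution master" described above combines the two roles shown in the preceding configurations: it is a secondary of the external publisher and a master for the internal subscribers. The following is an added example of such a DM configuration; it is not taken from this article or from ISC's own documentation. The publisher's transfer address (198.51.100.10) and the DM's own listener address (192.0.220.2) are assumed values, and the publisher must in turn permit zone transfers to the DM's address.

```conf
// Added example: a distribution master (DM) for an externally
// published DNS RPZ. Addresses are assumed, not from the article.

zone "rpz.example.com" {
    // Secondary (stealth slave) from the publisher's point of view:
    // the DM fetches the policy zone from the publisher's server.
    type slave;
    masters { 198.51.100.10; };   // assumed publisher transfer address
    file "slave/rpz.example.com";

    // Master from the internal subscribers' point of view: send
    // NOTIFY (RFC 1996) to every subscriber as soon as a new version
    // arrives, and let only those subscribers transfer the zone.
    // "notify explicit" stops the DM from also notifying the NS
    // records of the published zone, which belong to the publisher.
    notify explicit;
    also-notify { 192.0.200.1;
                  192.0.201.1;
                  192.0.202.1;
                  192.0.203.1; };
    allow-transfer { 192.0.200.1;
                     192.0.201.1;
                     192.0.202.1;
                     192.0.203.1; };

    // Query access is not needed by RPZ itself; keep it local for
    // debugging and do not expose the policy content.
    allow-query { localhost; };
};

// Each internal subscriber then points at the DM rather than at the
// publisher (192.0.220.2 is the DM's assumed listener address):
//
// zone "rpz.example.com" {
//     type slave;
//     masters { 192.0.220.2; };
//     file "slave/rpz.example.com";
//     allow-query { localhost; };
//     allow-transfer { none; };
// };
```

Because the DM receives the zone by IXFR from the publisher and stores the resulting journal, it can serve incremental transfers to the subscribers without any additional configuration; only the subscribers' unicast listener addresses need to be kept current in the also-notify and allow-transfer lists.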

Keeping your firewall policies updated

It is vital for overall system performance that incremental zone transfers (see RFC 1995) and real time change notification (see RFC 1996) be used to synchronize DNS firewall rule sets between the publisher's master copy of the rule set and the subscribers' working copies of the rule set.


If you use DNS dynamic update to maintain a DNS RPZ rule set, then your name server will automatically calculate a stream of deltas for use when sending incremental zone transfers to the subscribing name servers. Sending a stream of deltas is usually much faster than sending the full zone every time it changes. This stream of deltas is called "incremental zone transfer" and it's worth the effort to use an editing method that makes such incremental transfers possible.

If you edit or periodically regenerate a DNS RPZ rule set, and your primary name server uses BIND, you can enable the "ixfr-from-differences" option. This tells the primary name server to calculate the differences between each new zone and the preceding version, and to make these differences available as a stream of deltas for use in incremental zone transfers to the subscribing name servers. This will look something like the following:

options {
    // ...
    ixfr-from-differences yes;
    // ...
};

See also: Building DNS Firewalls with Response Policy Zones (RPZ)

© 2001-2014 Internet Systems Consortium
