Knowledge Base ISC Main Website Ask a Question/Contact ISC
When maintaining a DNS RPZ, how do I disappear a malicious domain name?
Author: Paul Vixie Reference Number: AA-00519 Views: 2635 Created: 2011-11-01 06:16 Last Updated: 2011-11-01 22:04 0 Rating/ Voters

The simplest and most common use of a DNS firewall is to poison domain names known to be purely malicious, by simply making them disappear. All DNS RPZ rules are expressed as resource record sets (RRsets), and the way to express "force a name-does-not-exist condition" is by adding a CNAME pointing to the root domain ("."). In practice this looks like:

$ORIGIN          CNAME .
*        CNAME .          CNAME .
*        CNAME .

Two things are noteworthy in this example. First, the malicious names are made relative within the response policy zone. Since there is not a trailing dot following ".org" in the above example, the actual RRsets created within this response policy zone will be, after expansion:         CNAME .
*       CNAME .         CNAME .
*       CNAME .

Second, both the name being poisoned and also its descendent names, are usually listed. This is because a malicious domain name probably has or might potentially have malicious subdomains.

In the above example, the relative domain names and will match only the real domain names and respectively. The relative domain names * and * will match any or respectively.

This example forces a name-does-not-exist condition as its policy action. Other policy actions are also possible.

See also: Building DNS Firewalls with Response Policy Zones (RPZ)

© 2001-2014 Internet Systems Consortium

  • Please help us to improve the content of our knowledge base by letting us know how we can improve this article or by submitting suggestions for other articles you'd like to see created. Information on how to obtain further help on our products or services can be found on our main website.' If you have a technical question or problem on which you'd like help, we recommend searching our community mailing list archives and/or posting your question there (you will need to register there first for your posts to be accepted). The bind-users and the dhcp-users lists particularly have a long-standing and active membership.
Info Submit Feedback on this Article
Nickname: Your Email: Subject: Comment:
Enter the code below:
Quick Jump Menu