Knowledge Base ISC Main Website Ask a Question/Contact ISC
When maintaining a DNS RPZ, how do I disappear a malicious domain name?
Author: Paul Vixie Reference Number: AA-00519 Views: 5693 Created: 2011-11-01 06:16 Last Updated: 2011-11-01 22:04 0 Rating/ Voters

The simplest and most common use of a DNS firewall is to poison domain names known to be purely malicious, by simply making them disappear. All DNS RPZ rules are expressed as resource record sets (RRsets), and the way to express "force a name-does-not-exist condition" is by adding a CNAME pointing to the root domain ("."). In practice this looks like:

$ORIGIN rpz.example.com.
malicious1.org          CNAME .
*.malicious1.org        CNAME .
malicious2.org          CNAME .
*.malicious2.org        CNAME .

Two things are noteworthy in this example. First, the malicious names are made relative within the response policy zone. Since there is not a trailing dot following ".org" in the above example, the actual RRsets created within this response policy zone will be, after expansion:

malicious1.org.rpz.example.com.         CNAME .
*.malicious1.org.rpz.example.com.       CNAME .
malicious2.org.rpz.example.com.         CNAME .
*.malicious2.org.rpz.example.com.       CNAME .


Second, both the name being poisoned and also its descendent names, are usually listed. This is because a malicious domain name probably has or might potentially have malicious subdomains.

In the above example, the relative domain names malicious1.org and malicious2.org will match only the real domain names malicious1.org and malicious2.org respectively. The relative domain names *.malicious1.org and *.malicious2.org will match any subdomain.malicious1.org or subdomain.of.malicious2.org respectively.

This example forces a name-does-not-exist condition as its policy action. Other policy actions are also possible.

See also: Building DNS Firewalls with Response Policy Zones (RPZ)


© 2001-2015 Internet Systems Consortium

Please help us to improve the content of our knowledge base by letting us know below how we can improve this article.

If you have a technical question or problem on which you'd like help, please don't submit it here as article feedback.

For assistance with problems and questions for which you have not been able to find an answer in our Knowledge Base, we recommend searching our community mailing list archives and/or posting your question there (you will need to register there first for your posts to be accepted). The bind-users and the dhcp-users lists particularly have a long-standing and active membership.

ISC relies on the financial support of the community to fund the development of its open source software products. If you would like to support future product evolution and maintenance as well having peace of mind knowing that our team of experts are poised to provide you with individual technical assistance whenever you call upon them, then please consider our Professional Subscription Support services - details can be found on our main website.

Feedback
  • There is no feedback for this article
Info Submit Feedback on this Article
Nickname: Your Email: Subject: Comment:
Enter the code below:
Quick Jump Menu