Knowledge Base ISC Main Website Ask a Question/Contact ISC
When maintaining a DNS RPZ, how do I disappear a malicious domain name?
Author: Paul Vixie Reference Number: AA-00519 Views: 2635 Created: 2011-11-01 06:16 Last Updated: 2011-11-01 22:04 0 Rating/ Voters

The simplest and most common use of a DNS firewall is to poison domain names known to be purely malicious, by simply making them disappear. All DNS RPZ rules are expressed as resource record sets (RRsets), and the way to express "force a name-does-not-exist condition" is by adding a CNAME pointing to the root domain ("."). In practice this looks like:

$ORIGIN rpz.example.com.
malicious1.org          CNAME .
*.malicious1.org        CNAME .
malicious2.org          CNAME .
*.malicious2.org        CNAME .

Two things are noteworthy in this example. First, the malicious names are made relative within the response policy zone. Since there is not a trailing dot following ".org" in the above example, the actual RRsets created within this response policy zone will be, after expansion:

malicious1.org.rpz.example.com.         CNAME .
*.malicious1.org.rpz.example.com.       CNAME .
malicious2.org.rpz.example.com.         CNAME .
*.malicious2.org.rpz.example.com.       CNAME .


Second, both the name being poisoned and also its descendent names, are usually listed. This is because a malicious domain name probably has or might potentially have malicious subdomains.

In the above example, the relative domain names malicious1.org and malicious2.org will match only the real domain names malicious1.org and malicious2.org respectively. The relative domain names *.malicious1.org and *.malicious2.org will match any subdomain.malicious1.org or subdomain.of.malicious2.org respectively.

This example forces a name-does-not-exist condition as its policy action. Other policy actions are also possible.

See also: Building DNS Firewalls with Response Policy Zones (RPZ)

© 2001-2014 Internet Systems Consortium

Feedback
  • Please help us to improve the content of our knowledge base by letting us know how we can improve this article or by submitting suggestions for other articles you'd like to see created. Information on how to obtain further help on our products or services can be found on our main website.' If you have a technical question or problem on which you'd like help, we recommend searching our community mailing list archives and/or posting your question there (you will need to register there first for your posts to be accepted). The bind-users and the dhcp-users lists particularly have a long-standing and active membership.
Info Submit Feedback on this Article
Nickname: Your Email: Subject: Comment:
Enter the code below:
Quick Jump Menu