What is it?
Domain Name Service Response Policy Zones (DNS RPZ) is a method that allows a nameserver administrator to overlay custom information on top of the global DNS to provide alternate responses to queries. It is currently implemented in the ISC BIND nameserver (9.8 or later). Another generic name for the DNS RPZ functionality is "DNS firewall".
This website is made available to keep up with information about this feature.
Why is RPZ useful?
The prime motivation for creating this feature was to protect users from badness on the Internet related to known-malicious global identifiers such as host names, domain names, IP addresses, or nameservers. Criminals tend to keep using the same identifiers until they are taken away from them. Unfortunately, the Internet security industry's ability to take down criminal infrastructure at domain registries, hosting providers or ISPs is not timely enough to be effective. Using RPZ, a network or DNS administrator can implement their own protection policies base based on reputation feeds from security service providers on a near-real-time basis.
- If one knows a bad hostname or domain name, one can block clients from accessing it or redirect them to a walled garden.
- If one know a bad IP address or subnet, one can block clients from accessing hostnames that reference it.
- If one knows a nameserver that doesn't host anything except bad domains, one can block clients from accessing DNS information hosted by those nameservers.
Policy zones published by a multiple providers (see below) can be checked in order before a normal answer from the global DNS is used. White lists can also be maintained by a local administrator to prevent false positives for key infrastructure.
Pointers to resources
- Paul Vixie's Taking Back the DNS blog entry
- Paul Vixie's DNS Firewalls in Action blog entry
- Discussion mailing list
- New! IETF Draft
- Case studies:
- ISC BIND 9 reference implementation
- Hugo Connery's Roadmap to Accellerate Adoption: RPZ-Building-Momentum.pdf
- April Lorenzen's Virtual Server for RPZ on github
- Hugo Connery's RPZ Log Analysis on github - aka RPZLA
- Hugo Connery's proposal on standardizing zone feedback
Send links to webmaster at dnsrpz.info to be added below.
Providers of reputation data (in alphabetical order)
|FarsightSecurity||Newly Observed Domains and example|
|SpamHaus||Several of their popular blocklists are available via RPZ. Article Pricing|
|ThreatStop||DNS firewall and announcement|
Products that can utilize DNS RPZ
|BlueCat||BlueCat DNS||BlueCat provides both their own protection policies for customers as well as the ability for customers to add their own zones. Here is a landing page: BlueCat RPZ.|
|InfoBlox||DNS Firewall||The DNS engine is based on BIND 9 (with enhancements). Add providers or manage your own list with a GUI. video|
|ISC||BIND 9||RPZ support is included in BIND version 9.8 and later.|
|Knot||policy.rpz module||Partial support explained here|
|PowerDNS||PowerDNS Recursor 4.0.0 and higher||Introduction|
|Deteque||Has provided integration consulting for some of the DNS RPZ providers above|
|SecurityZones||Provides product marketing and sales for some of the providers above|