What is it?

Wikipedia knows.

Domain Name Service Response Policy Zones (DNS RPZ) is a method that allows a nameserver administrator to overlay custom information on top of the global DNS to provide alternate responses to queries. It is currently implemented in the ISC BIND nameserver (9.8 or later). Another generic name for the DNS RPZ functionality is "DNS firewall".

This website is made available to keep up with information about this feature.

Why is RPZ useful?

The prime motivation for creating this feature was to protect users from badness on the Internet related to known-malicious global identifiers such as host names, domain names, IP addresses, or nameservers. Criminals tend to keep using the same identifiers until they are taken away from them. Unfortunately, the Internet security industry's ability to take down criminal infrastructure at domain registries, hosting providers or ISPs is not timely enough to be effective. Using RPZ, a network or DNS administrator can implement their own protection policies base based on reputation feeds from security service providers on a near-real-time basis.

Examples include:

  • If one knows a bad hostname or domain name, one can block clients from accessing it or redirect them to a walled garden.
  • If one know a bad IP address or subnet, one can block clients from accessing hostnames that reference it.
  • If one knows a nameserver that doesn't host anything except bad domains, one can block clients from accessing DNS information hosted by those nameservers.

Policy zones published by a multiple providers (see below) can be checked in order before a normal answer from the global DNS is used. White lists can also be maintained by a local administrator to prevent false positives for key infrastructure.

Pointers to resources

Ecosystem

Send links to webmaster at dnsrpz.info to be added below.

Providers of reputation data (in alphabetical order)

Provider Service
DissectCyber rpzone.us
FarsightSecurity Newly Observed Domains and example
InternetIdentity DNS firewall
SpamHaus Several of their popular blocklists are available via RPZ. Article Pricing
SURBL Data Feed
ThreatStop DNS firewall and announcement

Products that can utilize DNS RPZ

Vendor Product Notes
BlueCat BlueCat DNS BlueCat provides both their own protection policies for customers as well as the ability for customers to add their own zones. Here is a landing page: BlueCat RPZ.
InfoBlox DNS Firewall The DNS engine is based on BIND 9 (with enhancements). Add providers or manage your own list with a GUI. video
ISC BIND 9 RPZ support in include in BIND version 9.8 and later.

Related services

Provider Service
Deteque Has provided integration consulting for some of the DNS RPZ providers above
SecurityZones Provides product marketing and sales for some of the providers above